diff --git a/umn/source/_static/images/en-us_image_0000001151300782.png b/umn/source/_static/images/en-us_image_0000001151300782.png deleted file mode 100644 index eb1ae9b..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001151300782.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001229959315.png b/umn/source/_static/images/en-us_image_0000001229959315.png deleted file mode 100644 index 4c0b0da..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001229959315.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001267230305.png b/umn/source/_static/images/en-us_image_0000001267230305.png deleted file mode 100644 index 806c94c..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001267230305.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001267350317.png b/umn/source/_static/images/en-us_image_0000001267350317.png deleted file mode 100644 index 806c94c..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001267350317.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001500905066.png b/umn/source/_static/images/en-us_image_0000001572300492.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001500905066.png rename to umn/source/_static/images/en-us_image_0000001572300492.png diff --git a/umn/source/_static/images/en-us_image_0000001503011070.png b/umn/source/_static/images/en-us_image_0000001626574358.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503011070.png rename to umn/source/_static/images/en-us_image_0000001626574358.png diff --git a/umn/source/_static/images/en-us_image_0000001503011074.png b/umn/source/_static/images/en-us_image_0000001626574362.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503011074.png rename to umn/source/_static/images/en-us_image_0000001626574362.png 
diff --git a/umn/source/_static/images/en-us_image_0000001503159042.png b/umn/source/_static/images/en-us_image_0000001626574366.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503159042.png rename to umn/source/_static/images/en-us_image_0000001626574366.png diff --git a/umn/source/_static/images/en-us_image_0000001503170970.png b/umn/source/_static/images/en-us_image_0000001626574370.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503170970.png rename to umn/source/_static/images/en-us_image_0000001626574370.png diff --git a/umn/source/_static/images/en-us_image_0000001503170974.png b/umn/source/_static/images/en-us_image_0000001626575750.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503170974.png rename to umn/source/_static/images/en-us_image_0000001626575750.png diff --git a/umn/source/_static/images/en-us_image_0000001503318922.png b/umn/source/_static/images/en-us_image_0000001626576382.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503318922.png rename to umn/source/_static/images/en-us_image_0000001626576382.png diff --git a/umn/source/_static/images/en-us_image_0000001503330854.png b/umn/source/_static/images/en-us_image_0000001626576858.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503330854.png rename to umn/source/_static/images/en-us_image_0000001626576858.png diff --git a/umn/source/_static/images/en-us_image_0000001503330858.png b/umn/source/_static/images/en-us_image_0000001626578706.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503330858.png rename to umn/source/_static/images/en-us_image_0000001626578706.png 
diff --git a/umn/source/_static/images/en-us_image_0000001503478818.png b/umn/source/_static/images/en-us_image_0000001626734158.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503478818.png rename to umn/source/_static/images/en-us_image_0000001626734158.png diff --git a/umn/source/_static/images/en-us_image_0000001503490746.png b/umn/source/_static/images/en-us_image_0000001626734162.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503490746.png rename to umn/source/_static/images/en-us_image_0000001626734162.png diff --git a/umn/source/_static/images/en-us_image_0000001503490750.png b/umn/source/_static/images/en-us_image_0000001626734166.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001503490750.png rename to umn/source/_static/images/en-us_image_0000001626734166.png diff --git a/umn/source/_static/images/en-us_image_0000001553650753.png b/umn/source/_static/images/en-us_image_0000001626734174.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001553650753.png rename to umn/source/_static/images/en-us_image_0000001626734174.png diff --git a/umn/source/_static/images/en-us_image_0000001553650757.png b/umn/source/_static/images/en-us_image_0000001626735566.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001553650757.png rename to umn/source/_static/images/en-us_image_0000001626735566.png diff --git a/umn/source/_static/images/en-us_image_0000001553770733.png b/umn/source/_static/images/en-us_image_0000001626735570.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001553770733.png rename to umn/source/_static/images/en-us_image_0000001626735570.png 
diff --git a/umn/source/_static/images/en-us_image_0000001553770737.png b/umn/source/_static/images/en-us_image_0000001626736198.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001553770737.png rename to umn/source/_static/images/en-us_image_0000001626736198.png diff --git a/umn/source/_static/images/en-us_image_0000001553930581.png b/umn/source/_static/images/en-us_image_0000001626736678.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001553930581.png rename to umn/source/_static/images/en-us_image_0000001626736678.png diff --git a/umn/source/_static/images/en-us_image_0000001554010645.png b/umn/source/_static/images/en-us_image_0000001626736794.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001554010645.png rename to umn/source/_static/images/en-us_image_0000001626736794.png diff --git a/umn/source/_static/images/en-us_image_0000001554010649.png b/umn/source/_static/images/en-us_image_0000001626738526.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001554010649.png rename to umn/source/_static/images/en-us_image_0000001626738526.png diff --git a/umn/source/_static/images/en-us_image_0000001626894086.png b/umn/source/_static/images/en-us_image_0000001626894086.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626894086.png differ diff --git a/umn/source/_static/images/en-us_image_0000001626894090.png b/umn/source/_static/images/en-us_image_0000001626894090.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626894090.png differ diff --git a/umn/source/_static/images/en-us_image_0000001626894094.png b/umn/source/_static/images/en-us_image_0000001626894094.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626894094.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001626894098.png b/umn/source/_static/images/en-us_image_0000001626894098.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626894098.png differ diff --git a/umn/source/_static/images/en-us_image_0000001626894106.png b/umn/source/_static/images/en-us_image_0000001626894106.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626894106.png differ diff --git a/umn/source/_static/images/en-us_image_0000001626894110.png b/umn/source/_static/images/en-us_image_0000001626894110.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626894110.png differ diff --git a/umn/source/_static/images/en-us_image_0000001626895486.png b/umn/source/_static/images/en-us_image_0000001626895486.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626895486.png differ diff --git a/umn/source/_static/images/en-us_image_0000001626896590.png b/umn/source/_static/images/en-us_image_0000001626896590.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626896590.png differ diff --git a/umn/source/_static/images/en-us_image_0000001626897562.png b/umn/source/_static/images/en-us_image_0000001626897562.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626897562.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627052380.png b/umn/source/_static/images/en-us_image_0000001627052380.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627052380.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001627054054.png b/umn/source/_static/images/en-us_image_0000001627054054.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627054054.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627054058.png b/umn/source/_static/images/en-us_image_0000001627054058.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627054058.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627054062.png b/umn/source/_static/images/en-us_image_0000001627054062.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627054062.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627054082.png b/umn/source/_static/images/en-us_image_0000001627054082.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627054082.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627055450.png b/umn/source/_static/images/en-us_image_0000001627055450.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627055450.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627055454.png b/umn/source/_static/images/en-us_image_0000001627055454.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627055454.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627056086.png b/umn/source/_static/images/en-us_image_0000001627056086.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627056086.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001627056574.png b/umn/source/_static/images/en-us_image_0000001627056574.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627056574.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627056686.png b/umn/source/_static/images/en-us_image_0000001627056686.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627056686.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627174280.png b/umn/source/_static/images/en-us_image_0000001627174280.png new file mode 100644 index 0000000..39fad00 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627174280.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627334080.png b/umn/source/_static/images/en-us_image_0000001627334080.png new file mode 100644 index 0000000..281f9f7 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627334080.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627493158.png b/umn/source/_static/images/en-us_image_0000001627493158.png new file mode 100644 index 0000000..29a2351 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627493158.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627653972.png b/umn/source/_static/images/en-us_image_0000001627653972.png new file mode 100644 index 0000000..be2f35c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627653972.png differ diff --git a/umn/source/_static/images/en-us_image_0000001627744152.png b/umn/source/_static/images/en-us_image_0000001627744152.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001627744152.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001650535960.png b/umn/source/_static/images/en-us_image_0000001650535960.png new file mode 100644 index 0000000..6306214 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001650535960.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675254013.png b/umn/source/_static/images/en-us_image_0000001675254013.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675254013.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675254017.png b/umn/source/_static/images/en-us_image_0000001675254017.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675254017.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675254021.png b/umn/source/_static/images/en-us_image_0000001675254021.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675254021.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675254033.png b/umn/source/_static/images/en-us_image_0000001675254033.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675254033.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675255405.png b/umn/source/_static/images/en-us_image_0000001675255405.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675255405.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675256029.png b/umn/source/_static/images/en-us_image_0000001675256029.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675256029.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001675256529.png b/umn/source/_static/images/en-us_image_0000001675256529.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675256529.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675256657.png b/umn/source/_static/images/en-us_image_0000001675256657.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675256657.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675258381.png b/umn/source/_static/images/en-us_image_0000001675258381.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675258381.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675258889.png b/umn/source/_static/images/en-us_image_0000001675258889.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675258889.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675373901.png b/umn/source/_static/images/en-us_image_0000001675373901.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675373901.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675373905.png b/umn/source/_static/images/en-us_image_0000001675373905.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675373905.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675373909.png b/umn/source/_static/images/en-us_image_0000001675373909.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675373909.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001675373913.png b/umn/source/_static/images/en-us_image_0000001675373913.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675373913.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675373917.png b/umn/source/_static/images/en-us_image_0000001675373917.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675373917.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675375297.png b/umn/source/_static/images/en-us_image_0000001675375297.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675375297.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675375405.png b/umn/source/_static/images/en-us_image_0000001675375405.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675375405.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675378241.png b/umn/source/_static/images/en-us_image_0000001675378241.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675378241.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675413821.png b/umn/source/_static/images/en-us_image_0000001675413821.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675413821.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675413825.png b/umn/source/_static/images/en-us_image_0000001675413825.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675413825.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001675413829.png b/umn/source/_static/images/en-us_image_0000001675413829.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675413829.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675413833.png b/umn/source/_static/images/en-us_image_0000001675413833.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675413833.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675413841.png b/umn/source/_static/images/en-us_image_0000001675413841.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675413841.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675413845.png b/umn/source/_static/images/en-us_image_0000001675413845.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675413845.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675415213.png b/umn/source/_static/images/en-us_image_0000001675415213.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675415213.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675415841.png b/umn/source/_static/images/en-us_image_0000001675415841.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675415841.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675416345.png b/umn/source/_static/images/en-us_image_0000001675416345.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675416345.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001675418673.png b/umn/source/_static/images/en-us_image_0000001675418673.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675418673.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675613937.png b/umn/source/_static/images/en-us_image_0000001675613937.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675613937.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675613941.png b/umn/source/_static/images/en-us_image_0000001675613941.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675613941.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675613945.png b/umn/source/_static/images/en-us_image_0000001675613945.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675613945.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675613953.png b/umn/source/_static/images/en-us_image_0000001675613953.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675613953.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675613957.png b/umn/source/_static/images/en-us_image_0000001675613957.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675613957.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675615337.png b/umn/source/_static/images/en-us_image_0000001675615337.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675615337.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001675616433.png b/umn/source/_static/images/en-us_image_0000001675616433.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675616433.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675616561.png b/umn/source/_static/images/en-us_image_0000001675616561.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675616561.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675618277.png b/umn/source/_static/images/en-us_image_0000001675618277.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675618277.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675619157.png b/umn/source/_static/images/en-us_image_0000001675619157.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675619157.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675813933.png b/umn/source/_static/images/en-us_image_0000001675813933.png new file mode 100644 index 0000000..39fad00 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675813933.png differ diff --git a/umn/source/_static/images/en-us_image_0000001676063997.png b/umn/source/_static/images/en-us_image_0000001676063997.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001676063997.png differ diff --git a/umn/source/_static/images/en-us_image_0000001678437642.png b/umn/source/_static/images/en-us_image_0000001678437642.png new file mode 100644 index 0000000..f3ba480 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001678437642.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001681512581.png b/umn/source/_static/images/en-us_image_0000001681512581.png new file mode 100644 index 0000000..d8f9804 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001681512581.png differ diff --git a/umn/source/_static/images/en-us_image_0000001699135873.png b/umn/source/_static/images/en-us_image_0000001699135873.png new file mode 100644 index 0000000..60afbc0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001699135873.png differ diff --git a/umn/source/_static/images/en-us_image_0122999741.png b/umn/source/_static/images/en-us_image_0122999741.png deleted file mode 100644 index faf01e7..0000000 Binary files a/umn/source/_static/images/en-us_image_0122999741.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0148244691.png b/umn/source/_static/images/en-us_image_0148244691.png deleted file mode 100644 index 833927c..0000000 Binary files a/umn/source/_static/images/en-us_image_0148244691.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0162733894.png b/umn/source/_static/images/en-us_image_0162733894.png new file mode 100644 index 0000000..95121dc Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162733894.png differ diff --git a/umn/source/_static/images/en-us_image_0167839112.png b/umn/source/_static/images/en-us_image_0167839112.png index 754024d..05e485d 100644 Binary files a/umn/source/_static/images/en-us_image_0167839112.png and b/umn/source/_static/images/en-us_image_0167839112.png differ diff --git a/umn/source/_static/images/en-us_image_0167840073.png b/umn/source/_static/images/en-us_image_0167840073.png index 6120e8e..05e485d 100644 Binary files a/umn/source/_static/images/en-us_image_0167840073.png and b/umn/source/_static/images/en-us_image_0167840073.png differ 
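Review bot: Almost every new PNG in this run, from en-us_image_0000001626894086.png through en-us_image_0000001681512581.png, is added with the same blob index `0000000..d8f9804`, so these files are byte-identical copies of one image under different generated names; consider committing that image once and referencing the single file from each page, since dozens of duplicates bloat the repository and turn a future change to that icon into a many-file edit. Only the handful with other indexes (39fad00, 281f9f7, 29a2351, be2f35c, 6306214, f3ba480, 60afbc0) are distinct images.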
diff --git a/umn/source/_static/images/en-us_image_0211552164.png b/umn/source/_static/images/en-us_image_0211552164.png index 14fd3fc..df810e8 100644 Binary files a/umn/source/_static/images/en-us_image_0211552164.png and b/umn/source/_static/images/en-us_image_0211552164.png differ diff --git a/umn/source/_static/images/en-us_image_0211560998.png b/umn/source/_static/images/en-us_image_0211560998.png index 413c588..ea33dfe 100644 Binary files a/umn/source/_static/images/en-us_image_0211560998.png and b/umn/source/_static/images/en-us_image_0211560998.png differ diff --git a/umn/source/_static/images/en-us_image_0239476777.png b/umn/source/_static/images/en-us_image_0239476777.png deleted file mode 100644 index 8aadcff..0000000 Binary files a/umn/source/_static/images/en-us_image_0239476777.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0274115599.png b/umn/source/_static/images/en-us_image_0274115599.png index 2d2d02f..b20d87f 100644 Binary files a/umn/source/_static/images/en-us_image_0274115599.png and b/umn/source/_static/images/en-us_image_0274115599.png differ diff --git a/umn/source/_static/images/en-us_image_0285048674.png b/umn/source/_static/images/en-us_image_0285048674.png index 63e5249..d6de83d 100644 Binary files a/umn/source/_static/images/en-us_image_0285048674.png and b/umn/source/_static/images/en-us_image_0285048674.png differ diff --git a/umn/source/security/differences_between_security_groups_and_firewalls.rst b/umn/source/access_control/differences_between_security_groups_and_firewalls.rst similarity index 96% rename from umn/source/security/differences_between_security_groups_and_firewalls.rst rename to umn/source/access_control/differences_between_security_groups_and_firewalls.rst index 27ea951..c4b42e5 100644 --- a/umn/source/security/differences_between_security_groups_and_firewalls.rst +++ b/umn/source/access_control/differences_between_security_groups_and_firewalls.rst 
@@ -5,16 +5,16 @@ Differences Between Security Groups and Firewalls ================================================= -You can configure security groups and firewall to increase the security of ECSs in your VPC. +You can configure security groups and firewalls to increase the security of ECSs in your VPC. - Security groups operate at the ECS level. -- firewalls protect associated subnets and all the resources in the subnets. +- Firewalls protect associated subnets and all the resources in the subnets. For details, see :ref:`Figure 1 `. .. _en-us_topic_0052003963__fig9582182315479: -.. figure:: /_static/images/en-us_image_0148244691.png +.. figure:: /_static/images/en-us_image_0000001699135873.png :alt: **Figure 1** Security groups and firewalls **Figure 1** Security groups and firewalls 
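Review bot: The corrected lead sentence "You can configure security groups and firewalls to increase the security of ECSs in your VPC." is narrower than the bullet right below it, which says firewalls protect "all the resources in the subnets", not only ECSs; suggest "to increase the security of resources in your VPC" so the opening sentence matches the scope the bullets describe. The figure swap to en-us_image_0000001699135873.png is consistent with the deletion of en-us_image_0148244691.png earlier in this patch, so no dangling image reference is introduced here.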
@@ -28,7 +28,7 @@ For details, see :ref:`Figure 1 `. +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Category | Security Group | Firewall | +==========+================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================================+ - | Targets | Operates at the ECS level. | Operates at the subnet level. | + | Scope | Operates at the ECS level. | Operates at the subnet level. | +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Rules | Does not support **Allow** or **Deny** rules. | Supports both **Allow** and **Deny** rules. 
| +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/security/firewall/adding_a_firewall_rule.rst b/umn/source/access_control/firewall/adding_a_firewall_rule.rst similarity index 60% rename from umn/source/security/firewall/adding_a_firewall_rule.rst rename to umn/source/access_control/firewall/adding_a_firewall_rule.rst index 7421e07..c4dd1aa 100644 --- a/umn/source/security/firewall/adding_a_firewall_rule.rst +++ b/umn/source/access_control/firewall/adding_a_firewall_rule.rst @@ -10,6 +10,11 @@ Scenarios Add an inbound or outbound rule based on your network security requirements. +Notes and Constraints +--------------------- + +A firewall can contain no more than 20 rules in one direction, or performance will deteriorate. + Procedure --------- @@ -19,6 +24,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. 5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. 
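Review bot: In the @@ -28,7 hunk, renaming **Targets** to **Scope** reads better, but the adjacent **Rules** row left as context still says "Does not support **Allow** or **Deny** rules." for security groups, which a reader can take to mean security groups have no rules at all; next to the firewall cell "Supports both **Allow** and **Deny** rules" the intended contrast is about which actions a rule can express, so spell out what a security group rule can and cannot do instead of a double negative. This row is what a reader uses to decide which mechanism to put an explicit block in, so it should be unambiguous.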
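Review bot: The new constraint in the @@ -10,6 hunk, "A firewall can contain no more than 20 rules in one direction, or performance will deteriorate.", mixes a hard limit with a performance recommendation: "can contain no more than" reads as a cap the service enforces, while "or performance will deteriorate" implies additional rules are accepted but slow. State which it is, for example "Adding more than 20 rules in one direction is not recommended because it degrades forwarding performance", or give the enforced maximum if there is one. It is also worth saying in the procedure itself, since administrators who hit a per-direction budget tend to broaden existing rules rather than add narrower ones, which weakens the policy.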
@@ -36,51 +43,51 @@ Procedure .. table:: **Table 1** Parameter descriptions - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +========================+================================================================================================================================================================================================================================================================+=======================+ - | Priority | Priority of firewall rule. A smaller priority value represents a higher priority. Each network ACL includes a default rule whose priority value is an asterisk (``*``). Default rules have the lowest priority. | 3 | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Status | Status of a firewall. When you add a rule to it, its default status is **Enabled**. | Enabled | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be **TCP**, **UDP**, **All**, or **ICMP**. If **ICMP** or **All** is selected, you do not need to specify port information. | TCP | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - Security group: sg-A | | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. 
| | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - Security group: sg-A | | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | - | | | | - | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+========================================================================================================================================================================================+=======================+ + | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. | Allow | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | + | | | | + | | You can select **TCP**, **UDP**, **ICMP**, or **All**. 
| | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - Security group: sg-A | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. 
| 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - Security group: sg-A | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ 7. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001627054054.png 
diff --git a/umn/source/security/firewall/associating_subnets_with_a_firewall.rst b/umn/source/access_control/firewall/associating_subnets_with_a_firewall.rst similarity index 71% rename from umn/source/security/firewall/associating_subnets_with_a_firewall.rst rename to umn/source/access_control/firewall/associating_subnets_with_a_firewall.rst index eb4a1e2..9b7409a 100644 --- a/umn/source/security/firewall/associating_subnets_with_a_firewall.rst +++ b/umn/source/access_control/firewall/associating_subnets_with_a_firewall.rst @@ -8,7 +8,12 @@ Associating Subnets with a Firewall Scenarios --------- -On the page showing firewall details, you can associate desired subnets with a firewall. After a firewall is associated with a subnet, the firewall denies all traffic to and from the subnet until you add rules to allow traffic. +You can associate a firewall with a subnet to protect resources in the subnet. After a firewall is associated with a subnet, the firewall denies all traffic to and from the subnet until you add rules to allow traffic. + +Notes and Constraints +--------------------- + +You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time. Procedure --------- @@ -16,11 +21,19 @@ Procedure #. Log in to the management console. 2. Click |image1| in the upper left corner and select the desired region and project. + 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. + 5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + 6. On the displayed page, click the **Associated Subnets** tab. + 7. On the **Associated Subnets** page, click **Associate**. + 8. On the displayed page, select the subnets to be associated with the firewall, and click **OK**. .. note:: 
@@ -28,4 +41,4 @@ Procedure Subnets with firewalls associated will not be displayed on the page for you to select. If you want to associate such a subnet with another firewall, you must first disassociate the subnet from the original firewall. One-click subnet association and disassociation are not supported currently. A subnet can only be associated with one firewall. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626734158.png diff --git a/umn/source/security/firewall/changing_the_sequence_of_a_firewall_rule.rst b/umn/source/access_control/firewall/changing_the_sequence_of_a_firewall_rule.rst similarity index 91% rename from umn/source/security/firewall/changing_the_sequence_of_a_firewall_rule.rst rename to umn/source/access_control/firewall/changing_the_sequence_of_a_firewall_rule.rst index 4708ccf..f56ccf5 100644 --- a/umn/source/security/firewall/changing_the_sequence_of_a_firewall_rule.rst +++ b/umn/source/access_control/firewall/changing_the_sequence_of_a_firewall_rule.rst @@ -21,6 +21,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. 5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. @@ -32,4 +34,4 @@ Procedure The rule is inserted. The procedure for inserting an outbound rule is the same as that for inserting an inbound rule. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626894110.png 
diff --git a/umn/source/security/firewall/creating_a_firewall.rst b/umn/source/access_control/firewall/creating_a_firewall.rst similarity index 94% rename from umn/source/security/firewall/creating_a_firewall.rst rename to umn/source/access_control/firewall/creating_a_firewall.rst index e339786..32fdb05 100644 --- a/umn/source/security/firewall/creating_a_firewall.rst +++ b/umn/source/access_control/firewall/creating_a_firewall.rst @@ -8,7 +8,9 @@ Creating a Firewall Scenarios --------- -You can create a custom firewall. By default, a newly created firewall is disabled and has no inbound or outbound rules, or any subnets associated. Each user can create up to 200 firewalls by default. +You can create a custom firewall. By default, a newly created firewall is disabled and has no inbound or outbound rules, or any subnets associated. + +By default, you can create a maximum of 200 firewalls in a region. Procedure --------- @@ -19,6 +21,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. 5. In the right pane displayed, click **Create Firewall**. @@ -48,4 +52,4 @@ Procedure 7. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626574358.png diff --git a/umn/source/security/firewall/deleting_a_firewall.rst b/umn/source/access_control/firewall/deleting_a_firewall.rst similarity index 76% rename from umn/source/security/firewall/deleting_a_firewall.rst rename to umn/source/access_control/firewall/deleting_a_firewall.rst index 83438d3..057b698 100644 --- a/umn/source/security/firewall/deleting_a_firewall.rst +++ b/umn/source/access_control/firewall/deleting_a_firewall.rst 
@@ -16,9 +16,15 @@ Procedure #. Log in to the management console. 2. Click |image1| in the upper left corner and select the desired region and project. + 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. -5. Locate the firewall in the right pane, click **More** in the **Operation** column, and click **Delete**. + +5. Locate the firewall, click **More** in the **Operation** column, and click **Delete**. + 6. Click **Yes**. .. note:: @@ -26,4 +32,4 @@ Procedure Deleting a firewall will also disassociate its associated subnets and delete the firewall rules. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675613953.png diff --git a/umn/source/security/firewall/deleting_a_firewall_rule.rst b/umn/source/access_control/firewall/deleting_a_firewall_rule.rst similarity index 89% rename from umn/source/security/firewall/deleting_a_firewall_rule.rst rename to umn/source/access_control/firewall/deleting_a_firewall_rule.rst index 618b29e..278b692 100644 --- a/umn/source/security/firewall/deleting_a_firewall_rule.rst +++ b/umn/source/access_control/firewall/deleting_a_firewall_rule.rst 
@@ -16,10 +16,17 @@ Procedure #. Log in to the management console. 2. Click |image1| in the upper left corner and select the desired region and project. + 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. + 5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + 6. On the **Inbound Rules** or **Outbound Rules** tab, locate the row that contains the target rule and click **Delete** in the **Operation** column. + 7. Click **Yes** in the displayed dialog box. **Deleting Multiple Firewall Rules at a Time** @@ -27,4 +34,4 @@ Procedure You can also select multiple firewall rules and click **Delete** above the firewall rule list to delete multiple rules at a time. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001627054082.png diff --git a/umn/source/security/firewall/disassociating_a_subnet_from_a_firewall.rst b/umn/source/access_control/firewall/disassociating_a_subnet_from_a_firewall.rst similarity index 90% rename from umn/source/security/firewall/disassociating_a_subnet_from_a_firewall.rst rename to umn/source/access_control/firewall/disassociating_a_subnet_from_a_firewall.rst index 848807e..808b884 100644 --- a/umn/source/security/firewall/disassociating_a_subnet_from_a_firewall.rst +++ b/umn/source/access_control/firewall/disassociating_a_subnet_from_a_firewall.rst 
@@ -16,11 +16,19 @@ Procedure #. Log in to the management console. 2. Click |image1| in the upper left corner and select the desired region and project. + 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. + 5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + 6. On the displayed page, click the **Associated Subnets** tab. + 7. On the **Associated Subnets** page, locate the row that contains the target subnet and click **Disassociate** in the **Operation** column. + 8. Click **Yes** in the displayed dialog box. **Disassociating subnets from a firewall** @@ -28,4 +36,4 @@ Procedure Select multiple subnets and click **Disassociate** above the subnet list to disassociate the subnets from a firewall at a time. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675413845.png diff --git a/umn/source/security/firewall/enabling_or_disabling_a_firewall.rst b/umn/source/access_control/firewall/enabling_or_disabling_a_firewall.rst similarity index 69% rename from umn/source/security/firewall/enabling_or_disabling_a_firewall.rst rename to umn/source/access_control/firewall/enabling_or_disabling_a_firewall.rst index e2fa5ca..60c71ff 100644 --- a/umn/source/security/firewall/enabling_or_disabling_a_firewall.rst +++ b/umn/source/access_control/firewall/enabling_or_disabling_a_firewall.rst 
@@ -8,7 +8,7 @@ Enabling or Disabling a Firewall Scenarios --------- -After a firewall is created, you may need to enable it based on network security requirements. You can also disable an enabled firewall if need. Before enabling a firewall, ensure that subnets have been associated with the firewall and that inbound and outbound rules have been added to the firewall. +After a firewall is created, you may need to enable it based on network security requirements. You can also disable an enabled firewall if needed. Before enabling a firewall, ensure that subnets have been associated with the firewall and that inbound and outbound rules have been added to the firewall. When a firewall is disabled, custom rules will become invalid while default rules still take effect. Disabling a firewall may interrupt network traffic. For information about the default firewall rules, see :ref:`Default Firewall Rules `. @@ -18,10 +18,16 @@ Procedure #. Log in to the management console. 2. Click |image1| in the upper left corner and select the desired region and project. + 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. -5. Locate the row that contains the firewall in the right pane, click **More** in the **Operation** column, and click **Enable** or **Disable**. + +5. Locate the row that contains the firewall, click **More** in the **Operation** column, and click **Enable** or **Disable**. + 6. Click **Yes** in the displayed dialog box. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626894106.png 
diff --git a/umn/source/security/firewall/enabling_or_disabling_a_firewall_rule.rst b/umn/source/access_control/firewall/enabling_or_disabling_a_firewall_rule.rst similarity index 90% rename from umn/source/security/firewall/enabling_or_disabling_a_firewall_rule.rst rename to umn/source/access_control/firewall/enabling_or_disabling_a_firewall_rule.rst index 1684a77..6d66828 100644 --- a/umn/source/security/firewall/enabling_or_disabling_a_firewall_rule.rst +++ b/umn/source/access_control/firewall/enabling_or_disabling_a_firewall_rule.rst @@ -19,6 +19,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. 5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. @@ -30,4 +32,4 @@ Procedure The rule is enabled or disabled. The procedure for enabling or disabling an outbound rule is the same as that for enabling or disabling an inbound rule. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675254033.png diff --git a/umn/source/security/firewall/firewall_configuration_examples.rst b/umn/source/access_control/firewall/firewall_configuration_examples.rst similarity index 93% rename from umn/source/security/firewall/firewall_configuration_examples.rst rename to umn/source/access_control/firewall/firewall_configuration_examples.rst index 5a976f7..4f6d744 100644 --- a/umn/source/security/firewall/firewall_configuration_examples.rst +++ b/umn/source/access_control/firewall/firewall_configuration_examples.rst 
@@ -15,15 +15,15 @@ This section provides examples for configuring firewalls. Denying Access from a Specific Port ----------------------------------- -You might want to block TCP 445 to protect against the WannaCry ransomware attacks. You can add a firewall rule to deny all incoming traffic from TCP port 445. +You might want to block TCP port 445 to protect against the WannaCry ransomware attacks. You can add a firewall rule to deny all incoming traffic from TCP port 445. Firewall Configuration -:ref:`Table 1 ` lists the inbound rule required. +:ref:`Table 1 ` lists the inbound rules required. .. _acl_0002__table553618145582: -.. table:: **Table 1** firewall rules +.. table:: **Table 1** Firewall rules +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------+ | Direction | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description | @@ -35,7 +35,7 @@ Firewall Configuration .. note:: - - By default, a firewall denies all inbound traffic. You need to allow all inbound traffic if necessary. + - By default, a firewall denies all inbound traffic. You can add a rule to allow all inbound traffic if necessary. - If you want a deny rule to be matched first, insert the deny rule above the allow rule. For details, see :ref:`Changing the Sequence of a Firewall Rule `. .. _acl_0002__section61291659102216: 
@@ -47,11 +47,11 @@ In this example, an ECS in a subnet is used as the web server, and you need to a Firewall Configuration -:ref:`Table 2 ` lists the inbound rule required. +:ref:`Table 2 ` lists the inbound and outbound rules required. .. _acl_0002__table195634095313: -.. table:: **Table 2** firewall rules +.. table:: **Table 2** Firewall rules +-----------+--------+----------+-----------+-------------------+-------------+------------------------+------------------------------------------------------------------------------------------+ | Direction | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description | diff --git a/umn/source/security/firewall/firewall_overview.rst b/umn/source/access_control/firewall/firewall_overview.rst similarity index 91% rename from umn/source/security/firewall/firewall_overview.rst rename to umn/source/access_control/firewall/firewall_overview.rst index de893bb..d585350 100644 --- a/umn/source/security/firewall/firewall_overview.rst +++ b/umn/source/access_control/firewall/firewall_overview.rst @@ -11,7 +11,7 @@ A firewall is an optional layer of security for your subnets. After you associat .. _acl_0001__fig9582182315479: -.. figure:: /_static/images/en-us_image_0148244691.png +.. figure:: /_static/images/en-us_image_0000001699135873.png :alt: **Figure 1** Security groups and firewalls **Figure 1** Security groups and firewalls 
@@ -42,7 +42,7 @@ By default, each firewall has preset rules that allow the following packets: - Metadata packets with the destination 169.254.169.254/32 and TCP port number 80, which is used to obtain metadata. -- Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16) +- Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16). - A firewall denies all traffic in and out of a subnet excepting the preceding packets. :ref:`Table 1 ` shows the default rules. You cannot modify or delete the default rules. @@ -102,7 +102,5 @@ Configuration Procedure Notes and Constraints --------------------- -- By default, you can create a maximum of 200 firewalls in your cloud account. -- You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time. +- By default, each account can have up to 200 firewalls in a region. - A firewall can contain no more than 20 rules in one direction, or performance will deteriorate. -- For optimal performance, import no more than 40 firewall rules at a time. Existing rules will still be available after new rules are imported. Each rule can be imported only once. diff --git a/umn/source/security/firewall/index.rst b/umn/source/access_control/firewall/index.rst similarity index 100% rename from umn/source/security/firewall/index.rst rename to umn/source/access_control/firewall/index.rst diff --git a/umn/source/security/firewall/modifying_a_firewall.rst b/umn/source/access_control/firewall/modifying_a_firewall.rst similarity index 82% rename from umn/source/security/firewall/modifying_a_firewall.rst rename to umn/source/access_control/firewall/modifying_a_firewall.rst index 8e8dfc7..e201d2b 100644 --- a/umn/source/security/firewall/modifying_a_firewall.rst +++ b/umn/source/access_control/firewall/modifying_a_firewall.rst 
@@ -16,15 +16,24 @@ Procedure #. Log in to the management console. 2. Click |image1| in the upper left corner and select the desired region and project. + 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. + 5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + 6. On the displayed page, click |image3| on the right of **Name** and edit the firewall name. + 7. Click Y to save the new firewall name. -8. Click |image4| on the right of Description and edit the firewall description. + +8. Click |image4| on the right of **Description** and edit the firewall description. + 9. Click Y to save the new firewall description. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675413841.png .. |image3| image:: /_static/images/en-us_image_0142359884.png .. |image4| image:: /_static/images/en-us_image_0142359884.png diff --git a/umn/source/security/firewall/modifying_a_firewall_rule.rst b/umn/source/access_control/firewall/modifying_a_firewall_rule.rst similarity index 60% rename from umn/source/security/firewall/modifying_a_firewall_rule.rst rename to umn/source/access_control/firewall/modifying_a_firewall_rule.rst index a4caeba..df4f444 100644 --- a/umn/source/security/firewall/modifying_a_firewall_rule.rst +++ b/umn/source/access_control/firewall/modifying_a_firewall_rule.rst 
@@ -19,6 +19,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. 5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. 
@@ -35,51 +37,51 @@ Procedure .. table:: **Table 1** Parameter descriptions - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +========================+================================================================================================================================================================================================================================================================+=======================+ - | Priority | Priority of firewall rule. A smaller priority value represents a higher priority. Each network ACL includes a default rule whose priority value is an asterisk (``*``). Default rules have the lowest priority. | 3 | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Status | Status of a firewall. When you add a rule to it, its default status is **Enabled**. | Enabled | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a value from the drop-down list. The value can be **TCP**, **UDP**, **All**, or **ICMP**. If **ICMP** or **All** is selected, you do not need to specify port information. | TCP | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - Security group: sg-A | | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. 
| | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - Security group: sg-A | | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | - | | | | - | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+========================================================================================================================================================================================+=======================+ + | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. | Allow | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | + | | | | + | | You can select **TCP**, **UDP**, **ICMP**, or **All**. 
| | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - Security group: sg-A | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. 
| 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - Security group: sg-A | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ 7. Click **Confirm**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675613957.png 
diff --git a/umn/source/security/firewall/viewing_a_firewall.rst b/umn/source/access_control/firewall/viewing_a_firewall.rst similarity index 87% rename from umn/source/security/firewall/viewing_a_firewall.rst rename to umn/source/access_control/firewall/viewing_a_firewall.rst index 238258b..eb2ded4 100644 --- a/umn/source/security/firewall/viewing_a_firewall.rst +++ b/umn/source/access_control/firewall/viewing_a_firewall.rst @@ -16,10 +16,16 @@ Procedure #. Log in to the management console. 2. Click |image1| in the upper left corner and select the desired region and project. + 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Access Control** > **Firewalls**. + 5. Locate the target firewall and click its name to switch to the page showing details of that particular firewall. + 6. On the displayed page, click the **Inbound Rules**, **Outbound Rules**, and **Associated Subnets** tabs one by one to view details about inbound rules, outbound rules, and subnet associations. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675373917.png diff --git a/umn/source/security/index.rst b/umn/source/access_control/index.rst similarity index 92% rename from umn/source/security/index.rst rename to umn/source/access_control/index.rst index 43617e9..829a69e 100644 --- a/umn/source/security/index.rst +++ b/umn/source/access_control/index.rst @@ -2,8 +2,8 @@ .. _vpc_SecurityGroup_0000: -Security -======== +Access Control +============== - :ref:`Differences Between Security Groups and Firewalls ` - :ref:`Security Group ` 
diff --git a/umn/source/security/security_group/adding_a_security_group_rule.rst b/umn/source/access_control/security_group/adding_a_security_group_rule.rst similarity index 66% rename from umn/source/security/security_group/adding_a_security_group_rule.rst rename to umn/source/access_control/security_group/adding_a_security_group_rule.rst index 4ab1dd9..adc8d75 100644 --- a/umn/source/security/security_group/adding_a_security_group_rule.rst +++ b/umn/source/access_control/security_group/adding_a_security_group_rule.rst 
@@ -8,14 +8,33 @@ Adding a Security Group Rule Scenarios --------- -A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. +A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. -If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule. +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. -- Inbound rules control incoming traffic to cloud resources in the security group. -- Outbound rules control outgoing traffic from cloud resources in the security group. +Like whitelists, security group rules work as follows: -For details about the default security group rules, see :ref:`Default Security Groups and Security Group Rules `. For details about security group rule configuration examples, see :ref:`Security Group Configuration Examples `. +- Inbound rules control incoming traffic to instances in the security group. + + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. + + By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. 
+ +- Outbound rules control outgoing traffic from instances in the security group. + + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. + + 0.0.0.0/0 represents all IPv4 addresses. + + ::/0 represents all IPv6 addresses. + +If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specific TCP port, you can add an inbound rule to allow traffic on the TCP port. + +Security Group Rule Configuration Examples +------------------------------------------ + +- The system provides a default security group. For details about the default security group rules, see :ref:`Default Security Group and Its Rules `. If the default security group rules cannot meet your requirements, you can modify them. +- Before configuring security group rules, you need to plan access policies for instances in the security group. For details about common security group rule configuration examples, see :ref:`Security Group Configuration Examples `. Procedure --------- 
@@ -26,11 +45,21 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. + The security group list is displayed. -#. On the **Inbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an inbound rule. +#. Locate the row that contains the target security group, and click **Manage Rule** in the **Operation** column. + + The page for configuring security group rules is displayed. + +#. On the **Inbound Rules** tab, click **Add Rule**. + + The **Add Inbound Rule** dialog box is displayed. + +#. Configure required parameters. You can click **+** to add more inbound rules. 
@@ -45,11 +74,16 @@ Procedure +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+==========================================================================================================================================================================+=======================+ - | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can reach your ECS. The value can be from 1 to 65535. | 22, or 22-30 | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Type | IPv4 | IPv4 | + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Source | Source of the security group rule. 
The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | @@ -68,7 +102,15 @@ Procedure | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ -#. On the **Outbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an outbound rule. +#. Click **OK**. + + The inbound rule list is displayed. + +#. On the **Outbound Rules** tab, click **Add Rule**. + + The **Add Outbound Rule** dialog box is displayed. + +#. Configure required parameters. You can click **+** to add more outbound rules. 
@@ -83,11 +125,16 @@ Procedure +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+=============================================================================================================================================================================+=======================+ - | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Type | IPv4 | IPv4 | + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Destination | Destination of the security group rule. 
The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | @@ -106,5 +153,7 @@ Procedure #. Click **OK**. + The outbound rule list is displayed. + .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626734166.png diff --git a/umn/source/access_control/security_group/adding_an_instance_to_or_removing_an_instance_from_a_security_group.rst b/umn/source/access_control/security_group/adding_an_instance_to_or_removing_an_instance_from_a_security_group.rst new file mode 100644 index 0000000..e24950e --- /dev/null +++ b/umn/source/access_control/security_group/adding_an_instance_to_or_removing_an_instance_from_a_security_group.rst 
@@ -0,0 +1,84 @@ +:original_name: SecurityGroup_0017.html + +.. _SecurityGroup_0017: + +Adding an Instance to or Removing an Instance from a Security Group +=================================================================== + +Scenarios +--------- + +When you create an instance, the system automatically adds the instance to a security group for protection. + +- If one security group cannot meet your requirements, you can add an instance to multiple security groups. +- An instance must be added to at least one security group. If you want to change the security group for an instance, you can add the instance to a new security group and then remove the instance from the original security group. + +Adding an Instance to a Security Group +-------------------------------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + + The security group list is displayed. + +#. In the security group list, locate the row that contains the security group and click **Manage Instances** in the **Operation** column. + + The **Associated Instances** tab is displayed. + +#. Click an instance type. + + The following operations use **Servers** as an example. + +#. Click the **Servers** tab and click **Add**. + + The **Add Server** dialog box is displayed. + +#. In the server list, select one or more servers and click OK to add them to the current security group. + +Removing an Instance from a Security Group +------------------------------------------ + +An instance must be added to at least one security group. If you want to remove an instance from a security group, the instance must be associated with at least two security groups now. + +#. 
Log in to the management console. + +#. Click |image3| in the upper left corner and select the desired region and project. + +#. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + + The security group list is displayed. + +#. In the security group list, locate the row that contains the security group and click **Manage Instances** in the **Operation** column. + + The **Associated Instances** tab is displayed. + +#. Click an instance type. + + The following operations use **Servers** as an example. + +#. Click the **Servers** tab, select one or more servers, and click **Remove** in the upper left corner of the server list. + + A confirmation dialog box is displayed. + +#. Confirm the information and click **Yes**. + +Follow-Up Operations +-------------------- + +You can delete the security groups that you no longer need. Deleting a security group will also delete all security group rules in the security group. For details, see :ref:`Deleting a Security Group `. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001627054058.png +.. |image3| image:: /_static/images/en-us_image_0141273034.png +.. |image4| image:: /_static/images/en-us_image_0000001626734162.png diff --git a/umn/source/security/security_group/changing_the_security_group_of_an_ecs.rst b/umn/source/access_control/security_group/changing_the_security_group_of_an_ecs.rst similarity index 91% rename from umn/source/security/security_group/changing_the_security_group_of_an_ecs.rst rename to umn/source/access_control/security_group/changing_the_security_group_of_an_ecs.rst index a93952e..4467f82 100644 --- a/umn/source/security/security_group/changing_the_security_group_of_an_ecs.rst 
+++ b/umn/source/access_control/security_group/changing_the_security_group_of_an_ecs.rst @@ -24,12 +24,12 @@ Procedure The **Change Security Group** dialog box is displayed. - .. figure:: /_static/images/en-us_image_0122999741.png + .. figure:: /_static/images/en-us_image_0162733894.png :alt: **Figure 1** Change Security Group **Figure 1** Change Security Group -#. Select the target NIC and security groups as prompted. +#. Select the target NIC and security groups. You can select multiple security groups. In such a case, the rules of all the selected security groups will be aggregated to apply on the ECS. diff --git a/umn/source/security/security_group/cloning_a_security_group.rst b/umn/source/access_control/security_group/cloning_a_security_group.rst similarity index 53% rename from umn/source/security/security_group/cloning_a_security_group.rst rename to umn/source/access_control/security_group/cloning_a_security_group.rst index 66695e7..5248029 100644 --- a/umn/source/security/security_group/cloning_a_security_group.rst +++ b/umn/source/access_control/security_group/cloning_a_security_group.rst @@ -14,6 +14,7 @@ You can clone a security group in the following scenarios: - For example, you have security group **sg-A** in region A. If ECSs in region B require the same security group rules as those configured for security group **sg-A**, you can clone security group **sg-A** to region B, freeing you from creating a new security group in region B. - If you need new security group rules, you can clone the original security group as a backup. +- Before you modify security group rules used by a service, you can clone the security group and modify the security group rules in the test environment to ensure that the modified rules work. .. note:: 
@@ -22,7 +23,12 @@ You can clone a security group in the following scenarios: Notes and Constraints --------------------- -If you clone security group across regions, the system will clone only rules whose source and destination are CIDR blocks or are in the current security group. +- You can clone a security group from the same or a different region. + + - If you want to clone a security group from the same region, you can clone all rules in the security group. + - If you want to clone a security group from a different region, the system will clone only rules whose source and destination are IP addresses and rules whose source and destination is the current security group. + +- Cloning a security group clones its security group rules, but not the instances associated with the security group. Procedure --------- @@ -33,11 +39,15 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, locate the row that contains the target security group and choose **More** > **Clone** in the **Operation** column. + The security group list is displayed. -#. Set required parameters as prompted. +#. Locate the row that contains the security group, click **More** in the **Operation** column, and click **Clone**. + +#. Select the region and name of the new security group as prompted. .. figure:: /_static/images/en-us_image_0000001602035305.png 
@@ -45,7 +55,9 @@ Procedure **Figure 1** Clone Security Group -#. Click **OK**. You can then switch to the required region to view the cloned security group in the security group list. +#. Click **OK**. + + You can then switch to the required region to view the cloned security group in the security group list. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675373901.png diff --git a/umn/source/security/security_group/creating_a_security_group.rst b/umn/source/access_control/security_group/creating_a_security_group.rst similarity index 54% rename from umn/source/security/security_group/creating_a_security_group.rst rename to umn/source/access_control/security_group/creating_a_security_group.rst index b415adf..e6844a6 100644 --- a/umn/source/security/security_group/creating_a_security_group.rst +++ b/umn/source/access_control/security_group/creating_a_security_group.rst 
@@ -8,11 +8,18 @@ Creating a Security Group Scenarios --------- -You can create security groups and add ECSs in a VPC to different security groups to improve ECS access security. We recommend that you allocate ECSs that have different Internet access requirements to different security groups. +A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. -Each ECS must be associated with at least one security group. If you have no security group when creating an ECS, the system provides a default security group. +If your instances have different Internet access requirements, you can allocate them to different security groups when creating them. -You have an option to create a new security group for the ECS. This section describes how to create a security group on the management console. +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. + +Notes and Constraints +--------------------- + +If you have not created any security groups yet, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. + +The default security group name is **default**. For details, see :ref:`Default Security Group and Its Rules `. Procedure --------- 
@@ -23,11 +30,17 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click **Create Security Group**. + The security group list is displayed. -#. In the **Create Security Group** area, set the parameters as prompted. :ref:`Table 1 ` lists the parameters to be configured. +#. In the upper right corner, click **Create Security Group**. + + The **Create Security Group** page is displayed. + +#. Configure the parameters as prompted. .. figure:: /_static/images/en-us_image_0000001197426329.png 
@@ -35,39 +48,43 @@ Procedure **Figure 1** Create Security Group - .. _en-us_topic_0013748715__table65377617111335: - .. table:: **Table 1** Parameter description - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Parameter | Description | Example Value | - +=======================+=======================================================================================================================================================================================================================================================+============================+ - | Name | The security group name. This parameter is mandatory. | sg-318b | - | | | | - | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | - | | | | - | | .. note:: | | - | | | | - | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Enterprise Project | When creating a security group, you can add the security group to an enabled enterprise project. | default | - | | | | - | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. 
| | - | | | | - | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Template | A template comes with default security group rules, helping you quickly create security groups. The following templates are provided: | General-purpose web server | - | | | | - | | - **Custom**: This template allows you to create security groups with custom security group rules. | | - | | - **General-purpose web server**: The security group that you create using this template is for general-purpose web servers and includes default rules that allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443, and 3389. | | - | | - **All ports open**: The security group that you create using this template includes default rules that allow inbound traffic on any port. Note that allowing inbound traffic on any port poses security risks. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Description | Supplementary information about the security group. This parameter is optional. | N/A | - | | | | - | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Parameter | Description | Example Value | + +=======================+=======================================================================================================================================================================================================================================================================+============================+ + | Name | Mandatory | sg-AB | + | | | | + | | Enter the security group name. | | + | | | | + | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + | | | | + | | .. note:: | | + | | | | + | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Enterprise Project | Mandatory | default | + | | | | + | | When creating a security group, you can add the security group to an enabled enterprise project. 
| | + | | | | + | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Template | Mandatory | General-purpose web server | + | | | | + | | A template comes with default security group rules, helping you quickly create security groups. The following templates are provided: | | + | | | | + | | - **Custom**: This template allows you to create security groups with custom security group rules. | | + | | - **General-purpose web server** (default value): The security group that you create using this template is for general-purpose web servers and includes default rules that allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443, and 3389. | | + | | - **All ports open**: The security group that you create using this template includes default rules that allow inbound traffic on any port. Note that allowing inbound traffic on any port poses security risks. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Description | Optional | N/A | + | | | | + | | Supplementary information about the security group. This parameter is optional. | | + | | | | + | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ -#. Click **OK**. +#. Confirm the inbound and outbound rules of the template and click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001627054062.png diff --git a/umn/source/security/security_group/default_security_groups_and_security_group_rules.rst b/umn/source/access_control/security_group/default_security_group_and_its_rules.rst similarity index 67% rename from umn/source/security/security_group/default_security_groups_and_security_group_rules.rst rename to umn/source/access_control/security_group/default_security_group_and_its_rules.rst index 3d7394c..dc6f8da 100644 --- a/umn/source/security/security_group/default_security_groups_and_security_group_rules.rst +++ b/umn/source/access_control/security_group/default_security_group_and_its_rules.rst 
@@ -2,13 +2,13 @@ .. _SecurityGroup_0003: -Default Security Groups and Security Group Rules -================================================ +Default Security Group and Its Rules +==================================== -The system creates a default security group for each account. By default, the default security group rules: +If you have not created any security group, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. A default security group has the following rules: -- Allow all outbound packets: Instances in the default security group can send requests to and receive responses from instances in other security groups. -- Deny all inbound packets: Requests from instances in other security groups will be denied by the default security group. +- Inbound rules control incoming traffic to instances in a security group. Only instances in the same security group can communicate with each other, and all inbound requests are denied. +- Outbound rules allow all outbound traffic and response traffic to the outbound requests. .. figure:: /_static/images/en-us_image_0000001230120807.png 
@@ -18,8 +18,8 @@ The system creates a default security group for each account. By default, the de .. note:: - - You cannot delete the default security group, but you can modify the rules for the default security group. - - If two ECSs are in the same security group but in different VPCs, the ECSs cannot communicate with each other. To enable communications between the ECSs, use a VPC peering connection to connect the two VPCs. + - You cannot delete the default security group, but you can modify existing rules or add rules to the group. + - The default security group is automatically created to simplify the process of creating an instance for the first time. The default security group denies all external requests. To log in to an instance, add a security group rule by referring to :ref:`Remotely Logging In to an ECS from a Local Server `. :ref:`Table 1 ` describes the default rules for the default security group. diff --git a/umn/source/security/security_group/deleting_a_security_group.rst b/umn/source/access_control/security_group/deleting_a_security_group.rst similarity index 73% rename from umn/source/security/security_group/deleting_a_security_group.rst rename to umn/source/access_control/security_group/deleting_a_security_group.rst index 34f080c..c288840 100644 --- a/umn/source/security/security_group/deleting_a_security_group.rst +++ b/umn/source/access_control/security_group/deleting_a_security_group.rst 
@@ -8,16 +8,14 @@ Deleting a Security Group Scenarios --------- -This section describes how to delete security groups. +If your security group is no longer required, you can delete it. Notes and Constraints --------------------- - The default security group is named **default** and cannot be deleted. -- A security group cannot be deleted if it is being used by instances, such as cloud servers, containers, and databases. - - If you need to delete such a security group, delete the instances or change the security group used by the instance first. +- If you want to delete a security group that is associated with instances, such as cloud servers, containers, and databases, you need to remove the instances from the security group first. For details, see :ref:`Adding an Instance to or Removing an Instance from a Security Group `. - A security group cannot be deleted if it is used as the source or destination of a rule in another security group. @@ -34,6 +32,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. The security group list is displayed. @@ -45,4 +45,4 @@ Procedure #. Confirm the information and click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626574362.png diff --git a/umn/source/access_control/security_group/deleting_a_security_group_rule.rst b/umn/source/access_control/security_group/deleting_a_security_group_rule.rst new file mode 100644 index 0000000..251fdfd --- /dev/null +++ b/umn/source/access_control/security_group/deleting_a_security_group_rule.rst 
@@ -0,0 +1,52 @@ +:original_name: vpc_SecurityGroup_0006.html + +.. _vpc_SecurityGroup_0006: + +Deleting a Security Group Rule +============================== + +Scenarios +--------- + +If your security group rule is no longer required, you can delete it. + +Notes and Constraints +--------------------- + +Security group rules use whitelists. Deleting a security group rule may result in ECS access failures. Security group rules work as follows: + +- Inbound rule: If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. +- Outbound rule: If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + + The security group list is displayed. + +5. In the security group list, click the name of the security group. + + The security group details page is displayed. + +6. Click the **Inbound Rules** or **Outbound Rules** tab as required. + + The security group rule list is displayed. + +7. In the security group rule list: + + - To delete a single security group rule, locate the row that contains the rule and click **Delete** in the **Operation** column. + - To delete multiple security group rules, select multiple security group rules and click **Delete** in the upper left corner of the rule list. + +8. Click **Yes**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001675413825.png 
diff --git a/umn/source/access_control/security_group/fast-adding_security_group_rules.rst b/umn/source/access_control/security_group/fast-adding_security_group_rules.rst new file mode 100644 index 0000000..7928959 --- /dev/null +++ b/umn/source/access_control/security_group/fast-adding_security_group_rules.rst 
@@ -0,0 +1,123 @@ +:original_name: SecurityGroup_0004.html + +.. _SecurityGroup_0004: + +Fast-Adding Security Group Rules +================================ + +Scenarios +--------- + +The fast-adding rule function of security groups allows you to quickly add rules with common ports and protocols for remote login, ping tests, common web services, and database services. + +Procedure +--------- + +#. Log in to the management console. + +2. Click |image1| in the upper left corner and select the desired region and project. + +3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + +4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + + The security group list is displayed. + +5. Locate the row that contains the target security group and click **Manage Rule** in the **Operation** column. + + The page for configuring security group rules is displayed. + +6. On the **Inbound Rules** tab, click **Fast-Add Rule**. + + The **Fast-Add Inbound Rule** dialog box is displayed. + +7. Configure required parameters. + + + .. figure:: /_static/images/en-us_image_0211552164.png + :alt: **Figure 1** Fast-Add Inbound Rule + + **Figure 1** Fast-Add Inbound Rule + + .. 
table:: **Table 1** Inbound rule parameter description + + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+==============================================================================================================================================================================+=======================+ + | Protocols and Ports | Common protocols and ports are provided for: | SSH (22) | + | | | | + | | - Remote login and ping | | + | | - Web services | | + | | - Databases | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | Source of the security group rule. The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. You can specify: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + | | | | + | | If the source is a security group, this rule will apply to all instances associated with the selected security group. 
| | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | (Optional) Supplementary information about the security group rule. | ``-`` | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +8. Click **OK**. + + The inbound rule list is displayed and you can view your added rule. + +9. On the **Outbound Rules** tab, click **Fast-Add Rule**. + + The **Fast-Add Outbound Rule** dialog box is displayed. + +10. Configure required parameters. + + + .. figure:: /_static/images/en-us_image_0211560998.png + :alt: **Figure 2** Fast-Add Outbound Rule + + **Figure 2** Fast-Add Outbound Rule + + .. 
table:: **Table 2** Outbound rule parameter description + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=================================================================================================================================================================================+=======================+ + | Protocols and Ports | Common protocols and ports are provided for: | SSH (22) | + | | | | + | | - Remote login and ping | | + | | - Web services | | + | | - Databases | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. 
You can specify: | 0.0.0.0/0 | + | | | | + | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | + | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | + | | - 0.0.0.0/0 (all IPv4 addresses) | | + | | - sg-abc (security group) | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | (Optional) Supplementary information about the security group rule. | ``-`` | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +11. Click **OK**. + + The outbound rule list is displayed and you can view your added rule. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001675373905.png diff --git a/umn/source/security/security_group/importing_and_exporting_security_group_rules.rst b/umn/source/access_control/security_group/importing_and_exporting_security_group_rules.rst similarity index 64% rename from umn/source/security/security_group/importing_and_exporting_security_group_rules.rst rename to umn/source/access_control/security_group/importing_and_exporting_security_group_rules.rst index bc8fac3..3a8afd2 100644 --- a/umn/source/security/security_group/importing_and_exporting_security_group_rules.rst +++ b/umn/source/access_control/security_group/importing_and_exporting_security_group_rules.rst 
@@ -8,24 +8,37 @@ Importing and Exporting Security Group Rules Scenarios --------- -- If you want to quickly create or restore security group rules, you can import existing rules to the security group. +You can configure security group rules in an Excel file and import the rules to the security group. You can also export security group rules to an Excel file. You are advised to use this function in the following scenarios: + +- If you want to quickly create or restore a security group rule, you can import your exported security group rule file to the security group. - If you want to back up security group rules locally, you can export the rules to an Excel file. - If you want to quickly apply the rules of one security group to another, or if you want to modify multiple rules of the current security group at once, you can import or export existing rules. Notes and Constraints --------------------- -- When modifying exported security group rules, you can only modify existing fields in the exported file based on the template and cannot add new fields or modify the field names. Otherwise, the file will fail to be imported. -- Duplicate rules are not allowed. +- The security group rules to be imported must be configured based on the template. Do not add parameters or change existing parameters. Otherwise, the import will fail. +- Duplicate rules are not allowed, you can delete the rule and try again. Procedure --------- #. Log in to the management console. + #. Click |image1| in the upper left corner and select the desired region and project. + #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click the security group name. + + The security group list is displayed. + +#. On the security group list, click the name of the target security group. 
+ + The security group details page is displayed. + #. Export and import security group rules. - Click |image3| to export all rules of the current security group to an Excel file. 
@@ -38,36 +51,38 @@ Procedure .. table:: **Table 1** Template parameters - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+=============================================================================================================================================================================+=======================+ - | Direction | The direction in which the security group rule takes effect. | Inbound | - | | | | - | | - Inbound rules control incoming traffic to cloud resources in the security group. | | - | | - Outbound rules control outgoing traffic from cloud resources in the security group. | | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source | Source of the security group rule. The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. 
For example: | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - Security group: sg-A | | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the security group rule. This parameter is optional. | ``-`` | - | | | | - | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ + | Parameter | Description | Example Value | + +=======================+=============================================================================================================================================================================+====================================+ + | Direction | The direction in which the security group rule takes effect. 
| Inbound | + | | | | + | | - **Inbound**: Inbound rules control incoming traffic to instances in the security group. | | + | | - **Outbound**: Outbound rules control outgoing traffic from instances in the security group. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ + | | **Port**: The port or port range over which traffic can reach your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ + | Source | Source of the security group rule. The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. 
For example: | sg-test[96a8a93f-XXX-d7872990c314] | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - Security group: sg-A | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ + | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | sg-test[96a8a93f-XXX-d7872990c314] | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | ``-`` | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675254013.png .. |image3| image:: /_static/images/en-us_image_0142360062.png .. |image4| image:: /_static/images/en-us_image_0142360094.png 
diff --git a/umn/source/security/security_group/index.rst b/umn/source/access_control/security_group/index.rst similarity index 78% rename from umn/source/security/security_group/index.rst rename to umn/source/access_control/security_group/index.rst index 5a4b40c..d3a2872 100644 --- a/umn/source/security/security_group/index.rst +++ b/umn/source/access_control/security_group/index.rst @@ -5,20 +5,20 @@ Security Group ============== -- :ref:`Security Group Overview ` -- :ref:`Default Security Groups and Security Group Rules ` +- :ref:`Security Groups and Security Group Rules ` +- :ref:`Default Security Group and Its Rules ` - :ref:`Security Group Configuration Examples ` - :ref:`Creating a Security Group ` -- :ref:`Adding a Security Group Rule ` -- :ref:`Fast-Adding Security Group Rules ` -- :ref:`Replicating a Security Group Rule ` -- :ref:`Modifying a Security Group Rule ` -- :ref:`Deleting a Security Group Rule ` -- :ref:`Importing and Exporting Security Group Rules ` -- :ref:`Deleting a Security Group ` -- :ref:`Adding Instances to and Removing Them from a Security Group ` - :ref:`Cloning a Security Group ` - :ref:`Modifying a Security Group ` +- :ref:`Deleting a Security Group ` +- :ref:`Adding a Security Group Rule ` +- :ref:`Fast-Adding Security Group Rules ` +- :ref:`Modifying a Security Group Rule ` +- :ref:`Replicating a Security Group Rule ` +- :ref:`Importing and Exporting Security Group Rules ` +- :ref:`Deleting a Security Group Rule ` +- :ref:`Adding an Instance to or Removing an Instance from a Security Group ` - :ref:`Viewing the Security Group of an ECS ` - :ref:`Changing the Security Group of an ECS ` 
@@ -26,19 +26,19 @@ Security Group :maxdepth: 1 :hidden: - security_group_overview - default_security_groups_and_security_group_rules + security_groups_and_security_group_rules + default_security_group_and_its_rules security_group_configuration_examples creating_a_security_group - adding_a_security_group_rule - fast-adding_security_group_rules - replicating_a_security_group_rule - modifying_a_security_group_rule - deleting_a_security_group_rule - importing_and_exporting_security_group_rules - deleting_a_security_group - adding_instances_to_and_removing_them_from_a_security_group cloning_a_security_group modifying_a_security_group + deleting_a_security_group + adding_a_security_group_rule + fast-adding_security_group_rules + modifying_a_security_group_rule + replicating_a_security_group_rule + importing_and_exporting_security_group_rules + deleting_a_security_group_rule + adding_an_instance_to_or_removing_an_instance_from_a_security_group viewing_the_security_group_of_an_ecs changing_the_security_group_of_an_ecs diff --git a/umn/source/access_control/security_group/modifying_a_security_group.rst b/umn/source/access_control/security_group/modifying_a_security_group.rst new file mode 100644 index 0000000..5a6798e --- /dev/null +++ b/umn/source/access_control/security_group/modifying_a_security_group.rst 
@@ -0,0 +1,37 @@ +:original_name: vpc_SecurityGroup_0010.html + +.. _vpc_SecurityGroup_0010: + +Modifying a Security Group +========================== + +**Scenarios** +------------- + +After a security group is created, you can change its name and description. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + +#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. + + The security group list is displayed. + +#. Locate the row that contains the security group, click **More** in the **Operation** column, and click **Modify**. + + The **Modify Security Group** dialog box is displayed. + +#. Modify the name and description of the security group as required. + +#. Click **OK** to save the modification. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001626894086.png diff --git a/umn/source/security/security_group/modifying_a_security_group_rule.rst b/umn/source/access_control/security_group/modifying_a_security_group_rule.rst similarity index 54% rename from umn/source/security/security_group/modifying_a_security_group_rule.rst rename to umn/source/access_control/security_group/modifying_a_security_group_rule.rst index 7ecafef..ffc6be5 100644 --- a/umn/source/security/security_group/modifying_a_security_group_rule.rst +++ b/umn/source/access_control/security_group/modifying_a_security_group_rule.rst 
@@ -14,12 +14,28 @@ Procedure --------- #. Log in to the management console. + #. Click |image1| in the upper left corner and select the desired region and project. + #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click the security group name. -#. On the displayed page, locate the row that contains the security group rule to be modified, and click **Modify** in the **Operation** column. -#. Modify the rule and click **Confirm**. + + The security group list is displayed. + +#. In the security group list, click the name of the security group. + + The security group details page is displayed. + +#. Click the **Inbound Rules** or **Outbound Rules** tab as required. + + The security group rule list is displayed. + +#. Locate the row that contains the rule and click **Modify** in the **Operation** column. + +#. Modify the security group rule information as prompted and click **Confirm**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675613937.png diff --git a/umn/source/access_control/security_group/replicating_a_security_group_rule.rst b/umn/source/access_control/security_group/replicating_a_security_group_rule.rst new file mode 100644 index 0000000..4559c3a --- /dev/null +++ b/umn/source/access_control/security_group/replicating_a_security_group_rule.rst 
@@ -0,0 +1,39 @@ +:original_name: vpc_SecurityGroup_0004.html + +.. _vpc_SecurityGroup_0004: + +Replicating a Security Group Rule +================================= + +**Scenarios** +------------- + +You can replicate an existing security group rule and modify it to quickly generate a new rule. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner and select the desired region and project. + +#. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + +#. In the security group list, click the name of the security group. + + The security group details page is displayed. + +#. Click the **Inbound Rules** or **Outbound Rules** tab as required. + + The security group rule list is displayed. + +#. Locate the row that contains the rule and click **Replicate** in the **Operation** column. + + The **Replicate Inbound Rule** dialog box is displayed. + +#. Modify the security group rule information as prompted and click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001626894090.png diff --git a/umn/source/access_control/security_group/security_group_configuration_examples.rst b/umn/source/access_control/security_group/security_group_configuration_examples.rst new file mode 100644 index 0000000..916f963 --- /dev/null +++ b/umn/source/access_control/security_group/security_group_configuration_examples.rst 
@@ -0,0 +1,201 @@ +:original_name: en-us_topic_0081124350.html + +.. _en-us_topic_0081124350: + +Security Group Configuration Examples +===================================== + +Here are some common security group configuration examples for different scenarios, including remote login to ECSs, website access, and internal communication between instances in different security groups. + +Generally, a security group denies all external requests by default. You need to add inbound rules to a security group based on the whitelist principle to allow specific external requests to access instances in the security group. + +- :ref:`Remotely Logging In to an ECS from a Local Server ` +- :ref:`Remotely Connecting to an ECS from a Local Server to Upload or Download Files ` +- :ref:`Setting Up a Website on an ECS to Provide Services Externally ` +- :ref:`Using ping Command to Verify Network Connectivity ` +- :ref:`Enabling ECSs In Different Security Groups to Communicate Through an Internal Network ` +- :ref:`ECS Providing Database Access Service ` +- :ref:`Allowing ECSs to Access Only Specific External Websites ` + +By default, all outbound rules of a security group allow all requests from instances in the security group to access external networks. :ref:`Table 1 ` lists the rules. + +.. _en-us_topic_0081124350__table102261597217: + +.. table:: **Table 1** Default outbound rules in a security group + + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Destination | Description | + +===========+======+=================+=============+=================================================================================================+ + | Outbound | IPv4 | All | 0.0.0.0/0 | This rule allows access from instances in the security group to any IPv4 address over any port. 
| + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ + | Outbound | IPv6 | All | ::/0 | This rule allows access from instances in the security group to any IPv6 address over any port. | + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ + +.. _en-us_topic_0081124350__section14933617154810: + +Remotely Logging In to an ECS from a Local Server +------------------------------------------------- + +A security group denies all external requests by default. To remotely log in to an ECS from a local server, add an inbound security group rule based on the OS running on the ECS. + +- To remotely log in to a Linux ECS using SSH, enable the SSH (22) port. For details, see :ref:`Table 2 `. + +- To remotely log in to a Windows ECS using RDP, enable the RDP (3389) port. For details, see :ref:`Table 3 `. + + .. _en-us_topic_0081124350__table20321112045011: + + .. table:: **Table 2** Remotely logging in to a Linux ECS using SSH + + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 TCP: 22 IP address: 0.0.0.0/0 + ========= ==== =============== ===================== + + .. _en-us_topic_0081124350__table1579314381815: + + .. table:: **Table 3** Remotely logging in to a Windows ECS using RDP + + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 TCP: 3389 IP address: 0.0.0.0/0 + ========= ==== =============== ===================== + + .. important:: + + If the source is set to 0.0.0.0/0, remotely logging in to the ECS through any IP address is allowed. To ensure security, set the source to a specific IP address based on service requirements. 
For details about the configuration example, see :ref:`Table 4 `. + + .. _en-us_topic_0081124350__table1919016251434: + + .. table:: **Table 4** Remotely logging in to an ECS using a specified IP address + + =========== ========= ==== =============== ========================== + ECS Type Direction Type Protocol & Port Source + =========== ========= ==== =============== ========================== + Linux ECS Inbound IPv4 TCP: 22 IP address: 192.168.0.0/24 + Windows ECS Inbound IPv4 TCP: 3389 IP address: 10.10.0.0/24 + =========== ========= ==== =============== ========================== + +.. _en-us_topic_0081124350__section8685162114185: + +Remotely Connecting to an ECS from a Local Server to Upload or Download Files +----------------------------------------------------------------------------- + +By default, a security group denies all external requests. If you need to remotely connect to an ECS from a local server to upload or download files, you need to enable FTP ports 20 and 21. + +.. table:: **Table 5** Remotely connecting to an ECS from a local server to upload or download files + + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 TCP: 20-21 IP address: 0.0.0.0/0 + ========= ==== =============== ===================== + +.. important:: + + You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly. + +.. _en-us_topic_0081124350__section316061115481: + +Setting Up a Website on an ECS to Provide Services Externally +------------------------------------------------------------- + +A security group denies all external requests by default. If you have set up a website on an ECS that can be accessed externally, you need to add an inbound rule to the ECS security group to allow access over specific ports, such as HTTP (80) and HTTPS (443). + +.. 
table:: **Table 6** Setting up a website on an ECS to provide services externally + + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 TCP: 80 IP address: 0.0.0.0/0 + Inbound IPv4 TCP: 443 IP address: 0.0.0.0/0 + ========= ==== =============== ===================== + +.. _en-us_topic_0081124350__section29561427142511: + +Using **ping** Command to Verify Network Connectivity +----------------------------------------------------- + +By default, a security group denies all external requests. If you need to run the **ping** command on an ECS to verify network connectivity, add an inbound rule to the ECS security group to allow access over the ICMP port. + +.. table:: **Table 7** Using **ping** command to verify network connectivity + + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 ICMP: All IP address: 0.0.0.0/0 + Inbound IPv6 ICMP: All IP address: ::/0 + ========= ==== =============== ===================== + +.. _en-us_topic_0081124350__section094514632817: + +Enabling ECSs In Different Security Groups to Communicate Through an Internal Network +------------------------------------------------------------------------------------- + +ECSs in the same VPC but associated with different security groups cannot communicate with each other. If you want to share data between ECSs in a VPC, for example, ECSs in security group sg-A need to access MySQL databases in security group sg-B, you need to add an inbound rule to security group sg-B to allow access from ECSs in security group sg-A over MySQL port 3306. + +.. 
table:: **Table 8** Enabling instances in different security groups to communicate through an internal network + + ========= ==== =============== ==================== + Direction Type Protocol & Port Source + ========= ==== =============== ==================== + Inbound IPv4 TCP: 3306 Security group: sg-A + ========= ==== =============== ==================== + +.. _en-us_topic_0081124350__section7465183583515: + +ECS Providing Database Access Service +------------------------------------- + +A security group denies all external requests by default. If you have deployed the database service on an ECS and need to allow other ECSs to access the database service through an internal network, you need to add an inbound rule to the security group of the ECS with the database service deployed to allow access over ports, for example, MySQL (3306), Oracle (1521), MS SQL (1433), PostgreSQL (5432) and Redis (6379). + +.. table:: **Table 9** ECS providing database access service + + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Source | Description | + +===========+======+=================+============================+===============================================================================================================================+ + | Inbound | IPv4 | TCP: 3306 | Security group: sg-A | This rule allows ECSs in security group sg-A to access the MySQL database service. | + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 1521 | Security group: sg-B | This rule allows ECSs in security group sg-B to access the Oracle database service. 
| + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 1433 | IP address: 172.16.3.21/32 | This rule allows the ECS whose private IP address is 172.16.3.21 to access the MS SQL database service. | + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 5432 | IP address: 192.168.0.0/24 | This rule allows ECSs whose private IP addresses are in the 192.168.0.0/24 network to access the PostgreSQL database service. | + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + +.. important:: + + In this example, the source is for reference only. Set the source address based on actual requirements. + +.. _en-us_topic_0081124350__section949023514612: + +Allowing ECSs to Access Only Specific External Websites +------------------------------------------------------- + +By default, a security group allows all outbound traffic. :ref:`Table 11 ` lists the default rules. If you want to allow ECSs to access only specific websites, configure the security groups of the ECSs as follows: + +#. First, add outbound rules to allow traffic over specific ports and to specific IP addresses. + + .. 
table:: **Table 10** Enabling instances in different security groups to communicate through an internal network + + ========= ==== =============== ========================= + Direction Type Protocol & Port Source + ========= ==== =============== ========================= + Outbound IPv4 TCP: 80 IP address: 132.15.XX.XX + Outbound IPv4 TCP: 443 IP address: 145.117.XX.XX + ========= ==== =============== ========================= + +#. Then, delete the original outbound rules that allow all traffic shown in :ref:`Table 11 `. + + .. _en-us_topic_0081124350__table5759161135518: + + .. table:: **Table 11** Default outbound rules in a security group + + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Destination | Description | + +===========+======+=================+=============+=================================================================================================+ + | Outbound | IPv4 | All | 0.0.0.0/0 | This rule allows access from instances in the security group to any IPv4 address over any port. | + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ + | Outbound | IPv6 | All | ::/0 | This rule allows access from instances in the security group to any IPv6 address over any port. | + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ diff --git a/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst b/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst new file mode 100644 index 0000000..1879e47 --- /dev/null +++ b/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst 
@@ -0,0 +1,122 @@ +:original_name: en-us_topic_0073379079.html + +.. _en-us_topic_0073379079: + +Security Groups and Security Group Rules +======================================== + +Security Groups +--------------- + +A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted. After a security group is created, you can create various access rules for the security group, these rules will apply to all cloud resources added to this security group. + +If you have not created any security group yet, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. For details about the default security group, see :ref:`Default Security Group and Its Rules `. + +Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. + +Security groups use connection tracking to track traffic to and from instances that they contain and security group rules are applied based on the connection status of the traffic to determine whether to allow or deny traffic. + +- If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection tracking of all instances in the security group will be automatically cleared. The inbound or outbound traffic of the instance will be considered as new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and the security of incoming traffic. 
+ +- If there is no inbound or outbound traffic of an instance for a long time, the traffic will be considered as new connections after the connection tracking times out, and the connections need to match the outbound and inbound rules. The timeout period of connection tracking varies according to the protocol. The timeout period of a TCP connection in the established state is 600s, and the timeout period of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked. + +Security Group Rules +-------------------- + +A security group has inbound and outbound rules to control traffic that's allowed to reach or leave the instances associated with the security group. You can specify protocol, port, source/destination for a security group rule. :ref:`Table 1 ` describes key information about a security group rule. + +.. _en-us_topic_0073379079__table1919155115499: + +.. table:: **Table 1** Security group rule information + + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+========================================================================================================================================================================================================================+ + | Protocol | The network protocol used to match traffic in a security group rule. Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. 
| + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Port | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | + | | | + | | - Inbound rules control incoming traffic over specific ports to instances in the security group. | + | | - Outbound rules control outgoing traffic over specific ports from instances in the security group. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source (Inbound) | The source in an inbound rule is used to match the IP address or address range of an external request. The source can be: | + | | | + | | - IP address: | + | | | + | | - Example IPv4 address: 192.168.10.10/32 | + | | - Example IPv6 address: 2002:50::44/128 | + | | - Example IPv4 address range: 192.168.52.0/24 All IPv4 addresses: 0.0.0.0/0 | + | | - Example IPv6 address range: 2407:c080:802:469::/64 All IPv6 addresses: ::/0 | + | | | + | | - Security group: You can select another security group in the same region under the current account as the source. | + | | | + | | For example, instance A is in security group A and instance B is in security group B. If security group A has a rule with **Source** set to security group B, access from instance B is allowed to instance A. 
| + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Destination (Outbound) | The destination in an outbound rule is used to match the IP address or address range of an internal request. The destination can be: | + | | | + | | - IP address: | + | | | + | | - Example IPv4 address: 192.168.10.10/32 | + | | - Example IPv6 address: 2002:50::44/128 | + | | - Example IPv4 address range: 192.168.52.0/24 All IPv4 addresses: 0.0.0.0/0 | + | | - Example IPv6 address range: 2407:c080:802:469::/64 All IPv6 addresses: ::/0 | + | | | + | | - Security group: You can select another security group in the same region under the current account as the destination. | + | | | + | | For example, instance A is in security group A and instance B is in security group B. If security group A has a rule with **Destination** set to security group B, access from instance A is allowed to instance B. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Like whitelists, security group rules work as follows: + +- Inbound rules control incoming traffic to instances in the security group. + + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. + + By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. + +- Outbound rules control outgoing traffic from instances in the security group. + + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. 
+ + 0.0.0.0/0 represents all IPv4 addresses. + + ::/0 represents all IPv6 addresses. + +:ref:`Table 2 ` uses custom security group sg-AB as an example to describe its inbound and outbound rules in detail. + +.. _en-us_topic_0073379079__table102261597217: + +.. table:: **Table 2** Rules in security group sg-AB + + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Source/Destination | Description | + +===========+======+=================+========================+==============================================================================================================================+ + | Inbound | IPv4 | All | Source: sg-AB | Allows ECSs in the security group to communicate with each other. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 22 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access ECSs in the security group over port 22 (SSH) for remotely logging in to Linux ECSs. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 3389 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access ECSs in the security group over port 3389 (RDP) for remotely logging in to Windows ECSs. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 80 | Source: 10.5.6.30/32 | Allows IP address 10.5.6.30 to access ECSs in the security group over port 80. 
| + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Outbound | IPv4 | All | Destination: 0.0.0.0/0 | Allows access from ECSs in the security group to any IPv4 address over any port. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Outbound | IPv6 | All | Destination: ::/0 | Allows access from ECSs in the security group to any IPv6 address over any port. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + +.. important:: + + - After a port is enabled in a security group rule, ensure that the port in the instance is also enabled to ensure normal network communication. + - Generally, instances in the same security group can communicate with each other by default. If instances in the same security group cannot communicate with each other, the possible causes are as follows: + + - The inbound rule for communication between instances in the same security group is deleted. + + - Different VPCs cannot communicate with each other. The instances belong to the same security group but different VPCs. + + You can use :ref:`VPC peering connections ` to connect VPCs in different regions. + +Security Group Constraints +-------------------------- + +- By default, you can create a maximum of 100 security groups in your cloud account. +- By default, you can add up to 50 security group rules to a security group. 
diff --git a/umn/source/security/security_group/viewing_the_security_group_of_an_ecs.rst b/umn/source/access_control/security_group/viewing_the_security_group_of_an_ecs.rst similarity index 80% rename from umn/source/security/security_group/viewing_the_security_group_of_an_ecs.rst rename to umn/source/access_control/security_group/viewing_the_security_group_of_an_ecs.rst index 0cc3518..2abb587 100644 --- a/umn/source/security/security_group/viewing_the_security_group_of_an_ecs.rst +++ b/umn/source/access_control/security_group/viewing_the_security_group_of_an_ecs.rst @@ -17,7 +17,7 @@ Procedure #. Click |image1| in the upper left corner and select the desired region and project. -#. Under **Computing**, click **Elastic Cloud Server**. +#. In the upper left corner of the page, click |image2|. In the service list, choose **Computing** > **Elastic Cloud Server**. The ECS list is displayed. @@ -30,3 +30,4 @@ Procedure You can view the security groups associated with the ECS and the inbound and outbound rules. .. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001675413821.png diff --git a/umn/source/change_history.rst b/umn/source/change_history.rst index ad6b13c..de4e8b9 100644 --- a/umn/source/change_history.rst +++ b/umn/source/change_history.rst 
@@ -8,9 +8,75 @@ Change History +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Released On | Description | +===================================+====================================================================================================================================================================================================================================================================================================================================+ +| 2023-10-10 | This release incorporates the following changes: | +| | | +| | - Added the figure for configuring route tables in :ref:`Route Table `. | +| | - Modified :ref:`Step 4: Add a Security Group Rule `. | +| | | +| | - Changed the location of parameter **Type**. | +| | - Added protocol **GRE**. | +| | | +| | - Modified :ref:`Step 5: Add a Security Group Rule ` and :ref:`Adding a Security Group Rule `. | +| | | +| | - Added description that each ECS must be associated with at least one security group. | +| | - Modified description about port. | +| | - Changed the location of parameter **Type**. | +| | - Added protocol **GRE**. | +| | | +| | - Added the function of adding multiple tags for search in :ref:`Managing VPC Tags `. | +| | - Added figures and modified steps in :ref:`Viewing and Deleting Resources in a Subnet `. | +| | - Modified :ref:`Security Groups and Security Group Rules `. | +| | | +| | - Added protocol **GRE** and deleted content about **Action**. | +| | - Modified description about security group sg-AB. | +| | - Added description about security group configuration. | +| | - Added support for IPv6. 
| +| | | +| | - Changed the section name in :ref:`Default Security Group and Its Rules `. | +| | - Optimized description in :ref:`Creating a Security Group `. | +| | - Modified the figure and added parameter **Type** in :ref:`Fast-Adding Security Group Rules `. | +| | - Modified notes and constraints in :ref:`Importing and Exporting Security Group Rules `. | +| | - Added description about the maximum number of security groups that can be created in :ref:`Creating a Firewall `. | +| | - Modified figures and parameter settings in :ref:`Adding a Firewall Rule `. | +| | - Added the route table quota in notes and constraints in :ref:`Creating a Custom Route Table `. | +| | - Added constraints on the maximum number of routes that can be added to a route table in :ref:`Adding a Custom Route `. | +| | - Modified :ref:`Creating a VPC Peering Connection with Another VPC in Your Account `. | +| | | +| | - Added description that you need to add routes to the route tables of the local and peer VPCs after creating a VPC peering connection. | +| | - Added parameter **Description** for creating a VPC peering connection. | +| | | +| | - Added parameter **Description** for creating a VPC peering connection in :ref:`Creating a VPC Peering Connection with a VPC in Another Account `. | +| | | +| | - Added description about the maximum number of flow log records that can be recorded in :ref:`VPC Flow Log Overview `. | +| | - Modified the section name and scenarios in :ref:`Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) `. | +| | - Modified the verification procedure in :ref:`Creating a User and Granting VPC Permissions `. 
| ++-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2023-09-08 | This release incorporates the following changes: | +| | | +| | Updated the following content: | +| | | +| | - Optimized description in :ref:`Step 4: Add a Security Group Rule `. | +| | - Optimized the procedure for verifying IAM permissions in :ref:`Creating a User and Granting VPC Permissions `. | ++-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2023-07-18 | This release incorporates the following changes: | +| | | +| | Updated the following content: | +| | | +| | Added description about enabling shared SNAT using an API in :ref:`Shared SNAT `. | +| | | +| | Security group | +| | | +| | Firewall | ++-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2023-06-12 | This release incorporates the following changes: | +| | | +| | Updated the following content: | +| | | +| | Added description about viewing monitoring metrics in :ref:`Viewing Metrics `. 
| ++-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2023-05-26 | This release incorporates the following changes: | | | | -| | Added the following section: | +| | Added the following content: | | | | | | Added information about cloning a security group in :ref:`Cloning a Security Group `. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -110,7 +176,7 @@ Change History +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2020-05-30 | Added the following content: | | | | -| | Added basic information to :ref:`Security Group Overview ` and :ref:`Firewall Overview `. | +| | Added basic information to :ref:`Security Groups and Security Group Rules ` and :ref:`Firewall Overview `. | | | | | | Modified the following content: | | | | 
@@ -144,7 +210,7 @@ Change History | | - Optimized figure examples in this document. | | | - Optimized descriptions in :ref:`Firewall Configuration Examples `. | | | - Optimized descriptions in :ref:`Firewall Overview `. | -| | - Changed the position of :ref:`Security `. | +| | - Changed the position of :ref:`Access Control `. | | | - Optimized :ref:`What Is a Quota? ` | | | | | | Deleted the following content: | @@ -162,7 +228,7 @@ Change History +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2019-12-13 | Added the following content: | | | | -| | - Added restrictions on ports and port ranges in :ref:`Security Group Overview `. | +| | - Added restrictions on ports and port ranges in :ref:`Security Groups and Security Group Rules `. | | | - Added description about IP address groups in :ref:`Importing and Exporting Security Group Rules `. | | | - Added impacts caused by IP address group modification or deletion in "Managing an IP Address Group". | | | | @@ -177,7 +243,7 @@ Change History | | - Optimized figure examples in this document. | | | - Optimized descriptions in :ref:`Firewall Configuration Examples `. | | | - Optimized descriptions in :ref:`Firewall Overview `. | -| | - Changed the position of :ref:`Security `. | +| | - Changed the position of :ref:`Access Control `. | | | | | | Deleted the following content: | | | | 
@@ -224,14 +290,14 @@ Change History | | Modified the following content: | | | | | | - Modified description about **NTP Server Address** in :ref:`Modifying a Subnet `. | -| | - Modified description about replication in the "Default Route Table and Custom Route Table" part in :ref:`Route Table Overview `. | -| | - Modified descriptions about system routes and custom routes in :ref:`Route Table Overview `. | -| | - Modified description about usage restrictions in :ref:`Route Table Overview `. | +| | - Modified description about replication in the "Default Route Table and Custom Route Table" part in :ref:`Route Tables and Routes `. | +| | - Modified descriptions about system routes and custom routes in :ref:`Route Tables and Routes `. | +| | - Modified description about usage restrictions in :ref:`Route Tables and Routes `. | | | | | | Deleted the following content: | | | | | | - Deleted parameter **Enterprise Project** from the document. | -| | - Deleted the Cloud Connect service from the "Default Route Table and Custom Route Table" part in :ref:`Route Table Overview `. | +| | - Deleted the Cloud Connect service from the "Default Route Table and Custom Route Table" part in :ref:`Route Tables and Routes `. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2019-08-02 | Added the following content based on the RM-584 requirements: | | | | diff --git a/umn/source/elastic_ip/assigning_an_eip_and_binding_it_to_an_ecs.rst b/umn/source/elastic_ip/assigning_an_eip_and_binding_it_to_an_ecs.rst index 711e2f0..1ff3f9e 100644 --- a/umn/source/elastic_ip/assigning_an_eip_and_binding_it_to_an_ecs.rst 
+++ b/umn/source/elastic_ip/assigning_an_eip_and_binding_it_to_an_ecs.rst @@ -67,8 +67,6 @@ Assigning an EIP | Enterprise Project | The enterprise project that the EIP belongs to. | default | | | | | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | - | | | | - | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Bandwidth Name | The name of the bandwidth. | bandwidth | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ diff --git a/umn/source/elastic_ip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst b/umn/source/elastic_ip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst index 03c4ace..2db8bb8 100644 --- a/umn/source/elastic_ip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst +++ b/umn/source/elastic_ip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst 
@@ -22,7 +22,7 @@ Notes and Constraints - You are advised to bind BGP EIPs to or unbind them from dedicated load balancers. - EIP assigned together with your load balancers will also be displayed in the EIP list. -- You can only release EIPs that are not bound to any resources. +- Only EIPs with no instance bound can be released. If you want to release an EIP with an instance bound, you need to unbind EIP from the instance first. Procedure --------- @@ -32,7 +32,7 @@ Procedure #. Log in to the management console. #. Click |image1| in the upper left corner and select the desired region and project. #. Click |image2| in the upper left corner and choose **Network** > **Elastic IP**. -#. On the displayed page, locate the row that contains the target EIP, and click **Unbind**. +#. On the displayed page, locate the row that contains the EIP, and click **Unbind**. #. Click **Yes** in the displayed dialog box. **Releasing a single EIP** diff --git a/umn/source/faq/bandwidth/how_do_i_buy_a_shared_bandwidth.rst b/umn/source/faq/bandwidth/how_do_i_buy_a_shared_bandwidth.rst deleted file mode 100644 index 974d645..0000000 --- a/umn/source/faq/bandwidth/how_do_i_buy_a_shared_bandwidth.rst +++ /dev/null @@ -1,15 +0,0 @@ -:original_name: vpc_faq_0035.html - -.. _vpc_faq_0035: - -How Do I Buy a Shared Bandwidth? -================================ - -#. Log in to the management console. -#. Click |image1| in the upper left corner and select the desired region and project. -#. Click |image2| in the upper left corner and choose **Network** > **Elastic IP**. -#. In the navigation pane on the left, choose **Shared Bandwidths**. -#. In the upper right corner, click **Assign Shared Bandwidth**. On the displayed page, configure parameters as prompted to assign a shared bandwidth. - -.. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001454059512.png 
diff --git a/umn/source/faq/bandwidth/index.rst b/umn/source/faq/bandwidth/index.rst index 09f2fb0..b35debe 100644 --- a/umn/source/faq/bandwidth/index.rst +++ b/umn/source/faq/bandwidth/index.rst @@ -8,7 +8,6 @@ Bandwidth - :ref:`What Is the Bandwidth Size Range? ` - :ref:`What Bandwidth Types Are Available? ` - :ref:`What Are the Differences Between a Dedicated Bandwidth and a Shared Bandwidth? Can a Dedicated Bandwidth Be Changed to a Shared Bandwidth or the Other Way Around? ` -- :ref:`How Do I Buy a Shared Bandwidth? ` .. toctree:: :maxdepth: 1 @@ -17,4 +16,3 @@ Bandwidth what_is_the_bandwidth_size_range what_bandwidth_types_are_available what_are_the_differences_between_a_dedicated_bandwidth_and_a_shared_bandwidth_can_a_dedicated_bandwidth_be_changed_to_a_shared_bandwidth_or_the_other_way_around - how_do_i_buy_a_shared_bandwidth diff --git a/umn/source/faq/bandwidth/what_bandwidth_types_are_available.rst b/umn/source/faq/bandwidth/what_bandwidth_types_are_available.rst index 7df0e75..96fc9bf 100644 --- a/umn/source/faq/bandwidth/what_bandwidth_types_are_available.rst +++ b/umn/source/faq/bandwidth/what_bandwidth_types_are_available.rst @@ -5,4 +5,4 @@ What Bandwidth Types Are Available? =================================== -There are dedicated bandwidth and shared bandwidth. A dedicated bandwidth can only be used by one EIP, but a shared bandwidth can be used by multiple EIPs. +There are dedicated bandwidths and shared bandwidths. A dedicated bandwidth can only be used by one EIP, but a shared bandwidth can be used by multiple EIPs. diff --git a/umn/source/faq/eips/how_do_i_access_an_ecs_with_an_eip_bound_from_the_internet.rst b/umn/source/faq/eips/how_do_i_access_an_ecs_with_an_eip_bound_from_the_internet.rst index 7c32ff7..29c444b 100644 --- a/umn/source/faq/eips/how_do_i_access_an_ecs_with_an_eip_bound_from_the_internet.rst +++ b/umn/source/faq/eips/how_do_i_access_an_ecs_with_an_eip_bound_from_the_internet.rst 
@@ -7,7 +7,7 @@ How Do I Access an ECS with an EIP Bound from the Internet? Each ECS is automatically added to a security group after being created to ensure its security. The security group denies access traffic from the Internet by default. To allow external access to ECSs in the security group, add an inbound rule to the security group. -You can set **Protocol** to **TCP**, **UDP**, **ICMP**, or **All** as required on the page for creating a security group rule. +You can set **Protocol** to **TCP**, **UDP**, **ICMP**, **GRE**, or **All** as required on the page for creating a security group rule. - If your ECS needs to be accessible over the Internet and you know the IP address used to access the ECS, set **Source** to the IP address range containing the IP address. diff --git a/umn/source/faq/security/how_many_firewalls_can_i_create.rst b/umn/source/faq/security/how_many_firewalls_can_i_create.rst deleted file mode 100644 index ab1055c..0000000 --- a/umn/source/faq/security/how_many_firewalls_can_i_create.rst +++ /dev/null @@ -1,8 +0,0 @@ -:original_name: vpc_faq_0072.html - -.. _vpc_faq_0072: - -How Many Firewalls Can I Create? -================================ - -You can create up to 200 firewalls. It is recommended that you configure no more than 20 inbound or outbound rules for each firewall. If you configure more than 20 inbound or outbound rules for a firewall, forwarding performance will deteriorate. diff --git a/umn/source/faq/security/how_many_security_groups_can_i_create.rst b/umn/source/faq/security/how_many_security_groups_can_i_create.rst deleted file mode 100644 index b84715f..0000000 --- a/umn/source/faq/security/how_many_security_groups_can_i_create.rst +++ /dev/null 
@@ -1,10 +0,0 @@ -:original_name: vpc_faq_0040.html - -.. _vpc_faq_0040: - -How Many Security Groups Can I Create? -====================================== - -Each account can have up to 100 security groups and 5000 security group rules. - -When you create an ECS, you can select multiple security groups, but it is recommended that you select no more than five. diff --git a/umn/source/faq/security/index.rst b/umn/source/faq/security/index.rst index 787188c..7aaef8a 100644 --- a/umn/source/faq/security/index.rst +++ b/umn/source/faq/security/index.rst @@ -5,10 +5,9 @@ Security ======== +- :ref:`Why Can't I Delete a Security Group? ` - :ref:`Can I Change the Security Group of an ECS? ` -- :ref:`How Many Security Groups Can I Create? ` - :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? ` -- :ref:`How Many Firewalls Can I Create? ` - :ref:`Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? ` - :ref:`Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict? ` @@ -16,9 +15,8 @@ Security :maxdepth: 1 :hidden: + why_cant_i_delete_a_security_group can_i_change_the_security_group_of_an_ecs - how_many_security_groups_can_i_create how_do_i_configure_a_security_group_for_multi-channel_protocols - how_many_firewalls_can_i_create does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict diff --git a/umn/source/faq/security/why_cant_i_delete_a_security_group.rst b/umn/source/faq/security/why_cant_i_delete_a_security_group.rst new file mode 100644 index 0000000..0682f0b --- /dev/null +++ b/umn/source/faq/security/why_cant_i_delete_a_security_group.rst 
@@ -0,0 +1,16 @@ +:original_name: faq_security_0003.html + +.. _faq_security_0003: + +Why Can't I Delete a Security Group? +==================================== + +- The default security group is named **default** and cannot be deleted. + +- If you want to delete a security group that is associated with instances, such as cloud servers, containers, and databases, you need to remove the instances from the security group first. + +- A security group cannot be deleted if it is used as the source or destination of a rule in another security group. + + You need to delete or modify the rule first and delete the security group. + + For example, if the source of a rule in security group **sg-B** is set to **sg-A**, you need to delete or modify the rule in **sg-B** before deleting **sg-A**. diff --git a/umn/source/faq/vpc_peering_connections/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst b/umn/source/faq/vpc_peering_connections/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst index 4db7cfd..3f105ce 100644 --- a/umn/source/faq/vpc_peering_connections/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst +++ b/umn/source/faq/vpc_peering_connections/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst 
@@ -137,7 +137,7 @@ Incorrect Network Configuration #. Check whether security group rules of the ECSs that need to communicate allow inbound traffic from each other by referring to :ref:`Viewing the Security Group of an ECS `. - If the ECSs are associated with the same security group, you do not need to check their rules. - - If the ECSs are associated with different security groups, add an inbound rule to allow access from each other by referring to :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network `. + - If the ECSs are associated with different security groups, add an inbound rule to allow access from each other by referring to :ref:`Security Group Configuration Examples `. #. Check whether the firewall of the ECS NIC blocks traffic. diff --git a/umn/source/faq/vpcs_and_subnets/can_subnets_communicate_with_each_other.rst b/umn/source/faq/vpcs_and_subnets/can_subnets_communicate_with_each_other.rst index 38e7aeb..6d684da 100644 --- a/umn/source/faq/vpcs_and_subnets/can_subnets_communicate_with_each_other.rst +++ b/umn/source/faq/vpcs_and_subnets/can_subnets_communicate_with_each_other.rst @@ -5,7 +5,8 @@ Can Subnets Communicate with Each Other? ======================================== -Subnets in the same VPC can communicate with each other, but subnets in different VPCs cannot communicate with each other by default. However, you can create VPC peering connections to enable subnets in different VPCs to communicate with each other. +- Subnets in the same VPC can communicate with each other by default. +- VPCs are isolated from each other. Subnets from different VPCs cannot communicate with each other. You can use a VPC peering connection to enable communication between VPCs in the same region. .. note:: diff --git a/umn/source/faq/vpcs_and_subnets/what_subnet_cidr_blocks_are_available.rst b/umn/source/faq/vpcs_and_subnets/what_subnet_cidr_blocks_are_available.rst index 115d849..067d789 100644 
--- a/umn/source/faq/vpcs_and_subnets/what_subnet_cidr_blocks_are_available.rst +++ b/umn/source/faq/vpcs_and_subnets/what_subnet_cidr_blocks_are_available.rst @@ -5,4 +5,6 @@ What Subnet CIDR Blocks Are Available? ====================================== -A subnet CIDR block must be included in its VPC CIDR block. Supported VPC CIDR blocks are **10.0.0.0/8-24**, **172.16.0.0/12-24**, and **192.168.0.0/16-24**. The allowed block size of a subnet is between the netmask of its VPC CIDR block and the /29 netmask. +A subnet is an IP address range from a VPC. The VPC service supports CIDR blocks 10.0.0.0/8-24, 172.16.0.0/12-24, and 192.168.0.0/16-24. + +Subnets must reside within your VPC, and the subnet masks used to define them can be between the netmask of its VPC CIDR block and /29 netmask. diff --git a/umn/source/faq/vpcs_and_subnets/which_cidr_blocks_are_available_for_the_vpc_service.rst b/umn/source/faq/vpcs_and_subnets/which_cidr_blocks_are_available_for_the_vpc_service.rst index 32287a9..6f067aa 100644 --- a/umn/source/faq/vpcs_and_subnets/which_cidr_blocks_are_available_for_the_vpc_service.rst +++ b/umn/source/faq/vpcs_and_subnets/which_cidr_blocks_are_available_for_the_vpc_service.rst 
@@ -10,14 +10,18 @@ The following table lists the private CIDR blocks that you can specify when crea - Number of IP addresses: Reserve sufficient IP addresses in case of business growth. - IP address range: Avoid IP address conflicts if you need to connect a VPC to an on-premises data center or connect two VPCs. -The VPC service supports the following CIDR blocks: +:ref:`Table 1 ` lists the supported VPC CIDR blocks. -+-------------------+-----------------------------+--------------------------------+ -| VPC CIDR Block | IP Address Range | Maximum Number of IP Addresses | -+===================+=============================+================================+ -| 10.0.0.0/8-24 | 10.0.0.0-10.255.255.255 | 2^24-2=16777214 | -+-------------------+-----------------------------+--------------------------------+ -| 172.16.0.0/12-24 | 172.16.0.0-172.31.255.255 | 2^20-2=1048574 | -+-------------------+-----------------------------+--------------------------------+ -| 192.168.0.0/16-24 | 192.168.0.0-192.168.255.255 | 2^16-2=65534 | -+-------------------+-----------------------------+--------------------------------+ +.. _vpc_faq_0004__table3240172772213: + +.. table:: **Table 1** VPC CIDR blocks + + +-------------------+-----------------------------+--------------------------------+ + | VPC CIDR Block | IP Address Range | Maximum Number of IP Addresses | + +===================+=============================+================================+ + | 10.0.0.0/8-24 | 10.0.0.0-10.255.255.255 | 2^24-2=16777214 | + +-------------------+-----------------------------+--------------------------------+ + | 172.16.0.0/12-24 | 172.16.0.0-172.31.255.255 | 2^20-2=1048574 | + +-------------------+-----------------------------+--------------------------------+ + | 192.168.0.0/16-24 | 192.168.0.0-192.168.255.255 | 2^16-2=65534 | + +-------------------+-----------------------------+--------------------------------+ 
diff --git a/umn/source/faq/vpcs_and_subnets/why_cant_i_delete_my_vpcs_and_subnets.rst b/umn/source/faq/vpcs_and_subnets/why_cant_i_delete_my_vpcs_and_subnets.rst index 4d32cd9..97a7da5 100644 --- a/umn/source/faq/vpcs_and_subnets/why_cant_i_delete_my_vpcs_and_subnets.rst +++ b/umn/source/faq/vpcs_and_subnets/why_cant_i_delete_my_vpcs_and_subnets.rst @@ -26,7 +26,7 @@ You can refer to :ref:`Table 1 ` to delete sub +=================================================================================================+============================================================================+============================================================================================================================================================+ | You do not have permission to perform this operation. | Your account does not have permissions to delete subnets. | Contact the account administrator to grant permissions to your account and then delete the subnet. | +-------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Delete custom routes from the associated route table of the subnet and then delete the subnet. | The route table has custom routes with the following as the next hop type: | Delete the custom route from the route table and then delete the subnet. | + | Delete custom routes from the associated route table of the subnet and then delete the subnet. | The route table has custom routes with the following as the next hop type: | Delete the custom routes from the route table and then delete the subnet. | | | | | | | - Server | #. :ref:`Viewing the Route Table Associated with a Subnet ` | | | - Extension NIC | #. :ref:`Deleting a Route ` | 
@@ -37,7 +37,7 @@ You can refer to :ref:`Table 1 ` to delete sub | | | | | | | :ref:`Releasing a Virtual IP Address ` | +-------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Release any private IP addresses configured in the subnet and then delete the subnet. | The subnet has virtual IP addresses that are not used by any instance. | On the **IP Addresses** tab, view and release these private IP addresses and then delete the subnet. | + | Release any private IP addresses configured in the subnet and then delete the subnet. | The subnet has virtual IP addresses that are not used by any instance. | On the **IP Addresses** tab, release these private IP addresses that are not required and then delete the subnet. | | | | | | | | #. :ref:`Viewing IP Addresses in a Subnet ` | | | | #. In the private IP address list, locate the IP address that is not being used and click **Release** in the **Operation** column. | diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/index.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/index.rst index 0256770..4efe30f 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/index.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/index.rst @@ -11,6 +11,8 @@ Configuring a VPC for ECSs That Access the Internet Using EIPs #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. Click **Create VPC**. #. On the **Create VPC** page, set parameters as prompted. 
@@ -19,91 +21,89 @@ Configuring a VPC for ECSs That Access the Internet Using EIPs .. table:: **Table 1** VPC parameter descriptions - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Category | Parameter | Description | Example Value | - +=====================================+========================+=========================================================================================================================================================================================================================================================================================================+=====================+ - | Basic Information | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | Name | The VPC name. | VPC-001 | - | | | | | - | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). | 192.168.0.0/16 | - | | | | | - | | | The following CIDR blocks are supported: | | - | | | | | - | | | 10.0.0.0/8-24 | | - | | | | | - | | | 172.16.0.0/12-24 | | - | | | | | - | | | 192.168.0.0/16-24 | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | Enterprise Project | The enterprise project to which the VPC belongs. | default | - | | | | | - | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | - | | | | | - | | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information/Advanced Settings | Tag | The VPC tag, which consists of a key and value pair. You can add a maximum of 20 tags to each VPC. | - Key: vpc_key1 | - | | | | - Value: vpc-01 | - | | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information/Advanced Settings | Description | Supplementary information about the VPC. This parameter is optional. | N/A | - | | | | | - | | | The VPC description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | Name | The subnet name. | Subnet | - | | | | | - | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. 
| 192.168.0.1 | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | - | | | | | - | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. | | - | | | | | - | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | - | | | | - Value: subnet-01 | - | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. This parameter is optional. | N/A | - | | | | | - | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Category | Parameter | Description | Example Value | + +=====================================+========================+=============================================================================================================================================================================================================================================================+=====================+ + | Basic Information | Region | Select the region nearest to you to ensure the lowest latency possible. | eu-de | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Name | The VPC name. | VPC-001 | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | IPv4 CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). | 192.168.0.0/16 | + | | | | | + | | | The following CIDR blocks are supported: | | + | | | | | + | | | 10.0.0.0/8-24 | | + | | | | | + | | | 172.16.0.0/12-24 | | + | | | | | + | | | 192.168.0.0/16-24 | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Enterprise Project | The enterprise project to which the VPC belongs. | default | + | | | | | + | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information/Advanced Settings | Tag | The VPC tag, which consists of a key and value pair. You can add a maximum of 20 tags to each VPC. 
| - Key: vpc_key1 | + | | | | - Value: vpc-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information/Advanced Settings | Description | Supplementary information about the VPC. This parameter is optional. | N/A | + | | | | | + | | | The VPC description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Name | The subnet name. | Subnet | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. 
| 192.168.0.0/24 | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| 100.125.x.x | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | | + | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If you do not specify this parameter, no additional NTP server IP addresses will be added. | | + | | | | | + | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | | - Value: subnet-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. 
This parameter is optional. | N/A | + | | | | | + | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ .. _en-us_topic_0017816228__en-us_topic_0013935842_table248245914136: .. table:: **Table 2** VPC tag key and value requirements - +-----------------------+----------------------------------------------------------------------------+-----------------------+ - | Parameter | Requirements | Example Value | - +=======================+============================================================================+=======================+ - | Key | - Cannot be left blank. | vpc_key1 | - | | - Must be unique for the same VPC and can be the same for different VPCs. | | - | | - Can contain a maximum of 36 characters. | | - | | - Can contain only the following character types: | | - | | | | - | | - Uppercase letters | | - | | - Lowercase letters | | - | | - Digits | | - | | - Special characters, including hyphens (-) and underscores (_) | | - +-----------------------+----------------------------------------------------------------------------+-----------------------+ - | Value | - Can contain a maximum of 43 characters. 
| vpc-01 | - | | - Can contain only the following character types: | | - | | | | - | | - Uppercase letters | | - | | - Lowercase letters | | - | | - Digits | | - | | - Special characters, including hyphens (-) and underscores (_) | | - +-----------------------+----------------------------------------------------------------------------+-----------------------+ + +-----------------------+------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+========================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for each VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+------------------------------------------------------------------------+-----------------------+ .. _en-us_topic_0017816228__en-us_topic_0013935842_table6536185812515: diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_1_create_a_vpc.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_1_create_a_vpc.rst index cd828ea..e2cda31 100644 
--- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_1_create_a_vpc.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_1_create_a_vpc.rst @@ -21,6 +21,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. Click **Create VPC**. #. On the **Create VPC** page, set parameters as prompted. 
@@ -29,91 +31,89 @@ Procedure .. table:: **Table 1** VPC parameter descriptions - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Category | Parameter | Description | Example Value | - +=====================================+========================+=========================================================================================================================================================================================================================================================================================================+=====================+ - | Basic Information | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | Name | The VPC name. | VPC-001 | - | | | | | - | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). | 192.168.0.0/16 | - | | | | | - | | | The following CIDR blocks are supported: | | - | | | | | - | | | 10.0.0.0/8-24 | | - | | | | | - | | | 172.16.0.0/12-24 | | - | | | | | - | | | 192.168.0.0/16-24 | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | Enterprise Project | The enterprise project to which the VPC belongs. | default | - | | | | | - | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | - | | | | | - | | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information/Advanced Settings | Tag | The VPC tag, which consists of a key and value pair. You can add a maximum of 20 tags to each VPC. | - Key: vpc_key1 | - | | | | - Value: vpc-01 | - | | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information/Advanced Settings | Description | Supplementary information about the VPC. This parameter is optional. | N/A | - | | | | | - | | | The VPC description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | Name | The subnet name. | Subnet | - | | | | | - | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. 
| 192.168.0.1 | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | - | | | | | - | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. | | - | | | | | - | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | - | | | | - Value: subnet-01 | - | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. This parameter is optional. | N/A | - | | | | | - | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Category | Parameter | Description | Example Value | + +=====================================+========================+=============================================================================================================================================================================================================================================================+=====================+ + | Basic Information | Region | Select the region nearest to you to ensure the lowest latency possible. | eu-de | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Name | The VPC name. | VPC-001 | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | IPv4 CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). | 192.168.0.0/16 | + | | | | | + | | | The following CIDR blocks are supported: | | + | | | | | + | | | 10.0.0.0/8-24 | | + | | | | | + | | | 172.16.0.0/12-24 | | + | | | | | + | | | 192.168.0.0/16-24 | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Enterprise Project | The enterprise project to which the VPC belongs. | default | + | | | | | + | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information/Advanced Settings | Tag | The VPC tag, which consists of a key and value pair. You can add a maximum of 20 tags to each VPC. 
| - Key: vpc_key1 | + | | | | - Value: vpc-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information/Advanced Settings | Description | Supplementary information about the VPC. This parameter is optional. | N/A | + | | | | | + | | | The VPC description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Name | The subnet name. | Subnet | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. 
| 192.168.0.0/24 | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| 100.125.x.x | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | | + | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If you do not specify this parameter, no additional NTP server IP addresses will be added. | | + | | | | | + | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | | - Value: subnet-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. 
This parameter is optional. | N/A | + | | | | | + | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ .. _vpc_qs_0009__en-us_topic_0013935842_table248245914136: .. table:: **Table 2** VPC tag key and value requirements - +-----------------------+----------------------------------------------------------------------------+-----------------------+ - | Parameter | Requirements | Example Value | - +=======================+============================================================================+=======================+ - | Key | - Cannot be left blank. | vpc_key1 | - | | - Must be unique for the same VPC and can be the same for different VPCs. | | - | | - Can contain a maximum of 36 characters. | | - | | - Can contain only the following character types: | | - | | | | - | | - Uppercase letters | | - | | - Lowercase letters | | - | | - Digits | | - | | - Special characters, including hyphens (-) and underscores (_) | | - +-----------------------+----------------------------------------------------------------------------+-----------------------+ - | Value | - Can contain a maximum of 43 characters. 
| vpc-01 | - | | - Can contain only the following character types: | | - | | | | - | | - Uppercase letters | | - | | - Lowercase letters | | - | | - Digits | | - | | - Special characters, including hyphens (-) and underscores (_) | | - +-----------------------+----------------------------------------------------------------------------+-----------------------+ + +-----------------------+------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+========================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for each VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+------------------------------------------------------------------------+-----------------------+ .. _vpc_qs_0009__en-us_topic_0013935842_table6536185812515: diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_2_create_a_subnet_for_the_vpc.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_2_create_a_subnet_for_the_vpc.rst index f636c1b..da22c06 100644 
--- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_2_create_a_subnet_for_the_vpc.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_2_create_a_subnet_for_the_vpc.rst @@ -21,6 +21,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. 5. Click **Create Subnet**. 
@@ -37,33 +39,37 @@ Procedure .. table:: **Table 1** Parameter descriptions - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +========================+=============================================================================================================================================================================================================================================+=======================+ - | VPC | The VPC for which you want to create a subnet. | ``-`` | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Name | The subnet name. | Subnet | - | | | | - | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. 
| 192.168.0.0/24 | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Gateway | The gateway address of the subnet. | 192.168.0.1 | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | - | | | | - | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. 
If this parameter is left empty, no IP address of the NTP server is added. | | - | | | | - | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | - | | | - Value: subnet-01 | - | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +======================================+=============================================================================================================================================================================================================================================================+=======================+ + | VPC | The VPC for which you want to create a subnet. 
| ``-`` | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Name | The subnet name. | Subnet | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/Gateway | The gateway address of the subnet. 
| 192.168.0.1 | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If you do not specify this parameter, no additional NTP server IP addresses will be added. | | + | | | | + | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. 
| - Key: subnet_key1 | + | | | - Value: subnet-01 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/Description | Supplementary information about the subnet. This parameter is optional. | ``-`` | + | | | | + | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ .. _vpc_qs_0010__en-us_topic_0013748726_table42131827173915: @@ -107,4 +113,4 @@ When a subnet is created, there are five reserved IP addresses, which cannot be If you configured the default settings under **Advanced Settings** during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675254021.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_3_assign_an_eip_and_bind_it_to_an_ecs.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_3_assign_an_eip_and_bind_it_to_an_ecs.rst index 25113bd..b78cd70 100644 
--- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_3_assign_an_eip_and_bind_it_to_an_ecs.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_3_assign_an_eip_and_bind_it_to_an_ecs.rst @@ -67,8 +67,6 @@ Assigning an EIP | Enterprise Project | The enterprise project that the EIP belongs to. | default | | | | | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | - | | | | - | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Bandwidth Name | The name of the bandwidth. | bandwidth | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst index c9d6c67..f7cd93e 100644 
--- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst @@ -8,11 +8,11 @@ Step 4: Create a Security Group Scenarios --------- -You can create security groups and add ECSs in a VPC to different security groups to improve ECS access security. We recommend that you allocate ECSs that have different Internet access requirements to different security groups. +A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. -Each ECS must be associated with at least one security group. If you have no security group when creating an ECS, the system provides a default security group. +If your instances have different Internet access requirements, you can allocate them to different security groups when creating them. -You have an option to create a new security group for the ECS. This section describes how to create a security group on the management console. +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. Procedure --------- 
@@ -23,11 +23,17 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click **Create Security Group**. + The security group list is displayed. -#. In the **Create Security Group** area, set the parameters as prompted. :ref:`Table 1 ` lists the parameters to be configured. +#. In the upper right corner, click **Create Security Group**. + + The **Create Security Group** page is displayed. + +#. Configure the parameters as prompted. .. figure:: /_static/images/en-us_image_0000001197426329.png 
@@ -35,39 +41,43 @@ Procedure **Figure 1** Create Security Group - .. _vpc_qs_0012__en-us_topic_0013748715_table65377617111335: - .. table:: **Table 1** Parameter description - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Parameter | Description | Example Value | - +=======================+=======================================================================================================================================================================================================================================================+============================+ - | Name | The security group name. This parameter is mandatory. | sg-318b | - | | | | - | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | - | | | | - | | .. note:: | | - | | | | - | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Enterprise Project | When creating a security group, you can add the security group to an enabled enterprise project. | default | - | | | | - | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. 
| | - | | | | - | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Template | A template comes with default security group rules, helping you quickly create security groups. The following templates are provided: | General-purpose web server | - | | | | - | | - **Custom**: This template allows you to create security groups with custom security group rules. | | - | | - **General-purpose web server**: The security group that you create using this template is for general-purpose web servers and includes default rules that allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443, and 3389. | | - | | - **All ports open**: The security group that you create using this template includes default rules that allow inbound traffic on any port. Note that allowing inbound traffic on any port poses security risks. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Description | Supplementary information about the security group. This parameter is optional. | N/A | - | | | | - | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Parameter | Description | Example Value | + +=======================+=======================================================================================================================================================================================================================================================================+============================+ + | Name | Mandatory | sg-AB | + | | | | + | | Enter the security group name. | | + | | | | + | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + | | | | + | | .. note:: | | + | | | | + | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Enterprise Project | Mandatory | default | + | | | | + | | When creating a security group, you can add the security group to an enabled enterprise project. 
| | + | | | | + | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Template | Mandatory | General-purpose web server | + | | | | + | | A template comes with default security group rules, helping you quickly create security groups. The following templates are provided: | | + | | | | + | | - **Custom**: This template allows you to create security groups with custom security group rules. | | + | | - **General-purpose web server** (default value): The security group that you create using this template is for general-purpose web servers and includes default rules that allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443, and 3389. | | + | | - **All ports open**: The security group that you create using this template includes default rules that allow inbound traffic on any port. Note that allowing inbound traffic on any port poses security risks. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Description | Optional | N/A | + | | | | + | | Supplementary information about the security group. This parameter is optional. | | + | | | | + | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ -#. Click **OK**. +#. Confirm the inbound and outbound rules of the template and click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001627054062.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst index a27fa52..b984ecf 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst 
@@ -8,14 +8,27 @@ Step 5: Add a Security Group Rule Scenarios --------- -A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. +A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. -If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule. +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. -- Inbound rules control incoming traffic to cloud resources in the security group. -- Outbound rules control outgoing traffic from cloud resources in the security group. +Like whitelists, security group rules work as follows: -For details about the default security group rules, see :ref:`Default Security Groups and Security Group Rules `. For details about security group rule configuration examples, see :ref:`Security Group Configuration Examples `. +- Inbound rules control incoming traffic to instances in the security group. + + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. + + By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. 
+ +- Outbound rules control outgoing traffic from instances in the security group. + + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. + + 0.0.0.0/0 represents all IPv4 addresses. + + ::/0 represents all IPv6 addresses. + +If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specific TCP port, you can add an inbound rule to allow traffic on the TCP port. Procedure --------- @@ -26,11 +39,21 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. + The security group list is displayed. -#. On the **Inbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an inbound rule. +#. Locate the row that contains the target security group, and click **Manage Rule** in the **Operation** column. + + The page for configuring security group rules is displayed. + +#. On the **Inbound Rules** tab, click **Add Rule**. + + The **Add Inbound Rule** dialog box is displayed. + +#. Configure required parameters. You can click **+** to add more inbound rules. 
@@ -45,11 +68,16 @@ Procedure +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+==========================================================================================================================================================================+=======================+ - | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can reach your ECS. The value can be from 1 to 65535. | 22, or 22-30 | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Type | IPv4 | IPv4 | + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Source | Source of the security group rule. 
The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | @@ -68,7 +96,15 @@ Procedure | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ -#. On the **Outbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an outbound rule. +#. Click **OK**. + + The inbound rule list is displayed. + +#. On the **Outbound Rules** tab, click **Add Rule**. + + The **Add Outbound Rule** dialog box is displayed. + +#. Configure required parameters. You can click **+** to add more outbound rules. 
@@ -83,11 +119,16 @@ Procedure +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+=============================================================================================================================================================================+=======================+ - | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Type | IPv4 | IPv4 | + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Destination | Destination of the security group rule. 
The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | @@ -106,5 +147,7 @@ Procedure #. Click **OK**. + The outbound rule list is displayed. + .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626734166.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst index 1a336aa..8bd2e53 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst 
@@ -20,26 +20,26 @@ If your ECSs do not require Internet access or need to access the Internet using .. table:: **Table 1** Configuration process description - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Task | Description | - +====================================+=================================================================================================================================================================================+ - | Create a VPC. | This task is mandatory. | - | | | - | | After the VPC is created, you can create other required network resources in the VPC based on your service requirements. | - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Create another subnet for the VPC. | This task is optional. | - | | | - | | If the default subnet cannot meet your requirements, you can create one. | - | | | - | | The new subnet is used to assign IP addresses to NICs added to the ECS. | - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Create a security group. | This task is mandatory. | - | | | - | | You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. | - | | | - | | After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. 
| - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Add a security group rule. | This task is optional. | - | | | - | | If the default rule meets your service requirements, you do not need to add rules to the security group. | - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ + | Task | Description | + +====================================+==========================================================================================================================+ + | Create a VPC. | This task is mandatory. | + | | | + | | After the VPC is created, you can create other required network resources in the VPC based on your service requirements. | + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ + | Create another subnet for the VPC. | This task is optional. | + | | | + | | If the default subnet cannot meet your requirements, you can create one. | + | | | + | | The new subnet is used to assign IP addresses to NICs added to the ECS. | + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ + | Create a security group. | This task is mandatory. | + | | | + | | You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. | + | | | + | | After a security group is created, it has default rules. 
| + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ + | Add a security group rule. | This task is optional. | + | | | + | | If the default rule meets your service requirements, you do not need to add rules to the security group. | + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_1_create_a_vpc.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_1_create_a_vpc.rst index 159554b..c0f7f98 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_1_create_a_vpc.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_1_create_a_vpc.rst @@ -21,6 +21,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. Click **Create VPC**. #. On the **Create VPC** page, set parameters as prompted. 
@@ -29,91 +31,89 @@ Procedure .. table:: **Table 1** VPC parameter descriptions - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Category | Parameter | Description | Example Value | - +=====================================+========================+=========================================================================================================================================================================================================================================================================================================+=====================+ - | Basic Information | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | Name | The VPC name. | VPC-001 | - | | | | | - | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). | 192.168.0.0/16 | - | | | | | - | | | The following CIDR blocks are supported: | | - | | | | | - | | | 10.0.0.0/8-24 | | - | | | | | - | | | 172.16.0.0/12-24 | | - | | | | | - | | | 192.168.0.0/16-24 | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | Enterprise Project | The enterprise project to which the VPC belongs. | default | - | | | | | - | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | - | | | | | - | | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information/Advanced Settings | Tag | The VPC tag, which consists of a key and value pair. You can add a maximum of 20 tags to each VPC. | - Key: vpc_key1 | - | | | | - Value: vpc-01 | - | | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information/Advanced Settings | Description | Supplementary information about the VPC. This parameter is optional. | N/A | - | | | | | - | | | The VPC description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | Name | The subnet name. | Subnet | - | | | | | - | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. 
| 192.168.0.1 | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | - | | | | | - | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. | | - | | | | | - | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | - | | | | - Value: subnet-01 | - | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. This parameter is optional. | N/A | - | | | | | - | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Category | Parameter | Description | Example Value | + +=====================================+========================+=============================================================================================================================================================================================================================================================+=====================+ + | Basic Information | Region | Select the region nearest to you to ensure the lowest latency possible. | eu-de | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Name | The VPC name. | VPC-001 | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | IPv4 CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). | 192.168.0.0/16 | + | | | | | + | | | The following CIDR blocks are supported: | | + | | | | | + | | | 10.0.0.0/8-24 | | + | | | | | + | | | 172.16.0.0/12-24 | | + | | | | | + | | | 192.168.0.0/16-24 | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Enterprise Project | The enterprise project to which the VPC belongs. | default | + | | | | | + | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information/Advanced Settings | Tag | The VPC tag, which consists of a key and value pair. You can add a maximum of 20 tags to each VPC. 
| - Key: vpc_key1 | + | | | | - Value: vpc-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information/Advanced Settings | Description | Supplementary information about the VPC. This parameter is optional. | N/A | + | | | | | + | | | The VPC description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Name | The subnet name. | Subnet | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. 
| 192.168.0.0/24 | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| 100.125.x.x | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | | + | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If you do not specify this parameter, no additional NTP server IP addresses will be added. | | + | | | | | + | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | | - Value: subnet-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. 
This parameter is optional. | N/A | + | | | | | + | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ .. _vpc_qs_0005__en-us_topic_0013935842_table248245914136: .. table:: **Table 2** VPC tag key and value requirements - +-----------------------+----------------------------------------------------------------------------+-----------------------+ - | Parameter | Requirements | Example Value | - +=======================+============================================================================+=======================+ - | Key | - Cannot be left blank. | vpc_key1 | - | | - Must be unique for the same VPC and can be the same for different VPCs. | | - | | - Can contain a maximum of 36 characters. | | - | | - Can contain only the following character types: | | - | | | | - | | - Uppercase letters | | - | | - Lowercase letters | | - | | - Digits | | - | | - Special characters, including hyphens (-) and underscores (_) | | - +-----------------------+----------------------------------------------------------------------------+-----------------------+ - | Value | - Can contain a maximum of 43 characters. 
| vpc-01 | - | | - Can contain only the following character types: | | - | | | | - | | - Uppercase letters | | - | | - Lowercase letters | | - | | - Digits | | - | | - Special characters, including hyphens (-) and underscores (_) | | - +-----------------------+----------------------------------------------------------------------------+-----------------------+ + +-----------------------+------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+========================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for each VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+------------------------------------------------------------------------+-----------------------+ .. _vpc_qs_0005__en-us_topic_0013935842_table6536185812515: diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_2_create_a_subnet_for_the_vpc.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_2_create_a_subnet_for_the_vpc.rst index 3350c1b..686be34 100644 
--- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_2_create_a_subnet_for_the_vpc.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_2_create_a_subnet_for_the_vpc.rst @@ -21,6 +21,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. 5. Click **Create Subnet**. 
@@ -37,33 +39,37 @@ Procedure .. table:: **Table 1** Parameter descriptions - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +========================+=============================================================================================================================================================================================================================================+=======================+ - | VPC | The VPC for which you want to create a subnet. | ``-`` | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Name | The subnet name. | Subnet | - | | | | - | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. 
| 192.168.0.0/24 | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Gateway | The gateway address of the subnet. | 192.168.0.1 | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | - | | | | - | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. 
If this parameter is left empty, no IP address of the NTP server is added. | | - | | | | - | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | - | | | - Value: subnet-01 | - | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +======================================+=============================================================================================================================================================================================================================================================+=======================+ + | VPC | The VPC for which you want to create a subnet. 
| ``-`` | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Name | The subnet name. | Subnet | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/Gateway | The gateway address of the subnet. 
| 192.168.0.1 | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If you do not specify this parameter, no additional NTP server IP addresses will be added. | | + | | | | + | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. 
| - Key: subnet_key1 | + | | | - Value: subnet-01 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/Description | Supplementary information about the subnet. This parameter is optional. | ``-`` | + | | | | + | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ .. _vpc_qs_0006__en-us_topic_0013748726_table42131827173915: @@ -107,4 +113,4 @@ When a subnet is created, there are five reserved IP addresses, which cannot be If you configured the default settings under **Advanced Settings** during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675254021.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst index 06740e7..325e7c6 100644 
--- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst @@ -8,11 +8,11 @@ Step 3: Create a Security Group Scenarios --------- -You can create security groups and add ECSs in a VPC to different security groups to improve ECS access security. We recommend that you allocate ECSs that have different Internet access requirements to different security groups. +A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. -Each ECS must be associated with at least one security group. If you have no security group when creating an ECS, the system provides a default security group. +If your instances have different Internet access requirements, you can allocate them to different security groups when creating them. -You have an option to create a new security group for the ECS. This section describes how to create a security group on the management console. +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. Procedure --------- 
@@ -23,11 +23,17 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click **Create Security Group**. + The security group list is displayed. -#. In the **Create Security Group** area, set the parameters as prompted. :ref:`Table 1 ` lists the parameters to be configured. +#. In the upper right corner, click **Create Security Group**. + + The **Create Security Group** page is displayed. + +#. Configure the parameters as prompted. .. figure:: /_static/images/en-us_image_0000001197426329.png 
@@ -35,39 +41,43 @@ Procedure **Figure 1** Create Security Group - .. _vpc_qs_0007__en-us_topic_0013748715_table65377617111335: - .. table:: **Table 1** Parameter description - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Parameter | Description | Example Value | - +=======================+=======================================================================================================================================================================================================================================================+============================+ - | Name | The security group name. This parameter is mandatory. | sg-318b | - | | | | - | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | - | | | | - | | .. note:: | | - | | | | - | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Enterprise Project | When creating a security group, you can add the security group to an enabled enterprise project. | default | - | | | | - | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. 
| | - | | | | - | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Template | A template comes with default security group rules, helping you quickly create security groups. The following templates are provided: | General-purpose web server | - | | | | - | | - **Custom**: This template allows you to create security groups with custom security group rules. | | - | | - **General-purpose web server**: The security group that you create using this template is for general-purpose web servers and includes default rules that allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443, and 3389. | | - | | - **All ports open**: The security group that you create using this template includes default rules that allow inbound traffic on any port. Note that allowing inbound traffic on any port poses security risks. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ - | Description | Supplementary information about the security group. This parameter is optional. | N/A | - | | | | - | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Parameter | Description | Example Value | + +=======================+=======================================================================================================================================================================================================================================================================+============================+ + | Name | Mandatory | sg-AB | + | | | | + | | Enter the security group name. | | + | | | | + | | The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + | | | | + | | .. note:: | | + | | | | + | | You can change the security group name after a security group is created. It is recommended that you give each security group a different name. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Enterprise Project | Mandatory | default | + | | | | + | | When creating a security group, you can add the security group to an enabled enterprise project. 
| | + | | | | + | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Template | Mandatory | General-purpose web server | + | | | | + | | A template comes with default security group rules, helping you quickly create security groups. The following templates are provided: | | + | | | | + | | - **Custom**: This template allows you to create security groups with custom security group rules. | | + | | - **General-purpose web server** (default value): The security group that you create using this template is for general-purpose web servers and includes default rules that allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443, and 3389. | | + | | - **All ports open**: The security group that you create using this template includes default rules that allow inbound traffic on any port. Note that allowing inbound traffic on any port poses security risks. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ + | Description | Optional | N/A | + | | | | + | | Supplementary information about the security group. This parameter is optional. | | + | | | | + | | The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ -#. Click **OK**. +#. Confirm the inbound and outbound rules of the template and click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001627054062.png diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst index 63f0ed4..2b023a7 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst 
@@ -8,14 +8,27 @@ Step 4: Add a Security Group Rule Scenarios --------- -A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. +A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. -If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule. +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. -- Inbound rules control incoming traffic to cloud resources in the security group. -- Outbound rules control outgoing traffic from cloud resources in the security group. +Like whitelists, security group rules work as follows: -For details about the default security group rules, see :ref:`Default Security Groups and Security Group Rules `. For details about security group rule configuration examples, see :ref:`Security Group Configuration Examples `. +- Inbound rules control incoming traffic to instances in the security group. + + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. + + By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. 
+ +- Outbound rules control outgoing traffic from instances in the security group. + + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. + + 0.0.0.0/0 represents all IPv4 addresses. + + ::/0 represents all IPv6 addresses. + +If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specific TCP port, you can add an inbound rule to allow traffic on the TCP port. Procedure --------- @@ -26,11 +39,21 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. + The security group list is displayed. -#. On the **Inbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an inbound rule. +#. Locate the row that contains the target security group, and click **Manage Rule** in the **Operation** column. + + The page for configuring security group rules is displayed. + +#. On the **Inbound Rules** tab, click **Add Rule**. + + The **Add Inbound Rule** dialog box is displayed. + +#. Configure required parameters. You can click **+** to add more inbound rules. 
@@ -45,11 +68,16 @@ Procedure +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+==========================================================================================================================================================================+=======================+ - | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can reach your ECS. The value can be from 1 to 65535. | 22, or 22-30 | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Type | IPv4 | IPv4 | + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Source | Source of the security group rule. 
The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | @@ -68,7 +96,15 @@ Procedure | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ -#. On the **Outbound Rules** tab, click **Add Rule**. In the displayed dialog box, set required parameters to add an outbound rule. +#. Click **OK**. + + The inbound rule list is displayed. + +#. On the **Outbound Rules** tab, click **Add Rule**. + + The **Add Outbound Rule** dialog box is displayed. + +#. Configure required parameters. You can click **+** to add more outbound rules. 
@@ -83,11 +119,16 @@ Procedure +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+=============================================================================================================================================================================+=======================+ - | Protocol & Port | **Protocol**: The network protocol. Currently, the value can be **All**, **TCP**, **UDP**, **ICMP**, **GRE**, or others. | TCP | + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Type | IPv4 | IPv4 | + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Destination | Destination of the security group rule. 
The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | @@ -106,5 +147,7 @@ Procedure #. Click **OK**. + The outbound rule list is displayed. + .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626734166.png diff --git a/umn/source/getting_started/typical_application_scenarios.rst b/umn/source/getting_started/typical_application_scenarios.rst index c56e2e0..ffa4f8a 100644 --- a/umn/source/getting_started/typical_application_scenarios.rst +++ b/umn/source/getting_started/typical_application_scenarios.rst 
@@ -9,5 +9,4 @@ A VPC provides an isolated virtual network for ECSs. You can configure and manag - If any of your ECSs, for example, ECSs that function as the database of server nodes for website deployment, do not need to access the Internet or need to access the Internet specific IP addresses on the default network with limited bandwidth, you can configure a VPC for the ECSs by following the instructions described in :ref:`Configuring a VPC for ECSs That Do Not Require Internet Access `. - If your ECSs need to access the Internet, you can configure EIPs for them. For example, the ECSs functioning as the service nodes for deploying a website need to be accessed by users over the Internet. Then, you can configure a VPC for these ECSs by following the instructions provided in :ref:`Configuring a VPC for ECSs That Access the Internet Using EIPs `. -- If your ECSs need to access the Internet, you can configure EIPs for them. For example, the ECSs functioning as the service nodes for deploying a website need to be accessed by users over the Internet. For details, see :ref:`Configuring a VPC for ECSs That Access the Internet Using EIPs `. - When you need to access the IPv6 services on the Internet or provide services accessible from users using an IPv6 client, you need to enable the IPv6 function. After the IPv6 function is enabled, you can provide services for users using an IPv4 or IPv6 client. diff --git a/umn/source/index.rst b/umn/source/index.rst index 25cf7f3..0d67998 100644 --- a/umn/source/index.rst +++ b/umn/source/index.rst @@ -8,7 +8,7 @@ Virtual Private Cloud - User Guide service_overview/index getting_started/index vpc_and_subnet/index - security/index + access_control/index elastic_ip/index shared_bandwidth/index route_tables/index diff --git a/umn/source/monitoring/creating_an_alarm_rule.rst b/umn/source/monitoring/creating_an_alarm_rule.rst index 73c022e..5c86995 100644 --- a/umn/source/monitoring/creating_an_alarm_rule.rst 
+++ b/umn/source/monitoring/creating_an_alarm_rule.rst @@ -17,7 +17,7 @@ Procedure 2. Click |image1| in the upper left corner and select the desired region and project. -3. Hover on the upper left corner to display **Service List** and choose **Management & Deployment** > **Cloud Eye**. +3. In the upper left corner of the page, click |image2| to open the service list and choose **Management & Deployment** > **Cloud Eye**. 4. In the left navigation pane on the left, choose **Alarm Management** > **Alarm Rules**. @@ -32,3 +32,4 @@ Procedure For more information about alarm rules, see the *Cloud Eye User Guide*. .. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001675258889.png diff --git a/umn/source/monitoring/viewing_metrics.rst b/umn/source/monitoring/viewing_metrics.rst index 2e014aa..e99b41c 100644 --- a/umn/source/monitoring/viewing_metrics.rst +++ b/umn/source/monitoring/viewing_metrics.rst 
@@ -8,19 +8,31 @@ Viewing Metrics Scenarios --------- -View related metrics to see bandwidth and EIP usage information. +You can view the bandwidth and EIP usage on the **Elastic IP and Bandwidth** or **Cloud Eye** console. You can view the inbound bandwidth, outbound bandwidth, inbound bandwidth usage, outbound bandwidth usage, inbound traffic, and outbound traffic in a specified period. -Procedure ---------- +Procedure (**Elastic IP and Bandwidth** Console) +------------------------------------------------ + +#. Log in to the management console. +#. Click |image1| in the upper left corner and select the desired region and project. +#. Click |image2| in the upper left corner and choose **Network** > **Elastic IP**. +#. On the **EIPs** page, search for the EIP, click **More** in the **Operation** column, and click **View Metric** to view the monitoring metric details. +#. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. +#. On the **Shared Bandwidths** page, locate the shared bandwidth, click **More** in the **Operation** column, and click **View Metric** to view the monitoring metric details. + +Procedure (**Cloud Eye** Console) +--------------------------------- #. Log in to the management console. -2. Click |image1| in the upper left corner and select the desired region and project. -3. Hover on the upper left corner to display **Service List** and choose **Management & Deployment** > **Cloud Eye**. +2. Click |image3| in the upper left corner and select the desired region and project. +3. In the upper left corner of the page, click |image4| to open the service list and choose **Management & Deployment** > **Cloud Eye**. 4. Click **Cloud Service Monitoring** on the left of the page, and choose **Elastic IP and Bandwidth**. -5. Select the EIP, click **More** in the **Operation** column, and click **View Metric** to view monitoring metric details. -6. 
Select the shared bandwidth, click **More** in the **Operation** column, and click **View Metric** to view monitoring metric details. +5. Locate the row that contains the target bandwidth or EIP and click **View Metric** in the **Operation** column to check the bandwidth or EIP monitoring information. .. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001572300492.png +.. |image3| image:: /_static/images/en-us_image_0141273034.png +.. |image4| image:: /_static/images/en-us_image_0000001675418673.png diff --git a/umn/source/permissions_management/creating_a_user_and_granting_vpc_permissions.rst b/umn/source/permissions_management/creating_a_user_and_granting_vpc_permissions.rst index 7b16bb6..25e9972 100644 --- a/umn/source/permissions_management/creating_a_user_and_granting_vpc_permissions.rst +++ b/umn/source/permissions_management/creating_a_user_and_granting_vpc_permissions.rst 
@@ -8,19 +8,19 @@ Creating a User and Granting VPC Permissions This section describes how to use IAM to implement fine-grained permissions control for your VPC resources. With IAM, you can: - Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing VPC resources. -- Grant only the permissions required for users to perform a specific task. +- Grant users only the permissions required to perform a given task based on their job responsibilities. - Entrust a cloud account or cloud service to perform efficient O&M on your VPC resources. -If your cloud account does not require individual IAM users, skip this section. +If your cloud account meets your permissions requirements, you can skip this section. -This section describes the procedure for granting permissions (see :ref:`Figure 1 `). +:ref:`Figure 1 ` shows the process flow for granting permissions. Prerequisites ------------- -Learn about the permissions (:ref:`Permissions `) supported by VPC and choose policies or roles according to your requirements. +Learn about the permissions (see :ref:`Permissions `) supported by VPC and choose policies or roles according to your requirements. -For permissions of other services, see . +To grant permissions for other services, learn about all `permissions `__ supported by IAM. Process Flow ------------ 
@@ -32,19 +32,13 @@ Process Flow **Figure 1** Process for granting VPC permissions -#. .. _permission_0003__li8447183891715: +#. On the IAM console, `create a user group and assign permissions to it `__ (**VPC ReadOnlyAccess** as an example). - `Create a user group and assign permissions to it `__. +#. `Create an IAM user and add it to the created user group `__. - Create a user group on the IAM console, and assign the **VPC ReadOnlyAccess** policy to the group. +#. `Log in as the IAM user `__ and verify permissions. -#. `Create an IAM user and add it to the user group `__. + In the authorized region, perform the following operations: - Create a user on the IAM console and add the user to the group created in :ref:`1 `. - -#. `Log in `__ and verify permissions. - - Log in to the VPC console by using the user created in 2, and verify that the user only has read permissions for VPC. - - - Choose **Service List** > **Virtual Private Cloud**. Then click **Create VPC** on the VPC console. If a message appears indicating that you have insufficient permissions to perform the operation, the **VPC ReadOnlyAccess** policy has already taken effect. - - Choose any other service in **Service List**. If a message appears indicating that you have insufficient permissions to access the service, the **VPC ReadOnlyAccess** policy has already taken effect. + - Choose **Service List** > **Virtual Private Cloud**. Then click **Create VPC** on the VPC console. If a message appears indicating that you have insufficient permissions to perform the operation, the **VPCReadOnlyAccess** policy is in effect. + - Choose another service from **Service List**. If a message appears indicating that you have insufficient permissions to access the service, the **VPCReadOnlyAccess** policy is in effect. diff --git a/umn/source/permissions_management/vpc_custom_policies.rst b/umn/source/permissions_management/vpc_custom_policies.rst index 5d0a6a8..242655d 100644 
--- a/umn/source/permissions_management/vpc_custom_policies.rst +++ b/umn/source/permissions_management/vpc_custom_policies.rst @@ -29,7 +29,7 @@ Example Custom Policies "Action": [ " vpc:vpcs:create - vpc:svpcs:list + vpc:vpcs:list " ] } diff --git a/umn/source/route_tables/adding_a_custom_route.rst b/umn/source/route_tables/adding_a_custom_route.rst index 291bf51..394b31a 100644 --- a/umn/source/route_tables/adding_a_custom_route.rst +++ b/umn/source/route_tables/adding_a_custom_route.rst @@ -24,6 +24,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. 5. In the route table list, click the name of the route table to which you want to add a route. @@ -51,7 +53,7 @@ Procedure +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ | Next Hop Type | Mandatory | VPC peering connection | | | | | - | | Set the type of the next hop. For details about the supported resource types, see :ref:`Table 1 `. | | + | | Set the type of the next hop. | | | | | | | | .. note:: | | | | | | @@ -69,4 +71,4 @@ Procedure 7. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675255405.png diff --git a/umn/source/route_tables/associating_a_route_table_with_a_subnet.rst b/umn/source/route_tables/associating_a_route_table_with_a_subnet.rst index c661936..7731dc7 100644 --- a/umn/source/route_tables/associating_a_route_table_with_a_subnet.rst +++ b/umn/source/route_tables/associating_a_route_table_with_a_subnet.rst 
@@ -8,12 +8,19 @@ Associating a Route Table with a Subnet Scenarios --------- -After a route table is associated with a subnet, its routes control the routing for the subnet and apply to all cloud resources in the subnet. +After a subnet is created, the system associates the subnet with the default route table of its VPC. If you want to use specific routes for a subnet, you can associate the subnet with a custom route table. + +The custom route table associated with a subnet affects only the outbound traffic. The default route table determines the inbound traffic. + +.. important:: + + After a route table is associated with a subnet, the routes in the route table control the routing for the subnet and apply to all cloud resources in the subnet. Notes and Constraints --------------------- -A subnet can only be associated with one route table. +- A subnet must have a route table associated and can only be associated with one route table. +- A route table can be associated with multiple subnets. Procedure --------- @@ -24,6 +31,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. 5. In the route table list, locate the row that contains the target route table and click **Associate Subnet** in the **Operation** column. @@ -39,4 +48,4 @@ Procedure 7. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626735570.png diff --git a/umn/source/route_tables/changing_the_route_table_associated_with_a_subnet.rst b/umn/source/route_tables/changing_the_route_table_associated_with_a_subnet.rst index f45845b..dbe8d59 100644 --- a/umn/source/route_tables/changing_the_route_table_associated_with_a_subnet.rst 
+++ b/umn/source/route_tables/changing_the_route_table_associated_with_a_subnet.rst @@ -19,6 +19,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. 5. Click the name of the target route table. @@ -30,4 +32,4 @@ Procedure After the route table for a subnet is changed, routes in the new route table will apply to all cloud resources in the subnet. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626575750.png diff --git a/umn/source/route_tables/configuring_an_snat_server.rst b/umn/source/route_tables/configuring_an_snat_server.rst index 0426160..2b7c6f5 100644 --- a/umn/source/route_tables/configuring_an_snat_server.rst +++ b/umn/source/route_tables/configuring_an_snat_server.rst @@ -69,7 +69,7 @@ Procedure **cat /proc/sys/net/ipv4/ip_forward** - In the command output, **1** indicates it is enabled, and **0** indicates it is disabled. The default value is **0**. + In the command output, **1** indicates that IP forwarding is enabled, and **0** indicates that IP forwarding is disabled. The default value is **0**. - If IP forwarding in Linux is enabled, go to step :ref:`14 `. - If IP forwarding in Linux is disabled, go to :ref:`12 ` to enable IP forwarding in Linux. diff --git a/umn/source/route_tables/creating_a_custom_route_table.rst b/umn/source/route_tables/creating_a_custom_route_table.rst index 2c6970b..ff8a46f 100644 --- a/umn/source/route_tables/creating_a_custom_route_table.rst +++ b/umn/source/route_tables/creating_a_custom_route_table.rst 
@@ -8,12 +8,12 @@ Creating a Custom Route Table Scenarios --------- -If your default route table cannot meet your service requirements, you can create a custom route table by following the instructions provided in this section. +A VPC automatically comes with a default route table. If your default route table cannot meet your service requirements, you can create a custom route table. Notes and Constraints --------------------- -- Each VPC can have a maximum of 10 route tables, including the default route table. +By default, each VPC can have up to 10 route tables, including the default route table. Procedure --------- @@ -24,6 +24,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. 5. In the upper right corner, click **Create Route Table**. On the displayed page, configure parameters as prompted. @@ -65,4 +67,4 @@ Procedure c. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001627055454.png diff --git a/umn/source/route_tables/deleting_a_route.rst b/umn/source/route_tables/deleting_a_route.rst index 8bc625f..95d2d57 100644 --- a/umn/source/route_tables/deleting_a_route.rst +++ b/umn/source/route_tables/deleting_a_route.rst @@ -31,6 +31,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. 5. Locate the target route table and click its name. 
@@ -44,4 +46,4 @@ Procedure 7. Confirm the information and click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675375405.png diff --git a/umn/source/route_tables/deleting_a_route_table.rst b/umn/source/route_tables/deleting_a_route_table.rst index 54060dc..fde7885 100644 --- a/umn/source/route_tables/deleting_a_route_table.rst +++ b/umn/source/route_tables/deleting_a_route_table.rst @@ -24,17 +24,17 @@ Procedure #. Log in to the management console. -#. Click |image1| in the upper left corner and select the desired region and project. +2. Click |image1| in the upper left corner and select the desired region and project. -#. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. +3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. The **Virtual Private Cloud** page is displayed. -#. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. +4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. -#. Locate the row that contains the route table you want to delete and click **Delete** in the **Operation** column. +5. Locate the row that contains the route table you want to delete and click **Delete** in the **Operation** column. A confirmation dialog box is displayed. -#. Click **Yes**. +6. Click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675615337.png diff --git a/umn/source/route_tables/exporting_route_table_information.rst b/umn/source/route_tables/exporting_route_table_information.rst index e24001f..bb686e4 100644 --- a/umn/source/route_tables/exporting_route_table_information.rst 
+++ b/umn/source/route_tables/exporting_route_table_information.rst @@ -19,6 +19,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. 5. On the displayed page, click |image3| in the upper right of the route table list. @@ -26,5 +28,5 @@ Procedure The system will automatically export information about all route tables under your account in the current region as an Excel file to a local directory. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626895486.png .. |image3| image:: /_static/images/en-us_image_0214585307.png diff --git a/umn/source/route_tables/index.rst b/umn/source/route_tables/index.rst index 9fdae4f..68c4a94 100644 --- a/umn/source/route_tables/index.rst +++ b/umn/source/route_tables/index.rst @@ -5,7 +5,7 @@ Route Tables ============ -- :ref:`Route Table Overview ` +- :ref:`Route Tables and Routes ` - :ref:`Creating a Custom Route Table ` - :ref:`Associating a Route Table with a Subnet ` - :ref:`Changing the Route Table Associated with a Subnet ` @@ -23,7 +23,7 @@ Route Tables :maxdepth: 1 :hidden: - route_table_overview + route_tables_and_routes creating_a_custom_route_table associating_a_route_table_with_a_subnet changing_the_route_table_associated_with_a_subnet diff --git a/umn/source/route_tables/modifying_a_route.rst b/umn/source/route_tables/modifying_a_route.rst index 2162ac2..6d3aa4a 100644 --- a/umn/source/route_tables/modifying_a_route.rst +++ b/umn/source/route_tables/modifying_a_route.rst 
@@ -22,10 +22,17 @@ Procedure #. Log in to the management console. 2. Click |image1| in the upper left corner and select the desired region and project. + 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. + 5. In the route table list, click the name of the target route table. + 6. Locate the row that contains the route to be modified and click **Modify** in the **Operation** column. + 7. Modify the route information in the displayed dialog box. .. table:: **Table 1** Parameter descriptions @@ -41,7 +48,7 @@ Procedure +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ | Next Hop Type | Mandatory | VPC peering connection | | | | | - | | Set the type of the next hop. For details about the supported resource types, see :ref:`Table 1 `. | | + | | Set the type of the next hop. | | | | | | | | .. note:: | | | | | | @@ -59,4 +66,4 @@ Procedure 8. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001627055450.png diff --git a/umn/source/route_tables/replicating_a_route.rst b/umn/source/route_tables/replicating_a_route.rst index ac3643c..9537378 100644 --- a/umn/source/route_tables/replicating_a_route.rst +++ b/umn/source/route_tables/replicating_a_route.rst 
@@ -52,19 +52,21 @@ Procedure #. Log in to the management console. -#. Click |image1| in the upper left corner and select the desired region and project. +2. Click |image1| in the upper left corner and select the desired region and project. -#. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. +3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. -#. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. + The **Virtual Private Cloud** page is displayed. -#. In the route table list, locate the row that contains the route table you want to replicate routes from and click **Replicate Route** in the **Operation** column. +4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. -#. Select the target route table that you want to replicate route to and the routes to be replicated as prompted. +5. In the route table list, locate the row that contains the route table you want to replicate routes from and click **Replicate Route** in the **Operation** column. + +6. Select the target route table that you want to replicate route to and the routes to be replicated as prompted. The listed routes are those that do not exist in the target route table. You can select one or more routes to replicate to the target route table. -#. Click **OK**. +7. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626735566.png diff --git a/umn/source/route_tables/route_table_overview.rst b/umn/source/route_tables/route_tables_and_routes.rst similarity index 80% rename from umn/source/route_tables/route_table_overview.rst rename to umn/source/route_tables/route_tables_and_routes.rst index 6bcad36..66519e9 100644 --- a/umn/source/route_tables/route_table_overview.rst 
+++ b/umn/source/route_tables/route_tables_and_routes.rst 
@@ -2,32 +2,33 @@ .. _vpc_route01_0001: -Route Table Overview -==================== +Route Tables and Routes +======================= -Route Table ------------ +Route Tables +------------ -A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet must be associated with a route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table. +A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet must be associated with a route table. A subnet can only be associated with one route table, but you can associate multiple subnets with the same route table. -Default Route Table and Custom Route Table ------------------------------------------- -When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. +.. figure:: /_static/images/en-us_image_0000001650535960.png + :alt: **Figure 1** Route tables -- You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the table. -- When you create a VPC endpoint, VPN or Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. + **Figure 1** Route tables -If you do not want to use the default route table, you can now create a custom route table and associate it with the subnet. You can delete the custom route table if it is no longer required. +- Default route table: When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. The default route table ensures that subnets in a VPC can communicate with each other. -.. 
note:: + - You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the table. + - When you create a VPC endpoint, VPN or Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. - The custom route table associated with a subnet affects only the outbound traffic. The default route table determines the inbound traffic. +- Custom route table: If you do not want to use the default route table, you can create a custom route table and associate it with the subnet. Custom route tables can be deleted if they are no longer required. + + The custom route table associated with a subnet affects only the outbound traffic. The default route table controls the inbound traffic. Route ----- -A route is configured with the destination, next hop type, and next hop to determine where network traffic is directed. Routes are classified into system routes and custom routes. +You can add routes to default and custom route tables and configure the destination, next hop type, and next hop in the routes to determine where network traffic is directed. Routes are classified into system routes and custom routes. - System routes: These routes are automatically added by the system and cannot be modified or deleted. 
@@ -42,11 +43,11 @@ A route is configured with the destination, next hop type, and next hop to deter - Custom routes: These are routes that you can add, modify, and delete. The destination of a custom route cannot overlap with that of a system route. - You can add a custom route and configure the destination, next hop type, and next hop in the route to determine where network traffic is directed. :ref:`Table 1 ` lists the supported types of next hops. + You can add a custom route and configure the destination, next hop type, and next hop in the route to determine where network traffic is directed. :ref:`Table 1 ` lists the supported types of next hops. - You cannot add two routes with the same destination to a VPC route table even if their next hop types are different, because the destination determines the route priority. According to the longest match routing rule, the destination with a higher matching degree is preferentially selected for packet forwarding. + You cannot add two routes with the same destination to a VPC route table even if their next hop types are different. The route priority depends on the destination. According to the longest match routing rule, the destination with a higher matching degree is preferentially selected for packet forwarding. - .. _vpc_route01_0001__table1727714140542: + .. _vpc_route01_0001__en-us_topic_0038263963_route_0001_table1727714140542: .. table:: **Table 1** Next hop type 
@@ -85,14 +86,14 @@ A route is configured with the destination, next hop type, and next hop to deter Custom Route Table Configuration Process ---------------------------------------- -:ref:`Figure 1 ` shows the process of creating and configuring a custom route table. +:ref:`Figure 2 ` shows the process of creating and configuring a custom route table. .. _vpc_route01_0001__en-us_topic_0212076956_fig16862186152219: .. figure:: /_static/images/en-us_image_0214585341.png - :alt: **Figure 1** Route table configuration process + :alt: **Figure 2** Route table configuration process - **Figure 1** Route table configuration process + **Figure 2** Route table configuration process #. For details about how to create a custom route table, see :ref:`Creating a Custom Route Table `. #. For details about how to add a custom route, see :ref:`Adding a Custom Route `. diff --git a/umn/source/route_tables/viewing_route_table_information.rst b/umn/source/route_tables/viewing_route_table_information.rst index a44e820..5642fed 100644 --- a/umn/source/route_tables/viewing_route_table_information.rst +++ b/umn/source/route_tables/viewing_route_table_information.rst @@ -23,6 +23,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. 5. Click the name of the target route table. @@ -33,4 +35,4 @@ Procedure b. On the **Associated Subnets** tab page, view the subnets associated with the route table. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675415213.png diff --git a/umn/source/route_tables/viewing_the_route_table_associated_with_a_subnet.rst b/umn/source/route_tables/viewing_the_route_table_associated_with_a_subnet.rst index b8ceb6a..d10d0bf 100644 
--- a/umn/source/route_tables/viewing_the_route_table_associated_with_a_subnet.rst +++ b/umn/source/route_tables/viewing_the_route_table_associated_with_a_subnet.rst @@ -19,6 +19,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. @@ -34,4 +36,4 @@ Procedure The route table details page is displayed. You can further view the route information. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675375297.png diff --git a/umn/source/security/security_group/adding_instances_to_and_removing_them_from_a_security_group.rst b/umn/source/security/security_group/adding_instances_to_and_removing_them_from_a_security_group.rst deleted file mode 100644 index 5516826..0000000 --- a/umn/source/security/security_group/adding_instances_to_and_removing_them_from_a_security_group.rst +++ /dev/null 
@@ -1,52 +0,0 @@ -:original_name: SecurityGroup_0017.html - -.. _SecurityGroup_0017: - -Adding Instances to and Removing Them from a Security Group -=========================================================== - -Scenarios ---------- - -After a security group is created, you can add instances to the security group to protect the instances. You can also remove them from the security group as required. - -You can add multiple instances to or remove them from a security group. - -Adding Instances to a Security Group ------------------------------------- - -#. Log in to the management console. -#. Click |image1| in the upper left corner and select the desired region and project. -#. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. -#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click **Manage Instance** in the **Operation** column. -#. On the **Servers** tab, click **Add** and add one or more servers to the current security group. -#. On the **Extension NICs** tab, click **Add** and add one or more extension NICs to the current security group. -#. Click **OK**. - -Removing Instances from a Security Group ----------------------------------------- - -#. Log in to the management console. -#. Click |image3| in the upper left corner and select the desired region and project. -#. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. -#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click **Manage Instance** in the **Operation** column. -#. On the **Servers** tab, locate the target server and click **Remove** in the **Operation** column to remove the server from current security group. -#. 
On the **Extension NICs** tab, locate the target extension NIC and click **Remove** in the **Operation** column to remove the NIC from the current security group. -#. Click **Yes**. - -**Removing multiple instances from a security group** - -- Select multiple servers and click **Remove** above the server list to remove the selected servers from the current security group all at once. -- Select multiple extension NICs and click **Remove** above the extension NIC list to remove the selected extension NICs from the current security group all at once. - -Follow-Up Operations --------------------- - -You can delete the security groups that you no longer need. Deleting a security group will also delete all security group rules in the security group. For details, see :ref:`Deleting a Security Group `. - -.. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png -.. |image3| image:: /_static/images/en-us_image_0141273034.png -.. |image4| image:: /_static/images/en-us_image_0000001500905066.png diff --git a/umn/source/security/security_group/deleting_a_security_group_rule.rst b/umn/source/security/security_group/deleting_a_security_group_rule.rst deleted file mode 100644 index c943cb5..0000000 --- a/umn/source/security/security_group/deleting_a_security_group_rule.rst +++ /dev/null 
@@ -1,38 +0,0 @@ -:original_name: vpc_SecurityGroup_0006.html - -.. _vpc_SecurityGroup_0006: - -Deleting a Security Group Rule -============================== - -Scenarios ---------- - -If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule and add a new one. - -Notes and Constraints ---------------------- - -Security group rules use whitelists. Deleting a security group rule may result in ECS access failures. Security group rules work as follows: - -- If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. -- If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. - -Procedure ---------- - -#. Log in to the management console. - -2. Click |image1| in the upper left corner and select the desired region and project. -3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. -4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -5. On the **Security Groups** page, click the security group name. -6. If you do not need a security group rule, locate the row that contains the target rule, and click **Delete**. -7. Click **Yes** in the displayed dialog box. - -**Deleting multiple security group rules at once** - -You can also select multiple security group rules and click **Delete** above the security group rule list to delete multiple rules at a time. - -.. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png diff --git a/umn/source/security/security_group/fast-adding_security_group_rules.rst b/umn/source/security/security_group/fast-adding_security_group_rules.rst deleted file mode 100644 index a137e4e..0000000 
--- a/umn/source/security/security_group/fast-adding_security_group_rules.rst +++ /dev/null 
@@ -1,93 +0,0 @@ -:original_name: SecurityGroup_0004.html - -.. _SecurityGroup_0004: - -Fast-Adding Security Group Rules -================================ - -Scenarios ---------- - -You can add multiple security group rules with different protocols and ports at the same time. - -Procedure ---------- - -#. Log in to the management console. - -2. Click |image1| in the upper left corner and select the desired region and project. - -3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. - -4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. - -5. On the **Security Groups** page, locate the target security group and click **Manage Rule** in the **Operation** column to switch to the page for managing inbound and outbound rules. - -6. On the **Inbound Rules** tab, click **Fast-Add Rule**. In the displayed dialog box, select the protocols and ports you wish to add all at once. - - - .. figure:: /_static/images/en-us_image_0211552164.png - :alt: **Figure 1** Fast-Add Inbound Rule - - **Figure 1** Fast-Add Inbound Rule - - .. 
table:: **Table 1** Inbound rule parameter description - - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+==========================================================================================================================================================================+=======================+ - | Protocols and Ports | Common protocols and ports are provided for: | SSH (22) | - | | | | - | | - Remote login and ping | | - | | - Web services | | - | | - Databases | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source | Source of the security group rule. The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. For example: | 0.0.0.0/0 | - | | | | - | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | - | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | - | | - 0.0.0.0/0 (all IPv4 addresses) | | - | | - sg-abc (security group) | | - | | | | - | | If the source is a security group, this rule will apply to all instances associated with the selected security group. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | (Optional) Supplementary information about the security group rule. | ``-`` | - | | | | - | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - -7. On the **Outbound Rules** tab, click **Fast-Add Rule**. In the displayed dialog box, select required protocols and ports to add multiple rules at a time. - - - .. figure:: /_static/images/en-us_image_0211560998.png - :alt: **Figure 2** Fast-Add Outbound Rule - - **Figure 2** Fast-Add Outbound Rule - - .. table:: **Table 2** Outbound rule parameter description - - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+=============================================================================================================================================================================+=======================+ - | Protocols and Ports | Common protocols and ports are provided for: | SSH (22) | - | | | | - | | - Remote login and ping | | - | | - Web services | | - | | - Databases | | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. 
For example: | 0.0.0.0/0 | - | | | | - | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | - | | - xxx.xxx.xxx.0/24 (IPv4 address range) | | - | | - 0.0.0.0/0 (all IPv4 addresses) | | - | | - sg-abc (security group) | | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | (Optional) Supplementary information about the security group rule. | ``-`` | - | | | | - | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - -8. Click **OK**. - -.. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png diff --git a/umn/source/security/security_group/modifying_a_security_group.rst b/umn/source/security/security_group/modifying_a_security_group.rst deleted file mode 100644 index 143b226..0000000 --- a/umn/source/security/security_group/modifying_a_security_group.rst +++ /dev/null 
@@ -1,43 +0,0 @@ -:original_name: vpc_SecurityGroup_0010.html - -.. _vpc_SecurityGroup_0010: - -Modifying a Security Group -========================== - -**Scenarios** -------------- - -Modify the name and description of a created security group. - -Procedure ---------- - -**Method 1** - -#. Log in to the management console. -#. Click |image1| in the upper left corner and select the desired region and project. -#. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. -#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, locate the target security group and choose **More** > **Modify** in the **Operation** column. -#. Modify the name and description of the security group as required. -#. Click **OK**. - -**Method 2** - -#. Log in to the management console. -#. Click |image3| in the upper left corner and select the desired region and project. -#. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. -#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click the security group name. -#. On the displayed page, click |image5| on the right of **Name** and edit the security group name. -#. Click **Y** to save the security group name. -#. Click |image6| on the right of **Description** and edit the security group description. -#. Click **Y** to save the security group description. - -.. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png -.. |image3| image:: /_static/images/en-us_image_0141273034.png -.. |image4| image:: /_static/images/en-us_image_0000001500905066.png -.. |image5| image:: /_static/images/en-us_image_0239476777.png -.. |image6| image:: /_static/images/en-us_image_0239476777.png 
diff --git a/umn/source/security/security_group/replicating_a_security_group_rule.rst b/umn/source/security/security_group/replicating_a_security_group_rule.rst deleted file mode 100644 index 7dcc70d..0000000 --- a/umn/source/security/security_group/replicating_a_security_group_rule.rst +++ /dev/null @@ -1,33 +0,0 @@ -:original_name: vpc_SecurityGroup_0004.html - -.. _vpc_SecurityGroup_0004: - -Replicating a Security Group Rule -================================= - -**Scenarios** -------------- - -Replicate an existing security group rule to generate a new rule. When replicating a security group rule, you can make changes so that it is not a perfect copy. - -Procedure ---------- - -#. Log in to the management console. - -#. Click |image1| in the upper left corner and select the desired region and project. - -#. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. - -#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. - -#. On the **Security Groups** page, click the security group name. - -#. On the displayed page, locate the row that contains the security group rule to be replicated, and click **Replicate** in the **Operation** column. - - You can also modify the security group rule as required to quickly generate a new rule. - -#. Click **OK**. - -.. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png diff --git a/umn/source/security/security_group/security_group_configuration_examples.rst b/umn/source/security/security_group/security_group_configuration_examples.rst deleted file mode 100644 index 628c72b..0000000 --- a/umn/source/security/security_group/security_group_configuration_examples.rst +++ /dev/null 
@@ -1,199 +0,0 @@ -:original_name: en-us_topic_0081124350.html - -.. _en-us_topic_0081124350: - -Security Group Configuration Examples -===================================== - -Common security group configurations are presented here. The examples in this section allow all outgoing data packets by default. This section will only describe how to configure inbound rules. - -- .. _en-us_topic_0081124350__li2921164192410: - - :ref:`Allowing External Access to a Specified Port ` - -- :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network ` - -- :ref:`Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group ` - -- :ref:`Remotely Connecting to Linux ECSs Using SSH ` - -- :ref:`Remotely Connecting to Windows ECSs Using RDP ` - -- :ref:`Enabling Communication Between ECSs ` - -- :ref:`Hosting a Website on ECSs ` - -- :ref:`Enabling an ECS to Function as a DNS Server ` - -- :ref:`Uploading or Downloading Files Using FTP ` - -You can use the default security group or create a security group in advance. For details, see sections :ref:`Creating a Security Group ` and :ref:`Adding a Security Group Rule `. - -Allowing External Access to a Specified Port --------------------------------------------- - -- Example scenario: - - After services are deployed, you can add security group rules to allow external access to a specified port (for example, 1100). - -- Security group rule: - - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound TCP 1100 0.0.0.0/0 - ========= ======== ==== ========= - -.. 
_en-us_topic_0081124350__section14197522283: - -Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network ------------------------------------------------------------------------------------------------------ - -- Example scenario: - - Resources on an ECS in a security group need to be copied to an ECS associated with another security group. The two ECSs are in the same VPC. We recommend that you enable private network communication between the ECSs and then copy the resources. - -- Security group configuration: - - Within a given VPC, ECSs in the same security group can communicate with one another by default. However, ECSs in different security groups cannot communicate with each other by default. To enable these ECSs to communicate with each other, you need to add certain security group rules. - - You can add an inbound rule to the security groups containing the ECSs to allow access from ECSs in the other security group. The required rule is as follows. - - +-----------------+--------------------------------------------------------------------------+-----------------+------------------------------------+ - | Direction | Protocol | Port | Source | - +=================+==========================================================================+=================+====================================+ - | Inbound | TCP | All | ID of another security group | - | | | | | - | | .. note:: | | Example: 014d7278-XXX-530c95350d43 | - | | | | | - | | Select a protocol used for communication through an internal network. | | | - +-----------------+--------------------------------------------------------------------------+-----------------+------------------------------------+ - -.. 
_en-us_topic_0081124350__section17693183118306: - -Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group ---------------------------------------------------------------------------- - -- Example scenario: - - To prevent ECSs from being attacked, you can change the port for remote login and configure security group rules that allow only specified IP addresses to remotely access the ECSs. - -- Security group configuration: - - To allow IP address **192.168.20.2** to remotely access Linux ECSs in a security group over the SSH protocol (port 22), you can configure the following security group rule. - - +-----------------+-----------------+-----------------+-------------------------------------------------+ - | Direction | Protocol | Port | Source | - +=================+=================+=================+=================================================+ - | Inbound | SSH | 22 | IPv4 CIDR block or ID of another security group | - | | | | | - | | | | For example, 192.168.20.2/32 | - +-----------------+-----------------+-----------------+-------------------------------------------------+ - -.. _en-us_topic_0081124350__section115069253338: - -Remotely Connecting to Linux ECSs Using SSH -------------------------------------------- - -- Example scenario: - - After creating Linux ECSs, you can add a security group rule to enable remote SSH access to the ECSs. - -- Security group rule: - - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound SSH 22 0.0.0.0/0 - ========= ======== ==== ========= - -.. _en-us_topic_0081124350__section168046312349: - -Remotely Connecting to Windows ECSs Using RDP ---------------------------------------------- - -- Example scenario: - - After creating Windows ECSs, you can add a security group rule to enable remote RDP access to the ECSs. 
- -- Security group rule: - - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound RDP 3389 0.0.0.0/0 - ========= ======== ==== ========= - -.. _en-us_topic_0081124350__section34721049193411: - -Enabling Communication Between ECSs ------------------------------------ - -- Example scenario: - - After creating ECSs, you need to add a security group rule so that you can run the **ping** command to test communication between the ECSs. - -- Security group rule: - - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound ICMP All 0.0.0.0/0 - ========= ======== ==== ========= - -.. _en-us_topic_0081124350__section1517991516357: - -Hosting a Website on ECSs -------------------------- - -- Example scenario: - - If you deploy a website on your ECSs and require that your website be accessed over HTTP or HTTPS, you can add rules to the security group used by the ECSs that function as the web servers. - -- Security group rule: - - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound HTTP 80 0.0.0.0/0 - Inbound HTTPS 443 0.0.0.0/0 - ========= ======== ==== ========= - -.. _en-us_topic_0081124350__section2910346123520: - -Enabling an ECS to Function as a DNS Server -------------------------------------------- - -- Example scenario: - - If you need to use an ECS as a DNS server, you must allow TCP and UDP access from port 53 to the DNS server. You can add the following rules to the security group associated with the ECS. - -- Security group rules: - - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound TCP 53 0.0.0.0/0 - Inbound UDP 53 0.0.0.0/0 - ========= ======== ==== ========= - -.. 
_en-us_topic_0081124350__section5964121693610: - -Uploading or Downloading Files Using FTP ----------------------------------------- - -- Example scenario: - - If you want to use File Transfer Protocol (FTP) to upload files to or download files from ECSs, you need to add a security group rule. - - .. note:: - - You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly. - -- Security group rule: - - ========= ======== ===== ========= - Direction Protocol Port Source - ========= ======== ===== ========= - Inbound TCP 20-21 0.0.0.0/0 - ========= ======== ===== ========= diff --git a/umn/source/security/security_group/security_group_overview.rst b/umn/source/security/security_group/security_group_overview.rst deleted file mode 100644 index f470b83..0000000 --- a/umn/source/security/security_group/security_group_overview.rst +++ /dev/null 
@@ -1,75 +0,0 @@ -:original_name: en-us_topic_0073379079.html - -.. _en-us_topic_0073379079: - -Security Group Overview -======================= - -Security Group --------------- - -A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted. After a security group is created, you can create various access rules for the security group, these rules will apply to all cloud resources added to this security group. - -Like whitelists, security group rules work as follows: - -- Inbound rule: If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. - - Unless otherwise specified, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. - -- Outbound rule: If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. - - IPv4 default route: 0.0.0.0/0 - - IPv6 default route: ::/0 - -:ref:`Table 1 ` shows the inbound and outbound rules in security group sg-AB. - -.. _en-us_topic_0073379079__table102261597217: - -.. table:: **Table 1** Rules in security group sg-AB - - +-----------+--------+-----------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+ - | Direction | Action | Protocol & Port | Source or Destination | Description | - +===========+========+=================+========================+===========================================================================================================================================+ - | Inbound | Allow | All | Source: sg-AB | Allows access requests from security group sg-AB. 
This rule ensures that instances in the security group can communicate with each other. | - +-----------+--------+-----------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+ - | Outbound | Allow | All | Destination: 0.0.0.0/0 | Allows all requests in the security group to be sent out. | - +-----------+--------+-----------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+ - -The system automatically creates a default security group for each account. If the default security group does not meet your requirements, you can :ref:`modify security group rules ` or :ref:`create a custom security group `. - -Security Group Basics ---------------------- - -- You can associate instances, such as servers and extension NICs, with one or more security groups. - - You can change the security groups that are associated with instances, such as servers or extension NICs. By default, when you create an instance, it is associated with the default security group of its VPC unless you specify another security group. - -- You need to add security group rules to allow instances in the same security group to communicate with each other. - -- Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. - - Security groups use connection tracking to track traffic to and from instances that they contain and security group rules are applied based on the connection status of the traffic to determine whether to allow or deny traffic. 
If you add, modify, or delete a security group rule, or create or delete an instance in the security group, the connection tracking of all instances in the security group will be automatically cleared. In this case, the inbound or outbound traffic of the instance will be considered as new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and the security of incoming traffic. - - In addition, if the inbound or outbound traffic of an instance has no packets for a long time, the traffic will be considered as new connections after the connection tracking times out, and the connections need to match the outbound and inbound rules. The timeout period of connection tracking varies according to the protocol. The timeout period of a TCP connection in the established state is 600s, and the timeout period of an ICMP connection is 30s. For other protocols, if packets are received in both directions, the connection tracking timeout period is 180s. If one or more packets are received in one direction but no packet is received in the other direction, the connection tracking timeout period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked. - -.. note:: - - If two ECSs are in the same security group but in different VPCs, the ECSs cannot communicate with each other. To enable communications between the ECSs, use a VPC peering connection to connect the two VPCs. - -Security Group Rules --------------------- - -After you create a security group, you can add rules to the security group. A rule applies either to inbound traffic or outbound traffic. After you add cloud resources to the security group, they are protected by the rules of the group. - -Each security group has its default rules. For details, see :ref:`Table 1 `. You can also customize security group rules. For details, see :ref:`Adding a Security Group Rule `. 
- -Security Group Constraints --------------------------- - -- By default, you can create a maximum of 100 security groups in your cloud account. -- By default, you can add up to 50 security group rules to a security group. -- When creating a private network load balancer, you need to select a desired security group. Do not delete the default security group rules or ensure that the following requirements are met: - - - Outbound rules: only allow data packets to the selected security group or only data packets from the peer load balancer. - - Inbound rules: only allow data packets from the selected security group or only data packets from the peer load balancer. diff --git a/umn/source/service_overview/basic_concepts/route_table.rst b/umn/source/service_overview/basic_concepts/route_table.rst index e4d01a3..02588c9 100644 --- a/umn/source/service_overview/basic_concepts/route_table.rst +++ b/umn/source/service_overview/basic_concepts/route_table.rst 
@@ -8,32 +8,27 @@ Route Table Route Tables ------------ -A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet must be associated with a route table. You can associate a subnet with only one route table at a time, but you can associate multiple subnets with the same route table. +A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet must be associated with a route table. A subnet can only be associated with one route table, but you can associate multiple subnets with the same route table. -.. figure:: /_static/images/en-us_image_0000001229959315.png - :alt: **Figure 1** Route Table +.. figure:: /_static/images/en-us_image_0000001650535960.png + :alt: **Figure 1** Route tables - **Figure 1** Route Table + **Figure 1** Route tables -Default Route Table and Custom Route Table ------------------------------------------- +- Default route table: When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. The default route table ensures that subnets in a VPC can communicate with each other. -When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. + - You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the table. + - When you create a VPC endpoint, VPN or Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. -- You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the table. 
-- When you create a VPC endpoint, VPN or Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. +- Custom route table: If you do not want to use the default route table, you can create a custom route table and associate it with the subnet. Custom route tables can be deleted if they are no longer required. -If you do not want to use the default route table, you can now create a custom route table and associate it with the subnet. You can delete the custom route table if it is no longer required. - -.. note:: - - The custom route table associated with a subnet affects only the outbound traffic. The default route table determines the inbound traffic. + The custom route table associated with a subnet affects only the outbound traffic. The default route table controls the inbound traffic. Route ----- -A route is configured with the destination, next hop type, and next hop to determine where network traffic is directed. Routes are classified into system routes and custom routes. +You can add routes to default and custom route tables and configure the destination, next hop type, and next hop in the routes to determine where network traffic is directed. Routes are classified into system routes and custom routes. - System routes: These routes are automatically added by the system and cannot be modified or deleted. diff --git a/umn/source/service_overview/basic_concepts/security_group.rst b/umn/source/service_overview/basic_concepts/security_group.rst index 657250c..aa59a7c 100644 --- a/umn/source/service_overview/basic_concepts/security_group.rst +++ b/umn/source/service_overview/basic_concepts/security_group.rst 
@@ -9,26 +9,38 @@ A security group is a collection of access control rules for cloud resources, su Like whitelists, security group rules work as follows: -- Inbound rule: If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. +- Inbound rules control incoming traffic to instances in the security group. - Unless otherwise specified, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. -- Outbound rule: If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. + By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. - IPv4 default route: 0.0.0.0/0 +- Outbound rules control outgoing traffic from instances in the security group. - IPv6 default route: ::/0 + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. -:ref:`Table 1 ` shows the inbound and outbound rules in security group sg-AB. + 0.0.0.0/0 represents all IPv4 addresses. + + ::/0 represents all IPv6 addresses. + +:ref:`Table 1 ` uses custom security group sg-AB as an example to describe its inbound and outbound rules in detail. .. _vpc_concepts_0005__en-us_topic_0073379079_table102261597217: .. 
table:: **Table 1** Rules in security group sg-AB - +-----------+--------+-----------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+ - | Direction | Action | Protocol & Port | Source or Destination | Description | - +===========+========+=================+========================+===========================================================================================================================================+ - | Inbound | Allow | All | Source: sg-AB | Allows access requests from security group sg-AB. This rule ensures that instances in the security group can communicate with each other. | - +-----------+--------+-----------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+ - | Outbound | Allow | All | Destination: 0.0.0.0/0 | Allows all requests in the security group to be sent out. | - +-----------+--------+-----------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+ + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Source/Destination | Description | + +===========+======+=================+========================+==============================================================================================================================+ + | Inbound | IPv4 | All | Source: sg-AB | Allows ECSs in the security group to communicate with each other. 
| + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 22 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access ECSs in the security group over port 22 (SSH) for remotely logging in to Linux ECSs. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 3389 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access ECSs in the security group over port 3389 (RDP) for remotely logging in to Windows ECSs. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 80 | Source: 10.5.6.30/32 | Allows IP address 10.5.6.30 to access ECSs in the security group over port 80. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Outbound | IPv4 | All | Destination: 0.0.0.0/0 | Allows access from ECSs in the security group to any IPv4 address over any port. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Outbound | IPv6 | All | Destination: ::/0 | Allows access from ECSs in the security group to any IPv6 address over any port. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ 
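Review bot: the two new example rows in Table 1 open TCP 22 and TCP 3389 to `0.0.0.0/0`. Example rules on a concepts page tend to be copied verbatim, so either narrow the source in those rows to a specific CIDR (the port 80 row already does this with `10.5.6.30/32`) or add one sentence after the table recommending that the source for remote-login ports be restricted to known management addresses. Separately, "If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied." describes matching on source only, but a rule also carries protocol and port; suggest "matches the source, protocol, and port of an inbound rule".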
diff --git a/umn/source/service_overview/basic_concepts/shared_snat.rst b/umn/source/service_overview/basic_concepts/shared_snat.rst index 3821599..483ed29 100644 --- a/umn/source/service_overview/basic_concepts/shared_snat.rst +++ b/umn/source/service_overview/basic_concepts/shared_snat.rst @@ -16,13 +16,19 @@ The VPC service provides free SNAT function, which allows ECSs to use a limited **Figure 1** SNAT function -- To enable shared SNAT using the API, set **enable_snat** to **true** by following the instructions provided in **Neutron** > **Routers** > **Update router** in the *Native OpenStack API Reference*. +- To enable shared SNAT using the API, refer to `Updating a Router `__ and set **enable_snat** to **true**. - To enable shared SNAT on the management console: #. Log in to the management console. - #. On the console homepage, under **Network**, click **Virtual Private Cloud**. + + #. Click |image1| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + #. On the **Virtual Private Cloud** page, locate the VPC for which shared SNAT is to be enabled, and click **Modify**. + #. In the displayed dialog box, enable **Shared SNAT**. + #. Click **OK**. After being configured for a VPC, shared SNAT takes effect for the whole VPC. If EIPs are bound to ECSs in a VPC for which shared SNAT is configured, Internet traffic is preferentially forwarded using the EIPs. If you want to prevent an ECS from connecting to the Internet, you can configure an outbound rule for the security group associated with the ECS. 
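Review bot: the new link "`Updating a Router `__" in the first bullet has an empty target as shown here; confirm the URL is present in the source, otherwise the build warns and the replaced pointer to Neutron > Routers > Update router is lost without a substitute. Also, since the unchanged context says shared SNAT takes effect for the whole VPC and names a security group outbound rule as the way to keep an individual ECS off the Internet, it is worth adding next to the console steps that the default outbound rule (Table 1 in security_group.rst in this same change) allows all destinations, so an operator who expects enabling SNAT to be scoped knows they must add an explicit rule.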
@@ -57,3 +63,5 @@ To prevent an ECS from connecting to the Internet but allow the ECS to access 19 - A custom route enables ECSs to access the Internet through an SNAT server that has an EIP bound. The ECSs' access requests are routed to the SNAT server based on the route table. - Shared SNAT takes effect for the whole VPC by default, while a custom route takes effect for the VPC or subnet for which routes have been configured. - A custom route has a higher priority than a shared SNAT. + +.. |image1| image:: /_static/images/en-us_image_0000001675619157.png diff --git a/umn/source/service_overview/basic_concepts/subnet.rst b/umn/source/service_overview/basic_concepts/subnet.rst index 60cb03f..d34d26a 100644 --- a/umn/source/service_overview/basic_concepts/subnet.rst +++ b/umn/source/service_overview/basic_concepts/subnet.rst 
@@ -7,14 +7,14 @@ Subnet A subnet is a unique CIDR block with a range of IP addresses in a VPC. All resources in a VPC must be deployed on subnets. -- By default, ECSs in all subnets of the same VPC can communicate with one another, but ECSs in different VPCs cannot. +- By default, all instances in different subnets of the same VPC can communicate with each other and the subnets can be located in different AZs. For example, VPC-A has subnet A01 in AZ A and subnet A02 in AZ B. Subnet A01 and subnet B01 can communicate with each other by default. - You can create VPC peering connections to enable ECSs in different VPCs but in the same region to communicate with one another. For details, see :ref:`VPC Peering Connection Overview `. +- After a subnet is created, its CIDR block cannot be modified. Subnets in the same VPC cannot overlap. -- After a subnet is created, its CIDR block cannot be modified. + A subnet mask can be between the netmask of its VPC CIDR block and /29 netmask. If a VPC CIDR block is 10.0.0.0/16, its subnet mask can between 16 to 29. - The subnets used to deploy your resources must reside within your VPC, and the subnet masks used to define them can be between the netmask of its VPC CIDR block and /29 netmask. + For example, if the CIDR block of VPC-A is 10.0.0.0/16, you can specify 10.0.0.0/24 for subnet A01, 10.0.1.0/24 for subnet A02, and 10.0.3.0/24 for subnet A03. - - 10.0.0.0 - 10.255.255.255 - - 172.16.0.0 - 172.31.255.255 - - 192.168.0.0 - 192.168.255.255 + .. note:: + + By default, you can create a maximum of 100 subnets in each region. If this cannot meet your service requirements, request a quota increase by referring to :ref:`What Is a Quota? ` diff --git a/umn/source/service_overview/index.rst b/umn/source/service_overview/index.rst index a09d654..13643f5 100644 --- a/umn/source/service_overview/index.rst +++ b/umn/source/service_overview/index.rst 
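Review bot: the example in the first bullet is inconsistent: it introduces subnet A01 in AZ A and subnet A02 in AZ B, then says "Subnet A01 and subnet B01 can communicate with each other"; it should read "subnet A02". In the netmask paragraph, "its subnet mask can between 16 to 29" is missing a verb and should be "its subnet mask can be between /16 and /29". The closing note lacks a terminating period after the `:ref:`. Also, the three listed private address ranges are removed here; if they are not relocated elsewhere, readers lose the only statement of which address ranges a VPC may use.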
@@ -9,7 +9,6 @@ Service Overview - :ref:`Product Advantages ` - :ref:`Application Scenarios ` - :ref:`VPC Connectivity ` -- :ref:`Notes and Constraints ` - :ref:`VPC and Other Services ` - :ref:`Permissions ` - :ref:`Basic Concepts ` @@ -23,7 +22,6 @@ Service Overview product_advantages application_scenarios vpc_connectivity - notes_and_constraints vpc_and_other_services permissions basic_concepts/index diff --git a/umn/source/service_overview/notes_and_constraints.rst b/umn/source/service_overview/notes_and_constraints.rst deleted file mode 100644 index 2209681..0000000 --- a/umn/source/service_overview/notes_and_constraints.rst +++ /dev/null 
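Review bot: removing `notes_and_constraints` from both the bullet list and the toctree is required once the page is deleted, but any `:ref:` to `overview_0003` elsewhere in the manual will now fail the build; grep for that label before merging.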
@@ -1,69 +0,0 @@ -:original_name: overview_0003.html - -.. _overview_0003: - -Notes and Constraints -===================== - -Security Group --------------- - -- By default, you can create a maximum of 100 security groups in your cloud account. -- By default, you can add up to 50 security group rules to a security group. -- When creating a private network load balancer, you need to select a desired security group. Do not delete the default security group rules or ensure that the following requirements are met: - - - Outbound rules: only allow data packets to the selected security group or only data packets from the peer load balancer. - - Inbound rules: only allow data packets from the selected security group or only data packets from the peer load balancer. - -Firewall --------- - -- By default, you can create a maximum of 200 firewalls in your cloud account. -- You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time. -- A firewall can contain no more than 20 rules in one direction, or performance will deteriorate. -- For optimal performance, import no more than 40 firewall rules at a time. Existing rules will still be available after new rules are imported. Each rule can be imported only once. - -Route Table ------------ - -- You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the table. -- When you create a VPC endpoint, VPN or Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. - -VPC Peering Connection ----------------------- - -- A VPC peering connection can only connect VPCs in the same region. -- If the local and peer VPCs have overlapping CIDR blocks, the VPC peering connection may not take effect. -- A VPC cannot use EIPs of its peered VPC for Internet access. For example, if VPC A is peered with VPC B that has EIPs, VPC A cannot use EIPs in VPC B to access the Internet. 
- -VPC Flow Log ------------- - -- Currently, only C3, M3, and S2 ECSs support VPC flow logs. -- By default, you can create a maximum of 10 VPC flow logs. -- By default, a maximum of 400,000 flow log records are supported. - -Virtual IP Address ------------------- - -- Virtual IP addresses are not recommended when multiple NICs in the same subnet are configured on an ECS. It is too easy for there to be route conflicts on the ECS, which would cause communication failure using the virtual IP address. - -EIP ---- - -- Each EIP can only be bound to one cloud resource. -- An EIP that has already been bound to a cloud resource cannot be bound to another resource without first being unbound from the current resource. -- You can only release EIPs that are not bound to any resources. -- The system preferentially assigns EIPs to you from the ones you released, if any. However, if any of these EIPs is already assigned to another user, it cannot be re-assigned to you. -- EIPs cannot be transferred across accounts. - -Bandwidth ---------- - -- A dedicated bandwidth can control how much data can be transferred using a single EIP. -- A shared bandwidth cannot control how much data can be transferred using a single EIP. Data transfer rate on EIPs cannot be customized. -- A shared bandwidth or dedicated bandwidth can only be used by resources owned by the same account. - -.. note:: - - - Inbound bandwidth is the bandwidth consumed when data is transferred from the Internet to the cloud. Outbound bandwidth is the bandwidth consumed when data is transferred from the cloud to the Internet. diff --git a/umn/source/service_overview/permissions.rst b/umn/source/service_overview/permissions.rst index 0a478cf..905be36 100644 --- a/umn/source/service_overview/permissions.rst +++ b/umn/source/service_overview/permissions.rst 
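Review bot: this deletion drops limits and caveats that are not visibly relocated in this change: the security group quotas (100 groups, 50 rules per group) and the load balancer rule requirement, the firewall limits (200 firewalls, 20 rules per direction, 40 rules per import, one firewall per subnet), the VPC peering caveats (same region only, overlapping CIDR blocks may prevent the connection from taking effect, no use of the peer VPC's EIPs), the flow log limits, the virtual IP multi-NIC warning, and the EIP constraints. Of the deleted items, only the route table bullets (already present in route_table.rst) and one of the three bandwidth bullets (added to shared_bandwidth_overview.rst) appear elsewhere in this diff. Either move the remaining items into the corresponding basic_concepts pages in the same commit or keep this file until they have a new home; the peering overlapping-CIDR and firewall rule-count notes in particular affect whether access controls behave as expected.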
@@ -23,7 +23,7 @@ VPC is a project-level service deployed for specific regions. When you set **Sco You can grant permissions by using roles and policies. - Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. When you grant permissions using roles, you also need to attach dependent roles. Roles are not ideal for fine-grained authorization and least privilege access. -- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage VPCs of a certain type. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by VPC, see `Permissions Policies and Supported Actions `__. +- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant VPC users only the permissions for managing a certain type of resources. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by VPC, see `Permissions Policies and Supported Actions `__. :ref:`Table 1 ` lists all the system-defined permissions for VPC. 
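Review bot: "the permissions for managing a certain type of resources" should be "a certain type of resource"; the rest of the rewording is fine and the least-privilege guidance is unchanged.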
@@ -34,7 +34,7 @@ You can grant permissions by using roles and policies. +--------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ | Policy Name | Description | Policy Type | Dependencies | +====================+=========================================================================================================================+=======================+==============================================================================================================================+ - | VPC FullAccess | Full permissions for VPC | System-defined policy | None | + | VPC FullAccess | Full permissions for VPC | System-defined policy | To use the VPC flow log function, users must also have the **LTS ReadOnlyAccess** permission. | +--------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ | VPC ReadOnlyAccess | Read-only permissions on VPC. | System-defined policy | None | +--------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ 
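Review bot: the new Dependencies cell for `VPC FullAccess` says the flow log function requires `LTS ReadOnlyAccess`, but the `VPC ReadOnlyAccess` row below still lists `None`, while Table 2 marks "Viewing a VPC flow log" as Y for VPC ReadOnlyAccess. If the LTS dependency applies to reading flow log records, it applies to the read-only policy too; either add the same dependency to that row or qualify the FullAccess cell to the operations that actually need LTS.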
@@ -49,79 +49,89 @@ You can grant permissions by using roles and policies. .. table:: **Table 2** Common operations supported by system-defined permissions - +--------------------------------------+--------------------+-------------------+----------------+ - | Operation | VPC ReadOnlyAccess | VPC Administrator | VPC FullAccess | - +======================================+====================+===================+================+ - | Creating a VPC | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Modifying a VPC | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a VPC | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Viewing VPC information | Y | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Creating a subnet | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Viewing subnet information | Y | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Modifying a subnet | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a subnet | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Creating a security group | x | x | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Viewing security group information | Y | x | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Modifying a security group | x | x | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a 
security group | x | x | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Adding a security group rule | x | x | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Viewing a security group rule | Y | x | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Modifying a security group rule | x | x | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a security group rule | x | x | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Creating a firewall | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Viewing a firewall | Y | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Modifying a firewall | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a firewall | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Adding a firewall rule | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Modifying a firewall rule | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a firewall rule | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Creating a VPC peering connection | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Modifying a VPC peering connection | x | Y | Y | - 
+--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a VPC peering connection | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Creating a route table | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a route table | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Adding a route | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Modifying a route | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a route | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Creating a VPC flow log | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Viewing a VPC flow log | Y | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Enabling or disabling a VPC flow log | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ - | Deleting a VPC flow log | x | Y | Y | - +--------------------------------------+--------------------+-------------------+----------------+ + +--------------------------------------------+--------------------+-------------------+----------------+ + | Operation | VPC ReadOnlyAccess | VPC Administrator | VPC FullAccess | + +============================================+====================+===================+================+ + | Creating a VPC | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Modifying a VPC | x | Y | Y | + 
+--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a VPC | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Viewing VPC information | Y | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Creating a subnet | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Viewing subnet information | Y | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Modifying a subnet | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a subnet | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Creating a security group | x | x | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Viewing security group information | Y | x | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Modifying a security group | x | x | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a security group | x | x | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Adding a security group rule | x | x | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Viewing a security group rule | Y | x | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Modifying a security group rule | x | x | Y | + 
+--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a security group rule | x | x | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Creating a firewall | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Viewing a firewall | Y | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Modifying a firewall | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a firewall | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Adding a firewall rule | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Modifying a firewall rule | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a firewall rule | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Creating a VPC peering connection | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Modifying a VPC peering connection | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a VPC peering connection | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Querying a VPC peering connection | Y | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Accepting a VPC peering connection request | x | Y | Y | + 
+--------------------------------------------+--------------------+-------------------+----------------+ + | Rejecting a VPC peering connection request | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Creating a route table | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a route table | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Modifying a route table | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Associating a route table with a subnet | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Adding a route | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Modifying a route | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a route | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Creating a VPC flow log | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Viewing a VPC flow log | Y | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Enabling or disabling a VPC flow log | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ + | Deleting a VPC flow log | x | Y | Y | + +--------------------------------------------+--------------------+-------------------+----------------+ Helpful Links ------------- 
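Review bot: the new row "Querying a VPC peering connection" breaks the wording used for every other read operation in Table 2 ("Viewing a firewall", "Viewing a VPC flow log"); rename it to "Viewing a VPC peering connection". Also, the table is deleted and re-added in full only to widen the first column; the substantive additions are the peering query/accept/reject rows and the route table modify/associate rows, which should be called out in the commit message so reviewers do not have to diff the two blocks by hand.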
diff --git a/umn/source/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst b/umn/source/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst index ab03f9d..e42c400 100644 --- a/umn/source/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst +++ b/umn/source/shared_bandwidth/adding_eips_to_a_shared_bandwidth.rst @@ -13,8 +13,7 @@ Add EIPs to a shared bandwidth and the EIPs can then share that bandwidth. You c Notes and Constraints --------------------- -- After an EIP is added to a shared bandwidth, the original bandwidth used by the EIP will become invalid and the EIP will start to use the shared bandwidth. -- The EIP's original dedicated bandwidth will be deleted. +- The type of EIPs must be the same as that of the shared bandwidth the EIPs to be added to. - Do not add EIPs of the dedicated load balancer type (**5_gray**) and other types to the same shared bandwidth. Otherwise, the bandwidth limit policy will not take effect. Procedure @@ -30,6 +29,10 @@ Procedure 5. In the shared bandwidth list, locate the row that contains the shared bandwidth that you want to add EIPs to. In the **Operation** column, choose **Add EIP**, and select the EIPs to be added. + .. note:: + + - After an EIP is added to a shared bandwidth, the dedicated bandwidth used by the EIP will become invalid and the EIP will start to use the shared bandwidth. The EIP's dedicated bandwidth will be deleted and will no longer be billed. + .. figure:: /_static/images/en-us_image_0000001211006359.png :alt: **Figure 1** Add EIP diff --git a/umn/source/shared_bandwidth/assigning_a_shared_bandwidth.rst b/umn/source/shared_bandwidth/assigning_a_shared_bandwidth.rst index 1faaa88..444ee65 100644 --- a/umn/source/shared_bandwidth/assigning_a_shared_bandwidth.rst +++ b/umn/source/shared_bandwidth/assigning_a_shared_bandwidth.rst 
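Review bot: "The type of EIPs must be the same as that of the shared bandwidth the EIPs to be added to." is ungrammatical; suggest "The EIPs must be of the same type as the shared bandwidth they are added to." In the second hunk, the relocated note is a one-item bullet list inside `.. note::`, which reads better as a plain paragraph, and the added clause "will no longer be billed" did not exist in the removed constraint text; confirm that billing statement before publishing.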
@@ -43,11 +43,9 @@ Procedure | Enterprise Project | The enterprise project that the EIP belongs to. | default | | | | | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | - | | | | - | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. | | +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ -#. Click **Create Now**. +#. Click **Assign Now**. .. |image1| image:: /_static/images/en-us_image_0141273034.png .. |image2| image:: /_static/images/en-us_image_0000001454059512.png diff --git a/umn/source/shared_bandwidth/deleting_a_shared_bandwidth.rst b/umn/source/shared_bandwidth/deleting_a_shared_bandwidth.rst index d2eae01..0ddff4a 100644 --- a/umn/source/shared_bandwidth/deleting_a_shared_bandwidth.rst +++ b/umn/source/shared_bandwidth/deleting_a_shared_bandwidth.rst @@ -23,9 +23,10 @@ Procedure 2. Click |image1| in the upper left corner and select the desired region and project. 3. Click |image2| in the upper left corner and choose **Network** > **Elastic IP**. + 4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. 5. In the shared bandwidth list, locate the row that contains the shared bandwidth you want to delete, click **More** in the **Operation** column, and then click **Delete**. -6. In the displayed dialog box, click **Yes**. +6. In the displayed dialog box, click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png .. |image2| image:: /_static/images/en-us_image_0000001454059512.png 
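Review bot: in deleting_a_shared_bandwidth.rst a blank line is inserted only between steps 3 and 4 while the other steps stay unseparated; either separate all items or none, as the mixed spacing renders inconsistently. In assigning_a_shared_bandwidth.rst the pointer to the Enterprise Management User Guide is dropped from the Enterprise Project row; if that guide is still published, keep the cross-reference, since the remaining cell no longer tells the reader where enterprise projects are created.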
diff --git a/umn/source/shared_bandwidth/shared_bandwidth_overview.rst b/umn/source/shared_bandwidth/shared_bandwidth_overview.rst index 8be79a2..50704cc 100644 --- a/umn/source/shared_bandwidth/shared_bandwidth_overview.rst +++ b/umn/source/shared_bandwidth/shared_bandwidth_overview.rst @@ -7,6 +7,10 @@ Shared Bandwidth Overview A shared bandwidth can be shared by multiple EIPs and controls the data transfer rate on these EIPs in a centralized manner. All ECSs, BMSs, and load balancers that have EIPs bound in the same region can share a bandwidth. +.. note:: + + - A shared bandwidth cannot control how much data can be transferred using a single EIP. Data transfer rate on EIPs cannot be customized. + When you host a large number of applications on the cloud, if each EIP uses a bandwidth, a lot of bandwidths are required, increasing O&M workload. If all EIPs share the same bandwidth, VPCs and the region-level bandwidth can be managed in a unified manner, simplifying O&M statistics and network operations cost settlement. - Easy to Manage diff --git a/umn/source/virtual_ip_address/assigning_a_virtual_ip_address.rst b/umn/source/virtual_ip_address/assigning_a_virtual_ip_address.rst index b2dde32..7ee8266 100644 --- a/umn/source/virtual_ip_address/assigning_a_virtual_ip_address.rst +++ b/umn/source/virtual_ip_address/assigning_a_virtual_ip_address.rst 
@@ -14,20 +14,29 @@ Procedure --------- #. Log in to the management console. + #. Click |image1| in the upper left corner and select the desired region and project. + #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. + #. In the subnet list, click the name of the subnet where a virtual IP address is to be assigned. + #. Click the **IP Addresses** tab and click **Assign Virtual IP Address**. + #. Select a virtual IP address assignment mode. - **Automatic**: The system assigns an IP address automatically. - **Manual**: You can specify an IP address. #. Select **Manual** and enter a virtual IP address. + #. Click **OK**. You can then query the assigned virtual IP address in the IP address list. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001554010645.png +.. |image2| image:: /_static/images/en-us_image_0000001626897562.png diff --git a/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst b/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst index 2cf1b8c..a10a09a 100644 --- a/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst +++ b/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip.rst 
@@ -19,10 +19,18 @@ Procedure --------- #. Log in to the management console. + #. Click |image1| in the upper left corner and select the desired region and project. -#. On the console homepage, under **Network**, click **Elastic IP**. + +#. Click |image2| in the upper left corner and choose **Network** > **Elastic IP**. + + The EIP list page is displayed. + #. Locate the row that contains the EIP to be bound to the virtual IP address, and click **Bind** in the **Operation** column. + #. In the **Bind EIP** dialog box, set **Instance Type** to **Virtual IP address**. + #. In the virtual IP address list, select the virtual IP address to be bound and click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001626578706.png diff --git a/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst b/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst index 2edbaf5..e67f597 100644 --- a/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst +++ b/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst 
@@ -10,20 +10,32 @@ Scenarios You can bind a virtual IP address to an EIP so that you can access the ECSs bound with the same virtual IP address from the Internet. These ECSs can work in the active/standby mode to improve fault tolerance. +Notes and Constraints +--------------------- + +- Each virtual IP address can be bound to only one EIP. + Procedure --------- #. Log in to the management console. + #. Click |image1| in the upper left corner and select the desired region and project. + #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. + #. In the subnet list, click the name of the subnet that the virtual IP address belongs to. + #. Click the **IP Addresses** tab. - To bind a virtual IP address to an EIP, locate the row that contains the virtual IP address and click **Bind to EIP** in the **Operation** column. - To bind a virtual IP address to an ECS, locate the row that contains the virtual IP address and click **Bind to Server** in the **Operation** column. -#. Select the desired EIP, or ECS and its NIC. +#. Select the EIP or ECS to be bound. .. note:: @@ -129,7 +141,7 @@ Procedure In the command output, **IPv4 Address** is the virtual IP address 10.0.0.154, indicating that the virtual IP address of the ECS NIC has been correctly configured. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001553930581.png +.. |image2| image:: /_static/images/en-us_image_0000001626738526.png .. |image3| image:: /_static/images/en-us_image_0000001281210233.png .. |image4| image:: /_static/images/en-us_image_0000001237328110.png .. |image5| image:: /_static/images/en-us_image_0000001237013856.png 
diff --git a/umn/source/virtual_ip_address/disabling_ip_forwarding_on_the_standby_ecs.rst b/umn/source/virtual_ip_address/disabling_ip_forwarding_on_the_standby_ecs.rst new file mode 100644 index 0000000..02c7785 --- /dev/null +++ b/umn/source/virtual_ip_address/disabling_ip_forwarding_on_the_standby_ecs.rst 
@@ -0,0 +1,61 @@ +:original_name: vpc_vip_0007.html + +.. _vpc_vip_0007: + +Disabling IP Forwarding on the Standby ECS +========================================== + +Scenarios +--------- + +If a virtual IP address is used in an active/standby scenario, disable IP forwarding on the standby ECS. + +Linux +----- + +#. Log in to the ECS. + +#. Run the following command to switch to user **root**: + + **su root** + +#. Check whether IP forwarding is enabled: + + **cat /proc/sys/net/ipv4/ip_forward** + + In the command output, **1** indicates it is enabled, and **0** indicates it is disabled. The default value is **0**. + + - If **1** is displayed, go to :ref:`4 `. + - If **0** is displayed, no further action is required. + +#. .. _vpc_vip_0007__en-us_topic_0206027322_li97125518364: + + Use either of the following methods to modify the configuration file: + + - Method 1: Use the vi editor to open the **/etc/sysctl.conf** file, change the value of **net.ipv4.ip_forward** to **0**, and enter **:wq** to save the change and exit. + + - Method 2: Use the **sed** command. An example command is as follows: + + **sed -i '/net.ipv4.ip_forward/s/1/0/g' /etc/sysctl.conf** + +#. Make the modification take effect: + + **sysctl -p /etc/sysctl.conf** + +Windows +------- + +#. Log in to the ECS. + +#. Open **Command Prompt** and run the following command: + + **ipconfig/all** + + In the command output, if the value of **IP Routing Enabled** is **No**, the IP forwarding function is disabled. + +#. Press **Windows** and **R** keys together to open the **Run** box, and enter **regedit** to open the **Registry Editor**. + +#. Set the value of **IPEnableRouter** under **HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters** to **0**. + + - If the value is set to **0**, IP forwarding will be disabled. + - If the value is set to **1**, IP forwarding will be enabled. 
diff --git a/umn/source/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst b/umn/source/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst index d8c4e5a..6b1756c 100644 --- a/umn/source/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst +++ b/umn/source/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst @@ -5,12 +5,21 @@ Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) =========================================================================== +Scenarios +--------- + +If a virtual IP address is used in an HA load balancing cluster, you need to disable source/destination check for ECS NICs. + +Procedure +--------- + #. Log in to the management console. #. Click |image1| in the upper left corner and select the desired region and project. -#. Under **Computing**, click **Elastic Cloud Server**. +#. In the upper left corner of the page, click |image2|. In the service list, choose **Computing** > **Elastic Cloud Server**. #. In the ECS list, click the ECS name. #. On the displayed ECS details page, click the **NICs** tab. #. Click the IP address to view the NIC details. #. Check that **Source/Destination Check** is disabled. .. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001681512581.png diff --git a/umn/source/virtual_ip_address/index.rst b/umn/source/virtual_ip_address/index.rst index fb460b4..92b626f 100644 --- a/umn/source/virtual_ip_address/index.rst +++ b/umn/source/virtual_ip_address/index.rst 
@@ -12,6 +12,7 @@ Virtual IP Address - :ref:`Using a VPN to Access a Virtual IP Address ` - :ref:`Using a Direct Connect Connection to Access the Virtual IP Address ` - :ref:`Using a VPC Peering Connection to Access the Virtual IP Address ` +- :ref:`Disabling IP Forwarding on the Standby ECS ` - :ref:`Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) ` - :ref:`Unbinding a Virtual IP Address from an Instance ` - :ref:`Unbinding a Virtual IP Address from an EIP ` @@ -28,6 +29,7 @@ Virtual IP Address using_a_vpn_to_access_a_virtual_ip_address using_a_direct_connect_connection_to_access_the_virtual_ip_address using_a_vpc_peering_connection_to_access_the_virtual_ip_address + disabling_ip_forwarding_on_the_standby_ecs disabling_source_and_destination_check_ha_load_balancing_cluster_scenario unbinding_a_virtual_ip_address_from_an_instance unbinding_a_virtual_ip_address_from_an_eip diff --git a/umn/source/virtual_ip_address/releasing_a_virtual_ip_address.rst b/umn/source/virtual_ip_address/releasing_a_virtual_ip_address.rst index 3a6b52b..3f65990 100644 --- a/umn/source/virtual_ip_address/releasing_a_virtual_ip_address.rst +++ b/umn/source/virtual_ip_address/releasing_a_virtual_ip_address.rst 
@@ -22,7 +22,9 @@ If you want to release a virtual IP address that is being used by a resource, re +-----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------+ | Prompts | Cause Analysis and Solution | +===================================================================================================================================+=====================================================================================================================================+ - | This operation cannot be performed because the IP address is bound to an instance or an EIP. Unbind the IP address and try again. | This virtual IP address is being by an EIP or an ECS. Unbind the virtual IP address first. | + | This operation cannot be performed because the IP address is bound to an instance or an EIP. Unbind the IP address and try again. | This virtual IP address is being by an EIP or an ECS. | + | | | + | | Unbind the virtual IP address first. | | | | | | - EIP: :ref:`Unbinding a Virtual IP Address from an EIP ` | | | - ECS: :ref:`Unbinding a Virtual IP Address from an Instance ` | @@ -41,6 +43,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. #. Click the name of the subnet that the virtual IP address belongs to. @@ -52,4 +56,4 @@ Procedure #. Confirm the information and click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001553650753.png +.. |image2| image:: /_static/images/en-us_image_0000001675378241.png 
diff --git a/umn/source/virtual_ip_address/unbinding_a_virtual_ip_address_from_an_eip.rst b/umn/source/virtual_ip_address/unbinding_a_virtual_ip_address_from_an_eip.rst index 5478db5..7b0881d 100644 --- a/umn/source/virtual_ip_address/unbinding_a_virtual_ip_address_from_an_eip.rst +++ b/umn/source/virtual_ip_address/unbinding_a_virtual_ip_address_from_an_eip.rst @@ -19,6 +19,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. @@ -38,4 +40,4 @@ Procedure #. Confirm the information and click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001503170970.png +.. |image2| image:: /_static/images/en-us_image_0000001675258381.png diff --git a/umn/source/virtual_ip_address/unbinding_a_virtual_ip_address_from_an_instance.rst b/umn/source/virtual_ip_address/unbinding_a_virtual_ip_address_from_an_instance.rst index dd550d6..44b9790 100644 --- a/umn/source/virtual_ip_address/unbinding_a_virtual_ip_address_from_an_instance.rst +++ b/umn/source/virtual_ip_address/unbinding_a_virtual_ip_address_from_an_instance.rst @@ -19,6 +19,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. @@ -52,4 +54,4 @@ Procedure c. Confirm the information and click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001503170974.png +.. |image2| image:: /_static/images/en-us_image_0000001675618277.png 
diff --git a/umn/source/virtual_ip_address/virtual_ip_address_overview.rst b/umn/source/virtual_ip_address/virtual_ip_address_overview.rst index 79fff81..ea261d6 100644 --- a/umn/source/virtual_ip_address/virtual_ip_address_overview.rst +++ b/umn/source/virtual_ip_address/virtual_ip_address_overview.rst 
@@ -64,27 +64,4 @@ Notes and Constraints --------------------- - Virtual IP addresses are not recommended when multiple NICs in the same subnet are configured on an ECS. It is too easy for there to be route conflicts on the ECS, which would cause communication failure using the virtual IP address. -- IP forwarding must be disabled on the standby ECS. Perform the following operations to confirm whether the IP forwarding is disabled on the standby ECS: - - #. Log in to standby ECS and run the following command to check whether the IP forwarding is enabled: - - cat /proc/sys/net/ipv4/ip_forward - - In the command output, **1** indicates it is enabled, and **0** indicates it is disabled. The default value is **0**. - - - If the command output is **1**, perform :ref:`2 ` and :ref:`3 ` to disable the IP forwarding. - - If the command output is **0**, no further action is required. - - #. .. _vpc_vip_0001__en-us_topic_0206027322_en-us_topic_0095139658_li1473585332417: - - Use the vi editor to open the **/etc/sysctl.conf** file, change the value of **net.ipv4.ip_forward** to **0**, and enter **:wq** to save the change and exit. You can also use the **sed** command to modify the configuration. A command example is as follows: - - sed -i '/net.ipv4.ip_forward/s/1/0/g' /etc/sysctl.conf - - #. .. _vpc_vip_0001__en-us_topic_0206027322_en-us_topic_0095139658_li88984711254: - - Run the following command to make the change take effect: - - sysctl -p /etc/sysctl.conf - -- Each virtual IP address can be bound to only one EIP. +- If a virtual IP address is used in an active/standby scenario, disable IP forwarding on the standby ECS. For details, see :ref:`Disabling IP Forwarding on the Standby ECS `. diff --git a/umn/source/vpc_and_subnet/subnet/creating_a_subnet_for_the_vpc.rst b/umn/source/vpc_and_subnet/subnet/creating_a_subnet_for_the_vpc.rst index bef9943..0f6214d 100644 --- a/umn/source/vpc_and_subnet/subnet/creating_a_subnet_for_the_vpc.rst 
+++ b/umn/source/vpc_and_subnet/subnet/creating_a_subnet_for_the_vpc.rst @@ -21,6 +21,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. 5. Click **Create Subnet**. 
@@ -37,33 +39,37 @@ Procedure .. table:: **Table 1** Parameter descriptions - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +========================+=============================================================================================================================================================================================================================================+=======================+ - | VPC | The VPC for which you want to create a subnet. | ``-`` | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Name | The subnet name. | Subnet | - | | | | - | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. 
| 192.168.0.0/24 | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Gateway | The gateway address of the subnet. | 192.168.0.1 | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | - | | | | - | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. 
If this parameter is left empty, no IP address of the NTP server is added. | | - | | | | - | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | - | | | - Value: subnet-01 | - | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +======================================+=============================================================================================================================================================================================================================================================+=======================+ + | VPC | The VPC for which you want to create a subnet. 
| ``-`` | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Name | The subnet name. | Subnet | + | | | | + | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/Gateway | The gateway address of the subnet. 
| 192.168.0.1 | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/DNS Server Address | By default, two DNS server addresses are configured. You can change them if necessary. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If you do not specify this parameter, no additional NTP server IP addresses will be added. | | + | | | | + | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. 
| - Key: subnet_key1 | + | | | - Value: subnet-01 | + | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Advanced Settings/Description | Supplementary information about the subnet. This parameter is optional. | ``-`` | + | | | | + | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ .. _en-us_topic_0013748726__table42131827173915: @@ -107,4 +113,4 @@ When a subnet is created, there are five reserved IP addresses, which cannot be If you configured the default settings under **Advanced Settings** during subnet creation, the reserved IP addresses may be different from the default ones, but there will still be five of them. The specific addresses depend on your subnet settings. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675254021.png diff --git a/umn/source/vpc_and_subnet/subnet/deleting_a_subnet.rst b/umn/source/vpc_and_subnet/subnet/deleting_a_subnet.rst index 4e7e0c7..56af1cd 100644 --- a/umn/source/vpc_and_subnet/subnet/deleting_a_subnet.rst +++ b/umn/source/vpc_and_subnet/subnet/deleting_a_subnet.rst 
@@ -26,6 +26,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. @@ -41,4 +43,4 @@ Procedure If a VPC cannot be deleted, a message will be displayed on the console. Delete the resources that are in the VPC by referring to :ref:`Why Can't I Delete My VPCs and Subnets? ` .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626574366.png diff --git a/umn/source/vpc_and_subnet/subnet/exporting_subnet_list.rst b/umn/source/vpc_and_subnet/subnet/exporting_subnet_list.rst index 4b99717..edab6d6 100644 --- a/umn/source/vpc_and_subnet/subnet/exporting_subnet_list.rst +++ b/umn/source/vpc_and_subnet/subnet/exporting_subnet_list.rst @@ -19,6 +19,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. @@ -28,5 +30,5 @@ Procedure The system will automatically export information about all subnets under your account in the current region as an Excel file to a local directory. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675613941.png .. |image3| image:: /_static/images/en-us_image_0000001221842468.png diff --git a/umn/source/vpc_and_subnet/subnet/managing_subnet_tags.rst b/umn/source/vpc_and_subnet/subnet/managing_subnet_tags.rst index 519f58f..81a6a3e 100644 --- a/umn/source/vpc_and_subnet/subnet/managing_subnet_tags.rst 
+++ b/umn/source/vpc_and_subnet/subnet/managing_subnet_tags.rst @@ -8,7 +8,9 @@ Managing Subnet Tags Scenarios --------- -A subnet tag identifies a subnet. Tags can be added to subnets to facilitate subnet identification and administration. You can add a tag to a subnet when creating the subnet, or you can add a tag to a created subnet on the subnet details page. A maximum of 20 tags can be added to each subnet. +You can add tags to subnets to help you identify and organize them. + +You can add a tag to a subnet when creating the subnet, or you can add a tag to a created subnet on the subnet details page. A maximum of 20 tags can be added to each subnet. A tag consists of a key and value pair. :ref:`Table 1 ` lists the tag key and value requirements. @@ -49,23 +51,19 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. -#. In the upper right corner of the subnet list, click **Search by Tag**. - -#. Enter the tag key of the subnet to be queried. - - Both the tag key and value must be specified. The system automatically displays the subnets you are looking for if both the tag key and value are matched. - #. Click **+** to add another tag key and value. You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for subnets, the subnets containing all specified tags will be displayed. -#. Click **Search**. +#. In the search box above the subnet list, click the search box. - The system displays the subnets you are looking for based on the entered tag keys and values. + Click the tag key and then the value as required. The system filters resources based on the tag you select. **Add, delete, edit, and view tags on the Tags tab of a subnet.** 
@@ -75,6 +73,8 @@ Procedure #. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. @@ -100,6 +100,6 @@ Procedure Locate the row that contains the tag you want to delete, and click **Delete** in the **Operation** column. In the displayed dialog box, click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675373909.png .. |image3| image:: /_static/images/en-us_image_0141273034.png -.. |image4| image:: /_static/images/en-us_image_0000001500905066.png +.. |image4| image:: /_static/images/en-us_image_0000001626894094.png diff --git a/umn/source/vpc_and_subnet/subnet/modifying_a_subnet.rst b/umn/source/vpc_and_subnet/subnet/modifying_a_subnet.rst index 5b64a38..923f7a4 100644 --- a/umn/source/vpc_and_subnet/subnet/modifying_a_subnet.rst +++ b/umn/source/vpc_and_subnet/subnet/modifying_a_subnet.rst @@ -19,7 +19,9 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. -4. Locate the row that contains the target VPC and click the number in the **Subnets** column. + The **Virtual Private Cloud** page is displayed. + +4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. 
@@ -44,7 +46,7 @@ Procedure +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | | | | | - | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, you do not add an NTP server IP address. | | + | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If you do not specify this parameter, no additional NTP server IP addresses will be added. | | | | | | | | A maximum of four unique NTP server IP addresses can be configured. Multiple IP addresses must be separated by a comma (,). If you add or change the NTP server addresses of a subnet, you need to renew the DHCP lease for or restart all the ECSs in the subnet to make the change take effect immediately. If the NTP server addresses have been cleared out, restarting the ECSs will not help. You must renew the DHCP lease for all ECSs to make the change take effect immediately. 
| | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ @@ -56,5 +58,5 @@ Procedure 7. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626574370.png .. |image3| image:: /_static/images/en-us_image_0000001337710801.png diff --git a/umn/source/vpc_and_subnet/subnet/viewing_and_deleting_resources_in_a_subnet.rst b/umn/source/vpc_and_subnet/subnet/viewing_and_deleting_resources_in_a_subnet.rst index 6aa0cce..059ca5a 100644 --- a/umn/source/vpc_and_subnet/subnet/viewing_and_deleting_resources_in_a_subnet.rst +++ b/umn/source/vpc_and_subnet/subnet/viewing_and_deleting_resources_in_a_subnet.rst @@ -25,6 +25,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. 
@@ -35,8 +37,14 @@ Procedure #. On the **Summary** page, view the resources in the subnet. - a. In the **Resources** area, view the ECSs, BMSs, network interfaces, and load balancers in the subnet. - b. In the **Networking Components** area, view the NAT gateways in the subnet. + a. In the **VPC Resources** area, view the quantities of resources, such as ECSs, BMSs, network interfaces, and load balancers, in the subnet. Click the resource quantity with a hyperlink to view the resources in the subnet. + b. In the **Networking Components** area on the right of the page, view the NAT gateway, route table, and subnet. + + + .. figure:: /_static/images/en-us_image_0000001678437642.png + :alt: **Figure 1** Viewing resources in a subnet + + **Figure 1** Viewing resources in a subnet #. Delete resources from the subnet. @@ -63,7 +71,7 @@ Procedure +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+ | Load balancer | You can directly switch to load balancers from the subnet details page. | | | | - | | a. Click the load balancer quantity in the **Resources** area. | + | | a. Click the load balancer quantity. | | | | | | The load balancer list is displayed. | | | | @@ -81,5 +89,5 @@ Procedure +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+ .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675413829.png .. |image3| image:: /_static/images/en-us_image_0000001461263993.png diff --git a/umn/source/vpc_and_subnet/subnet/viewing_ip_addresses_in_a_subnet.rst b/umn/source/vpc_and_subnet/subnet/viewing_ip_addresses_in_a_subnet.rst index 562b384..2707ded 100644 
--- a/umn/source/vpc_and_subnet/subnet/viewing_ip_addresses_in_a_subnet.rst +++ b/umn/source/vpc_and_subnet/subnet/viewing_ip_addresses_in_a_subnet.rst @@ -31,6 +31,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **Subnets**. The **Subnets** page is displayed. @@ -50,4 +52,4 @@ Follow-up Operations If you want to view and delete the resources in a subnet, refer to :ref:`Why Can't I Delete My VPCs and Subnets? ` .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675254017.png diff --git a/umn/source/vpc_and_subnet/vpc/creating_a_vpc.rst b/umn/source/vpc_and_subnet/vpc/creating_a_vpc.rst index e013768..fe8e312 100644 --- a/umn/source/vpc_and_subnet/vpc/creating_a_vpc.rst +++ b/umn/source/vpc_and_subnet/vpc/creating_a_vpc.rst @@ -21,6 +21,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. Click **Create VPC**. #. On the **Create VPC** page, set parameters as prompted. 
@@ -29,91 +31,89 @@ Procedure .. table:: **Table 1** VPC parameter descriptions - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Category | Parameter | Description | Example Value | - +=====================================+========================+=========================================================================================================================================================================================================================================================================================================+=====================+ - | Basic Information | Region | Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you. | eu-de | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | Name | The VPC name. | VPC-001 | - | | | | | - | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). | 192.168.0.0/16 | - | | | | | - | | | The following CIDR blocks are supported: | | - | | | | | - | | | 10.0.0.0/8-24 | | - | | | | | - | | | 172.16.0.0/12-24 | | - | | | | | - | | | 192.168.0.0/16-24 | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information | Enterprise Project | The enterprise project to which the VPC belongs. | default | - | | | | | - | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | - | | | | | - | | | For details about creating and managing enterprise projects, see the *Enterprise Management User Guide*. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information/Advanced Settings | Tag | The VPC tag, which consists of a key and value pair. You can add a maximum of 20 tags to each VPC. | - Key: vpc_key1 | - | | | | - Value: vpc-01 | - | | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Basic Information/Advanced Settings | Description | Supplementary information about the VPC. This parameter is optional. | N/A | - | | | | | - | | | The VPC description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | Name | The subnet name. | Subnet | - | | | | | - | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. | 192.168.0.0/24 | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. 
| 192.168.0.1 | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). | 100.125.x.x | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | - | | | | | - | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If this parameter is left empty, no IP address of the NTP server is added. | | - | | | | | - | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | - | | | | - Value: subnet-01 | - | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ - | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. This parameter is optional. | N/A | - | | | | | - | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +-------------------------------------+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Category | Parameter | Description | Example Value | + +=====================================+========================+=============================================================================================================================================================================================================================================================+=====================+ + | Basic Information | Region | Select the region nearest to you to ensure the lowest latency possible. | eu-de | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Name | The VPC name. | VPC-001 | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. 
| | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | IPv4 CIDR Block | The CIDR block of the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset of the CIDR block for the VPC (for multiple subnets in the VPC). | 192.168.0.0/16 | + | | | | | + | | | The following CIDR blocks are supported: | | + | | | | | + | | | 10.0.0.0/8-24 | | + | | | | | + | | | 172.16.0.0/12-24 | | + | | | | | + | | | 192.168.0.0/16-24 | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information | Enterprise Project | The enterprise project to which the VPC belongs. | default | + | | | | | + | | | An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is **default**. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information/Advanced Settings | Tag | The VPC tag, which consists of a key and value pair. You can add a maximum of 20 tags to each VPC. 
| - Key: vpc_key1 | + | | | | - Value: vpc-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 2 `. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Basic Information/Advanced Settings | Description | Supplementary information about the VPC. This parameter is optional. | N/A | + | | | | | + | | | The VPC description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Name | The subnet name. | Subnet | + | | | | | + | | | The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | CIDR Block | The CIDR block for the subnet. This value must be within the VPC CIDR block. 
| 192.168.0.0/24 | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet | Associated Route Table | The default route table to which the subnet will be associated. You can change the route table to a custom route table on the **Subnets** page. | Default | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Gateway | The gateway address of the subnet. | 192.168.0.1 | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | DNS Server Address | By default, two DNS server addresses are configured. You can change them as required. A maximum of five DNS server addresses can be configured. Multiple IP addresses must be separated using commas (,). 
| 100.125.x.x | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | NTP Server Address | The IP address of the NTP server. This parameter is optional. | 192.168.2.1 | + | | | | | + | | | You can configure the NTP server IP addresses to be added to the subnet as required. The IP addresses are added in addition to the default NTP server addresses. If you do not specify this parameter, no additional NTP server IP addresses will be added. | | + | | | | | + | | | A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Tag | The subnet tag, which consists of a key and value pair. You can add a maximum of 20 tags to each subnet. | - Key: subnet_key1 | + | | | | - Value: subnet-01 | + | | | The tag key and value must meet the requirements listed in :ref:`Table 3 `. | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ + | Default Subnet/Advanced Settings | Description | Supplementary information about the subnet. 
This parameter is optional. | N/A | + | | | | | + | | | The subnet description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-------------------------------------+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+ .. _en-us_topic_0013935842__table248245914136: .. table:: **Table 2** VPC tag key and value requirements - +-----------------------+----------------------------------------------------------------------------+-----------------------+ - | Parameter | Requirements | Example Value | - +=======================+============================================================================+=======================+ - | Key | - Cannot be left blank. | vpc_key1 | - | | - Must be unique for the same VPC and can be the same for different VPCs. | | - | | - Can contain a maximum of 36 characters. | | - | | - Can contain only the following character types: | | - | | | | - | | - Uppercase letters | | - | | - Lowercase letters | | - | | - Digits | | - | | - Special characters, including hyphens (-) and underscores (_) | | - +-----------------------+----------------------------------------------------------------------------+-----------------------+ - | Value | - Can contain a maximum of 43 characters. 
| vpc-01 | - | | - Can contain only the following character types: | | - | | | | - | | - Uppercase letters | | - | | - Lowercase letters | | - | | - Digits | | - | | - Special characters, including hyphens (-) and underscores (_) | | - +-----------------------+----------------------------------------------------------------------------+-----------------------+ + +-----------------------+------------------------------------------------------------------------+-----------------------+ + | Parameter | Requirements | Example Value | + +=======================+========================================================================+=======================+ + | Key | - Cannot be left blank. | vpc_key1 | + | | - Must be unique for each VPC and can be the same for different VPCs. | | + | | - Can contain a maximum of 36 characters. | | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+------------------------------------------------------------------------+-----------------------+ + | Value | - Can contain a maximum of 43 characters. | vpc-01 | + | | - Can contain only the following character types: | | + | | | | + | | - Uppercase letters | | + | | - Lowercase letters | | + | | - Digits | | + | | - Special characters, including hyphens (-) and underscores (_) | | + +-----------------------+------------------------------------------------------------------------+-----------------------+ .. _en-us_topic_0013935842__table6536185812515: diff --git a/umn/source/vpc_and_subnet/vpc/deleting_a_vpc.rst b/umn/source/vpc_and_subnet/vpc/deleting_a_vpc.rst index bdc315a..821ac76 100644 --- a/umn/source/vpc_and_subnet/vpc/deleting_a_vpc.rst +++ b/umn/source/vpc_and_subnet/vpc/deleting_a_vpc.rst 
@@ -26,6 +26,8 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. On the **Virtual Private Cloud** page, locate the row that contains the VPC to be deleted and click **Delete** in the **Operation** column. A confirmation dialog box is displayed. @@ -37,4 +39,4 @@ Procedure If a VPC cannot be deleted, a message will be displayed on the console. Delete the resources that are in the VPC by referring to :ref:`Why Can't I Delete My VPCs and Subnets? ` .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626734174.png diff --git a/umn/source/vpc_and_subnet/vpc/exporting_vpc_list.rst b/umn/source/vpc_and_subnet/vpc/exporting_vpc_list.rst index 350fa18..5371b5a 100644 --- a/umn/source/vpc_and_subnet/vpc/exporting_vpc_list.rst +++ b/umn/source/vpc_and_subnet/vpc/exporting_vpc_list.rst @@ -8,7 +8,9 @@ Exporting VPC List Scenarios --------- -Information about all VPCs under your account can be exported as an Excel file to a local directory. This file records the names, ID, status, IP address ranges of VPCs, and the number of subnets. +Information about all VPCs under your account can be exported as an Excel file to a local directory. + +This file records the names, ID, status, CIDR blocks, and the number of subnets of your VPCs. Procedure --------- 
@@ -19,10 +21,12 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the upper right corner of the VPC list, click |image3|. - The system will automatically export information about all VPCs under your account in the current region. They will be exported in Excel format. + The system will automatically export information about all VPCs under your account in the current region as an Excel file to a local directory. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001626894098.png .. |image3| image:: /_static/images/en-us_image_0233469654.png diff --git a/umn/source/vpc_and_subnet/vpc/managing_vpc_tags.rst b/umn/source/vpc_and_subnet/vpc/managing_vpc_tags.rst index 26ca67e..de98619 100644 --- a/umn/source/vpc_and_subnet/vpc/managing_vpc_tags.rst +++ b/umn/source/vpc_and_subnet/vpc/managing_vpc_tags.rst @@ -8,7 +8,9 @@ Managing VPC Tags Scenarios --------- -A VPC tag identifies a VPC. Tags can be added to VPCs to facilitate VPC identification and management. You can add a tag to a VPC when creating the VPC, or you can add a tag to a created VPC on the VPC details page. A maximum of 20 tags can be added to each VPC. +You can add tags to VPCs to help you identify and organize them. + +You can add a tag to a VPC when creating the VPC, or you can add a tag to a created VPC on the VPC details page. A maximum of 20 tags can be added to each VPC. A tag consists of a key and value pair. :ref:`Table 1 ` lists the tag key and value requirements. 
@@ -16,27 +18,27 @@ A tag consists of a key and value pair. :ref:`Table 1 **Virtual Private Cloud**. -#. In the upper right corner of the VPC list, click **Search by Tag**. + The **Virtual Private Cloud** page is displayed. -#. In the displayed area, enter the tag key and value of the VPC you are looking for. +#. In the search box above the subnet list, click the search box. - Both the tag key and value must be specified. The system automatically displays the VPCs you are looking for if both the tag key and value are matched. + Click the tag key and then the value as required. The system filters resources based on the tag you select. -#. Click + to add more tag keys and values. + Click anywhere in the search box to add the next tag key and value. You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for VPCs, the VPCs containing all specified tags will be displayed. -#. Click **Search**. - - The system displays the VPCs you are looking for based on the entered tag keys and values. - **Add, delete, edit, and view tags on the Tags tab of a VPC.** #. Log in to the management console. @@ -71,6 +69,8 @@ Procedure #. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. On the **Virtual Private Cloud** page, locate the VPC whose tags are to be managed and click the VPC name. The page showing details about the particular VPC is displayed. 
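Review bot: the new tag-search step in the @@ -16,27 +18,27 @@ hunk says "In the search box above the subnet list, click the search box", but this procedure runs on the Virtual Private Cloud page and filters VPCs, so it should read "In the search box above the VPC list"; the sentence also repeats "search box" and can be shortened to "Click the search box above the VPC list." The replaced text stated explicitly that both the tag key and value must be specified; if that requirement still holds, the new wording ("Click the tag key and then the value as required") should keep that sentence rather than leave it implied.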
@@ -94,6 +94,6 @@ Procedure Locate the row that contains the tag you want to delete, and click **Delete** in the **Operation** column. In the displayed dialog box, click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001627052380.png .. |image3| image:: /_static/images/en-us_image_0141273034.png -.. |image4| image:: /_static/images/en-us_image_0000001500905066.png +.. |image4| image:: /_static/images/en-us_image_0000001675373913.png diff --git a/umn/source/vpc_and_subnet/vpc/modifying_a_vpc.rst b/umn/source/vpc_and_subnet/vpc/modifying_a_vpc.rst index ac5b612..21a58f3 100644 --- a/umn/source/vpc_and_subnet/vpc/modifying_a_vpc.rst +++ b/umn/source/vpc_and_subnet/vpc/modifying_a_vpc.rst 
@@ -8,27 +8,15 @@ Modifying a VPC Scenarios --------- -Change the VPC name and CIDR block. +You can modify the following information about a VPC: -If the VPC CIDR block conflicts with the CIDR block of a VPN created in the VPC, you can modify its CIDR block. +- :ref:`Modifying the Name and Description of a VPC ` +- :ref:`Modifying the CIDR Block of a VPC ` -Notes and Constraints ---------------------- +.. _en-us_topic_0030969462__section495418425354: -- When modifying the VPC CIDR block: - - - The VPC CIDR block to be modified must be in the supported CIDR blocks: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255 - - If the VPC has subnets, the VPC CIDR block to be modified must contain all subnet CIDR blocks. - -When modifying the VPC CIDR block: - -- The VPC CIDR block to be modified must be in the supported CIDR blocks: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255 -- If the VPC has subnets, the VPC CIDR block to be modified must contain all subnet CIDR blocks. - -Procedure ---------- - -**Modifying the VPC CIDR Block** +Modifying the Name and Description of a VPC +------------------------------------------- #. Log in to the management console. 
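Review bot: the constraint "If the VPC has subnets, the VPC CIDR block to be modified must contain all subnet CIDR blocks" is lost in the @@ -8,27 +8,15 @@ hunk, which deletes the whole Notes and Constraints section without restating it in the new Scenarios text. Removing the duplicated copy of the constraints was right, but the constraint itself should survive somewhere in this file, since it is the one a reader is most likely to hit when the VPC already has subnets.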
@@ -36,34 +24,68 @@ Procedure #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. -#. On the **Virtual Private Cloud** page, locate the row that contains the VPC to be modified and click **Edit CIDR Block** in the **Operation** column. + The **Virtual Private Cloud** page is displayed. -#. Set a new CIDR block. +#. Modify the name and description of a VPC using either of the following methods: + - Method 1: - .. figure:: /_static/images/en-us_image_0000001151300782.png - :alt: **Figure 1** Modify CIDR Block + a. In the VPC list, click |image3| on the right of the VPC name. + b. Enter the VPC name and click **OK**. - **Figure 1** Modify CIDR Block + - Method 2: -#. Click **OK**. + a. In the VPC list, click the VPC name with a hyperlink. -**Modifying a VPC** + The **Summary** page is displayed. + + b. Click |image4| on the right of the VPC name or description, enter the information, and click |image5|. + +.. _en-us_topic_0030969462__section696206193617: + +Modifying the CIDR Block of a VPC +--------------------------------- #. Log in to the management console. -#. Click |image3| in the upper left corner and select the desired region and project. -#. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. -#. Modify the basic information about a VPC using either of the following methods: - - In the VPC list, click |image5| on the right of the VPC name to change the VPC name. +#. Click |image6| in the upper left corner and select the desired region and project. - - In the VPC list, click the VPC name. +#. Click |image7| in the upper left corner and choose **Network** > **Virtual Private Cloud**. - On the VPC details page, click |image6| next to the VPC name or description to change the VPC name or description. + The **Virtual Private Cloud** page is displayed. + +4. In the VPC list, locate the row that contains the VPC and click **Edit CIDR Block** in the **Operation** column. 
+ + The **Edit CIDR Block** dialog box is displayed. + +5. Modify the VPC CIDR block as prompted. + + .. important:: + + A VPC CIDR block must be from 10.0.0.0/8-24, 172.16.0.0/12-24, or 192.168.0.0/16-24. + + - If a VPC has no subnets, you can change both its network address and subnet mask. + + + .. figure:: /_static/images/en-us_image_0000001627653972.png + :alt: **Figure 1** Modifying network address and subnet mask + + **Figure 1** Modifying network address and subnet mask + + - If a VPC has subnets, you only can change its subnet mask. + + + .. figure:: /_static/images/en-us_image_0000001627493158.png + :alt: **Figure 2** Modifying subnet mask + + **Figure 2** Modifying subnet mask + +6. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001520717193.png -.. |image3| image:: /_static/images/en-us_image_0141273034.png -.. |image4| image:: /_static/images/en-us_image_0000001520717193.png -.. |image5| image:: /_static/images/en-us_image_0000001267230305.png -.. |image6| image:: /_static/images/en-us_image_0000001267350317.png +.. |image2| image:: /_static/images/en-us_image_0000001676063997.png +.. |image3| image:: /_static/images/en-us_image_0000001627174280.png +.. |image4| image:: /_static/images/en-us_image_0000001675813933.png +.. |image5| image:: /_static/images/en-us_image_0000001627334080.png +.. |image6| image:: /_static/images/en-us_image_0141273034.png +.. |image7| image:: /_static/images/en-us_image_0000001627744152.png diff --git a/umn/source/vpc_and_subnet/vpc/obtaining_a_vpc_id.rst b/umn/source/vpc_and_subnet/vpc/obtaining_a_vpc_id.rst index c2f22e1..7e22276 100644 --- a/umn/source/vpc_and_subnet/vpc/obtaining_a_vpc_id.rst +++ b/umn/source/vpc_and_subnet/vpc/obtaining_a_vpc_id.rst 
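Review bot: in the @@ -36,34 +24,68 @@ hunk the new .. important:: block only lists the permitted ranges ("A VPC CIDR block must be from 10.0.0.0/8-24, 172.16.0.0/12-24, or 192.168.0.0/16-24"), and the bullet "If a VPC has subnets, you only can change its subnet mask" does not say that the new mask must still cover every existing subnet; add that sentence (the pre-change text had "must contain all subnet CIDR blocks"). The "/8-24" shorthand is also not defined anywhere; if it means a prefix length between /8 and /24, say so, or keep the explicit address ranges the old Notes and Constraints used. Two smaller points: "you only can change" should be "you can only change", and the procedure switches from #. auto-enumerators in steps 1-3 to explicit "4.", "5.", "6.", which should use one enumerator style consistently (the same list also has a doubled blank line before each .. figure:: directive).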
@@ -10,7 +10,7 @@ Scenarios This section describes how to view and obtain a VPC ID. -If you want to obtain the ID of the peer VPC when you create a VPC peering connection between two VPCs from different accounts, you can share this section with the owner of the peer account to obtain the VPC ID. +If you create a VPC peering connection between two VPCs in different accounts, you need to obtain the project ID of the region that the peer VPC resides. You can recommend this section to the user of the peer VPC to obtain the project ID. Procedure --------- @@ -21,14 +21,16 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. On the **Virtual Private Cloud** page, locate the VPC and click its name. The VPC details page is displayed. -5. In the **VPC Information area**, view the VPC ID. +5. In the **VPC Information** area, view the VPC ID. Click |image3| next to ID to copy the VPC ID. .. |image1| image:: /_static/images/en-us_image_0000001515644737.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675613945.png .. |image3| image:: /_static/images/en-us_image_0000001465124712.png diff --git a/umn/source/vpc_and_subnet/vpc/viewing_a_vpc_topology.rst b/umn/source/vpc_and_subnet/vpc/viewing_a_vpc_topology.rst index 5ab4043..71c6ee9 100644 --- a/umn/source/vpc_and_subnet/vpc/viewing_a_vpc_topology.rst +++ b/umn/source/vpc_and_subnet/vpc/viewing_a_vpc_topology.rst @@ -19,6 +19,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the VPC list, click the name of the VPC for which the topology is to be viewed. The VPC details page is displayed. 
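Review bot: the rewritten Scenarios sentence in the @@ -10,7 +10,7 @@ hunk of obtaining_a_vpc_id.rst now talks about obtaining the project ID ("you need to obtain the project ID of the region that the peer VPC resides. You can recommend this section to the user of the peer VPC to obtain the project ID"), but the procedure below it yields the VPC ID, and the peering-connection table elsewhere in this diff already points to a separate section for the peer project ID. Keep this sentence about the VPC ID, since the peer VPC ID is what this section helps the other account's user provide, and fix "the region that the peer VPC resides" to "the region that the peer VPC resides in".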
@@ -33,4 +35,4 @@ Procedure - Add an ECS to a subnet, bind an EIP to the ECS, and change the security group of the ECS. .. |image1| image:: /_static/images/en-us_image_0000001221790501.png -.. |image2| image:: /_static/images/en-us_image_0000001500905066.png +.. |image2| image:: /_static/images/en-us_image_0000001675413833.png diff --git a/umn/source/vpc_flow_log/creating_a_vpc_flow_log.rst b/umn/source/vpc_flow_log/creating_a_vpc_flow_log.rst index 710dcbf..67a95c7 100644 --- a/umn/source/vpc_flow_log/creating_a_vpc_flow_log.rst +++ b/umn/source/vpc_flow_log/creating_a_vpc_flow_log.rst @@ -29,6 +29,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **VPC Flow Logs**. 5. In the upper right corner, click **Create VPC Flow Log**. On the displayed page, configure parameters as prompted. @@ -76,4 +78,4 @@ Procedure 6. Click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001553770733.png +.. |image2| image:: /_static/images/en-us_image_0000001675616561.png diff --git a/umn/source/vpc_flow_log/deleting_a_vpc_flow_log.rst b/umn/source/vpc_flow_log/deleting_a_vpc_flow_log.rst index 9742c64..bff6fff 100644 --- a/umn/source/vpc_flow_log/deleting_a_vpc_flow_log.rst +++ b/umn/source/vpc_flow_log/deleting_a_vpc_flow_log.rst @@ -23,6 +23,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **VPC Flow Logs**. 5. Locate the row that contains the VPC flow log to be deleted and click **Delete** in the **Operation** column. 
@@ -36,4 +38,4 @@ Procedure 6. Click **Yes** in the displayed dialog box. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001503330854.png +.. |image2| image:: /_static/images/en-us_image_0000001626736794.png diff --git a/umn/source/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst b/umn/source/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst index 112d518..ba414d1 100644 --- a/umn/source/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst +++ b/umn/source/vpc_flow_log/enabling_or_disabling_vpc_flow_log.rst @@ -19,9 +19,11 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **VPC Flow Logs**. 5. Locate the VPC flow log to be enabled or disabled, and choose **More** > **Enable** or **More** > **Disable** in the **Operation** column. 6. Click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001503011070.png +.. |image2| image:: /_static/images/en-us_image_0000001627056686.png diff --git a/umn/source/vpc_flow_log/viewing_a_vpc_flow_log.rst b/umn/source/vpc_flow_log/viewing_a_vpc_flow_log.rst index e677c2d..067e28c 100644 --- a/umn/source/vpc_flow_log/viewing_a_vpc_flow_log.rst +++ b/umn/source/vpc_flow_log/viewing_a_vpc_flow_log.rst @@ -25,6 +25,8 @@ Procedure 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **VPC Flow Logs**. 5. Locate the target VPC flow log and click **View Log Record** in the **Operation** column to view information about the flow log record in LTS. 
@@ -119,4 +121,4 @@ Procedure You can enter a keyword on the log topic details page on the LTS console to search for flow log records. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001503490746.png +.. |image2| image:: /_static/images/en-us_image_0000001675256657.png diff --git a/umn/source/vpc_flow_log/vpc_flow_log_overview.rst b/umn/source/vpc_flow_log/vpc_flow_log_overview.rst index 98dd76b..2a58ce2 100644 --- a/umn/source/vpc_flow_log/vpc_flow_log_overview.rst +++ b/umn/source/vpc_flow_log/vpc_flow_log_overview.rst @@ -19,6 +19,6 @@ VPC flow logs must be used together with the Log Tank Service (LTS). Before you Notes and Constraints --------------------- -- Currently, only C3, M3, and S2 ECSs support VPC flow logs. -- By default, you can create a maximum of 10 VPC flow logs. +- Currently, C3, M3, and S2 ECSs support VPC flow logs. +- Each account can have up to 10 VPC flow logs in a region. - By default, a maximum of 400,000 flow log records are supported. diff --git a/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst b/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst index f01e01d..4e3428b 100644 --- a/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst +++ b/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst 
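Review bot: dropping "only" from "- Currently, only C3, M3, and S2 ECSs support VPC flow logs." in the vpc_flow_log_overview.rst hunk turns a constraint into a plain statement that no longer says other ECS types are unsupported; in a Notes and Constraints list the restrictive wording should stay (or become "VPC flow logs are supported only for C3, M3, and S2 ECSs"). The second change, "Each account can have up to 10 VPC flow logs in a region", is clearer than the old "By default" wording; if the quota can still be raised, say so, because the new sentence reads as a hard ceiling.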
@@ -35,13 +35,13 @@ Notes and Constraints - For a VPC peering connection between VPCs in different accounts: - - If account A initiates a request to create a VPC peering connection with a VPC in another B, the VPC peering connection takes effect only after account B accepts the request. + - If account A initiates a request to create a VPC peering connection with a VPC in account B, the VPC peering connection takes effect only after account B accepts the request. - To ensure network security, do not accept VPC peering connections from unknown accounts. Prerequisites ------------- -You have two VPCs in the same region. If you want to create one, see :ref:`Creating a VPC `. +You have two VPCs in the same region, but they are from different accounts. If you want to create one, see :ref:`Creating a VPC `. .. _en-us_topic_0046655038__section14616192294815: @@ -54,6 +54,8 @@ Step 1: Create a VPC Peering Connection 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **VPC Peering Connections**. The VPC peering connection list is displayed. 
@@ -76,34 +78,38 @@ Step 1: Create a VPC Peering Connection .. table:: **Table 1** Parameters for creating a VPC peering connection - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Parameter | Description | Example Value | - +=======================+==================================================================================================================================================================================================+==================================+ - | Name | Mandatory | peering-AB | - | | | | - | | Enter a name for the VPC peering connection. | | - | | | | - | | The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_). | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Local VPC | Mandatory | VPC-A | - | | | | - | | VPC at one end of the VPC peering connection. You can select one from the drop-down list. 
| | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Local VPC CIDR Block | CIDR block of the selected local VPC | 172.16.0.0/16 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Account | Mandatory | Another account | - | | | | - | | - Options: **My account** and **Another account** | | - | | - Select **Another account**. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Peer Project ID | This parameter is mandatory because **Account** is set to **Another account**. | Project ID of VPC-B in region A: | - | | | | - | | The project ID of the region that the peer VPC resides. For details about how to obtain the project ID, see :ref:`Obtaining the Peer Project ID of a VPC Peering Connection `. | 067cf8aecf3XXX08322f13b | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Peer VPC ID | This parameter is mandatory because **Account** is set to **Another account**. | VPC-B ID: | - | | | | - | | ID of the VPC at the other end of the VPC peering connection. For details about how to obtain the ID, see :ref:`Obtaining a VPC ID `. 
| 17cd7278-XXX-530c952dcf35 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Parameter | Description | Example Value | + +=============================+==================================================================================================================================================================================================+======================================+ + | VPC Peering Connection Name | Mandatory | peering-AB | + | | | | + | | Enter a name for the VPC peering connection. | | + | | | | + | | The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_). | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC | Mandatory | VPC-A | + | | | | + | | VPC at one end of the VPC peering connection. You can select one from the drop-down list. 
| | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC CIDR Block | CIDR block of the selected local VPC | 172.16.0.0/16 | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Account | Mandatory | Another account | + | | | | + | | - Options: **My account** and **Another account** | | + | | - Select **Another account**. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer Project ID | This parameter is mandatory because **Account** is set to **Another account**. | Project ID of VPC-B in region A: | + | | | | + | | The project ID of the region that the peer VPC resides. For details about how to obtain the project ID, see :ref:`Obtaining the Peer Project ID of a VPC Peering Connection `. | 067cf8aecf3XXX08322f13b | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer VPC ID | This parameter is mandatory because **Account** is set to **Another account**. | VPC-B ID: | + | | | | + | | ID of the VPC at the other end of the VPC peering connection. For details about how to obtain the ID, see :ref:`Obtaining a VPC ID `. 
| 17cd7278-XXX-530c952dcf35 | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Description | Optional | peering-AB connects VPC-A and VPC-B. | + | | | | + | | Enter the description of the VPC peering connection in the text box as required. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ 7. Click **OK**. @@ -125,6 +131,8 @@ After you create a VPC peering connection with a VPC in another account, you nee #. Click |image3| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **VPC Peering Connections**. The VPC peering connection list is displayed. 
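Review bot: the Peer Project ID row in the rebuilt Table 1 (@@ -76,34 +78,38 @@) still reads "The project ID of the region that the peer VPC resides", which needs "in" at the end; since the whole table is rewritten here, this is the place to fix it. In the new Description row, "cannot contain angle brackets (< or >)" is the only character restriction given, whereas the Name row lists an allow-list of letters, digits, hyphens and underscores; if Description is otherwise free text, say so explicitly so readers know the two fields are validated differently.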
@@ -143,15 +151,13 @@ After you create a VPC peering connection with a VPC in another account, you nee #. Go to :ref:`Step 3: Add Routes for the VPC Peering Connection `. - .. important:: - - After a VPC peering connection is created, you must add routes to the route tables of the local and peer VPCs. Otherwise, the VPC peering connection does not take effect. - .. _en-us_topic_0046655038__section519111175712: Step 3: Add Routes for the VPC Peering Connection ------------------------------------------------- +To enable communications between VPCs connected by a VPC peering connection, you need to add forward and return routes to the route tables of the VPCs. For details, see :ref:`VPC Peering Connection Usage Examples `. + Both accounts need to add a route to the route table of their VPC. In this example, account A adds a route to the route table of VPC-A, and account B adds a route to the route table of VPC-B. #. Add routes to the route table of the local VPC: 
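Review bot: the @@ -143,15 +151,13 @@ hunk removes the .. important:: note ("After a VPC peering connection is created, you must add routes to the route tables of the local and peer VPCs. Otherwise, the VPC peering connection does not take effect.") from Step 2, and the new sentence at the top of Step 3 only says routes are needed "to enable communications", which is weaker than "does not take effect". The sibling file creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst adds this as a Notes and Constraints bullet in the same commit, while the Notes and Constraints hunk of this file (@@ -35,13 +35,13 @@) does not; add the same bullet here unless it already exists in an unchanged part of that section.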
@@ -258,9 +264,9 @@ After you add routes for the VPC peering connection, verify the communication be .. important:: - - In this example, ECS-A01 and RDS-B01 are in the same security group. If the instances in different security groups, you need to add inbound rules to allow access from the peer security group. For details, see :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network `. + - In this example, ECS-A01 and RDS-B01 are in the same security group. If the instances in different security groups, you need to add inbound rules to allow access from the peer security group. For details, see :ref:`Enabling ECSs In Different Security Groups to Communicate Through an Internal Network `. - If VPCs connected by a VPC peering connection cannot communicate with each other, refer to :ref:`Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? `. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001503159042.png -.. |image3| image:: /_static/images/en-us_image_0000001503478818.png +.. |image2| image:: /_static/images/en-us_image_0000001675415841.png +.. |image3| image:: /_static/images/en-us_image_0000001626736198.png diff --git a/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst b/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst index c484625..ce77edf 100644 --- a/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst +++ b/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst 
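Review bot: the touched line in the @@ -258,9 +264,9 @@ hunk keeps the pre-existing grammar error "If the instances in different security groups" (missing "are"); since the line is already being changed, make it "If the instances are in different security groups". The updated reference title also capitalizes "In" ("Enabling ECSs In Different Security Groups ..."), which is inconsistent with the lowercase prepositions in the other titles in this diff; the :ref: display text is free-form, so it can be corrected without touching the target label.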
@@ -30,11 +30,12 @@ Notes and Constraints - Only one VPC peering connection can be created between two VPCs at the same time. - A VPC peering connection can only connect VPCs in the same region. - If the local and peer VPCs have overlapping CIDR blocks, the VPC peering connection may not take effect. +- After a VPC peering connection is created, you must add routes to the route tables of the local and peer VPCs. Otherwise, the VPC peering connection does not take effect. Prerequisites ------------- -You have two VPCs in the same region. If you want to create one, see :ref:`Creating a VPC `. +You have two VPCs from the same account in the same region. If you want to create one, see :ref:`Creating a VPC `. .. _en-us_topic_0046655037__section143383585438: @@ -47,6 +48,8 @@ Step 1: Create a VPC Peering Connection 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **VPC Peering Connections**. The VPC peering connection list is displayed. 
@@ -69,38 +72,42 @@ Step 1: Create a VPC Peering Connection .. table:: **Table 1** Parameters for creating a VPC peering connection - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+==================================================================================================================================================================================================+=======================+ - | Name | Mandatory | peering-AB | - | | | | - | | Enter a name for the VPC peering connection. | | - | | | | - | | The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_). | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Local VPC | Mandatory | VPC-A | - | | | | - | | VPC at one end of the VPC peering connection. You can select one from the drop-down list. 
| | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Local VPC CIDR Block | CIDR block of the selected local VPC | 172.16.0.0/16 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Account | Mandatory | My account | - | | | | - | | - Options: **My account** and **Another account** | | - | | - Select **My account**. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Peer Project | The system fills in the corresponding project by default because **My account** is set to **Account**. | ab-cdef-1 | - | | | | - | | For example, if VPC-A and VPC-B are in account A and region A, the system fills in the correspond project of account A in region A by default. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Peer VPC | This parameter is mandatory if **Account** is set to **My account**. | VPC-B | - | | | | - | | VPC at the other end of the VPC peering connection. You can select one from the drop-down list. 
| | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Peer VPC CIDR Block | CIDR block of the selected peer VPC | 172.17.0.0/16 | - | | | | - | | If the local and peer VPCs have overlapping CIDR blocks, the VPC peering connection may not take effect. For details, see :ref:`VPC Peering Connection Usage Examples `. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Parameter | Description | Example Value | + +=============================+==================================================================================================================================================================================================+======================================+ + | VPC Peering Connection Name | Mandatory | peering-AB | + | | | | + | | Enter a name for the VPC peering connection. | | + | | | | + | | The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_). | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC | Mandatory | VPC-A | + | | | | + | | VPC at one end of the VPC peering connection. 
You can select one from the drop-down list. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC CIDR Block | CIDR block of the selected local VPC | 172.16.0.0/16 | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Account | Mandatory | My account | + | | | | + | | - Options: **My account** and **Another account** | | + | | - Select **My account**. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer Project | The system fills in the corresponding project by default because **My account** is set to **Account**. | ab-cdef-1 | + | | | | + | | For example, if VPC-A and VPC-B are in account A and region A, the system fills in the correspond project of account A in region A by default. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer VPC | This parameter is mandatory if **Account** is set to **My account**. | VPC-B | + | | | | + | | VPC at the other end of the VPC peering connection. You can select one from the drop-down list. 
| | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer VPC CIDR Block | CIDR block of the selected peer VPC | 172.17.0.0/16 | + | | | | + | | If the local and peer VPCs have overlapping CIDR blocks, the VPC peering connection may not take effect. For details, see :ref:`VPC Peering Connection Usage Examples `. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Description | Optional | peering-AB connects VPC-A and VPC-B. | + | | | | + | | Enter the description of the VPC peering connection in the text box as required. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ 7. Click **OK**. 
@@ -111,15 +118,13 @@ Step 1: Create a VPC Peering Connection a. If you click **Add Route**, the **Local Routes** page is displayed. Then, go to :ref:`Step 2: Add Routes for the VPC Peering Connection `. b. If you click **Add Later**, the VPC peering connection list is displayed. - .. important:: - - After a VPC peering connection is created, you must add routes to the route tables of the local and peer VPCs. Otherwise, the VPC peering connection does not take effect. - .. _en-us_topic_0046655037__section19655123018712: Step 2: Add Routes for the VPC Peering Connection ------------------------------------------------- +To enable communications between VPCs connected by a VPC peering connection, you need to add forward and return routes to the route tables of the VPCs. For details, see :ref:`VPC Peering Connection Usage Examples `. + #. Add routes to the route table of the local VPC: a. On the **Local Routes** tab of the VPC peering connection, click the **Route Tables** hyperlink. 
@@ -216,8 +221,8 @@ After you add routes for the VPC peering connection, verify the communication be .. important:: - - In this example, ECS-A01 and RDS-B01 are in the same security group. If the instances in different security groups, you need to add inbound rules to allow access from the peer security group. For details, see :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network `. + - In this example, ECS-A01 and RDS-B01 are in the same security group. If the instances in different security groups, you need to add inbound rules to allow access from the peer security group. For details, see :ref:`Enabling ECSs In Different Security Groups to Communicate Through an Internal Network `. - If VPCs connected by a VPC peering connection cannot communicate with each other, refer to :ref:`Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? `. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001503318922.png +.. |image2| image:: /_static/images/en-us_image_0000001627056086.png diff --git a/umn/source/vpc_peering_connection/deleting_a_vpc_peering_connection.rst b/umn/source/vpc_peering_connection/deleting_a_vpc_peering_connection.rst index c56f0d9..325e8ac 100644 --- a/umn/source/vpc_peering_connection/deleting_a_vpc_peering_connection.rst +++ b/umn/source/vpc_peering_connection/deleting_a_vpc_peering_connection.rst @@ -24,7 +24,7 @@ Procedure 2. Click |image1| in the upper left corner and select the desired region and project. -3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. The **Virtual Private Cloud** page is displayed. 
@@ -39,3 +39,4 @@ Procedure 6. Click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001675416345.png diff --git a/umn/source/vpc_peering_connection/deleting_routes_configured_for_a_vpc_peering_connection.rst b/umn/source/vpc_peering_connection/deleting_routes_configured_for_a_vpc_peering_connection.rst index 4ad2cf0..1957805 100644 --- a/umn/source/vpc_peering_connection/deleting_routes_configured_for_a_vpc_peering_connection.rst +++ b/umn/source/vpc_peering_connection/deleting_routes_configured_for_a_vpc_peering_connection.rst @@ -24,6 +24,8 @@ Deleting Routes of a VPC Peering Connection Between VPCs in the Same Account #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **VPC Peering Connections**. The VPC peering connection list is displayed. @@ -71,6 +73,8 @@ Only the account owner of a VPC in a VPC peering connection can delete the route b. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + c. In the navigation pane on the left, choose **Virtual Private Cloud** > **VPC Peering Connections**. The VPC peering connection list is displayed. 
@@ -94,6 +98,6 @@ Only the account owner of a VPC in a VPC peering connection can delete the route #. Log in to the management console using the account of the peer VPC and delete the route of the peer VPC by referring to :ref:`1 `. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001503330858.png +.. |image2| image:: /_static/images/en-us_image_0000001626896590.png .. |image3| image:: /_static/images/en-us_image_0141273034.png -.. |image4| image:: /_static/images/en-us_image_0000001553770737.png +.. |image4| image:: /_static/images/en-us_image_0000001675616433.png diff --git a/umn/source/vpc_peering_connection/modifying_a_vpc_peering_connection.rst b/umn/source/vpc_peering_connection/modifying_a_vpc_peering_connection.rst index e6f3d76..0af6278 100644 --- a/umn/source/vpc_peering_connection/modifying_a_vpc_peering_connection.rst +++ b/umn/source/vpc_peering_connection/modifying_a_vpc_peering_connection.rst @@ -19,7 +19,7 @@ Procedure 2. Click |image1| in the upper left corner and select the desired region and project. -3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. The **Virtual Private Cloud** page is displayed. @@ -34,3 +34,4 @@ Procedure 6. Modify the VPC peering connection information and click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001626576382.png diff --git a/umn/source/vpc_peering_connection/modifying_routes_configured_for_a_vpc_peering_connection.rst b/umn/source/vpc_peering_connection/modifying_routes_configured_for_a_vpc_peering_connection.rst index 5004df6..13e1ecb 100644 --- a/umn/source/vpc_peering_connection/modifying_routes_configured_for_a_vpc_peering_connection.rst +++ b/umn/source/vpc_peering_connection/modifying_routes_configured_for_a_vpc_peering_connection.rst 
@@ -26,6 +26,8 @@ Modifying Routes of a VPC Peering Connection Between VPCs in the Same Account #. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + #. In the navigation pane on the left, choose **Virtual Private Cloud** > **VPC Peering Connections**. The VPC peering connection list is displayed. @@ -73,6 +75,8 @@ Only the account owner of a VPC can modify the routes added for the connection. b. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + c. In the navigation pane on the left, choose **Virtual Private Cloud** > **VPC Peering Connections**. The VPC peering connection list is displayed. @@ -96,6 +100,6 @@ Only the account owner of a VPC can modify the routes added for the connection. #. Log in to the management console using the account of the peer VPC and modify the route of the peer VPC by referring to :ref:`1 `. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001554010649.png +.. |image2| image:: /_static/images/en-us_image_0000001627056574.png .. |image3| image:: /_static/images/en-us_image_0141273034.png -.. |image4| image:: /_static/images/en-us_image_0000001553650757.png +.. |image4| image:: /_static/images/en-us_image_0000001626736678.png diff --git a/umn/source/vpc_peering_connection/obtaining_the_peer_project_id_of_a_vpc_peering_connection.rst b/umn/source/vpc_peering_connection/obtaining_the_peer_project_id_of_a_vpc_peering_connection.rst index dbcdf54..f73d923 100644 --- a/umn/source/vpc_peering_connection/obtaining_the_peer_project_id_of_a_vpc_peering_connection.rst +++ b/umn/source/vpc_peering_connection/obtaining_the_peer_project_id_of_a_vpc_peering_connection.rst 
@@ -17,5 +17,5 @@ Procedure The owner of the peer account logs in to the management console. -2. Select **My Credentials** from the username drop-down list. +2. In the upper right corner of the page, select **My Credentials** from the username drop-down list. 3. In the project list, obtain the project ID. diff --git a/umn/source/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst b/umn/source/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst index b8fb49f..d122d37 100644 --- a/umn/source/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst +++ b/umn/source/vpc_peering_connection/viewing_routes_configured_for_a_vpc_peering_connection.rst @@ -26,6 +26,8 @@ Viewing Routes of a VPC Peering Connection Between VPCs in the Same Account 3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **VPC Peering Connections**. The VPC peering connection list is displayed. @@ -54,6 +56,8 @@ Only the account owner of a VPC in a VPC peering connection can view the routes b. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. + The **Virtual Private Cloud** page is displayed. + c. In the navigation pane on the left, choose **Virtual Private Cloud** > **VPC Peering Connections**. The VPC peering connection list is displayed. 
@@ -67,6 +71,6 @@ Only the account owner of a VPC in a VPC peering connection can view the routes #. Log in to the management console using the account of the peer VPC and view the route of the peer VPC by referring to :ref:`1 `. .. |image1| image:: /_static/images/en-us_image_0141273034.png -.. |image2| image:: /_static/images/en-us_image_0000001503011074.png +.. |image2| image:: /_static/images/en-us_image_0000001626576858.png .. |image3| image:: /_static/images/en-us_image_0141273034.png -.. |image4| image:: /_static/images/en-us_image_0000001503490750.png +.. |image4| image:: /_static/images/en-us_image_0000001675256529.png diff --git a/umn/source/vpc_peering_connection/viewing_vpc_peering_connections.rst b/umn/source/vpc_peering_connection/viewing_vpc_peering_connections.rst index 5f7f8cc..fc9f207 100644 --- a/umn/source/vpc_peering_connection/viewing_vpc_peering_connections.rst +++ b/umn/source/vpc_peering_connection/viewing_vpc_peering_connections.rst @@ -19,7 +19,7 @@ Procedure 2. Click |image1| in the upper left corner and select the desired region and project. -3. On the console homepage, under **Network**, click **Virtual Private Cloud**. +3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. The **Virtual Private Cloud** page is displayed. @@ -32,3 +32,4 @@ Procedure On the displayed page, view details about the VPC peering connection. .. |image1| image:: /_static/images/en-us_image_0141273034.png +.. |image2| image:: /_static/images/en-us_image_0000001675256029.png diff --git a/umn/source/vpc_peering_connection/vpc_peering_connection_usage_examples.rst b/umn/source/vpc_peering_connection/vpc_peering_connection_usage_examples.rst index 7ea19dd..aff425b 100644 --- a/umn/source/vpc_peering_connection/vpc_peering_connection_usage_examples.rst +++ b/umn/source/vpc_peering_connection/vpc_peering_connection_usage_examples.rst 
@@ -5,7 +5,7 @@ VPC Peering Connection Usage Examples ===================================== -A VPC peering connection is a networking connection between two VPCs and enables them to communicate. :ref:`Table 1 ` lists different scenarios of using VPC peering connections. +A VPC peering connection is a networking connection between two VPCs in the same region and enables them to communicate. :ref:`Table 1 ` lists different scenarios of using VPC peering connections. .. _en-us_topic_0046809840__table18339193642913: @@ -191,7 +191,10 @@ As shown in :ref:`Figure 4 `, VPC-A and Peering ECSs in a Central VPC with ECSs in Two Other VPCs --------------------------------------------------------- -As shown in :ref:`Figure 5 `, VPC-B and VPC-C have overlapping CIDR blocks, and their Subnet-B01 and Subnet-BC01 have overlapping CIDR blocks. In this case, the VPC peering connection can connect ECSs in Subnet-B01 and Subnet-A01, and ECSs in Subnet-C01 and Subnet-A01. +As shown in :ref:`Figure 5 `, VPC-B and VPC-C have overlapping CIDR blocks, and their Subnet-B01 and Subnet-C01 have overlapping CIDR blocks. You can only create a VPC peering connection between ECSs. + +- Use VPC peering connection Peering-AB to connect ECSs in Subnet-B01 and Subnet-A01. +- Use VPC peering connection Peering-AC to connect ECSs in Subnet-C01 and Subnet-A01. .. _en-us_topic_0046809840__fig568511518481:
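Review bot: In the rewritten Table 1 of creating_a_vpc_peering_connection.rst (hunk @@ -69,38 +72,42 @@), the Peer Project row carries two defects over from the old table instead of fixing them: "because **My account** is set to **Account**" has the parameter and its value reversed and should read "because **Account** is set to **My account**", and "the correspond project of account A" should be "the corresponding project of account A". Since this hunk already rewrites every row of the table, correct both here rather than leaving them for a follow-up.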
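Review bot: Removing the `.. important::` block in hunk @@ -111,15 +118,13 @@ of creating_a_vpc_peering_connection.rst drops the consequence it stated ("Otherwise, the VPC peering connection does not take effect"); the replacement sentence added at the top of Step 2 only says forward and return routes are needed for communication. A reader who clicks **Add Later** is no longer told that the connection is unusable until routes exist. Suggest keeping the consequence in the new sentence, for example "Without these routes, the VPC peering connection does not take effect."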
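Review bot: The `.. important::` bullet rewritten in hunk @@ -216,8 +221,8 @@ of creating_a_vpc_peering_connection.rst only changes the capitalization of the :ref: title and leaves the sentence ungrammatical: "If the instances in different security groups" is missing its verb and should read "If the instances are in different security groups". Worth fixing while the line is being touched, as this bullet is the one place the procedure tells the reader that routes alone do not open traffic and that the security group inbound rule must allow the peer security group.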
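Review bot: In hunk @@ -191,7 +191,10 @@ of vpc_peering_connection_usage_examples.rst, the new sentence "You can only create a VPC peering connection between ECSs." misstates what the two bullets that follow describe: Peering-AB and Peering-AC are connections between VPCs, and what the overlapping CIDR blocks of VPC-B/VPC-C and Subnet-B01/Subnet-C01 restrict is what can be routed over them, namely individual ECSs in Subnet-B01 and Subnet-C01 rather than the overlapping subnets as a whole. Suggest "In this case, the VPC peering connections can only connect specific ECSs, not the overlapping subnets:" as the lead-in to the two bullets. The correction of Subnet-BC01 to Subnet-C01 in the same line is right, and the "in the same region" addition in hunk @@ -5,7 +5,7 @@ is consistent with the "account A and region A" example in Table 1.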