04 Networking Services

This document provides an overview of networking services offered by Huawei Cloud, focusing on Virtual Private Cloud (VPC) and its components, including security groups, network ACLs, and connectivity options like VPC peering and NAT gateways. It outlines objectives for understanding and configuring cloud networks, as well as best practices for managing network security and connectivity. Additionally, the document includes exercises and quizzes to reinforce learning about creating and managing VPCs and their associated resources.

Networking Services

Foreword
⚫ Network resources play a vital role in setting up infrastructure on the cloud. These resources enable communications between instances and between applications, laying a solid foundation for rapid business growth.
⚫ In this chapter, we will discuss the basic networking services provided by Huawei Cloud. I hope you will acquire a better understanding of how to use these services.

Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 2


Objectives
⚫ Understand the basic concepts of Virtual Private Cloud (VPC) and be proficient in
configuring cloud networks using VPC.

⚫ Understand the concepts of security groups and network ACLs, and be proficient in using
them to secure simple networks.

⚫ Understand the basic functions of VPC peering connections and VPN connections, and be
able to use them to enable communications between VPCs.

⚫ Understand Elastic IP (EIP) and NAT Gateway, and be proficient in using them to connect a
cloud server to the Internet.



Contents
1. Cloud Network - VPC

2. Cloud Network Connectivity

3. Networking Service Best Practices



Quiz

⚫ Question: How do you create a private network on Huawei Cloud to enable communications between two ECSs?
⚫ Answer: Use Huawei Cloud VPC.



VPC Overview
⚫ Virtual Private Cloud (VPC) allows you to provision logically isolated virtual private networks
for cloud resources, such as cloud servers, containers, and databases.

⚫ "LANs" on the cloud
 Resources in a VPC can communicate with each other.
 Resources from different VPCs are isolated from each other.
⚫ Custom IP address assignment and route configuration
⚫ Core network security services



VPC Components
⚫ Each VPC consists of a private CIDR block, route tables, and at least one subnet.

[Diagram: a VPC with CIDR block 192.168.0.0/16 contains a router and two subnets, Subnet 1 (192.168.0.0/24) and Subnet 2 (192.168.1.0/24), hosting ECSs and an RDS instance.]



Subnet

• You can divide a VPC into one or more subnets.
• You can use subnets for refined network management.
• Traffic can be controlled in and out of subnets.
• You can customize routes for different networks.
• All resources must be created in subnets.

• You can define a CIDR block for each VPC.
• Resources in a VPC can communicate with each other.

A VPC can have one or more subnets. Subnets can be used for more refined network management.



Route Table

• Each VPC comes with a default route table.
• If you create a subnet in the VPC, the subnet is automatically associated with the default route table.
• You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the route table.

• A route table contains a set of routes that are used to control the traffic in and out of your subnets in a VPC.
• Each subnet can only be associated with one route table.

A route table contains a set of routes that are used to control the traffic in and out of your subnets in a VPC. The default route table ensures that subnets in a VPC can communicate with each other.



Exercise 1
⚫ Task 1: Use the following settings to create a VPC (vpc-demo-a) and two subnets (subnet-demo-0 and subnet-demo-1) and view the default route table configuration.

VPC
• Region: CN North-Beijing4
• Name: vpc-demo-a
• IPv4 CIDR Block: 192.168.0.0/16
Retain default values for other parameters.

Default Subnet
• AZ: AZ1
• Subnet Name: subnet-demo-0
• IPv4 CIDR Block: 192.168.0.0/24

Subnet Setting 1
• Subnet Name: subnet-demo-1
• IPv4 CIDR Block: 192.168.1.0/24
Retain default values for other parameters.

⚫ Task 2: Create two ECSs (ecs-demo-1 and ecs-demo-2) in subnet-demo-0 and subnet-demo-1, respectively, and test network connectivity.
⚫ Question: What might happen that could prevent ecs-demo-1 and ecs-demo-2 from communicating with each other?



Access Control
⚫ You can configure network ACLs and security groups to protect resources in a VPC.
 Security groups protect instances and check traffic to and from instances.
 Network ACLs protect subnets and only check traffic across subnets.

[Diagram: a VPC router connects Subnet 1 and Subnet 2; each subnet is protected by its own network ACL, and the instances inside each subnet are protected by security groups.]



Security Group
⚫ A security group is a logical group for which you configure access rules; the rules then apply to all instances associated with the security group.
⚫ A security group has inbound and outbound rules to control traffic that is allowed to reach or leave the instances associated with the security group.

Security group configuration process: create a security group, configure security group rules, and add instances to the security group.

Security group Sg-A rules (what do these rules mean?)

Inbound rules of security group Sg-A
Rules    Priority  Action  Protocol & Port  Source
Rule A1  1         Allow   ICMP: All        0.0.0.0/0
Rule A2  1         Allow   All              Sg-A

Outbound rules of Sg-A
Rules    Priority  Action  Protocol & Port  Source
Rule A3  1         Allow   All              0.0.0.0/0
Network ACL
⚫ A network ACL is an optional layer of security for your subnets. After you add inbound and outbound
rules to a network ACL and associate subnets with it, you can control traffic in and out of the subnets.
⚫ After a network ACL is associated with a subnet, the network ACL denies all traffic to and from this
subnet by default until you add rules to allow traffic.
⚫ A network ACL can be associated with multiple subnets. However, a subnet can be associated with only
one network ACL.

Network ACL configuration process: create a network ACL, add network ACL rules, and associate the network ACL with a subnet.

Network ACL rules
Direction  Action  Protocol  Source     Source Port Range  Destination  Destination Port Range
Inbound    Allow   TCP       0.0.0.0/0  1-65535            0.0.0.0/0    80
Inbound    Allow   TCP       0.0.0.0/0  1-65535            0.0.0.0/0    443
Outbound   Allow   All       0.0.0.0/0  All                0.0.0.0/0    All
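The Sg-A rules and the network ACL rules above, as an added Python example (not Huawei Cloud code or part of the course material): it evaluates both rule sets against constructed sample flows and shows that traffic reaches an instance only when the subnet's network ACL and the instance's security group both allow it. The Flow and Rule types, the 203.0.113.5 and 192.168.1.20 addresses, and the simplified matching (first match in priority order, no match means deny) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    direction: str                  # "inbound" or "outbound", seen from the protected object
    protocol: str                   # "tcp", "udp" or "icmp"
    port: Optional[int]             # destination port, None for ICMP
    remote: str                     # IP address of the other end (constructed sample values)
    remote_groups: frozenset = frozenset()  # security groups the remote instance belongs to

@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                     # "allow" or "deny"
    protocol: str                   # "all", "tcp", "udp" or "icmp"
    ports: Optional[tuple]          # (low, high) or None for all ports
    source: str                     # a CIDR block or a security group name such as "Sg-A"

def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.direction != flow.direction or rule.protocol not in ("all", flow.protocol):
        return False
    if rule.ports is not None and (flow.port is None or not rule.ports[0] <= flow.port <= rule.ports[1]):
        return False
    try:
        return ipaddress.ip_address(flow.remote) in ipaddress.ip_network(rule.source)
    except ValueError:
        # Not a CIDR block: the source is a security group, matched by membership (Rule A2).
        return rule.source in flow.remote_groups

def evaluate(rules, flow: Flow) -> bool:
    """Simplified semantics: rules in priority order, first match decides, no match means deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action == "allow"
    return False

# Sg-A rules as listed on the slide.
SG_A = [
    Rule("inbound", "allow", "icmp", None, "0.0.0.0/0"),  # Rule A1
    Rule("inbound", "allow", "all", None, "Sg-A"),        # Rule A2: members of Sg-A trust each other
    Rule("outbound", "allow", "all", None, "0.0.0.0/0"),  # Rule A3
]

# Network ACL rules as listed on the slide: only HTTP and HTTPS inbound, everything outbound.
ACL = [
    Rule("inbound", "allow", "tcp", (80, 80), "0.0.0.0/0"),
    Rule("inbound", "allow", "tcp", (443, 443), "0.0.0.0/0"),
    Rule("outbound", "allow", "all", None, "0.0.0.0/0"),
]

def permitted(flow: Flow) -> bool:
    """A flow must pass the subnet's network ACL and then the instance's security group."""
    return evaluate(ACL, flow) and evaluate(SG_A, flow)

# Constructed sample flows. 203.0.113.5 is a documentation address standing in for an Internet host;
# 192.168.1.20 stands in for an instance in another subnet of the same VPC that is a member of Sg-A.
PING_FROM_INTERNET = Flow("inbound", "icmp", None, "203.0.113.5")
SSH_FROM_PEER = Flow("inbound", "tcp", 22, "192.168.1.20", frozenset({"Sg-A"}))
SSH_FROM_INTERNET = Flow("inbound", "tcp", 22, "203.0.113.5")
HTTPS_FROM_INTERNET = Flow("inbound", "tcp", 443, "203.0.113.5")
```

Running the flows through both layers shows why Exercise 2 uses a security group alone: with this network ACL attached to the subnet, the ICMP allowed by Rule A1 and the intra-group traffic allowed by Rule A2 are still dropped at the subnet boundary, because the ACL has no rule for them.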



VPC Application Scenario - Dedicated Networks on Cloud
⚫ Each VPC represents a private network that is logically isolated from other VPCs. You can
deploy your service system in a VPC on Huawei Cloud. If you have multiple service systems,
for example, a production system and a test system, you can keep them isolated by
deploying them in separate VPCs.

[Diagram: a Production VPC and a Test VPC, each containing ECSs, isolated from each other by tunneling technology.]
Exercise 2
⚫ Task 1: Use the following settings to create a security group (sg-demo) and view its inbound and
outbound rules. Then, use the new security group to replace the security group of the two ECSs in
Exercise 1 and test network connectivity between the two ECSs.

Security group
• Name: sg-demo
• Template: Fast-add rule
• Inbound Rules: ICMP (All)

Retain default values for other parameters.

⚫ Task 2: Delete all rules except ICMP (All) from sg-demo and test network connectivity between the
two ECSs again.



Contents
1. Cloud Network - VPC

2. Cloud Network Connectivity

3. Networking Service Best Practices



Quiz

⚫ Question: Can two ECSs in different VPCs in the same region communicate with each other using private IP addresses?
⚫ Answer: Yes, they can. You can create a VPC peering connection to connect the two VPCs.



VPC Peering Connection Overview
⚫ A VPC peering connection is a network connection between two VPCs. Different VPCs cannot communicate with each other by default, but you can connect them with a VPC peering connection if needed.

Process for configuring a VPC peering connection:
1. Create a VPC peering connection: select the local and peer VPCs.
2. Add routes for the VPC peering connection: add routes to the route tables of the local and peer VPCs.
3. Verify network connectivity.

[Diagram: within one region, VPC 1 (192.168.0.0/16, with Subnet A 192.168.1.0/24 and Subnet B 192.168.2.0/24) and VPC 2 (10.0.0.0/16, with Subnet C 10.0.1.0/24 and Subnet D 10.0.2.0/24) are linked by a VPC peering connection.]

• After a VPC peering connection is created, you need to add routes for the local and peer VPCs to enable communications between them.
• VPC peering connections are free and easy to configure.
• VPCs connected by VPC peering connections can communicate with each other over a private network instead of the Internet.



Exercise 3
⚫ Task 1: Use the following settings to create the second VPC (vpc-demo-b) and create the third ECS (ecs-demo-3) in vpc-demo-b. Test network connectivity between ecs-demo-1 and ecs-demo-3. (Note: the ECSs are associated with the same security group and trust each other.)

VPC
• Region: CN North-Beijing4
• Name: vpc-demo-b
• IPv4 CIDR Block: 192.168.0.0/16

Default Subnet
• AZ: AZ1
• Subnet Name: subnet-demo-2
• IPv4 CIDR Block: 192.168.2.0/24

Retain default values for other parameters.

⚫ Task 2: Create a VPC peering connection between vpc-demo-a and vpc-demo-b, add routes to the route tables of vpc-demo-a and vpc-demo-b, and test network connectivity between ecs-demo-1 and ecs-demo-3 again.
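The CIDR planning behind Exercise 1 and Exercise 3, as an added Python example (not Huawei Cloud code or part of the course material): it checks that each subnet lies inside its VPC CIDR block and that subnets in a VPC do not overlap, then works out which routes a peering connection needs. The routing reasoning is generic, not a Huawei-specific rule: a route for the whole peer VPC CIDR block cannot be used when that block overlaps the local VPC block (in Exercise 3 both VPCs use 192.168.0.0/16), so routes are then added only for peer subnets that overlap no local subnet. The function names are assumptions of this example.

```python
import ipaddress

def check_vpc(vpc_cidr, subnet_cidrs):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

def peering_routes(local_vpc, local_subnets, peer_vpc, peer_subnets):
    """Destinations to route to the peering connection from the local VPC's route table.
    If the VPC blocks do not overlap, one route for the whole peer block is enough;
    otherwise only peer subnets that overlap none of the local subnets are routable."""
    lv, pv = ipaddress.ip_network(local_vpc), ipaddress.ip_network(peer_vpc)
    if not lv.overlaps(pv):
        return [str(pv)]
    local = [ipaddress.ip_network(c) for c in local_subnets]
    return [p for p in peer_subnets
            if not any(ipaddress.ip_network(p).overlaps(l) for l in local)]

# The exercise plan: vpc-demo-a and vpc-demo-b share the same VPC CIDR block.
VPC_A, SUBNETS_A = "192.168.0.0/16", ["192.168.0.0/24", "192.168.1.0/24"]
VPC_B, SUBNETS_B = "192.168.0.0/16", ["192.168.2.0/24"]

if __name__ == "__main__":
    print("vpc-demo-a:", check_vpc(VPC_A, SUBNETS_A) or "ok")
    print("vpc-demo-b:", check_vpc(VPC_B, SUBNETS_B) or "ok")
    print("routes in vpc-demo-a:", peering_routes(VPC_A, SUBNETS_A, VPC_B, SUBNETS_B))
    print("routes in vpc-demo-b:", peering_routes(VPC_B, SUBNETS_B, VPC_A, SUBNETS_A))
```

For the slide's VPC 1 / VPC 2 example (192.168.0.0/16 and 10.0.0.0/16) a single route per side suffices; for Exercise 3 the routes must be per subnet, and a subnet added later to either VPC must be checked against the other VPC before it is routed.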



Quiz

⚫ Question: How can you enable an ECS to connect to the Internet?
⚫ Answer: You can assign an EIP and bind it to the ECS so that the ECS can access the Internet.



Elastic IP (EIP) Overview
⚫ EIP provides static public IP addresses and scalable bandwidths that enable your cloud resources to communicate with the Internet.

[Diagram: an ECS with private IP address 192.168.0.56 is bound to an EIP (public IP address 19.205.67.7, bandwidth 5 Mbit/s), which connects it to the Internet.]

• EIPs can be bound to or unbound from many cloud resources but only one cloud resource at any given time.
• Flexible billing modes: There are yearly/monthly and pay-per-use billing modes. Pay-per-use EIPs can be billed by bandwidth or by traffic. 95th percentile bandwidth billing (enhanced) and resource packages are also supported for saving costs.
• Bandwidths can be flexibly adjusted.



Exercise 4
⚫ Task 1: Test the connectivity between ecs-demo-0 and the Internet when no EIP is bound to ecs-demo-0 (for example, ping www.huaweicloud.com to check network connectivity).
⚫ Task 2: Assign an EIP using the following settings, bind it to ecs-demo-0, and test the connectivity between ecs-demo-2 and the Internet.

• Billing Mode: Pay-per-use
• Region: CN North-Beijing4
• EIP Type: Dynamic BGP
• Billed By: Bandwidth
• Bandwidth (Mbit/s): 5
Retain default values for other parameters.



Quiz

⚫ Question: If multiple ECSs need to connect to the Internet, do I need to apply for multiple EIPs?
⚫ Answer: That is one solution, but you can also try a public NAT gateway.



NAT Gateway
⚫ Public and private NAT gateways are used to provide network address translation (NAT) in
different scenarios. Public NAT gateways support source network address translation (SNAT)
and destination network address translation (DNAT).
 SNAT enables multiple servers to share an EIP to access the Internet.
 DNAT enables multiple servers to share an EIP to provide services accessible from the Internet.

• Multiple servers can share the same EIP.
• A NAT gateway can be shared across subnets and AZs.
• Multiple specifications of NAT gateways are available.



NAT Gateway - SNAT
⚫ SNAT only translates source IP addresses in packets. It is mainly used to enable servers on a private network to access the Internet.

[Diagram: servers 192.168.1.11 and 192.168.1.12 reach the Internet through an SNAT rule that uses EIP 122.9.73.203.]

Mandatory parameters in an SNAT rule
• Scenario: You can select VPC or Direct Connect/Cloud Connect.
• Subnet: You can select an existing subnet, customize a CIDR block, or enter a server IP address.
• EIP: You can select up to 20 EIPs.



NAT Gateway - DNAT
⚫ DNAT only translates destination IP addresses and ports in packets. This enables Internet users to access services deployed on a private network.

[Diagram: a DNAT rule set on EIP 122.9.73.203 maps 122.9.73.203:80 to 192.168.1.11:80 and 122.9.73.203:8080 to 192.168.1.12:80, so Internet users reach both servers on their port 80.]

Mandatory parameters in a DNAT rule
• Scenario: You can select VPC or Direct Connect/Cloud Connect.
• Port Type: You can select Specific port or All ports.
• Protocol: You can select TCP or UDP.
• EIP: Select an EIP used for Internet access.
• Outside Port: This parameter is only available if Specific port is selected for Port Type.
• Private IP Address: Specify the private IP address of an ECS in the same VPC as the NAT gateway.
• Inside Port: Specify a port of the ECS.



Public NAT Gateway - Configuration Overview

Buy EIPs.
1. Buy a NAT gateway.
2. Create an SNAT rule.
3. Create a DNAT rule.

[Diagram: the public NAT gateway serves resources in the VPC (ECS, BMS, CCE) as well as resources reached over Direct Connect.]



Exercise 5
⚫ Task 1: Create a public NAT gateway using the following settings:
• Billing Mode: Pay-per-use
• Region: CN North-Beijing4
• Name: nat-demo
• VPC: vpc-demo-a
• Subnet: subnet-demo-0
• Specifications: Small

Set Next Hop of the default route (0.0.0.0/0) of vpc-demo-a to the public NAT gateway.
⚫ Task 2: Unbind the EIP from Exercise 4 and use it to create an SNAT rule. Check whether ecs-demo-1 and ecs-demo-2 can use the same EIP to access the Internet (by pinging https://www.huaweicloud.com/intl/en-us/).



Extended Questions

⚫ Question 1: A VPC peering connection can connect two VPCs in the same region, but how do I establish a network connection between two VPCs in different regions?
⚫ Question 2: How do I establish connections between an on-premises data center and a virtual network on Huawei Cloud?



How Networking Services Work Together
[Diagram: an IDC (on-premises data center) reaches VPC 1 over VPN or Direct Connect; VPC 1 and VPC 2 are linked by a VPC peering connection; each VPC has a router and subnets protected by network ACLs, with instances (ECS, RDS, BMS, CCE) protected by security groups; Internet access is provided through an Internet gateway, EIPs, and a NAT gateway.]



Contents
1. Cloud Network - VPC

2. Cloud Network Connectivity

3. Networking Service Best Practices



Networking Service Best Practices

[Diagram: in region cn-east-3, a VPC is divided into a frontend subnet (website server), an application subnet (application server), and a database subnet (database); Internet access goes through a NAT gateway, and an on-premises data center connects through a VPN gateway.]



Summary
⚫ This chapter discussed what a VPC is and how to create one. We covered how to enable communications between VPCs using VPC peering connections and how to secure VPCs using security groups and network ACLs. This chapter also explained how to use EIP and NAT Gateway to allow ECSs to access the Internet.



Quiz
1. (Single-answer question) Which of the following networking cloud services can enable an ECS to access the Internet? ( )
A. Virtual Private Cloud (VPC)
B. VPC Peering Connection
C. Elastic IP (EIP)
D. NAT Gateway

2. (True or false) Two mutually trusted ECSs in the same security group cannot communicate with each other. One possible cause is that they are in different VPCs.



Recommendations
⚫ Huawei Cloud websites
 Huawei Cloud: https://www.huaweicloud.com/intl/en-us/
 Huawei Cloud Developer Institute: https://edu.huaweicloud.com/intl/en-us/



Thank You.
Copyright © 2024 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating results,
future product portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially from those
expressed or implied in the predictive statements. Therefore, such information is
provided for reference purpose only and constitutes neither an offer nor an
acceptance. Huawei may change the information at any time without notice.