A virtual private cloud (VPC) provides a secure and isolated virtual network environment for simple management and configuration of the internal network.
You can perform the following tasks in a VPC:
Attach an external gateway to enable Internet access, and connect a firewall to provide advanced security protection for communication with the external network.
Create security groups for cloud hosts and define intra-security group and inter-security group access rules to enhance cloud host security protection.
Configure custom routes to design traffic forwarding between cloud hosts.
To isolate services, deploy the services in different VPCs.
Figure-1 Service system isolation
For a cloud host to access the public network, configure an external gateway for the VPC in which the cloud host resides and attach the gateway to the VPC. Then all cloud hosts in the VPC can access the Internet through the external gateway.
Figure-2 Public network access
To access a cloud host from the Internet, bind an elastic IP address to the host, configure an external gateway for the VPC in which the cloud host resides, and attach a firewall to the VPC.
Figure-3 Cloud host access from the public network
Cloud host security is provided by VPC, security group, and firewall.
By default, cloud hosts in the same VPC can reach each other. For cloud hosts in different VPCs to reach each other, a firewall and elastic IP addresses must be configured.
Security groups created in a VPC isolate cloud hosts from the same or different private networks in a VPC, providing cloud host-level protection. For cloud hosts in a security group, whether traffic can be received from a source or sent to a destination is controlled by the rules configured for the security group.
The firewall provides network-level protection for communication between cloud hosts and for communication between cloud hosts and the external network. It is applicable to scenarios with high security requirements.
Figure-4 Cloud host security protection
You can add custom routes to the routing table to manage traffic forwarding, for example, to configure the cloud hosts in a VPC to access the Internet through one cloud host in the VPC.
Figure-5 Customizing routes
Support of dual stack—VPCs support both IPv4 and IPv6, reducing the number of vNICs and network maintenance complexity.
Flexible configuration—VPCs support routing table customization, allowing users to flexibly control network traffic forwarding.
Cloud host
VPCs provide a secure and isolated private network environment for cloud hosts in a private cloud.
vNIC
Cloud hosts communicate with each other in a private network through vNICs. At cloud host creation, the system creates a vNIC for the cloud host in the selected network. For a cloud host to communicate with different private networks or with different interfaces of one private network, you can attach multiple vNICs to the cloud host for refined network management and fast fault migration.
Elastic network
An elastic network provides elastic IP addresses. For the cloud hosts in the private networks attached to a VPC to access the Internet, attach the VPC to an elastic network and configure an external gateway. For a cloud host to be accessed from the Internet, bind an elastic IP address to the cloud host and configure an external gateway.
Security group
A security group contains a group of cloud hosts that have the same security protection requirements and trust each other.
Firewall
A firewall controls communication between cloud hosts and the external network. For a cloud host to communicate with the external network, you must attach a firewall to the VPC in which the cloud host resides.
VPN
A virtual private network (VPN) establishes an encrypted communication tunnel between two specific peers for secure transmission. You can use a VPN to connect cloud networks and traditional networks to safeguard communication between cloud resources and datacenter resources.
Load balancing
Load balancing distributes private network traffic to multiple cloud hosts to balance loads.
Dual stack network
A dual stack network is a network in which all nodes support both IPv4 and IPv6 for both internal and external network access.
VPC private network
A VPC private network is a subnet of the VPC. Services in the system must be associated with a VPC private network to provide services.
Routing table
A routing table contains routing entries. The system creates an empty routing table for the VPC at VPC creation. By default, all private networks in a VPC can communicate with each other. You can configure routes manually to control traffic forwarding between private networks in a VPC.
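The routing-table behaviour described here and in the custom-routes section above (private networks of a VPC reachable by default, plus a custom default route that sends Internet-bound traffic through one cloud host), modelled as an added example that is not the product's own code. The subnet prefixes and the NAT host address are constructed sample values, and the lookup rule is assumed to be longest-prefix match.

```python
import ipaddress

# Constructed sample values: two private networks of one VPC and the
# cloud host that is meant to forward Internet traffic for the others.
VPC_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]
NAT_HOST = "10.0.1.10"


def build_routing_table(subnets, custom_routes=()):
    """Return a list of (network, next_hop) entries for a VPC.

    Each private network of the VPC gets an implicit "local" entry, which
    models the default intra-VPC reachability described in the text.
    custom_routes are (prefix, next_hop) pairs added by the administrator,
    where next_hop is the vNIC address of a cloud host in the VPC.
    """
    table = [(ipaddress.ip_network(s), "local") for s in subnets]
    table += [(ipaddress.ip_network(p), nh) for p, nh in custom_routes]
    return table


def lookup(table, dst):
    """Longest-prefix match for dst; returns the next hop, or None if no
    entry covers the destination (traffic is dropped inside the VPC)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def default_table():
    """Routing table as the system creates it: no custom routes."""
    return build_routing_table(VPC_SUBNETS)


def nat_table():
    """Routing table after adding a custom default route via NAT_HOST."""
    return build_routing_table(VPC_SUBNETS, [("0.0.0.0/0", NAT_HOST)])
```

Because the custom 0.0.0.0/0 entry is the shortest prefix in the table, it only catches traffic that no private network of the VPC already covers, so adding it does not change intra-VPC forwarding.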