VPC Usermanual

Virtual Private Cloud
User Guide
Issue 41
Date 2023-02-25
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2023. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. i

User Guide Contents
Contents
1 VPC and Subnet....................................................................................................................... 1

1.1 Network Planning................................................................................................................................................................... 1
1.2 VPC............................................................................................................................................................................................... 4
1.2.1 Creating a VPC...................................................................................................................................................................... 4
1.2.2 Modifying a VPC................................................................................................................................................................ 11
1.2.3 Adding a Secondary CIDR Block to a VPC................................................................................................................ 12
1.2.4 Removing a Secondary CIDR Block from a VPC..................................................................................................... 14
1.2.5 Deleting a VPC................................................................................................................................................................... 15
1.2.6 Managing VPC Tags.......................................................................................................................................................... 15
1.2.7 Exporting VPC List............................................................................................................................................................. 17
1.2.8 Obtaining a VPC ID........................................................................................................................................................... 17
1.2.9 Viewing a VPC Topology................................................................................................................................................. 18
1.3 Subnet....................................................................................................................................................................................... 19
1.3.1 Creating a Subnet for the VPC...................................................................................................................................... 19
1.3.2 Modifying a Subnet.......................................................................................................................................................... 22
1.3.3 Managing Subnet Tags.................................................................................................................................................... 25
1.3.4 Exporting Subnet List....................................................................................................................................................... 27
1.3.5 Viewing and Deleting Resources in a Subnet.......................................................................................................... 28
1.3.6 Viewing IP Addresses in a Subnet................................................................................................................................ 30
1.3.7 Deleting a Subnet..............................................................................................................................................................31
1.4 IPv4 and IPv6 Dual-Stack Network................................................................................................................................ 32
2 Security.................................................................................................................................... 37
2.1 Differences Between Security Groups and Network ACLs......................................................................................37
2.2 Security Group....................................................................................................................................................................... 38
2.2.1 Security Group Overview................................................................................................................................................ 38
2.2.2 Default Security Groups and Security Group Rules............................................................................................... 43
2.2.3 Security Group Configuration Examples....................................................................................................................44
2.2.4 Creating a Security Group.............................................................................................................................................. 48
2.2.5 Adding a Security Group Rule....................................................................................................................................... 51
2.2.6 Fast-Adding Security Group Rules............................................................................................................................... 56
2.2.7 Replicating a Security Group Rule............................................................................................................................... 60
2.2.8 Modifying a Security Group Rule................................................................................................................................. 60
2.2.9 Deleting a Security Group Rule.................................................................................................................................... 60
Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. ii

User Guide Contents
2.2.10 Importing and Exporting Security Group Rules.................................................................................................... 61

2.2.11 Deleting a Security Group............................................................................................................................................ 63
2.2.12 Adding Instances to and Removing Them from a Security Group................................................................ 64
2.2.13 Cloning a Security Group............................................................................................................................................. 65
2.2.14 Modifying a Security Group........................................................................................................................................ 66
2.2.15 Viewing the Security Group of an ECS.................................................................................................................... 67
2.2.16 Changing the Security Group of an ECS................................................................................................................. 67
2.2.17 Common Ports Used by ECSs...................................................................................................................................... 68
2.3 Network ACL.......................................................................................................................................................................... 70
2.3.1 Network ACL Overview................................................................................................................................................... 70
2.3.2 Network ACL Configuration Examples.......................................................................................................................73
2.3.3 Creating a Network ACL................................................................................................................................................. 76
2.3.4 Adding a Network ACL Rule.......................................................................................................................................... 77
2.3.5 Associating Subnets with a Network ACL................................................................................................................. 79
2.3.6 Disassociating a Subnet from a Network ACL........................................................................................................ 80
2.3.7 Changing the Sequence of a Network ACL Rule.................................................................................................... 81
2.3.8 Modifying a Network ACL Rule.................................................................................................................................... 81
2.3.9 Enabling or Disabling a Network ACL Rule..............................................................................................................83
2.3.10 Deleting a Network ACL Rule..................................................................................................................................... 84
2.3.11 Exporting and Importing Network ACL Rules....................................................................................................... 84
2.3.12 Viewing a Network ACL................................................................................................................................................ 85
2.3.13 Modifying a Network ACL........................................................................................................................................... 86
2.3.14 Enabling or Disabling a Network ACL..................................................................................................................... 86
2.3.15 Deleting a Network ACL............................................................................................................................................... 87
3 IP Address Group................................................................................................................... 88
3.1 IP Address Group Overview............................................................................................................................................... 88
3.2 Creating an IP Address Group.......................................................................................................................................... 88
3.3 Associating an IP Address Group with Resources...................................................................................................... 90
3.4 Modifying an IP Address Group....................................................................................................................................... 91
4 Elastic IP.................................................................................................................................. 92
4.1 EIP Overview........................................................................................................................................................................... 92
4.2 Assigning an EIP and Binding It to an ECS...................................................................................................................93
4.3 Unbinding an EIP from an ECS and Releasing the EIP.............................................................................................97
4.4 Modifying an EIP Bandwidth............................................................................................................................................ 98
4.5 Exporting EIP Information............................................................................................................................................... 101
4.6 Managing EIP Tags............................................................................................................................................................ 101
4.7 IPv6 EIP ................................................................................................................................................................................. 102
5 Shared Bandwidth...............................................................................................................109
5.1 Shared Bandwidth Overview.......................................................................................................................................... 109
5.2 Assigning a Shared Bandwidth...................................................................................................................................... 110
5.3 Adding EIPs to a Shared Bandwidth............................................................................................................................ 112
Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. iii

User Guide Contents
5.4 Removing EIPs from a Shared Bandwidth................................................................................................................. 112

5.5 Modifying a Shared Bandwidth..................................................................................................................................... 113
5.6 Deleting a Shared Bandwidth........................................................................................................................................ 114
6 Shared Data Package......................................................................................................... 116

6.1 Shared Data Package Overview.................................................................................................................................... 116
6.2 Buying a Shared Data Package..................................................................................................................................... 117
7 Route Tables......................................................................................................................... 119

7.1 Route Table Overview....................................................................................................................................................... 119
7.2 Creating a Custom Route Table.....................................................................................................................................122
7.3 Associating a Route Table with a Subnet...................................................................................................................124
7.4 Changing the Route Table Associated with a Subnet............................................................................................ 125
7.5 Viewing the Route Table Associated with a Subnet............................................................................................... 125
7.6 Viewing Route Table Information................................................................................................................................. 126
7.7 Exporting Route Table Information.............................................................................................................................. 127
7.8 Deleting a Route Table..................................................................................................................................................... 127
7.9 Adding a Custom Route................................................................................................................................................... 128
7.10 Modifying a Route........................................................................................................................................................... 129
7.11 Replicating a Route......................................................................................................................................................... 130
7.12 Deleting a Route.............................................................................................................................................................. 132
7.13 Configuring an SNAT Server........................................................................................................................................ 133
8 VPC Peering Connection.................................................................................................... 137

8.1 VPC Peering Connection Overview...............................................................................................................................137
8.2 VPC Peering Connection Usage Examples................................................................................................................. 139
8.3 Creating a VPC Peering Connection with Another VPC in Your Account........................................................ 150
8.4 Creating a VPC Peering Connection with a VPC in Another Account.............................................................. 157
8.5 Obtaining the Peer Project ID of a VPC Peering Connection.............................................................................. 165
8.6 Modifying a VPC Peering Connection......................................................................................................................... 166
8.7 Viewing VPC Peering Connections................................................................................................................................166
8.8 Deleting a VPC Peering Connection............................................................................................................................. 167
8.9 Modifying Routes Configured for a VPC Peering Connection.............................................................................168
8.10 Viewing Routes Configured for a VPC Peering Connection...............................................................................169
8.11 Deleting Routes Configured for a VPC Peering Connection..............................................................................171
9 VPC Flow Log....................................................................................................................... 173

9.1 VPC Flow Log Overview................................................................................................................................................... 173
9.2 Creating a VPC Flow Log................................................................................................................................................. 174
9.3 Viewing a VPC Flow Log.................................................................................................................................................. 176
9.4 Enabling or Disabling VPC Flow Log........................................................................................................................... 179
9.5 Deleting a VPC Flow Log................................................................................................................................................. 179
10 Virtual IP Address............................................................................................................. 180

10.1 Virtual IP Address Overview......................................................................................................................................... 180
Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. iv

User Guide Contents
10.2 Assigning a Virtual IP Address..................................................................................................................................... 182

10.3 Binding a Virtual IP Address to an EIP or ECS........................................................................................................183
10.4 Binding a Virtual IP Address to an EIP......................................................................................................................188
10.5 Using a VPN to Access a Virtual IP Address........................................................................................................... 188
10.6 Using a Direct Connect Connection to Access the Virtual IP Address........................................................... 188
10.7 Using a VPC Peering Connection to Access the Virtual IP Address................................................................ 189
10.8 Disabling IP Forwarding on the Standby ECS.........................................................................................................189
10.9 Disabling Source and Destination Check (HA Load Balancing Cluster Scenario)..................................... 190
10.10 Unbinding a Virtual IP Address from an Instance.............................................................................................. 190
10.11 Unbinding a Virtual IP Address from an EIP........................................................................................................ 191
10.12 Releasing a Virtual IP Address.................................................................................................................................. 192
11 Interconnecting with CTS............................................................................................... 194

11.1 Supported VPC Operations........................................................................................................................................... 194
11.2 Viewing Traces...................................................................................................................................................................197
12 Monitoring..........................................................................................................................198
12.1 Supported Metrics............................................................................................................................................................198
12.2 Viewing Metrics................................................................................................................................................................ 200
12.3 Creating an Alarm Rule................................................................................................................................................. 200
13 Permissions Management...............................................................................................202
13.1 Creating a User and Granting VPC Permissions.................................................................................................... 202
13.2 VPC Custom Policies........................................................................................................................................................ 203
A Change History.................................................................................................................... 206
Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. v

User Guide 1 VPC and Subnet
1 VPC and Subnet
1.1 Network Planning

Before creating your VPCs, determine how many VPCs, the number of subnets,
and what IP address ranges or connectivity options you will need.
How Do I Determine How Many VPCs I Need?

VPCs are region-specific. By default, networks in VPCs in different regions or even
in the same region are not connected. Networks in different VPCs are completely
isolated from each other, this is not the case for networks in the same VPC but in
different AZs. Networks in the same VPC can communicate with each other even if
they are in different AZs.
One VPC
If your services do not require network isolation, a single VPC should be enough.
Multiple VPCs
If you have multiple service systems in a region and each service system requires
an isolated network, you can create a separate VPC for each service system. If you
require network connectivity between separate VPCs, you can use a VPC peering
connection as shown in Figure 1-1.
Figure 1-1 VPC peering connection
Default VPC Quota
Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. 1

By default, you can create a maximum of five VPCs in your account. If this cannot
meet your service requirements, request a quota increase. For details, see What Is
a Quota?
How Do I Plan Subnets?

A subnet is a unique CIDR block with a range of IP addresses in a VPC. All
resources in a VPC must be deployed on subnets.
● By default, ECSs in all subnets of the same VPC can communicate with one
another, but ECSs in different VPCs cannot.
You can create VPC peering connections to enable ECSs in different VPCs but
in the same region to communicate with one another. For details, see VPC
Peering Connection Overview.
● After a subnet is created, its CIDR block cannot be modified.
When you create a VPC, a default subnet will be created together. If you need
more subnets, see Creating a Subnet for the VPC.
The subnets used to deploy your resources must reside within your VPC, and
the subnet masks used to define them can be between the netmask of its VPC
CIDR block and /28 netmask.
– 10.0.0.0 – 10.255.255.255
– 172.16.0.0 – 172.31.255.255
– 192.168.0.0 – 192.168.255.255
NOTE
A subnet mask can be between the netmask of its VPC CIDR block and /28 netmask. If
a VPC CIDR block is 192.168.0.0/16, its subnet mask can between 16 to 28.
Subnet Planning
● We recommend that you create different subnets for different service
modules in a VPC. For example, you can create different subnets for web,
application, and database servers. A web server is in a publicly accessible
subnet, and application and database servers are in non-publically accessible
subnets. You can leverage network ACLs to help control access to the servers
in each subnet.
● If you only need to plan subnets for VPCs, and communication between VPCs
and on-premises data centers are not required, you can create subnets within
any of the CIDR blocks listed above.
● If your VPC needs to communicate with an on-premises data center through
VPN or Direct Connect, the VPC CIDR block cannot overlap with the CIDR
block of the on-premises data center. Therefore, when creating a VPC or
subnet, ensure that its CIDR block does not overlap with any CIDR block on
the data center.
● When determining the size of a VPC or subnet CIDR block, ensure that the
number of available IP addresses on the CIDR block meet your service
requirements.
Default Subnet Quota
By default, you can create up to 100 subnets in your account. If you need more,
request a quota increase. For details, see What Is a Quota?

How Do I Plan Routing Policies?

A route table contains a set of routes that are used to determine where network
traffic from your subnets in a VPC is directed. When you create a VPC, it
automatically has a default route table, which enables internal communication
within that VPC.
● If you do not need to explicitly control how each subnet routes inbound and
outbound traffic, you can use the default route table.
● If you need to explicitly control how each subnet routes inbound and
outbound traffic in a VPC, you can add custom routes to the route table.
How Do I Connect to an On-Premises Data Center?

If you require interconnection between a VPC and an on-premises data center,
ensure that the VPC does not have an overlapping IP address range with the on-
premises data center to be connected.
As shown in Figure 1-2, you have VPC 1 in region A and VPC 2 and VPC 3 in
region B. To connect to an on-premises data center, they can use a VPN, as VPC 1
does in Region A; or a Direct Connect connection, as VPC 2 does in Region B. VPC
2 connects to the data center through a Direct Connect connection, but to connect
to another VPC in that region, like VPC 3, a VPC peering connection must be
established.
Figure 1-2 Connections to on-premises data centers
When planning CIDR blocks for VPC 1, VPC 2, and VPC 3.

● The CIDR block of VPC 1 cannot overlap with the CIDR block of the on-
premises data center in Region A.
● The CIDR block of VPC 2 cannot overlap with the CIDR block of the on-
premises data center in Region B.
● The CIDR blocks of VPC 2 and VPC 3 cannot overlap.
How Do I Access the Internet?

Use EIPs to enable a small number of ECSs to access the Internet.
When only a few ECSs need to access the Internet, you can bind the EIPs to the
ECSs. This will provide them with Internet access. You can also dynamically unbind

the EIPs from the ECSs and bind them to NAT gateways and load balancers
instead, which will also provide Internet access. The process is not complicated.
For more information about EIP, see EIP Overview.
Use a NAT gateway to enable a large number of ECSs to access the Internet.
When a large number of ECSs need to access the Internet, the public cloud
provides NAT gateways for your ECSs. With NAT gateways, you do not need to
assign an EIP to each ECS. NAT gateways reduce costs as you do not need so
many EIPs. NAT gateways offer both source network address translation (SNAT)
and destination network address translation (DNAT). SNAT allows multiple ECSs
in the same VPC to share one or more EIPs to access the Internet. SNAT prevents
the EIPs of ECSs from being exposed to the Internet. DNAT can implement port-
level data forwarding. It maps EIP ports to ECS ports so that the ECSs in a VPC can
share the same EIP and bandwidth to provide Internet-accessible services.
For more information, see NAT Gateway User Guide.
Use ELB to access the Internet If there are a large number of concurrent
requests.
In high-concurrency scenarios, such as e-commerce, you can use load balancers

provided by the ELB service to evenly distribute incoming traffic across multiple
ECSs, allowing a large number of users to concurrently access your business
system or application. ELB is deployed in the cluster mode. It provides fault
tolerance for your applications by automatically balancing traffic across multiple
AZs. You can also take advantage of deep integration with Auto Scaling (AS),
which enables automatic scaling based on service traffic and ensures service
stability and reliability.
For more information, see Elastic Load Balance User Guide.
Helpful Links
● Application Scenarios
● Private Network Access
● Public Network Access
1.2 VPC
1.2.1 Creating a VPC
Scenarios
A VPC provides an isolated virtual network for ECSs. You can configure and
manage the network as required.
You can create a VPC by following the procedure provided in this section. Then,
create subnets, security groups, and assign EIPs by following the procedure
provided in subsequent sections based on your actual network requirements.

Procedure
1. Log in to the management console.
2. On the console homepage, under Networking, click Virtual Private Cloud.
3. Click Create VPC.
The Create VPC page is displayed.
4. On the Create VPC page, set parameters as prompted.
A default subnet will be created together with a VPC and you can also click
Add Subnet to create more subnets for the VPC.
Figure 1-3 Creating a VPC and subnet
Table 1-1 VPC parameter descriptions
Parameter Description Example Value
Region Regions are geographic areas CN-Hong Kong

that are physically isolated
from each other. The networks
inside different regions are not
connected to each other, so
resources cannot be shared
across different regions. For
lower network latency and
faster access to your resources,
select the region nearest you.

Name The VPC name. VPC-test

The name can contain a
maximum of 64 characters,
which may consist of letters,
digits, underscores (_),
hyphens (-), and periods (.).
The name cannot contain
spaces.
CIDR Block The CIDR block of the VPC. 192.168.0.0/16

or IPv4 CIDR The CIDR block of a subnet
Block can be the same as the CIDR
block for the VPC (for a single
subnet in the VPC) or a subset
of the CIDR block for the VPC
(for multiple subnets in the
VPC).
The following CIDR blocks are
supported:
● 10.0.0.0/8-24
● 172.16.0.0/12-24
● 192.168.0.0/16-24
This parameter will be CIDR
Block in regions where IPv4/
IPv6 dual stack is not
supported, and IPv4 CIDR
Block if IPv4/IPv6 dual stack is
supported.
Enterprise The enterprise project to default

Project which the VPC belongs.
An enterprise project
facilitates project-level
management and grouping of
cloud resources and users. The
name of the default project is
default.
For details about creating and
managing enterprise projects,
see the Enterprise
Management User Guide.
Tag The VPC tag, which consists of ● Key: vpc_key1

a key and value pair. You can ● Value: vpc-01
add a maximum of 10 tags to
each VPC.

Description Supplementary information N/A

about the VPC. This parameter
is optional.
The VPC description can
contain a maximum of 255
characters and cannot contain
angle brackets (< or >).
Table 1-2 Subnet parameter descriptions

Name The subnet name. subnet-01

digits, underscores (_),
hyphens (-), and periods (.).
The name cannot contain
spaces.
CIDR Block The CIDR block for the subnet. 192.168.0.0/24

This value must be within the
VPC CIDR block.
This parameter is displayed
only in regions where IPv4/
IPv6 dual stack is not
supported.
IPv4 CIDR The CIDR block for the subnet. 192.168.0.0/24

Block This value must be within the
VPC CIDR block.
IPv6 dual stack is supported.

IPv6 CIDR Specifies whether to set IPv6 -

Block CIDR Block to Enable.
After the IPv6 function is
enabled, the system
automatically assigns an IPv6
CIDR block to the created
subnet. Currently, the IPv6
CIDR block cannot be
customized. IPv6 cannot be
disabled after the subnet is
created.
IPv6 dual stack is supported.
Associated The default route table to Default

Route Table which the subnet will be
associated. You can change
the route table to a custom
route table on the Subnets
page.
Advanced Click the drop-down arrow to Default

Settings set advanced settings for the
subnet, including Gateway
and DNS Server Address.
Gateway The gateway address of the 192.168.0.1

subnet.
This IP address is used to
communicate with other
subnets.

DNS Server Huawei Cloud private DNS 100.125.x.x

Address server addresses are entered
by default. This allows ECSs in
a VPC to communicate with
each other and also access
other cloud services using
private domain names without
exposing their IP addresses to
the Internet.
You can change the default
DNS server addresses if
needed. This may interrupt
your access to cloud services.
You can also click Reset on
the right to restore the DNS
server addresses to the default
value.
A maximum of two DNS
server IP addresses can be
configured. Multiple IP
addresses must be separated
using commas (,).
DHCP Lease The period during which a 365 days

Time client can use an IP address
automatically assigned by the
DHCP server. After the lease
time expires, a new IP address
will be assigned to the client.
● Limited: Set the DHCP lease
time. The unit can be day
or hour.
● Unlimited: The DHCP lease
time does not expire.
If a DHCP lease time is
changed, the new lease
automatically takes effect
when half of the current lease
time has passed. To make the
change take effect
immediately, restart the ECS or
log in to the ECS to cause the
DHCP lease to automatically
renew.

NTP Server The IP address of the NTP 192.168.2.1

Address server. This parameter is
optional.
You can configure the NTP
server IP addresses to be
added to the subnet as
required. The IP addresses are
added in addition to the
default NTP server addresses.
If this parameter is left empty,
no IP address of the NTP
server is added.
Enter a maximum of four valid
IP addresses, and separate
multiple IP addresses with
commas. Each IP address must
be unique. If you add or
change the NTP server
addresses of a subnet, you
need to renew the DHCP lease
for or restart all the ECSs in
the subnet to make the
change take effect
immediately. If the NTP server
addresses have been cleared
out, restarting the ECSs will
not help. You must renew the
DHCP lease for all ECSs to
make the change take effect
immediately.
Tag The subnet tag, which consists ● Key: subnet_key1

of a key and value pair. You ● Value: subnet-01
can add a maximum of 10
tags to each subnet.
Description Supplementary information N/A

about the subnet. This
parameter is optional.
The subnet description can
contain a maximum of 255

Table 1-3 VPC tag key and value requirements

Parameter Requirements Example
Value
Key ● Cannot be left blank. vpc_key1

● Must be unique for the same VPC and can be
the same for different VPCs.
● Can contain a maximum of 36 characters.
● Can contain letters, digits, underscores (_),
and hyphens (-).
Value ● Can contain a maximum of 43 characters. vpc-01

periods (.), and hyphens (-).
Table 1-4 Subnet tag key and value requirements

Parameter Requirements Example Value
Key ● Cannot be left blank. subnet_key1

● Must be unique for each subnet.
● Can contain a maximum of 36
characters.
● Can contain letters, digits,
underscores (_), and hyphens (-).
Value ● Can contain a maximum of 43 subnet-01

characters.
underscores (_), periods (.), and
hyphens (-).
5. Confirm the current configuration and click Create Now.
1.2.2 Modifying a VPC

Scenarios
Change the VPC name and CIDR block.
If the VPC CIDR block conflicts with the CIDR block of a VPN created in the VPC,
you can modify its CIDR block.
Notes and Constraints

● If adding a secondary IPv4 CIDR block to a VPC is supported, you cannot
modify the CIDR block of an existing VPC on the console. However, you can
use APIs to modify the CIDR block of an existing VPC. For details, see the
Virtual Private Cloud API Reference.

Currently, secondary IPv4 CIDR blocks for VPCs are available only in AP-
Singapore and CN North-Beijing4. For details, see Adding a Secondary
CIDR Block to a VPC.
NOTE
If a VPC has a subnet in its secondary CIDR block, the secondary CIDR block cannot be
modified on the console or using APIs.
● When modifying the VPC CIDR block:
– The VPC CIDR block to be modified must be in the supported CIDR
blocks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and
192.168.0.0 – 192.168.255.255
– If the VPC has subnets, the VPC CIDR block to be modified must contain
all subnet CIDR blocks.
Procedure
3. On the Virtual Private Cloud page, locate the row that contains the VPC to
be modified and click Modify or Edit CIDR Block in the Operation column.
4. On the displayed page, modify parameters as prompted. Figure 1-4 shows
the screenshot.
Figure 1-4 Modify VPC
5. Click OK.
1.2.3 Adding a Secondary CIDR Block to a VPC

Scenarios
When you create a VPC, you must specify a CIDR block for the VPC. This is the
primary CIDR block of your VPC, and it cannot be modified after the VPC is
created.
To extend the IP address range of your VPC, you can add a secondary CIDR block.
If you need to create a subnet in the VPC, you can select either the primary or the
secondary CIDR block. Similar to the primary CIDR block, if you create a subnet in
the secondary CIDR block, a route is automatically added to your VPC route table
to enable routing within the VPC.

NOTE
● Secondary CIDR blocks are now available only in regions CN-Hong Kong, AP-Bangkok,
AP-Singapore, AF-Johannesburg, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, and
LA-Santiago.
● If adding a secondary IPv4 CIDR block to a VPC is supported, you can only use APIs to
modify the CIDR block of an existing VPC. For details, see the Virtual Private Cloud API
Reference.

● By default, each VPC only can has one secondary IPv4 CIDR block associated.
● If a subnet in a secondary CIDR block of your VPC is the same as or overlaps
with the destination of an existing route in the VPC route table, the existing
route does not take effect.
If you create a subnet in a secondary CIDR block of your VPC, a route (the
destination is the subnet CIDR block and the next hop is Local) is
automatically added to your VPC route table. This route allows
communications within the VPC and has a higher priority than any other
routes in the VPC route table. For example, if a VPC route table has a route
with the VPC peering connection as the next hop and 100.20.0.0/24 as the
destination, and a route for the subnet in the secondary CIDR block has a
destination of 100.20.0.0/16, 100.20.0.0/16 and 100.20.0.0/24 overlaps and
traffic will be forwarded through the route of the subnet.
● Table 1-5 lists the secondary CIDR blocks that are not supported.
Table 1-5 Restricted secondary CIDR blocks

Type CIDR Block (Not Supported)
Primary CIDR blocks ● 10.0.0.0/8

and existing CIDR ● 172.16.0.0/12
blocks
● 192.168.0.0/16
Reserved system ● 100.64.0.0/10

CIDR blocks ● 214.0.0.0/7
● 198.18.0.0/15
● 169.254.0.0/16
Reserved public CIDR ● 0.0.0.0/8

blocks ● 127.0.0.0/8
● 240.0.0.0/4
● 255.255.255.255/32
Procedure
be modified and click Modify or Edit CIDR Block in the Operation column.

4. Click Add Secondary IPv4 CIDR Block.
Figure 1-5 Add Secondary IPv4 CIDR Block
5. Enter the secondary CIDR block and click OK.
1.2.4 Removing a Secondary CIDR Block from a VPC
Scenarios
You can remove a secondary CIDR block from a VPC if you no longer need it.
You cannot remove the primary IPv4 CIDR block.
NOTE
● Secondary CIDR blocks are now available only in regions CN-Hong Kong, AP-Bangkok,
AP-Singapore, AF-Johannesburg, LA-Mexico City1, LA-Mexico City2, LA-Sao Paulo1, and
LA-Santiago.
● If adding a secondary IPv4 CIDR block to a VPC is supported, you can only use APIs to
modify the CIDR block of an existing VPC. For details, see the Virtual Private Cloud API
Reference.
Prerequisites
All subnets in the secondary CIDR block have been deleted.
Procedure
3. In the navigation pane on the left, click Virtual Private Cloud.
4. In the VPC list, locate the row that contains the VPC from which you want to
delete a secondary CIDR block and click Edit CIDR Block in the Operation
column.
5. Locate the row that contains the secondary CIDR block to be deleted and click
Delete in the Operation column.

1.2.5 Deleting a VPC
Scenarios
This section describes how to delete a VPC.
NOTICE
VPCs are free of charge.

If you want to delete a VPC that has subnets, custom routes, or other resources,
you need to delete these resources as prompted on the console first and then
delete the VPC.
You can refer to Why Can't I Delete My VPCs and Subnets?
Procedure
be deleted and click Delete in the Operation column.
A confirmation dialog box is displayed.
5. Confirm the information and click Yes.
NOTICE
If a VPC cannot be deleted, a message will be displayed on the console.

Delete the resources that are in the VPC by referring to Why Can't I Delete
My VPCs and Subnets?
1.2.6 Managing VPC Tags
Scenarios
A VPC tag identifies a VPC. Tags can be added to VPCs to facilitate VPC
identification and management. You can add a tag to a VPC when creating the
VPC, or you can add a tag to a created VPC on the VPC details page. A maximum
of 10 tags can be added to each VPC.
A tag consists of a key and value pair. Table 1-6 lists the tag key and value
requirements.

Table 1-6 VPC tag key and value requirements

Parameter Requirements Example
Value
Key ● Cannot be left blank. vpc_key1

● Must be unique for the same VPC and can be
the same for different VPCs.
● Can contain a maximum of 36 characters.
● Can contain letters, digits, underscores (_), and
hyphens (-).
Value ● Can contain a maximum of 43 characters. vpc-01

periods (.), and hyphens (-).
Procedure
Search for VPCs by tag key and value on the page showing the VPC list.
2. Click in the upper left corner and select the desired region and project.
5. In the upper right corner of the VPC list, click Search by Tag.
6. In the displayed area, enter the tag key and value of the VPC you are looking
for.
Both the tag key and value must be specified. The system automatically
displays the VPCs you are looking for if both the tag key and value are
matched.
7. Click + to add more tag keys and values.
You can add multiple tag keys and values to refine your search results. If you
add more than one tag to search for VPCs, the VPCs containing all specified
tags will be displayed.
8. Click Search.
The system displays the VPCs you are looking for based on the entered tag
keys and values.
Add, delete, edit, and view tags on the Tags tab of a VPC.
5. On the Virtual Private Cloud page, locate the VPC whose tags are to be
managed and click the VPC name.
The page showing details about the particular VPC is displayed.

6. Click the Tags tab and perform desired operations on tags.

– View tags.
On the Tags tab, you can view details about tags added to the current
VPC, including the number of tags and the key and value of each tag.
– Add a tag.
Click Add Tag in the upper left corner. In the displayed Add Tag dialog
box, enter the tag key and value, and click OK.
– Edit a tag.
Locate the row that contains the tag you want to edit and click Edit in
the Operation column. In the Edit Tag dialog box, change the tag value
and click OK.
– Delete a tag.
Locate the row that contains the tag you want to delete, and click Delete
in the Operation column. In the displayed dialog box, click Yes.
1.2.7 Exporting VPC List
Scenarios
Information about all VPCs under your account can be exported as an Excel file to
a local directory. This file records the names, ID, status, IP address ranges of VPCs,
and the number of subnets.
Procedure
5. In the upper right corner of the VPC list, click .

The system will automatically export information about all VPCs under your
account in the current region. They will be exported in Excel format.
1.2.8 Obtaining a VPC ID
Scenarios
This section describes how to view and obtain a VPC ID.
If you want to obtain the ID of the peer VPC when you create a VPC peering
connection between two VPCs from different accounts, you can share this section
with the owner of the peer account to obtain the VPC ID.
Procedure

4. On the Virtual Private Cloud page, locate the VPC and click its name.
The VPC details page is displayed.
5. In the VPC Information area, view the VPC ID.
Click next to ID to copy the VPC ID.
Figure 1-6 VPC ID
1.2.9 Viewing a VPC Topology

Scenarios
This section describes how to view the topology of a VPC. The topology displays
the subnets in a VPC and the ECSs in the subnets.
Procedure
4. In the VPC list, click the name of the VPC for which the topology is to be
viewed.
The VPC details page is displayed.
5. Click the Topology tab to view the VPC topology.
The topology displays the subnets in the VPC and the ECSs in the subnets.
You can also perform the following operations on subnets and ECSs in the
topology:
– Modify or delete a subnet.
– Add an ECS to a subnet, bind an EIP to the ECS, and change the security
group of the ECS.

Figure 1-7 VPC topology
1.3 Subnet
1.3.1 Creating a Subnet for the VPC
Scenarios
A VPC comes with a default subnet. If the default subnet cannot meet your
requirements, you can create one.
A subnet is configured with DHCP by default. When an ECS in this subnet starts,
the ECS automatically obtains an IP address using DHCP.
Procedure
4. In the navigation pane on the left, choose Virtual Private Cloud > Subnets.
5. Click Create Subnet.
The Create Subnet page is displayed.
6. Set the parameters as prompted.

Table 1-7 Parameter descriptions

VPC The VPC for which you want to create a -

subnet.
Name The subnet name. Subnet

The name can contain a maximum of 64
characters, which may consist of letters,
digits, underscores (_), hyphens (-), and
periods (.). The name cannot contain
spaces.
IPv4 CIDR The CIDR block for the subnet. This value 192.168.0.0/24
Block must be within the VPC CIDR block.
This parameter is displayed only in
regions where IPv4/IPv6 dual stack is
supported.
IPv6 CIDR Specifies whether to set IPv6 CIDR Block -

Block to Enable.
This parameter is displayed only in
regions where IPv4/IPv6 dual stack is
supported.
If you select this option, the system
automatically assigns an IPv6 CIDR block
to the created subnet. Currently, the IPv6
CIDR block cannot be customized. IPv6
cannot be disabled after the subnet is
created.
Associated The default route table to which the Default

Route Table subnet will be associated. You can
change the route table to a custom route
table on the Subnets page.
Advanced The gateway address of the subnet. 192.168.0.1

Settings/ This IP address is used to communicate
Gateway with other subnets.

Advanced Huawei Cloud private DNS server 100.125.x.x

Settings/DN addresses are entered by default. This
S Server allows ECSs in a VPC to communicate
Address with each other and also access other
cloud services using private domain
names without exposing their IP
addresses to the Internet.
You can change the default DNS server
addresses if needed. This may interrupt
You can also click Reset on the right to
restore the DNS server addresses to the
default value.
A maximum of two DNS server IP
addresses can be configured. Multiple IP
addresses must be separated using
commas (,).
Advanced The IP address of the NTP server. This 192.168.2.1

Settings/NT parameter is optional.
P Server You can configure the NTP server IP
Address addresses to be added to the subnet as
required. The IP addresses are added in
addition to the default NTP server
addresses. If this parameter is left empty,
no IP address of the NTP server is added.
Enter a maximum of four valid IP
addresses, and separate multiple IP
addresses with commas. Each IP address
must be unique. If you add or change
the NTP server addresses of a subnet,
you need to renew the DHCP lease for or
restart all the ECSs in the subnet to
make the change take effect
immediately. If the NTP server addresses
have been cleared out, restarting the
ECSs will not help. You must renew the
DHCP lease for all ECSs to make the
change take effect immediately.

Advanced The period during which a client can use 365 days
Settings/ an IP address automatically assigned by
DHCP Lease the DHCP server. After the lease time
Time expires, a new IP address will be
assigned to the client.
● Limited: Set the DHCP lease time. The
unit can be day or hour.
● Unlimited: The DHCP lease time does
not expire.
If a DHCP lease time is changed, the new
lease automatically takes effect when
half of the current lease time has passed.
To make the change take effect
immediately, restart the ECS or log in to
the ECS to cause the DHCP lease to
automatically renew.
Advanced Supplementary information about the -

Settings/ subnet. This parameter is optional.
Description The subnet description can contain a
maximum of 255 characters and cannot
contain angle brackets (< or >).
7. Click OK.
Precautions
When a subnet is created, there are five reserved IP addresses, which cannot be
used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP
addresses are reserved:
● 192.168.0.0: Network ID. This address is the beginning of the private IP
address range and will not be assigned to any instance.
● 192.168.0.1: Gateway address.
● 192.168.0.253: Reserved for the system interface. This IP address is used by
the VPC for external communication.
● 192.168.0.254: DHCP service address.
● 192.168.0.255: Network broadcast address.
If you configured the default settings under Advanced Settings during subnet
creation, the reserved IP addresses may be different from the default ones, but
there will still be five of them. The specific addresses depend on your subnet
settings.
1.3.2 Modifying a Subnet

Scenarios
Modify the subnet name, NTP server address, and DNS server address.


After a subnet is created, its AZ cannot be changed.
Procedure
5. Locate the row that contains the target VPC and click the number in the
Subnets column.
The Subnets page is displayed.
6. In the subnet list, locate the target subnet and click its name.
The subnet details page is displayed.
7. On the Summary tab, click on the right of the parameter to be modified

and modify the parameter as prompted.

Name The subnet name. Subnet

digits, underscores (_), hyphens
(-), and periods (.). The name
cannot contain spaces.

DNS Server Address By default, two DNS server 100.125.x.x

addresses are configured. You
can change them as required.
A maximum of two DNS server
addresses are supported. Use
commas (,) to separate every
two addresses.
Huawei Cloud private DNS
server addresses are entered by
default. This allows ECSs in a
VPC to communicate with each
other and also access other
cloud services using private
domain names without
exposing their IP addresses to
the Internet.
You can change the default
DNS server addresses if
needed. This may interrupt
You can also click Reset on the
right to restore the DNS server
addresses to the default value.
A maximum of two DNS server
IP addresses can be configured.
Multiple IP addresses must be
separated using commas (,).
DHCP Lease Time The period during which a 365 days

client can use an IP address
automatically assigned by the
DHCP server. After the lease
time expires, a new IP address
will be assigned to the client.
● Limited: Set the DHCP lease
time. The unit can be day or
hour.
● Unlimited: The DHCP lease
time does not expire.
If a DHCP lease time is
changed, the new lease
automatically takes effect
when half of the current lease
time has passed. To make the
change take effect
immediately, restart the ECS or
log in to the ECS to cause the
DHCP lease to automatically
renew.

NTP Server Address The IP address of the NTP 192.168.2.1

server. This parameter is
optional.
You can configure the NTP
server IP addresses to be added
to the subnet as required. The
IP addresses are added in
addition to the default NTP
server addresses. If this
parameter is left empty, you do
not add an NTP server IP
address.
A maximum of four unique
NTP server IP addresses can be
configured. Multiple IP
addresses must be separated
by a comma (,). If you add or
change the NTP server
addresses of a subnet, you
need to renew the DHCP lease
for or restart all the ECSs in the
subnet to make the change
take effect immediately. If the
NTP server addresses have
been cleared out, restarting the
ECSs will not help. You must
renew the DHCP lease for all
ECSs to make the change take
effect immediately.
Description Supplementary information -

about the subnet. This
parameter is optional.
The description can contain a
maximum of 255 characters
and cannot contain angle
brackets (< or >).
8. Click OK.
1.3.3 Managing Subnet Tags
Scenarios
A subnet tag identifies a subnet. Tags can be added to subnets to facilitate subnet
identification and administration. You can add a tag to a subnet when creating the
subnet, or you can add a tag to a created subnet on the subnet details page. A
maximum of 10 tags can be added to each subnet.

requirements.
Table 1-9 Subnet tag key and value requirements

Parameter Requirements Example Value
Key ● Cannot be left blank. subnet_key1

● Must be unique for each subnet.
characters.
● Can contain letters, digits, underscores
(_), and hyphens (-).
Value ● Can contain a maximum of 43 subnet-01

characters.
(_), periods (.), and hyphens (-).
Procedure
Search for subnets by tag key and value on the page showing the subnet list.
Subnets column.
6. In the upper right corner of the subnet list, click Search by Tag.
7. Enter the tag key of the subnet to be queried.
Both the tag key and value must be specified. The system automatically
displays the subnets you are looking for if both the tag key and value are
matched.
8. Click + to add another tag key and value.
add more than one tag to search for subnets, the subnets containing all
specified tags will be displayed.
9. Click Search.
The system displays the subnets you are looking for based on the entered tag
keys and values.
Add, delete, edit, and view tags on the Tags tab of a subnet.


Subnets column.
6. In the subnet list, locate the target subnet and click its name.
7. On the subnet details page, click the Tags tab and perform desired operations
on tags.
– View tags.
subnet, including the number of tags and the key and value of each tag.
– Add a tag.
– Edit a tag.
Locate the row that contains the tag you want to edit and click Edit in
the Operation column. In the Edit Tag dialog box, change the tag value
and click OK.
– Delete a tag.
1.3.4 Exporting Subnet List

Scenarios
Information about all subnets under your account can be exported as an Excel file
to a local directory. This file records the name, ID, VPC, CIDR block, and associated
route table of each subnet.
Procedure
5. In the upper right corner of the subnet list, click .

The system will automatically export information about all subnets under
your account in the current region as an Excel file to a local directory.

1.3.5 Viewing and Deleting Resources in a Subnet

Scenarios
VPC subnets have private IP addresses used by cloud resources. This section
describes how to view resources that are using private IP addresses of subnets. If
these resources are no longer required, you can delete them.
You can view resources, including ECSs, BMSs, network interfaces, load balancers,
and NAT gateways.
NOTICE
After you delete all resources in a subnet by referring to this section, the message
"Delete the resource that is using the subnet and then delete the subnet." is
displayed when you delete the subnet, you can refer to Viewing IP Addresses in a
Subnet.
Procedure
5. Locate the target subnet and click its name.
6. On the Summary page, view the resources in the subnet.
a. In the Resources area, view the ECSs, BMSs, network interfaces, and load
balancers in the subnet.
b. In the Networking Components area, view the NAT gateways in the
subnet.
Figure 1-8 Viewing resources in a subnet

7. Delete resources from the subnet.
Table 1-10 Viewing and deleting resources in a subnet

Resource Reference
ECS Currently, you cannot directly switch to ECSs from the

subnet details page. You need to search for the target ECS
in the ECS list and delete it.
1. In the ECS list, click the ECS name.
The ECS details page is displayed.
2. In the NICs area, view the name of the subnet
associated with the ECS.
3. Confirm the information and delete the ECS.
BMS Currently, you cannot directly switch to BMSs from the

subnet details page. You need to search for the target BMS
in the BMS list and delete it.
1. In the BMS list, click the BMS name.
The BMS details page is displayed.
2. In the NICs tab, view the subnet associated with the
BMS.
3. Confirm the information and release the BMS.
Load balancer You can directly switch to load balancers from the subnet
details page.
1. Click the load balancer quantity in the Resources area.
The load balancer list is displayed.
2. Locate the row that contains the load balancer and
click Delete in the Operation column.
For details, see Deleting a Load Balancer.
NAT gateway You can directly switch to NAT gateways from the subnet
details page.
1. Click the NAT gateway name in the Networking
Components area.
The NAT gateway details page is displayed.
2. Click to return to the NAT gateway list.

3. Locate the row that contains the NAT gateway and click
● Deleting or Unsubscribing from a Public NAT
Gateway
● Deleting a Private NAT Gateway

1.3.6 Viewing IP Addresses in a Subnet

Scenarios
A subnet is an IP address range in a VPC. This section describes how to view the
used IP addresses in a subnet.
● Virtual IP addresses
● Private IP addresses
– Used by the subnet itself, such as the gateway, system interface, and
DHCP.
– Used by cloud resources, such as ECSs, load balancers, and RDS instances.

● A subnet cannot be deleted if its IP addresses are used by cloud resources.
● A subnet can be deleted if its IP addresses are used by itself.
Procedure
6. Click the IP Addresses tab to view the IP addresses in the subnet.
a. In the virtual IP address list, you can view the virtual IP addresses
assigned from the subnet.
b. In the private IP address list in the lower part of the page, you can view
the private IP addresses used by the subnet (gateway, system interface,
and DHCP).
Figure 1-9 Viewing IP addresses in a subnet

Follow-up Operations
If you want to view and delete the resources in a subnet, refer to Why Can't I
Delete My VPCs and Subnets?
1.3.7 Deleting a Subnet
Scenarios
This section describes how to delete a subnet.
NOTICE
Subnets are free of charge.

If you want to delete a subnet that has custom routes, virtual IP addresses, or
other resources, you need to delete these resources as prompted on the console
first and then delete the subnet.
You can refer to Why Can't I Delete My VPCs and Subnets?
Procedure
Subnets column.
6. In the subnet list, locate the row that contains the subnet you want to delete
and click Delete in the Operation column.
7. Click Yes.
NOTICE
If a VPC cannot be deleted, a message will be displayed on the console.

Delete the resources that are in the VPC by referring to Why Can't I Delete
My VPCs and Subnets?

1.4 IPv4 and IPv6 Dual-Stack Network

What Is an IPv4/IPv6 Dual-Stack Network?
IPv4 and IPv6 dual-stack allows your resources, such as ECSs, to use both IPv4 and
IPv6 addresses for private and public network communications. For example, if
ECSs uses the IPv4/IPv6 dual-stack network:
● ECSs can communicate with each other using private IPv4 addresses.
● ECSs can communicate with the Internet after they are bound with EIPs.
● ECSs can communicate with each other using IPv6 addresses.
● ECSs can communicate with the Internet after their IPv6 addresses are
associated with bandwidths.
NOTE
If you select Enable for IPv6 CIDR Block when creating a subnet, an IPv6 CIDR block will
be automatically assigned to the subnet.
Basic operations on IPv4 and IPv6 dual-stack networks are the same as those on IPv4
networks, except some parameters. Check the console pages for details.

● The IPv4/IPv6 dual-stack function is currently free, but will be billed at a later
date (price yet to be determined).
● Only ECS flavors that support IPv6 addresses can use IPv4/IPv6 dual-stack
networks.
You can use either of the following methods to check which ECS flavors
support IPv6 addresses:
– On the ECS console, click Buy ECS. On the displayed page, view the ECS
flavors.
If an ECS flavor has the IPv6 parameter with the value of Yes, the ECS
flavor supports IPv6 addresses.
– On the ECS Specifications page, click the link of your desired ECS
specifications for detailed information, and check the ECS flavors that
support IPv6 in the table of ECS features.
For example, if you want to check the flavors of general computing-plus
ECSs that support IPv6:
i. Open the ECS Specifications page.
ii. Under General Computing-Plus, click the link for detailed
information.
Figure 1-10 Link for detailed information
iii. On the General Computing-plus ECSs page, check whether IPv6 is

supported in the table of ECS features.

Figure 1-11 General computing-plus ECSs
IPv6 Application Scenarios

If your ECS supports IPv6, you can use the IPv4/IPv6 dual-stack network. Table
1-11 shows the example application scenarios.
Table 1-11 Application scenarios of IPv4/IPv6 dual stack

Applica Description Subnet ECS
tion
Scenari
o
Private Your applications deployed ● IPv4 ● Private IPv4 address:

commu on ECSs need to CIDR used for private
nicatio communicate with other block communication
n using systems (such as databases) ● IPv6 ● IPv6 address: used for
IPv6 through private networks CIDR private communication.
address using IPv6 addresses. block
es
Public Your applications deployed ● IPv4 ● Private IPv4 address +

commu on ECSs need to provide CIDR IPv4 EIP: used for
nicatio services accessible from the block public network
n using Internet using IPv6 addresses. ● IPv6 communication
IPv6 CIDR ● IPv6 address + shared
address Your applications deployed
on ECSs need to both provide block bandwidth: used for
es public network
services accessible from the
Internet and analyze the communication
access request data using
IPv6 addresses.
If your ECS flavor does not support IPv6 addresses, you can enable the IPv6 EIP
function to allow communications using IPv6 addresses. For details, see Table
1-12.

Table 1-12 Application scenarios of IPv6 EIPs

Applica Description Subnet ECS
tion
Scenari
o
Public Your applications deployed IPv4 ● Private IPv4 address

commu on ECSs need to provide CIDR ● IPv4 EIP (with IPv6
nicatio services accessible from the block function enabled): used
n using Internet using IPv6 addresses. for public
IPv6 communication using
address IPv4 and IPv6 EIPs
es

Figure 1-12 Application scenarios of IPv6 networks
Basic Operations
Creating an IPv6 Subnet
Create an IPv6 subnet by following the instructions in Creating a Subnet for the
VPC. Select Enable for IPv6 CIDR Block. An IPv6 CIDR block will be automatically
assigned to the subnet. IPv6 cannot be disabled after the subnet is created.
Currently, customizing IPv6 CIDR block is not supported.
Viewing In-Use IPv6 Addresses
In the subnet list, click the subnet name. On the displayed page, view in-use IPv6
addresses on the IP Addresses tab page.

Adding a Security Group Rule (IPv6)
Add a security group rule with Type set to IPv6 and Source or Destination set to
an IPv6 address or IPv6 CIDR block.
Adding a Network ACL Rule (IPv6)
Add a network ACL rule with Type set to IPv6 and Source or Destination set to
an IPv6 address or IPv6 CIDR block.
Figure 1-13 Adding a network ACL rule (IPv6)
Adding a Route (IPv6)
Add a route with Destination and Next Hop set to an IPv4 or IPv6 CIDR block.
For details about how to add a route, see Adding a Custom Route. If the
destination is an IPv6 CIDR block, the next hop can only be an IP address in the
same VPC as the IPv6 CIDR block.
NOTE
If the destination is an IPv6 CIDR block, the next hop type can only be an ECS, extension
NIC, or virtual IP address. The next hop must also have IPv6 addresses.
Dynamically Assigning IPv6 Addresses
After an ECS is created successfully, you can view the assigned IPv6 address on the
ECS details page. You can also log in to the ECS and run the ifconfig command to
view the assigned IPv6 address.
If an IPv6 address fails to be automatically assigned or the selected image does

not support the function of automatic IPv6 address assignment, manually obtain
the IPv6 address by referring to Dynamically Assigning IPv6 Addresses.
NOTE
If an ECS is created from a public image:

Before enabling dynamic IPv6 address assignment for a Linux public image, check whether
IPv6 is supported and then check whether dynamic IPv6 address assignment has been
enabled. Currently, all Linux public images support IPv6, and dynamic IPv6 address
assignment is enabled for Ubuntu 16 by default. You do not need to configure dynamic
IPv6 address assignment for the Ubuntu 16 OS. For other Linux public images, you need to
enable this function.

User Guide 2 Security
2 Security
2.1 Differences Between Security Groups and Network

ACLs
You can configure security groups and network ACL to increase the security of
ECSs in your VPC.
● Security groups operate at the ECS level.

● network ACLs protect associated subnets and all the resources in the subnets.
For details, see Figure 2-1.
Figure 2-1 Security groups and network ACLs

Table 2-1 describes the differences between security groups and network ACLs.
Table 2-1 Differences between security groups and network ACLs
Category Security Group network ACL
Targets Operates at the ECS level. Operates at the subnet level.
Rules Supports both Allow and Supports both Allow and Deny
Deny rules. rules.
Deny rules are only supported
in certain regions. You can go
to Function Overview and
click Security Group to view
the regions.
Priority If there are conflicting rules, If rules conflict, the rule with the
the rules take effect based on highest priority takes effect.
the sequence of their security
group in associating with a
resource and then based on
the rule priorities in the group.
Usage Automatically applies to ECSs Applies to all ECSs in the subnets

in the security group that is associated with the network ACL.
selected during ECS creation. Selecting a network ACL is not
You must select a security allowed during subnet creation.
group when creating ECSs. You must create a network ACL,
associate subnets with it, add
inbound and outbound rules, and
enable network ACL. The network
ACL then takes effect for the
associated subnets and ECSs in the
subnets.
Packets Only packet filtering based on Only packet filtering based on the
the 3-tuple (protocol, port, 5-tuple (protocol, source port,
and peer IP address) is destination port, source IP address,
supported. and destination IP address) is
supported.
2.2 Security Group
2.2.1 Security Group Overview
Security Group
A security group is a collection of access control rules for cloud resources, such as
cloud servers, containers, and databases, that have the same security protection
requirements and that are mutually trusted. After a security group is created, you

can create various access rules for the security group, these rules will apply to all
cloud resources added to this security group.
Like whitelists, security group rules work as follows:
● Inbound rule: If an inbound request matches the source in an inbound
security group rule with Action set to Allow, the request is allowed.
Unless otherwise specified, you do not need to configure deny rules in the
inbound direction because requests that do not match allow rules will be
denied.
● Outbound rule: If the destination of an outbound security group rule with
Action set to Allow is 0.0.0.0/0, all outbound requests are allowed.
IPv4 default route: 0.0.0.0/0
IPv6 default route: ::/0
Table 2-2 shows the inbound and outbound rules in security group sg-AB.
Table 2-2 Rules in security group sg-AB

Directi Act Prot Source or Description
on ion ocol Destination
&
Port
Inboun All All Source: sg- Allows access requests from security
d ow AB group sg-AB. This rule ensures that
instances in the security group can
communicate with each other.
Outbou All All Destination: Allows all requests in the security group
nd ow 0.0.0.0/0 to be sent out.
The system automatically creates a default security group for each account. If the
default security group does not meet your requirements, you can modify security
group rules or create a custom security group.
NOTE
Both default and custom security groups are free of charge.
Security Group Basics

● You can associate instances, such as servers and extension NICs, with one or
more security groups.
You can change the security groups that are associated with instances, such as
servers or extension NICs. By default, when you create an instance, it is
associated with the default security group of its VPC unless you specify
another security group.
● You need to add security group rules to allow instances in the same security
group to communicate with each other.
● Security groups are stateful. If you send a request from your instance and the
outbound traffic is allowed, the response traffic for that request is allowed to

flow in regardless of inbound security group rules. Similarly, if inbound traffic

is allowed, responses to allowed inbound traffic are allowed to flow out,
regardless of outbound rules.
Security groups use connection tracking to track traffic to and from instances
that they contain and security group rules are applied based on the
connection status of the traffic to determine whether to allow or deny traffic.
If you add, modify, or delete a security group rule, or create or delete an
instance in the security group, the connection tracking of all instances in the
security group will be automatically cleared. In this case, the inbound or
outbound traffic of the instance will be considered as new connections, which
need to match the inbound or outbound security group rules to ensure that
the rules take effect immediately and the security of incoming traffic.
In addition, if the inbound or outbound traffic of an instance has no packets
for a long time, the traffic will be considered as new connections after the
connection tracking times out, and the connections need to match the
outbound and inbound rules. The timeout period of connection tracking varies
according to the protocol. The timeout period of a TCP connection in the
established state is 600s, and the timeout period of an ICMP connection is
30s. For other protocols, if packets are received in both directions, the
connection tracking timeout period is 180s. If one or more packets are
received in one direction but no packet is received in the other direction, the
connection tracking timeout period is 30s. For protocols other than TCP, UDP,
and ICMP, only the IP address and protocol number are tracked.
NOTE
If two ECSs are in the same security group but in different VPCs, the ECSs cannot
communicate with each other. To enable communications between the ECSs, use a VPC
peering connection to connect the two VPCs. For details about VPC connectivity, see
Application Scenarios.
Security Group Rules

After you create a security group, you can add rules to the security group. A rule
applies either to inbound traffic or outbound traffic. After you add cloud resources
to the security group, they are protected by the rules of the group.
A security group rule consists of:
● Source (inbound rule) or Destination (outbound rule): The value can be an

IP address (such as 192.168.10.10/32), IP address range (such as
192.168.52.0/24), or a security group (such as sg-abc).
● Protocol & Port: The value of ports can be individual ports (such as 22),
consecutive ports (such as 22-30), ports and port ranges (such as 20,23-30),
all ports (1-65535). The protocol can be TCP, UDP, HTTP, and others.
● Source: The value can be a single IP address, an IP address group, or a
security group.
● Type: The value can be IPv4 or IPv6.
● Description: Supplementary information about the security group rule.
Each security group has its default rules. For details, see Table 2-4. You can also
customize security group rules. For details, see Adding a Security Group Rule.

Security Group Template

You can select one of the following security group templates provided by the
system to quickly create a security group with default rules.
● General-purpose web server: The security group that you create using this
template is for general-purpose web servers and includes default rules that
allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443,
and 3389.
● All ports open: The security group that you create using this template
includes default rules that allow inbound traffic on any port. Note that
allowing inbound traffic on any port poses security risks.
● Custom: The security group that you create using this template includes
default rules that deny inbound traffic on any port. You can add or modify
security group rules as required.
Security Group Configuration Process
Figure 2-2 Process for configuring a security group
Security Group Constraints

● By default, you can create a maximum of 100 security groups in your cloud
account.
● By default, you can add up to 50 security group rules to a security group.
● By default, you can associate no more than five security groups with each ECS
or extension NIC.
● If a cloud server or an extension NIC is associated with multiple security
groups, security group rules will be applied based on the following sequence:
the first security group associated will take precedence over those associated
later, then the rule with the highest priority in that security group will be
applied first.
● You can add a maximum of 20 instances to a security group at a time.

● A security group can have no more than 6,000 instances associated, or

performance will deteriorate.
● Security group rules with certain configurations do not take effect for ECSs of
certain specifications. Table 2-3 shows the details.
Table 2-3 Scenarios that security group rules do not take effect
Rule Configuration ECS Type
Source or Destination is The following x86 ECS types are not supported:
set to IP address group. ● General computing (S1, C1, and C2 ECSs)
● Memory-optimized (M1 ECSs)
● High-performance computing (H1 ECSs)
● Disk-intensive (D1 ECSs)
● GPU-accelerated (G1 and G2 ECSs)
● Large-memory (E1, E2, and ET2 ECSs)
Port is set to non- The following x86 ECS types are not supported:
consecutive ports. ● General computing (S1, C1, and C2 ECSs)
All Kunpeng ECSs are not supported.
NOTE
● For details about x86 ECSs, see ECS Specifications (x86).

● For details about Kunpeng ECSs, see ECS Specifications (Kunpeng).
Suggestions
When using a security group:
● Do not add all instances to the same security group if they have different
isolation requirements.
● It is not necessary that you create a security group for each instance. Instead,
you can add instances with the same security requirements to the same
security group.
When adding a security group rule:

● Define simple security group rules. For example, if you add an instance to
multiple security groups, the instance may comply with hundreds of security
group rules, and a change to any rule may cause network disconnection for
the instance.

● Before you modify a security group and its rules, clone the security group and
then modify the cloned security group to test communication and prevent
adverse impact on running services. For details, see Cloning a Security
Group.
● When adding a security group rule for an instance, grant the minimum
permissions possible. For example:
– Open a specific port, for example, 22. It is not recommended that you
open a port range, for example, 22-30.
– It is not recommended that you enter 0.0.0.0/0, allowing traffic to or
from all IP addresses.
● A security group rule takes effect immediately for its associated ECSs after the
rule is configured without ECS restart. Regardless of the inbound rules of a
security group, the response traffic of the outbound traffic is allowed. If a
security group rule does not take effect after being configured, see Why Do
My Security Group Rules Not Take Effect?
2.2.2 Default Security Groups and Security Group Rules

The system creates a default security group for each account. By default, the
default security group rules:
● Allow all outbound packets: Instances in the default security group can send
requests to and receive responses from instances in other security groups.
● Deny all inbound packets: Requests from instances in other security groups
will be denied by the default security group.
Figure 2-3 Default security group
NOTE
● Both default and custom security groups are free of charge.

● You cannot delete the default security group, but you can modify the rules for the
default security group.
● If two ECSs are in the same security group but in different VPCs, the ECSs cannot
communicate with each other. To enable communications between the ECSs, use a VPC
peering connection to connect the two VPCs.
Table 2-4 describes the default rules for the default security group.

Table 2-4 Rules in the default security group
Direc Priori Acti Proto Port/ Source/ Description

tion ty on col Range Destination
Outb 100 Allo All All Destination: Allows all outbound

ound w 0.0.0.0/0 traffic.
Inbou 100 Allo All All Source: Allows

nd w Current communications
security group among ECSs within
name the same security
group on any port.
Inbou 100 Allo TCP 22 Source: Allows all IP

nd w 0.0.0.0/0 addresses to access
Linux ECSs over SSH.
Inbou 100 Allo TCP 3389 Source: Allows all IP

nd w 0.0.0.0/0 addresses to access
Windows ECSs over
RDP.
2.2.3 Security Group Configuration Examples

Common security group configurations are presented here. The examples in this
section allow all outgoing data packets by default. This section will only describe
how to configure inbound rules.
● Allowing External Access to a Specified Port

● Enabling ECSs in Different Security Groups to Communicate with Each
Other Through an Internal Network
● Enabling Specified IP Addresses to Remotely Access ECSs in a Security
Group
● Remotely Connecting to Linux ECSs Using SSH
● Remotely Connecting to Windows ECSs Using RDP
● Enabling Communication Between ECSs
● Hosting a Website on ECSs
● Enabling an ECS to Function as a DNS Server
● Uploading or Downloading Files Using FTP
You can use the default security group or create a security group in advance. For
details, see sections Creating a Security Group and Adding a Security Group
Rule.
Allowing External Access to a Specified Port

● Example scenario:
After services are deployed, you can add security group rules to allow external
access to a specified port (for example, 1100).

● Security group rule:

Directi Protocol Port Source
on
Inboun TCP 1100 0.0.0.0/0

d
Enabling ECSs in Different Security Groups to Communicate with Each Other

Through an Internal Network
Resources on an ECS in a security group need to be copied to an ECS
associated with another security group. The two ECSs are in the same VPC.
We recommend that you enable private network communication between the
ECSs and then copy the resources.
● Security group configuration:
Within a given VPC, ECSs in the same security group can communicate with
one another by default. However, ECSs in different security groups cannot
communicate with each other by default. To enable these ECSs to
communicate with each other, you need to add certain security group rules.
You can add an inbound rule to the security groups containing the ECSs to
allow access from ECSs in the other security group. The required rule is as
follows.
on
Inboun TCP All ID of another

d NOTE security group
Select a protocol used Example: 014d7278-
for communication
XXX-530c95350d43
through an internal
network.

NOTICE
If ECSs associated with the same security group cannot communicate with
each other, check whether the rule that allows the communication has been
deleted.
The following uses security group sg-demo as an example. The rule with
Source set to sg-demo allows resources associated with this security group to
communicate with each other.
Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group

To prevent ECSs from being attacked, you can change the port for remote
login and configure security group rules that allow only specified IP addresses
to remotely access the ECSs.
● Security group configuration:
To allow IP address 192.168.20.2 to remotely access Linux ECSs in a security
group over the SSH protocol (port 22), you can configure the following
security group rule.

on
Inboun SSH 22 IPv4 CIDR block or ID of another

d security group
For example, 192.168.20.2/32
Remotely Connecting to Linux ECSs Using SSH

After creating Linux ECSs, you can add a security group rule to enable remote
SSH access to the ECSs.
NOTE
The default security group comes with the following rule. If you use the default
security group, you do not need to add this rule again.

Directio Protocol Port Source

n
Inbound SSH 22 0.0.0.0/0
Remotely Connecting to Windows ECSs Using RDP

After creating Windows ECSs, you can add a security group rule to enable
remote RDP access to the ECSs.
NOTE
The default security group comes with the following rule. If you use the default
security group, you do not need to add this rule again.
Directio Protocol Port Source

n
Inbound RDP 3389 0.0.0.0/0
Enabling Communication Between ECSs

After creating ECSs, you need to add a security group rule so that you can run
the ping command to test communication between the ECSs.
Direction Protocol Port Source
Inbound ICMP All 0.0.0.0/0
Hosting a Website on ECSs

If you deploy a website on your ECSs and require that your website be
accessed over HTTP or HTTPS, you can add rules to the security group used
by the ECSs that function as the web servers.
Inbound HTTP 80 0.0.0.0/0
Inbound HTTPS 443 0.0.0.0/0

Enabling an ECS to Function as a DNS Server

If you need to use an ECS as a DNS server, you must allow TCP and UDP
access from port 53 to the DNS server. You can add the following rules to the
security group associated with the ECS.
● Security group rules:
Inbound TCP 53 0.0.0.0/0
Inbound UDP 53 0.0.0.0/0
Uploading or Downloading Files Using FTP

If you want to use File Transfer Protocol (FTP) to upload files to or download
files from ECSs, you need to add a security group rule.
NOTE
You must first install the FTP server program on the ECSs and check whether ports 20
and 21 are working properly.
Inbound TCP 20-21 0.0.0.0/0
Adding an ECS to Multiple Security Groups

You may need to add an ECS to multiple security groups based on service
requirements. The security group rules will be applied based on the following
sequence: the first security group associated will take precedence over those
associated later, then the rule with the highest priority in that security group will
be applied first. Using multiple security groups might cause problems when you
access the ECS. We recommend that you associate no more than five security
groups with each ECS.
2.2.4 Creating a Security Group

Scenarios
You can create security groups and add ECSs in a VPC to different security groups
to improve ECS access security. We recommend that you allocate ECSs that have
different Internet access requirements to different security groups.
Each ECS must be associated with at least one security group. If you have no
security group when creating an ECS, the system provides a default security group.
You have an option to create a new security group for the ECS. This section
describes how to create a security group on the management console.

Procedure
4. In the navigation pane on the left, choose Access Control > Security Groups.
5. On the Security Groups page, click Create Security Group.
6. In the Create Security Group area, set the parameters as prompted. Table
2-5 lists the parameters to be configured.
Figure 2-4 Create Security Group

Table 2-5 Parameter description

Parameter Description Example
Value
Template A template comes with default security group General-

rules, helping you quickly create security purpose web
groups. The following templates are provided: server
● Custom: This template allows you to
create security groups with custom
security group rules.
● General-purpose web server: The
security group that you create using this
template is for general-purpose web
servers and includes default rules that
allow all inbound ICMP traffic and allow
inbound traffic on ports 22, 80, 443, and
3389.
● All ports open: The security group that
you create using this template includes
default rules that allow inbound traffic on
any port. Note that allowing inbound
traffic on any port poses security risks.
Name The security group name. This parameter is sg-318b

mandatory.
The security group name can contain a
maximum of 64 characters, which may
consist of letters, digits, underscores (_),
hyphens (-), and periods (.). The name
cannot contain spaces.
NOTE
You can change the security group name after a
security group is created. It is recommended that
you give each security group a different name.
Enterprise When creating a security group, you can add default

Project the security group to an enabled enterprise
project.
An enterprise project facilitates project-level
management and grouping of cloud
resources and users. The name of the default
project is default.
For details about creating and managing
enterprise projects, see the Enterprise
Description Supplementary information about the N/A

security group. This parameter is optional.
The security group description can contain a
maximum of 255 characters and cannot
contain angle brackets (< or >).

7. Click OK.
Related Operations
● For each security group, you can add rules that control the inbound traffic to
ECSs, and a separate set of rules that control the outbound traffic. For details,
see Adding a Security Group Rule.
● Each ECS must be associated with at least one security group. You can add an
ECS to multiple security groups based on service requirements. For details, see
Adding Instances to and Removing Them from a Security Group.
2.2.5 Adding a Security Group Rule

Scenarios
A security group is a collection of access control rules for cloud resources, such as
cloud servers, containers, and databases, to control inbound and outbound traffic.
Cloud resources associated with the same security group have the same security
requirements and are mutually trusted within a VPC.
If the rules of the security group associated with your instance cannot meet your
requirements, for example, you need to allow inbound traffic on a specified TCP
port, you can add an inbound rule.
● Inbound rules control incoming traffic to cloud resources in the security group.
● Outbound rules control outgoing traffic from cloud resources in the security
group.
For details about the default security group rules, see Default Security Groups
and Security Group Rules. For details about security group rule configuration
examples, see Security Group Configuration Examples.
Prerequisites
● A security group has been created. For details about how to create a security
group, see Creating a Security Group.
● You have planned the public or private networks that can or cannot access
instances, such as ECSs. For more examples of security group rules, see
Security Group Configuration Examples.
Procedure
5. On the Security Groups page, locate the target security group and click
Manage Rule in the Operation column to switch to the page for managing
inbound and outbound rules.
6. On the Inbound Rules tab, click Add Rule. In the displayed dialog box, set
required parameters to add an inbound rule.

You can click + to add more inbound rules.
Figure 2-5 Add Inbound Rule
Table 2-6 Inbound rule parameter description
Param Description Example

eter Value
Priority The security group rule priority. 1

The priority value ranges from 1 to 100. The default
value is 1 and has the highest priority. The security
group rule with a smaller value has a higher
priority.
Action The security group rule actions. Allow

Deny rules take precedence over allow rules of the
same priority.
Protoc Protocol: The network protocol. Currently, the value TCP

ol & can be All, TCP, UDP, ICMP, GRE, or others.
Port
Port: The port or port range over which the traffic 22, or
can reach your ECS. The value ranges from 1 to 22-30
65535.
Enter ports in the following format:
● Individual port: Enter a port, such as 22.
● Consecutive ports: Enter a port range, such as
22-30.
● Non-consecutive ports: Enter ports and port
ranges, such as 22,23-30. You can enter a
maximum of 20 ports and port ranges. Each port
range must be unique.
● All ports: Leave it empty or enter 1-65535.
Type The IP address type. IPv4

● IPv4
● IPv6


eter Value
Source Source of the security group rule. The value can be 0.0.0.0/0
an IP address, a security group, or an IP address
group to allow access from IP addresses or
instances in the security group. For example:
● IP address:
– Single IP address: 192.168.10.10/32 (IPv4);
2002:50::44/128 (IPv6)
– All IP addresses: 0.0.0.0/0 (IPv4); ::/0 (IPv6)
– IP address range: 192.168.1.0/24 (IPv4);
2407:c080:802:469::/64 (IPv6)
● IP address group: ipGroup-A
● Security group: sg-A
If the source is a security group, this rule will apply
to all instances associated with the selected security
group.
For more information about IP address groups, see
IP Address Group Overview.
Descrip Supplementary information about the security N/A

tion group rule. This parameter is optional.
The security group rule description can contain a
maximum of 255 characters and cannot contain
7. On the Outbound Rules tab, click Add Rule. In the displayed dialog box, set
required parameters to add an outbound rule.
You can click + to add more outbound rules.
Figure 2-6 Add Outbound Rule

Table 2-7 Outbound rule parameter description

eter Value
Priority The security group rule priority. 1

The priority value ranges from 1 to 100. The default
priority.
Action The security group rule actions. Allow

● Allow: Allows outbound traffic from instances in
the security group based on the rule.
● Deny: Denies outbound traffic from instances in
same priority.
Protoc Protocol: The network protocol. Currently, the value TCP

ol & can be All, TCP, UDP, ICMP, GRE, or others.
Port
Port: The port or port range over which the traffic 22, or
can leave your ECS. The value ranges from 1 to 22-30
65535.

● IPv4
● IPv6
Destina Destination of the security group rule. The value 0.0.0.0/0

tion can be an IP address, a security group, or an IP
address group to allow access to IP addresses or
● IP address:
2002:50::44/128 (IPv6)
2407:c080:802:469::/64 (IPv6)
Descrip Supplementary information about the security N/A

tion group rule. This parameter is optional.

8. Click OK.
Verification
After required security group rules are added, you can verify whether the rules
take effect. For example, you have deployed a website on ECSs. Users need to
access your website over TCP (port 80), and you have added the security group
rule shown in Table 2-8.
Table 2-8 Security group rule

Inbound TCP 80 0.0.0.0/0
Linux ECS
To verify the security group rule on a Linux ECS:
1. Log in to the ECS.
2. Run the following command to check whether TCP port 80 is being listened
on:
netstat -an | grep 80
If command output shown in Figure 2-7 is displayed, TCP port 80 is being
listened on.
Figure 2-7 Command output for the Linux ECS
3. Enter http://ECS EIP in the address box of the browser and press Enter.
If the requested page can be accessed, the security group rule has taken
effect.
Windows ECS
To verify the security group rule on a Windows ECS:
1. Log in to the ECS.
2. Choose Start > Accessories > Command Prompt.
3. Run the following command to check whether TCP port 80 is being listened
on:
netstat -an | findstr 80
If command output shown in Figure 2-8 is displayed, TCP port 80 is being
listened on.
Figure 2-8 Command output for the Windows ECS
4. Enter http://ECS EIP in the address box of the browser and press Enter.
If the requested page can be accessed, the security group rule has taken
effect.

2.2.6 Fast-Adding Security Group Rules

Scenarios
You can add multiple security group rules with different protocols and ports at the
same time.
Procedure
5. On the Security Groups page, locate the target security group and click
Manage Rule in the Operation column to switch to the page for managing
inbound and outbound rules.
6. On the Inbound Rules tab, click Fast-Add Rule. In the displayed dialog box,
select the protocols and ports you wish to add all at once.
Figure 2-9 Fast-Add Inbound Rule

Table 2-9 Inbound rule parameter description

eter Value
Protoco Common protocols and ports are provided for: SSH (22)
ls and ● Remote login and ping
Ports
● Web services
● Databases
Type IP address version This parameter is available only IPv4

after the IPv6 function is enabled.
● IPv4
● IPv6
Source Source of the security group rule. The value can be 0.0.0.0/0
an IP address, an IP address group, or a security
group to allow access from IP addresses or
● Single IP address: 192.168.10.10/32 (IPv4);
2002:50::44/127 (IPv6)
● IP address range: 192.168.1.0/24 (IPv4);
2407:c080:802:469::/64 (IPv6)
● All IP addresses: 0.0.0.0/0 (IPv4); ::/0 (IPv6)
● Security group: sg-abc
● IP address group: ipGroup-test
If the source is a security group, this rule will apply
to all instances associated with the selected security
group.
Priority Security group rule priority. 1

The priority value is from 1 to 100. The default
priority.
Action Security group rule actions. Allow

same priority.
Descrip (Optional) Supplementary information about the -

tion security group rule.
The description can contain a maximum of 255
characters and cannot contain angle brackets (< or
>).

7. On the Outbound Rules tab, click Fast-Add Rule. In the displayed dialog box,
select required protocols and ports to add multiple rules at a time.
Figure 2-10 Fast-Add Outbound Rule
Table 2-10 Outbound rule parameter description

eter Value
Protoc Common protocols and ports are provided for: SSH (22)
ols and ● Remote login and ping
Ports
● Web services
● Databases
Type IP address version IPv4

● IPv4
● IPv6


eter Value
Destin Destination of the security group rule. The value 0.0.0.0/0

ation can be an IP address, an IP address group, or a
security group to allow access to IP addresses or
● xxx.xxx.xxx.xxx/32 (IPv4 address)
● xxx.xxx.xxx.0/24 (IPv4 address range)
● 0.0.0.0/0 (all IPv4 addresses)
● sg-abc (security group)
● Single IP address: 192.168.10.10/32 (IPv4);
2002:50::44/127 (IPv6)
● IP address range: 192.168.1.0/24 (IPv4);
2407:c080:802:469::/64 (IPv6)
● All IP addresses: 0.0.0.0/0 (IPv4); ::/0 (IPv6)
● Security group: sg-abc
● IP address group: ipGroup-test
Priority Security group rule priority. 1

The priority value is from 1 to 100. The default
priority.
Action Security group rule actions. Allow

● Allow: Allows outbound traffic from instances in
● Deny: Denies outbound traffic from instances in
same priority.
Descrip (Optional) Supplementary information about the -

tion security group rule.
The description can contain a maximum of 255
characters and cannot contain angle brackets (< or
>).
8. Click OK.

2.2.7 Replicating a Security Group Rule
Scenarios
Replicate an existing security group rule to generate a new rule. When replicating
a security group rule, you can make changes so that it is not a perfect copy.
Procedure
5. On the Security Groups page, click the security group name.
6. On the displayed page, locate the row that contains the security group rule to
be replicated, and click Replicate in the Operation column.
You can also modify the security group rule as required to quickly generate a
new rule.
7. Click OK.
2.2.8 Modifying a Security Group Rule
Scenarios
You can modify the port, protocol, and IP address of your security group rules as
required to ensure the security of your instances.
Procedure
6. On the displayed page, locate the row that contains the security group rule to
be modified, and click Modify in the Operation column.
7. Modify the rule and click Confirm.
2.2.9 Deleting a Security Group Rule
Scenarios
If the source of an inbound security group rule or destination of an outbound
security group rule needs to be changed, you need to first delete the security
group rule and add a new one.


Security group rules use whitelists. Deleting a security group rule may result in
ECS access failures. Security group rules work as follows:
● If an inbound request matches the source in an inbound security group rule
with Action set to Allow, the request is allowed.
● If the destination of an outbound security group rule with Action set to Allow
is 0.0.0.0/0, all outbound requests are allowed.
Procedure
6. If you do not need a security group rule, locate the row that contains the
target rule, and click Delete.
7. Click Yes in the displayed dialog box.
Deleting multiple security group rules at once
You can also select multiple security group rules and click Delete above the
security group rule list to delete multiple rules at a time.
2.2.10 Importing and Exporting Security Group Rules

Scenarios
● If you want to quickly create or restore security group rules, you can import
existing rules to the security group.
● If you want to back up security group rules locally, you can export the rules to
an Excel file.
● If you want to quickly apply the rules of one security group to another, or if
you want to modify multiple rules of the current security group at once, you
can import or export existing rules.

● When modifying exported security group rules, you can only modify existing
fields in the exported file based on the template and cannot add new fields or
modify the field names. Otherwise, the file will fail to be imported.
● When importing security group rules, if the source is an IP address group,
ensure that the IP address group exists and its name and ID are correct. The
format is ipGroup-zy[2b5213cb-0f41-4d0b-bed9-b6340bf51017].
● Duplicate rules are not allowed.
Procedure

6. Export and import security group rules.
– Click to export all rules of the current security group to an Excel file.
– Click to import security group rules from an Excel file into the
current security group.
Table 2-11 describes the parameters in the template for importing rules.
Table 2-11 Template parameters

eter Value
Directi The direction in which the security group rule Inbound

on takes effect.
● Inbound rules control incoming traffic to
cloud resources in the security group.
● Outbound rules control outgoing traffic from
cloud resources in the security group.
Priorit The priority value ranges from 1 to 100. The 1

y default value is 1 and has the highest priority.
The security group rule with a smaller value has
a higher priority.
Action Deny rules take precedence over allow rules of Allow

the same priority.
Protoc Protocol: The network protocol. Currently, the TCP

ol & value can be All, TCP, UDP, ICMP, GRE, or
Port others.
Port: The port or port range over which the 22, or

traffic can reach your ECS. The value ranges 22-30
from 1 to 65535.

● IPv4
● IPv6


eter Value
Source Source of the security group rule. The value can 0.0.0.0/0
be an IP address, a security group, or an IP
address group to allow access from IP addresses
or instances in the security group. For example:
● IP address:
2002:50::44/128 (IPv6)
2407:c080:802:469::/64 (IPv6)
For more information about IP address groups,
see IP Address Group Overview.
Destin Destination of the security group rule. The value 0.0.0.0/0

ation can be an IP address, a security group, or an IP
address group to allow access to IP addresses or
For more information about IP address groups,
see IP Address Group Overview.
Descri Supplementary information about the security -

ption group rule. This parameter is optional.
Last The time when the security group was modified. -

Modifi
ed
2.2.11 Deleting a Security Group

Scenarios
This section describes how to delete security groups.

● Both default and custom security groups are free of charge.
● The default security group is named default and cannot be deleted.

Figure 2-11 Default security group
● A security group cannot be deleted if it is being used by instances, such as

cloud servers, containers, and databases.
If you need to delete such a security group, delete the instances or change the
security group used by the instance first.
If you still cannot delete a security group even after deleting all the
associated instances, submit a service ticket.
● A security group cannot be deleted if it is used as the source or destination of
a rule in another security group.
Delete or modify the rule and delete the security group again.
For example, if the source of a rule in security group sg-B is set to sg-A, you
need to delete or modify the rule in sg-B before deleting sg-A.
Procedure
The security group list is displayed.
5. Locate the row that contains the target security group, click More in the
Operation column, and click Delete.
2.2.12 Adding Instances to and Removing Them from a

Security Group
Scenarios
After a security group is created, you can add instances to the security group to
protect the instances. You can also remove them from the security group as
required.
You can add multiple instances to or remove them from a security group.
Adding Instances to a Security Group


5. On the Security Groups page, click Manage Instance in the Operation
column.
6. On the Servers tab, click Add and add one or more servers to the current
security group.
7. On the Extension NICs tab, click Add and add one or more extension NICs to
the current security group.
8. Click OK.
Removing Instances from a Security Group

NOTE
● Instances have been added to two or more security groups.

● The instances removed from a security group cannot communicate with other instances
in this security group. Ensure that your instances will not be adversely affected before
you remove instances from a security group.
5. On the Security Groups page, click Manage Instance in the Operation
column.
6. On the Servers tab, locate the target server and click Remove in the
Operation column to remove the server from current security group.
7. On the Extension NICs tab, locate the target extension NIC and click Remove
in the Operation column to remove the NIC from the current security group.
8. Click Yes.
Removing multiple instances from a security group
● Select multiple servers and click Remove above the server list to remove the
selected servers from the current security group all at once.
● Select multiple extension NICs and click Remove above the extension NIC list
to remove the selected extension NICs from the current security group all at
once.
Related Operations
● You can change a security group for an instance based on service
requirements.
● You can delete the security groups that you no longer need. Deleting a
security group will also delete its security group rules.
2.2.13 Cloning a Security Group

Scenarios
You can clone a security group from one region to another to quickly apply the
security group rules to ECSs in another region.

You can clone a security group in the following scenarios:
● For example, you have security group sg-A in region A. If ECSs in region B
require the same security group rules as those configured for security group
sg-A, you can clone security group sg-A to region B, freeing you from creating
a new security group in region B.
● If you need new security group rules, you can clone the original security
group as a backup.

If you clone security group across regions, the system will clone only rules whose
source and destination are CIDR blocks or are in the current security group.
Procedure
5. On the Security Groups page, locate the row that contains the target security
group and choose More > Clone in the Operation column.
6. Set required parameters and click OK.
You can then switch to the required region to view the cloned security group
in the security group list.
2.2.14 Modifying a Security Group
Scenarios
Modify the name and description of a created security group.
Procedure
Method 1
5. On the Security Groups page, locate the target security group and choose
More > Modify in the Operation column.
6. Modify the name and description of the security group as required.
7. Click OK.
Method 2

6. On the displayed page, click on the right of Name and edit the security
group name.
7. Click √ to save the security group name.
8. Click on the right of Description and edit the security group description.
9. Click √ to save the security group description.
2.2.15 Viewing the Security Group of an ECS
Scenarios
View inbound and outbound rules of a security group used by an ECS.
Procedure
3. Under Compute, click Elastic Cloud Server.
The ECS list is displayed.
4. On the Elastic Cloud Server page, click the name of the target ECS.
The page providing details about the ECS is displayed.
5. Click the Security Groups tab and view information about the security group
used by the ECS.
You can view the security groups associated with the ECS and the inbound
and outbound rules.
2.2.16 Changing the Security Group of an ECS
Scenarios
Change the security group associated with an ECS NIC.
Procedure
2. Click . Under Compute, click Elastic Cloud Server.

3. In the ECS list, locate the row that contains the target ECS. Click More in the
Operation column and select Manage Network > Change Security Group.
The Change Security Group dialog box is displayed.

Figure 2-12 Change Security Group
4. Select the target NIC and security groups as prompted.

You can select multiple security groups. In such a case, the rules of all the
selected security groups will be aggregated to apply on the ECS.
To create a security group, click Create Security Group.
NOTE
Using multiple security groups may deteriorate ECS network performance. You are
suggested to select no more than five security groups.
5. Click OK.
2.2.17 Common Ports Used by ECSs

When adding a security group rule, you must specify the port or port range for
communication. When a security group detects an access request, it checks
whether the IP address and the port of the device that sends the request are
allowed by security group rules. Data communication can be established only
when security group rules allow the request.
Table 2-12 lists the common ports used by ECSs. You can configure security group
rules to allow traffic to and from specified ECS ports. For details, see Adding a
Security Group Rule. For more information about requirements for Windows, see
Service overview and network port requirements for Windows.
Table 2-12 Common ports used by ECSs
Protocol Port Description
FTP 21 Used to upload and download files
SSH 22 Used to remotely connect to Linux ECSs
Telnet 23 Used to remotely log in to ECSs using Telnet

Protocol Port Description
SMTP 25 Used to send emails

For security purposes, TCP port 25 is disabled in the
outbound direction by default. For details about how
to open the port, see Why Is Outbound Access
Through TCP Port 25 Restricted?
HTTP 80 Used to access websites over HTTP
POP3 110 Used to receive emails using Post Office Protocol

version 3 (POP3)
IMAP 143 Used to receive emails using Internet Message Access

Protocol (IMAP)
HTTPS 443 Used to access websites over HTTPS
SQL Server 1433 A TCP port of the Microsoft SQL Server for providing
services
SQL Server 1434 A UDP port of the Microsoft SQL Server for returning
the TCP/IP port number used by the SQL Server
Oracle 1521 Oracle database communications port, which must

be enabled on the ECSs where Oracle SQL Server is
deployed
MySQL 3306 Used by MySQL databases to provide services
Windows 3389 Used to connect to Windows ECSs

Server Remote
Desktop
Services
Proxy 8080 Proxy port 8080 used in the WWW proxy service for
web browsing. If you use port 8080, you need to
add :8080 after the IP address when you visit a
website or use a proxy server. After Apache Tomcat is
installed, the default service port is 8080.
NetBIOS 137, NetBIOS is often used for Windows files, printer

138, sharing, and Samba.
and ● Ports 137 and 138: UDP ports that are used when
139 transferring files using Network Neighborhood
(My Network Places)
● Port 139: Connections from this port try to access
the NetBIOS/SMB service.
Some Ports Inaccessible

Symptom: Users in certain areas cannot access some ports.
Analysis: Ports listed in the following table are high-risk ports and are blocked by
default.

Table 2-13 High-risk ports

Protocol Port
TCP 42, 135, 137, 138, 139, 444, 445, 593, 1025, 1068, 1433, 1434, 3127,
3128, 3129, 3130, 4444, 4789, 5554, 5800, 5900, 8998, 9995, and
9996
UDP 135 to 139, 1026, 1027, 1028, 1068, 1433, 1434, 4789, 5554, 9995,
and 9996
Solution: It is recommended that you use ports that are not listed in the table for
your services.
2.3 Network ACL
2.3.1 Network ACL Overview

A network ACL is an optional layer of security for your subnets. After you
associate one or more subnets with a network ACL, you can control traffic in and
out of the subnets.
Figure 2-13 shows how a network ACL works.
Figure 2-13 Security groups and network ACLs
Similar to security groups, network ACLs control access to subnets and add an
additional layer of defense to your subnets. Security groups only have the "allow"

rules, but network ACLs have both "allow" and "deny" rules. You can use network
ACLs together with security groups to implement comprehensive and fine-grained
access control.
Differences Between Security Groups and Network ACLs summarizes the basic
differences between security groups and network ACLs.
Network ACL Basics

● Your VPC does not come with a network ACL, but you can create a network
ACL and associate it with a VPC subnet if required. By default, each network
ACL denies all inbound traffic to and outbound traffic from the associated
subnet until you add rules.
● You can associate a network ACL with multiple subnets. However, a subnet
can only be associated with one network ACL at a time.
● Each newly created network ACL is in the Inactive state until you associate
subnets with it.
● Network ACLs are stateful. If the network ACL allows outbound traffic and
you send a request from your instance, the response traffic for that request is
allowed to flow in regardless of inbound network ACL rules. Similarly, if
inbound traffic is allowed, responses to allowed inbound traffic are allowed to
flow out, regardless of outbound rules.
The timeout period of connection tracking varies according to the protocol.
The timeout period of a TCP connection in the established state is 600s, and
the timeout period of an ICMP connection is 30s. For other protocols, if
packets are received in both directions, the connection tracking timeout
period is 180s. If one or more packets are received in one direction but no
packet is received in the other direction, the connection tracking timeout
period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address
and protocol number are tracked.
Default Network ACL Rules

By default, each network ACL has preset rules that allow the following packets:
● Packets whose source and destination are in the same subnet.
● Broadcast packets with the destination 255.255.255.255/32, which is used to
configure host startup information.
● Multicast packets with the destination 224.0.0.0/24, which is used by routing
protocols.
● Metadata packets with the destination 169.254.169.254/32 and TCP port
number 80, which is used to obtain metadata.
● Packets from CIDR blocks that are reserved for public services (for example,
packets with the destination 100.125.0.0/16)
● A network ACL denies all traffic in and out of a subnet excepting the
preceding packets. Table 2-14 shows the default rules. You cannot modify or
delete the default rules.

Table 2-14 Default network ACL rules

Direction Priorit Actio Protoco Sourc Destinatio Description
y n l e n
Inbound * Deny All 0.0.0.0 0.0.0.0/0 Denies all

/0 inbound
traffic.
Outboun * Deny All 0.0.0.0 0.0.0.0/0 Denies all

d /0 outbound
traffic.
Rule Priorities
● Each network ACL rule has a priority value where a smaller value corresponds
to a higher priority. Any time two rules conflict, the rule with the higher
priority is the one that gets applied. The rule whose priority value is an
asterisk (*) has the lowest priority.
● If multiple network ACL rules conflict, only the rule with the highest priority
takes effect. If you need a rule to take effect before or after a specific rule,
you can insert that rule before or after the specific rule.
Application Scenarios
● If the application layer needs to provide services for users, traffic must be
allowed to reach the application layer from all IP addresses. However, you
also need to prevent illegal access from malicious users.
Solution: You can add network ACL rules to deny access from suspect IP
addresses.
● How can I isolate ports with identified vulnerabilities? For example, how do I
isolate port 445 that can be exploited by WannaCry worm?
Solution: You can add network ACL rules to deny access traffic from a specific
port and protocol, for example, TCP port 445.
● No defense is required for the communication within a subnet, but access
control is required for communication between subnets.
Solution: You can add network ACL rules to control traffic between subnets.
● For frequently accessed applications, a security rule sequence may need to be
adjusted to improve performance.
Solution: A network ACL allows you to adjust the rule sequence so that
frequently used rules are applied before other rules.
Configuration Procedure
Figure 2-14 shows the procedure for configuring a network ACL.

Figure 2-14 network ACL configuration procedure
1. Create a network ACL by following the steps described in Creating a

Network ACL.
2. Add network ACL rules by following the steps described in Adding a Network
ACL Rule.
3. Associate subnets with the network ACL by following the steps described in
Associating Subnets with a Network ACL. After subnets are associated with
the network ACL, the subnets will be protected by the configured network
ACL rules.

● By default, you can create a maximum of 200 network ACLs in your cloud
account.
● You can associate a network ACL with multiple subnets. However, a subnet
can only be associated with one network ACL at a time.
● A network ACL can contain no more than 20 rules in one direction, or
performance will deteriorate.
● For optimal performance, import no more than 40 network ACL rules at a
time. Existing rules will still be available after new rules are imported. Each
rule can be imported only once.
2.3.2 Network ACL Configuration Examples

This section provides examples for configuring network ACLs.
● Denying Access from a Specific Port

● Allowing Access from Specific Ports and Protocols
● Denying Access from a Specific IP Address

Denying Access from a Specific Port

You might want to block TCP 445 to protect against the WannaCry ransomware
attacks. You can add a network ACL rule to deny all incoming traffic from TCP
port 445.
Network ACL Configuration
Table 2-15 lists the inbound rule required.
Table 2-15 network ACL rules

Dire Ac Prot Sour Source Destination Destina Description
ctio ti ocol ce Port tion
n on Range Port
Range
Inbo D TCP 0.0.0. 1-6553 0.0.0.0/0 445 Denies inbound

und en 0/0 5 traffic from any
y IP address
through TCP port
445.
Inbo All All 0.0.0. 1-6553 0.0.0.0/0 All Allows all

und o 0/0 5 inbound traffic.
w
NOTE
● By default, a network ACL denies all inbound traffic. You need to allow all inbound
traffic if necessary.
● If you want a deny rule to be matched first, insert the deny rule above the allow rule.
For details, see Changing the Sequence of a Network ACL Rule.
Allowing Access from Specific Ports and Protocols

In this example, an ECS in a subnet is used as the web server, and you need to
allow inbound traffic from HTTP port 80 and HTTPS port 443 and allow all
outbound traffic. You need to configure both the network ACL rules and security
group rules to allow the traffic.
Table 2-16 lists the inbound rule required.

Table 2-16 network ACL rules

Dire Acti Protoc Sourc Source Desti Destina Description
ctio on ol e Port natio tion
n Range n Port
Range
Inbo Allo TCP 0.0.0.0 1-65535 0.0.0. 80 Allows inbound

und w /0 0/0 HTTP traffic from
any IP address to
ECSs in the
subnet through
port 80.
Inbo Allo TCP 0.0.0.0 1-65535 0.0.0. 443 Allows inbound

und w /0 0/0 HTTPS traffic
from any IP
address to ECSs in
the subnet
through port 443.
Outb Allo All 0.0.0.0 All 0.0.0. All Allows all

ound w /0 0/0 outbound traffic
from the subnet.
Security group configuration

Table 2-17 lists the inbound and outbound security group rules required.
Table 2-17 Security group rules

Direc Protocol Port Source/ Description
tion / Destination
Applicati
on
Inbou TCP 80 Source: 0.0.0.0/0 Allows inbound HTTP

nd traffic from any IP address
to ECSs associated with
the security group through
port 80.
Inbou TCP 443 Source: 0.0.0.0/0 Allows inbound HTTPS

nd traffic from any IP address
to ECSs associated with
the security group through
port 443.
Outb All All Destination: Allows all outbound traffic

ound 0.0.0.0/0 from the security group.

A network ACL adds an additional layer of security. Even if the security group rules
allow more traffic than that actually required, the network ACL rules allow only
access from HTTP port 80 and HTTPS port 443 and deny other inbound traffic.
Denying Access from a Specific IP Address

In this example, you can add a network ACL rule to deny the access from some
abnormal IP addresses, for example, 192.168.1.102.
Table 2-18 lists the inbound rules required.
Table 2-18 Network ACL rules
Dir A Pr Source Source Destina Destin Description

ect ct ot Port tion ation
ion io oc Range Port
n ol Range
Inb D TC 192.168 1-65535 0.0.0.0/ All Denies access from

ou en P . 0 192.168.1.102.
nd y 1.102/3
2
Inb Al All 0.0.0.0/ 1-65535 0.0.0.0/ All Allows all inbound

ou lo 0 0 traffic.
nd w
NOTE
● By default, a network ACL denies all inbound traffic. You can add a rule to allow all
inbound traffic if necessary.
● If you want a deny rule to be matched first, insert the deny rule above the allow rule.
For details, see Changing the Sequence of a Network ACL Rule.
2.3.3 Creating a Network ACL
Scenarios
You can create a custom network ACL. By default, a newly created network ACL is
disabled and has no inbound or outbound rules, or any subnets associated. Each
user can create up to 200 network ACLs by default.
Procedure
4. In the navigation pane on the left, choose Access Control > Network ACLs.

5. In the right pane displayed, click Create Network ACL.

6. On the Create Network ACL page, configure parameters as prompted.
Name The network ACL name. This parameter fw-92d3

is mandatory.
The name contains a maximum of 64
digits, underscores (_), and hyphens (-).
The name cannot contain spaces.

network ACL. This parameter is
optional.
The description can contain a
maximum of 255 characters and
cannot contain angle brackets (< or >).
7. Click OK.
2.3.4 Adding a Network ACL Rule
Scenarios
Add an inbound or outbound rule based on your network security requirements.
It is recommended that a network ACL contain no more than 20 rules in one

direction. Otherwise, its performance may deteriorate.
Procedure
5. Locate the target network ACL and click its name to switch to the page
showing details of that particular network ACL.
6. On the Inbound Rules or Outbound Rules tab, click Add Rule to add an
inbound or outbound rule.
– Click + to add more rules.
– Locate the row that contains the network ACL rule and click Replicate in
the Operation column to replicate an existing rule.


Value
Priority Priority of network ACL rule. A smaller 3

priority value represents a higher priority.
Each network ACL includes a default rule
whose priority value is an asterisk (*).
Default rules have the lowest priority.
Status Status of a network ACL. When you add a Enabled

rule to it, its default status is Enabled.
Type This parameter is available only after the IPv4

IPv6 function is enabled.
The network ACL type. This parameter is
mandatory. You can select a value from
the drop-down list. Currently, only IPv4
and IPv6 are supported.
Action The action in the network ACL. This Allow

parameter is mandatory. You can select a
value from the drop-down list. Currently,
the value can be Allow or Deny.
Protocol The protocol supported by the network TCP

ACL. This parameter is mandatory. You can
select a value from the drop-down list.
The value can be TCP, UDP, All, or ICMP.
If ICMP or All is selected, you do not need
to specify port information.
Source The source from which the traffic is 0.0.0.0/0

allowed. The source can be an IP address,
IP address range, or IP address group.
Either the source or the destination can
use the IP address group.
● IP address:
– Single IP address: 192.168.10.10/32
(IPv4); 2002:50::44/128 (IPv6)
– All IP addresses: 0.0.0.0/0 (IPv4); ::/0
(IPv6)
– IP address range: 192.168.1.0/24
(IPv4); 2407:c080:802:469::/64 (IPv6)


Value
Source Port The source port number or port number 22, or 22-30
Range range. The value ranges from 1 to 65535.
For a port number range, enter two port
numbers connected by a hyphen (-). For
example, 1-100.
You must specify this parameter if TCP or
UDP is selected for Protocol.
Destination The destination to which the traffic is 0.0.0.0/0

allowed. The destination can be an IP
address, IP address range, or IP address
group.
● IP address:
(IPv4); 2002:50::44/128 (IPv6)
(IPv6)
(IPv4); 2407:c080:802:469::/64 (IPv6)
Destination The destination port number or port 22, or 22-30

Port Range number range. The value ranges from 1 to
65535. For a port number range, enter two
port numbers connected by a hyphen (-).
For example, 1-100.

network ACL rule. This parameter is
optional.
The description can contain a maximum of
255 characters and cannot contain angle
brackets (< or >).
7. Click OK.
2.3.5 Associating Subnets with a Network ACL

Scenarios
On the page showing network ACL details, you can associate desired subnets with
a network ACL. After a network ACL is associated with a subnet, the network ACL
denies all traffic to and from the subnet until you add rules to allow traffic.

Procedure
6. On the displayed page, click the Associated Subnets tab.
7. On the Associated Subnets page, click Associate.
8. On the displayed page, select the subnets to be associated with the network
ACL, and click OK.
NOTE
Subnets with network ACLs associated will not be displayed on the page for you to select. If
you want to associate such a subnet with another network ACL, you must first disassociate
the subnet from the original network ACL. One-click subnet association and disassociation
are not supported currently. A subnet can only be associated with one network ACL.
2.3.6 Disassociating a Subnet from a Network ACL

Scenarios
Disassociate a subnet from a network ACL when necessary.
Procedure
6. On the displayed page, click the Associated Subnets tab.
7. On the Associated Subnets page, locate the row that contains the target
subnet and click Disassociate in the Operation column.
Disassociating subnets from a network ACL
Select multiple subnets and click Disassociate above the subnet list to disassociate
the subnets from a network ACL at a time.

2.3.7 Changing the Sequence of a Network ACL Rule
Scenarios
If you need a rule to take effect before or after a specific rule, you can insert that
rule before or after the specific rule.
If multiple network ACL rules conflict, only the rule with the highest priority takes
effect.
Procedure
6. On the Inbound Rules or Outbound Rules tab, locate the target rule, click
More in the Operation column, and select Insert Rule Above or Insert Rule
Below.
7. In the displayed dialog box, configure required parameters and click OK.
The rule is inserted. The procedure for inserting an outbound rule is the same
as that for inserting an inbound rule.
2.3.8 Modifying a Network ACL Rule
Scenarios
Modify an inbound or outbound network ACL rule based on your network security
requirements.
Procedure
6. On the Inbound Rules or Outbound Rules tab, locate the row that contains
the target rule and click Modify in the Operation column. In the displayed
dialog box, configure parameters as prompted. Table 2-21 lists the
parameters to be configured.


Value
Priority Priority of network ACL rule. A smaller 3

priority value represents a higher priority.
Each network ACL includes a default rule
whose priority value is an asterisk (*).
Default rules have the lowest priority.
Status Status of a network ACL. When you add a Enabled

rule to it, its default status is Enabled.
Type This parameter is available only after the IPv4

IPv6 function is enabled.
The network ACL type. This parameter is
mandatory. You can select a value from
the drop-down list. Currently, only IPv4
and IPv6 are supported.
Action The action in the network ACL. This Allow

parameter is mandatory. You can select a
value from the drop-down list. Currently,
the value can be Allow or Deny.
Protocol The protocol supported by the network TCP

ACL. This parameter is mandatory. You can
select a value from the drop-down list.
The value can be TCP, UDP, All, or ICMP.
If ICMP or All is selected, you do not need
to specify port information.
Source The source from which the traffic is 0.0.0.0/0

allowed. The source can be an IP address,
IP address range, or IP address group.
● IP address:
(IPv4); 2002:50::44/128 (IPv6)
(IPv6)
(IPv4); 2407:c080:802:469::/64 (IPv6)


Value
Source Port The source port number or port number 22, or 22-30
Range range. The value ranges from 1 to 65535.
For a port number range, enter two port
numbers connected by a hyphen (-). For
example, 1-100.
Destination The destination to which the traffic is 0.0.0.0/0

allowed. The destination can be an IP
address, IP address range, or IP address
group.
● IP address:
(IPv4); 2002:50::44/128 (IPv6)
(IPv6)
(IPv4); 2407:c080:802:469::/64 (IPv6)
Destination The destination port number or port 22, or 22-30

Port Range number range. The value ranges from 1 to
65535. For a port number range, enter two
port numbers connected by a hyphen (-).
For example, 1-100.

network ACL rule. This parameter is
optional.
The description can contain a maximum of
255 characters and cannot contain angle
brackets (< or >).
7. Click Confirm.
2.3.9 Enabling or Disabling a Network ACL Rule
Scenarios
Enable or disable an inbound or outbound rule based on your network security
requirements.

Procedure
the target rule, and click More and then Enable or Disable in the Operation
column.
The rule is enabled or disabled. The procedure for enabling or disabling an
outbound rule is the same as that for enabling or disabling an inbound rule.
2.3.10 Deleting a Network ACL Rule

Scenarios
Delete an inbound or outbound rule based on your network security requirements.
Procedure
the target rule and click Delete in the Operation column.
Deleting Multiple Network ACL Rules at a Time
You can also select multiple network ACL rules and click Delete above the
network ACL rule list to delete multiple rules at a time.
2.3.11 Exporting and Importing Network ACL Rules

Scenarios
You can export inbound and outbound rules of a specific network ACL as an Excel
file and then import these rules for another network ACL. Importing and exporting
rules across regions are supported.
It is recommended that you import no more than 40 rules each time. Importing
rules will not delete existing rules. Importing duplicate rules will fail.

Exporting Network ACL Rules

6. Click to export the inbound and outbound network ACL rules. The
exported rules are stored in an Excel file. You need to download the file to a
local directory.
Importing Network ACL Rules

6. Click .
7. Select the Excel file containing the exported network ACL rules and click
Import to import the rules.
2.3.12 Viewing a Network ACL
Scenarios
View details about a network ACL.
Procedure
6. On the displayed page, click the Inbound Rules, Outbound Rules, and
Associated Subnets tabs one by one to view details about inbound rules,
outbound rules, and subnet associations.

2.3.13 Modifying a Network ACL
Scenarios
Modify the name and description of a network ACL.
Procedure
6. On the displayed page, click on the right of Name and edit the network
ACL name.
7. Click √ to save the new network ACL name.
8. Click on the right of Description and edit the network ACL description.
9. Click √ to save the new network ACL description.
2.3.14 Enabling or Disabling a Network ACL
Scenarios
After a network ACL is created, you may need to enable it based on network
security requirements. You can also disable an enabled network ACL if need.
Before enabling a network ACL, ensure that subnets have been associated with the
network ACL and that inbound and outbound rules have been added to the
network ACL.
When a network ACL is disabled, custom rules will become invalid while default
rules still take effect. Disabling a network ACL may interrupt network traffic. For
information about the default network ACL rules, see Default Network ACL
Rules.
Procedure
5. Locate the row that contains the network ACL in the right pane, click More in
the Operation column, and click Enable or Disable.

2.3.15 Deleting a Network ACL

Scenarios
Delete a network ACL when it is no longer required.
Procedure
5. Locate the network ACL in the right pane, click More in the Operation
column, and click Delete.
6. Click Yes.
NOTE
Deleting a network ACL will also disassociate its associated subnets and delete the
network ACL rules.

User Guide 3 IP Address Group
3 IP Address Group
3.1 IP Address Group Overview

An IP address group is a collection of IP addresses that can use the same security
group rules or network ACL rules. You can use an IP address group to manage IP
addresses that have the same security requirements or whose security
requirements change frequently.
You can create an IP address group and add IP addresses that need to be
managed in a unified manner to the group. Then, you can select this IP address
group when configuring a security group rule. The rule will take effect for all IP
addresses in the IP address group.
NOTE
If the source or destination of a security group rule is an IP address group, such a rule does
not take effect for certain ECSs. For details about these certain ECSs, see ECS
Specifications.
● General computing (S1, C1, and C2 ECSs)
3.2 Creating an IP Address Group

Scenarios
Create an IP address group and add IP addresses that need to be centrally
managed to this group.
Procedure

4. In the navigation pane on the left, choose Access Control > IP Address
Groups.
5. Click Create IP Address Group.
6. Configure the required parameters. Table 3-1 lists the IP address group
parameters.

Paramet Description Example Value
er
Name The IP address group name. This ipGroup-A

parameter is mandatory.
The IP address group name contains
a maximum of 64 characters, which
may consist of letters, digits,
underscores (_), hyphens (-), and
spaces.
You can customize the name of an IP
address group that is uniquely
identified by its ID.
IP Mandatory IPv4
Address Currently, the following IP address
Version versions are supported:
● IPv4
● IPv6

Paramet Description Example Value

er
IP Enter IPv4 or IPv6 address ranges or 192.168.0.0/16

Address addresses. 192.168.1.1-192.168.1.5
You can add a maximum of 20 IP 0
addresses and IP address ranges, and 192.168.10.10
each must be on a separate line. You
can enter:
● IPv4
– IP address range: For example,
192.168.0.0/16
– Consecutive IP addresses
separated a hyphen (-): For
example,
192.168.1.1-192.168.1.50
– Single IP address: For example,
192.168.10.10
● IPv6
– IPv6 address range: For
example, 2001:db8:a583:6e::/64
– Consecutive IPv6 addresses
separated by a hyphen (-): For
example, 2001:db8:a583:6e::
1-2001:db8:a583:6e::50
– Single IPv6 address: For
example, 2001:db8:a583:6e::5c
Descripti Supplementary information about the N/A

on IP address group. This parameter is
optional.
The IP address group description can
contain a maximum of 255 characters
and cannot contain angle brackets (<
or >).
7. Click OK.
3.3 Associating an IP Address Group with Resources

Scenarios
This section describes how to associate an IP address group with a resource.
Procedure
You need to associate an IP address group with resources. For details, see Table
3-2.

Table 3-2 Associating an IP address group with resources

Resource Description Reference
Security The Source or Destination Adding a Security Group Rule

group of a security group rule can ● Inbound rule: Set Source to an
be set to IP address group. IP address group.
● Outbound rule: Set
Destination to an IP address
group.
Network The Source or Destination Adding a Network ACL Rule

ACL of a network ACL is set to IP ● Inbound rule: Set Source or
address group. Destination to an IP address
group. Either the source or the
destination can use the IP
address group.
● Outbound rule: Set Source or
Destination to an IP address
group. Either the source or the
destination can use the IP
address group.
3.4 Modifying an IP Address Group

Scenarios
This section describes how to modify an IP address group.
NOTE
After an IP address group is modified, the source of its associated security group rules and
network ACL rules will also change.
Modifying an IP Address Group

4. In the navigation pane on the left, choose Access Control > IP Address
Groups.
5. On the displayed page, click Modify in the Operation column to modify the
name, IP address, and description of the IP address group.

User Guide 4 Elastic IP
4 Elastic IP
4.1 EIP Overview

EIP
The Elastic IP (EIP) service enables you to use static public IP addresses and
scalable bandwidths to connect your cloud resources to the Internet. EIPs can be
bound to or unbound from ECSs, BMSs, virtual IP addresses, NAT gateways, or
load balancers. Various billing modes are provided to meet diverse service
requirements.
Each EIP can be used by only one cloud resource at a time.
Figure 4-1 Accessing the Internet using an EIP
Advantages
● Flexibility

An EIP can be flexibly associated with or disassociated from the ECS, BMS,
NAT gateway, load balancer, or virtual IP address. The bandwidth can be
adjusted according to service changes.
● Flexible billing
EIPs are available on a pay-per-use (bandwidth usage or amount of traffic is
billed) and yearly/monthly basis. The yearly/monthly billing mode is more
preferential.
● Shared bandwidth
EIPs can use shared bandwidth to lower bandwidth costs.
● Immediate use
EIP associations, disassociations, and bandwidth adjustments take effect
immediately.
NOTE
If you want to submit a service ticket, refer to Submitting a Service Ticket.
4.2 Assigning an EIP and Binding It to an ECS

Scenarios
You can assign an EIP and bind it to an ECS so that the ECS can access the
Internet.
Assigning an EIP
3. On the console homepage, under Networking, click Elastic IP.
4. On the displayed page, click Buy EIP.
5. Set the parameters as prompted.

Billing Mode The following billing modes are Pay-per-use

available:
● Yearly/Monthly
● Pay-per-use

Region Regions are geographic areas CN-Hong Kong

that are physically isolated from
each other. The networks inside
different regions are not
connected to each other, so
resources cannot be shared
across different regions. For
lower network latency and
faster access to your resources,
select the region nearest you.
The region selected for the EIP
is its geographical location.
NOTE
The geographical location of an EIP
purchased in CN North-Ulanqab1 is
Beijing.
EIP Type ● Dynamic BGP: Dynamic BGP Dynamic BGP

provides automatic failover
and chooses the optimal
path when a network
connection fails.
● Static BGP: Static BGP offers
more routing control and
protects against route
flapping, but an optimal
path cannot be selected in
real time when a network
connection fails.
● Premium BGP: Premium BGP
chooses the optimal path
and ensures low-latency and
high-quality networks. BGP is
used to interconnect with
lines of multiple mainstream
carriers. Public network
connections that feature low
latency and high quality are
directly established between
Chinese mainland and Hong
Kong (China). (This
parameter is available only
in CN-Hong Kong.)
For details, see What Are the
Differences Between Static
BGP and Dynamic BGP?

Billed By This parameter is available only Bandwidth

when you set Billing Mode to
Pay-per-use.
● Bandwidth: You specify a
maximum bandwidth and
pay for the amount of time
you use the bandwidth. This
is suitable for scenarios with
heavy or stable traffic.
● Traffic: You specify a
maximum bandwidth and
pay for the total traffic you
use. This is suitable for
scenarios with light or
sharply fluctuating traffic.
● Shared Bandwidth: The
bandwidth can be shared by
multiple EIPs. This is suitable
for scenarios with staggered
traffic.
Bandwidth The bandwidth size in Mbit/s. 100
EIP Name The EIP name. eip-test
Enterprise Project The enterprise project that the default

EIP belongs to.
An enterprise project facilitates
project-level management and
grouping of cloud resources and
users. The name of the default
project is default.
For details about creating and
managing enterprise projects,
see the Enterprise
Advanced Settings Click the drop-down arrow to -

configure parameters, including
the bandwidth name and tag.
Bandwidth Name The name of the bandwidth. bandwidth
Tag The EIP tags. Each tag contains ● Key:

a key and value pair. Ipv4_key1
The tag key and value must ● Value:
meet the requirements listed in 3005eip
Table 4-2.

Monitoring Used to monitor the EIP. -

Enabled by default
You can use the management
console or APIs provided by
Cloud Eye to query the metrics
and alarms generated for the
EIP and bandwidth.
Required Duration The duration for which the 1 month

purchased EIP will use. The
duration must be specified if
the Billing Mode is set to
Yearly/Monthly.
Quantity The number of EIPs you want to 1

purchase.
The quantity must be specified
if the Billing Mode is set to
Pay-per-use.
Table 4-2 EIP tag requirements

Parameter Requirement Example Value
Key ● Cannot be left blank. Ipv4_key1

● Must be unique for each EIP.
characters.
underscores (_), and hyphens (-).
Value ● Can contain a maximum of 43 3005eip

characters.
underscores (_), periods (.), and
hyphens (-).

NOTE
● If you are buying an EIP billed on a pay-per-use basis and you want to use a
shared bandwidth, you can only select an existing shared bandwidth from the
Bandwidth Name drop-down list. If there are no shared bandwidths to select,
purchase a shared bandwidth first.
● A dedicated bandwidth cannot be changed to a shared bandwidth and vice versa.
However, you can purchase shared bandwidth for pay-per-use EIPs.
● After an EIP is added to a shared bandwidth, the EIP will use the shared
bandwidth.
● After an EIP is removed from the shared bandwidth, the EIP will use the
dedicated bandwidth.
6. Click Next.
7. Click Submit.
Binding an EIP
1. On the EIPs page, locate the row that contains the target EIP, and click Bind.
2. Select the instance that you want to bind the EIP to.
3. Click OK.
Helpful Links
● How Do I Assign or Retrieve a Specific EIP?
● How Do I Access an ECS with an EIP Bound from the Internet?
● Can I Bind an EIP to an ECS, to Another ECS?
● How Do I Know If My EIP Bandwidth Limit Has Been Exceeded?
● Why Can't My ECS Access the Internet Even After an EIP Is Bound?
4.3 Unbinding an EIP from an ECS and Releasing the

EIP
Scenarios
If you no longer need an EIP, unbind it from the ECS and release the EIP to avoid
wasting network resources.

● You can only release EIPs that are not bound to any resources.
● You cannot buy an EIP that has been released if it is currently in use by
another user.
● The price of a pay-per-use EIP includes the retention fee and the bandwidth
price. If you unbind an EIP but do not release it, the EIP will continue to be
billed and the price includes the retention fee and the bandwidth price. The
moment you bind an EIP to an instance, the retention fee is no longer
included in the EIP price.

Procedure
Unbinding a single EIP
4. On the displayed page, locate the row that contains the target EIP, and click
Unbind.
Releasing a single EIP

4. On the displayed page, locate the row that contains the target EIP, click More
and then Release in the Operation column.
Unbinding multiple EIPs at once
4. On the displayed page, select the EIPs to be unbound.
5. Click the Unbind button located above the EIP list.
Releasing multiple EIPs at once
4. On the displayed page, select the EIPs to be released.
5. Click the Release button located above the EIP list.
4.4 Modifying an EIP Bandwidth

Scenarios
No matter which billing mode is used, if your EIP is not added to a shared
bandwidth, it uses a dedicated bandwidth.
This section describes how to increase or decrease a dedicated bandwidth.

When you change the bandwidth size, the bandwidth price and effective time
depend on the billing mode, which applies to both dedicated and shared
bandwidths. For details, see Table 4-3.
NOTE
Decreasing bandwidths may cause packet loss.
Table 4-3 Impact on billing after bandwidth size change

Billing Billed Change Impact
Mode By
Yearly/ Bandw Increase The change will take effect immediately.

Monthly idth bandwidth The increased bandwidth will be billed
accordingly.
Bandw Decrease The change will not take effect

idth bandwidth immediately.
upon renewal You need to select a new bandwidth size
and a renewal duration. The change will
take effect in the first billing cycle after a
successful renewal.
● The order can be unsubscribed before
the bandwidth takes effect.
● The bandwidth cannot be modified in
the first billing cycle.
Pay-per- Bandw Increase or The change will take effect immediately.

use idth decrease the
bandwidth
Traffic Increase or The change will take effect immediately.

decrease the The bandwidth size you set is only used to
bandwidth limit the maximum data transfer rate.
Procedure
4. Locate the row that contains the target EIP in the EIP list, click More in the
Operation column, and select Modify Bandwidth.
5. Modify the bandwidth parameters as prompted.

Figure 4-2 Modifying bandwidth of a pay-per-use EIP
Figure 4-3 Modifying monthly/yearly bandwidth
6. Click Next.
7. Click Submit.
Helpful Links
● How Do I Change the EIP Billing Option from Bandwidth to Traffic or
from Traffic to Bandwidth?
● What Are Inbound Bandwidth and Outbound Bandwidth?
● Can I Increase My Bandwidth Billed on Yearly/Monthly Basis and Then
Decrease It?
● How Do I Increase a Bandwidth to Be More Than 300 Mbit/s?

4.5 Exporting EIP Information

Scenarios
The information of all EIPs under your account can be exported in an Excel file to
a local directory. The file records the ID, status, type, bandwidth name, and
bandwidth size of EIPs.
Procedure
4. On the displayed page, click in the upper right corner of the EIP list.
The system will automatically export all EIPs in the current region of your
account to an Excel file and download the file to a local directory.
4.6 Managing EIP Tags

Scenarios
Tags can be added to EIPs to facilitate EIP identification and administration. You
can add a tag to an EIP when assigning the EIP. Alternatively, you can add a tag to
an assigned EIP on the EIP details page. A maximum of 10 tags can be added to
each EIP.
requirements.
Table 4-4 EIP tag requirements
Parameter Requirement Example Value
Key ● Cannot be left blank. Ipv4_key1

● Must be unique for each EIP.
characters.
(_), and hyphens (-).
Value ● Can contain a maximum of 43 3005eip

characters.
(_), periods (.), and hyphens (-).

Procedure
Searching for EIPs by tag key and value on the page showing the EIP list
4. Click the search box and then click Tag in the drop-down list.
5. Select the tag key and value of the EIP.
add more than one tag to search for EIPs, the system will display only the EIPs
that contain all of the tags you specified.
6. Click OK.
The system displays the EIPs you are looking for based on the entered tag
keys and values.
Adding, deleting, editing, and viewing tags on the Tags tab of an EIP
4. On the displayed page, locate the EIP whose tags you want to manage, and
click the EIP name.
5. On the page showing EIP details, click the Tags tab and perform desired
operations on tags.
– View tags.
EIP, including the number of tags and the key and value of each tag.
– Add a tag.
– Edit a tag.
Locate the row that contains the tag you want to edit, and click Edit in
the Operation column. Enter the new tag value, and click OK.
The tag key cannot be modified.
– Delete a tag.
4.7 IPv6 EIP

Overview
Both IPv4 and IPv6 EIPs are available. You can assign an IPv6 EIP or map an
existing IPv4 EIP to an IPv6 EIP.

After the IPv6 EIP function is enabled, you will obtain both an IPv4 EIP and its
corresponding IPv6 EIP. External IPv6 addresses can access cloud resources through
this IPv6 EIP.
IPv4 EIPs are billed. IPv6 EIPs are currently free, but will be billed at a later date
(price yet to be determined).
Application Scenarios of IPv4/IPv6 Dual Stack

If your ECS supports IPv6, you can use the IPv4/IPv6 dual stack. Table 4-5 shows
the example application scenarios.
Table 4-5 Application scenarios of IPv4/IPv6 dual stack

Appli Description Requirement IPv4 ECS
catio or
n IPv6
Scena Subne
rio t
Privat Your ● IPv6 is not enabled for the IPv4 Private IPv4
e IPv4 applications VPC subnet. CIDR address: used
comm on ECSs ● No EIPs have been bound Block for private
unicat need to to the ECSs. IPv4
ion communica communicatio
te with n.
other
systems
(such as
databases)
through
private
networks
using IPv6
addresses.
Public Your ● IPv6 is not enabled for the IPv4 ● Private

IPv4 applications VPC subnet. CIDR IPv4
comm on ECSs ● EIPs have been bound to Block address:
unicat need to the ECSs. used for
ion communica private IPv4
te with communica
other tion.
systems ● Public IPv4
(such as address:
databases) used for
through public IPv4
public IPv4 communica
addresses. tion.


catio or
n IPv6
Scena Subne
rio t
Privat Your ● IPv6 has been enabled for ● IPv ● Private

e IPv6 applications the VPC subnet. 4 IPv4
comm on ECSs ● The network has been CID address +
unicat need to configured for the ECSs as R IPv4 EIP:
ion communica follows: Blo Bind an
te with ck IPv4 EIP to
other – Flavor: Any ECS flavor the
that supports the IPv6 ● IPv
systems 6 instance to
(such as network. For details allow public
about the ECS flavor that CID
databases) R IPv4
through support the IPv6 communica
network, see section " blo
private IPv6 ck tion.
addresses. x86 ECS Specifications
and Types" in the Elastic ● Private
Cloud Server User IPv4
Guide. address: Do
not bind
– VPC and Subnet: IPv6- any IPv4
enabled subnet and VPC. EIP to the
– Self-assigned IPv6 instance
address: Selected. and use
– Shared Bandwidth: only the
Selected Do not private IPv4
configure. address to
allow
private IPv4
communica
tion.
● IPv6
address: Do
not
configure
shared
bandwidth
for the IPv6
address to
allow
private IPv6
communica
tion.


catio or
n IPv6
Scena Subne
rio t
Public An IPv6 ● IPv6 has been enabled for ● IPv ● Private

IPv6 network is the VPC subnet. 4 IPv4
comm required for ● The network has been CID address +
unicat the ECS to configured for the ECSs as R IPv4 EIP:
ion access the follows: Blo Bind an
IPv6 service ck IPv4 EIP to
on the – Flavor: Any ECS flavor the
that supports the IPv6 ● IPv
Internet. 6 instance to
network. For details allow public
about the ECS flavor that CID
R IPv4
support the IPv6 communica
network, see section " blo
ck tion.
x86 ECS Specifications
and Types" in the Elastic ● Private
Cloud Server User IPv4
Guide. address: Do
not bind
– VPC and Subnet: IPv6- any IPv4
enabled subnet and VPC. EIP to the
– Self-assigned IPv6 instance
address: Selected. and use
– Shared Bandwidth: only the
Selected a shared private IPv4
bandwidth. address to
allow
NOTE
For details, see Setting Up an private IPv4
IPv6 Network. communica
tion.
● IPv6
address +
shared
bandwidth:
Allow both
private IPv6
communica
tion and
public IPv6
communica
tion.
For details, see IPv4 and IPv6 Dual-Stack Network.
Application Scenarios of IPv6 EIP

If you want an ECS to provide IPv6 services but the ECS does not support IPv6
networks or you do not want to build an IPv6 network, you can use IPv6 EIP to

quickly address your requirements. For details about application scenarios and
resource planning, see Table 4-6.
Table 4-6 Application scenarios and resource planning of an IPv6 EIP network
(with IPv6 EIP enabled)
Applic Description Requirement IPv4 or ECS
ation IPv6
Scenar Subnet
io
Public You want to ● An EIP has IPv4 ● Private IPv4

IPv6 allow an ECS to been CIDR address: used for
comm provide IPv6 bound to Block private IPv4
unicati services for the ECS. communication.
on clients on the ● IPv6 EIP ● IPv4 EIP (with IPv6
Internet without has been EIP enabled): used
setting up an enabled. for public network
IPv6 network. communication
through IPv4 and
IPv6 addresses.

Application Scenarios and Resource Planning of IPv6 Networks
Figure 4-4 Application scenarios and resource planning of IPv6 networks
Enabling IPv6 (Assigning IPv6 EIPs)

● Method 1:
Select the IPv6 EIP option when you assign an EIP by referring to Assigning
an EIP and Binding It to an ECS so that you can obtain both an IPv4 and an
IPv6 EIP.
External IPv6 addresses can access cloud resources through this IPv6 EIP.
● Method 2:
If you want an IPv6 EIP in addition to an existing IPv4 EIP, locate the row that
contains the target IPv4 EIP, click More in the Operation column, and select
Enable IPv6 EIP. Then, a corresponding IPv6 EIP will be assigned.
After the IPv6 EIP is enabled, you will obtain both an IPv4 EIP and an IPv6 EIP.
External IPv6 addresses can access cloud resources through this IPv6 EIP.
NOTE
There is no adverse impact on the cloud resources bound with existing IPv4 EIPs.

Configuring Security Groups

After IPv6 EIP is enabled, add inbound and outbound security group rules to allow
packets to and from the IP address range 198.19.0.0/16. Table 4-7 shows the
security group rules. IPv6 EIP uses NAT64 to convert the source IP address in the
inbound direction to an IPv4 address in the IP address range 198.19.0.0/16. The
source port can be a random one, the destination IP address is the private IPv4
address of your local server, and the destination port remains unchanged.
For details, see Virtual Private Cloud User Guide.
Table 4-7 Security group rules

Direction Protocol Source or Destination
Inbound All Source: 198.19.0.0/16
Outbound All Destination: 198.19.0.0/16
Disabling IPv6 EIP

If you do not need the IPv6 EIP, locate the row that contains its corresponding IPv4
EIP, click More in the Operation column, and select Disable IPv6 EIP. Then, the
IPv6 EIP will be released. You will only have the IPv4 EIP.

User Guide 5 Shared Bandwidth
5 Shared Bandwidth
5.1 Shared Bandwidth Overview

A shared bandwidth can be shared by multiple EIPs and controls the data transfer
rate on these EIPs in a centralized manner. All ECSs, BMSs, and load balancers that
have EIPs bound in the same region can share a bandwidth.
When you host a large number of applications on the cloud, if each EIP uses a
bandwidth, a lot of bandwidths are required, which significantly increases
bandwidth costs. If all EIPs share the same bandwidth, you can lower bandwidth
costs and easily perform system O&M.
● Lowered Bandwidth Costs
Region-level bandwidth sharing and multiplexing reduce bandwidth usage
and O&M costs.
● Flexible Operations
You can add pay-per-use EIPs (except for 5_gray EIPs of dedicated load
balancers) to or remove them from a shared bandwidth regardless of the type
of instances that they are bound to.
● Flexible Billing Modes
The yearly/monthly and pay-per-use billing modes are provided.
You can use a shared bandwidth in either of the following ways:
● Assign a shared bandwidth and add your pay-per-use EIPs to the bandwidth.
– Assigning a Shared Bandwidth
– Adding EIPs to a Shared Bandwidth
● Assign a shared bandwidth, set Billed By to Shared Bandwidth and select the
shared bandwidth when you assign EIPs.
– Assigning a Shared Bandwidth
– Assigning an EIP and Binding It to an ECS

● The minimum size of a shared bandwidth that can be purchased is 5 Mbit/s.
You can only add pay-per-use EIPs to a shared bandwidth.

● Each account can have a maximum of 5 shared bandwidths. If you need more
shared bandwidths, submit a service ticket to request a quota increase.
● If a yearly/monthly shared bandwidth is deleted upon expiration, EIPs sharing
the bandwidth will be removed from the bandwidth and be billed based on
the mode before they are added to the shared bandwidth.
● A shared bandwidth cannot control how much data can be transferred using a
single EIP. Data transfer rate on EIPs cannot be customized.
● A shared bandwidth can only be used by resources from its same account.
NOTE
● A dedicated bandwidth cannot be changed to a shared bandwidth and vice versa.

However, you can purchase a shared bandwidth for pay-per-use EIPs.
● Add an EIP to a shared bandwidth and then the EIP will use the shared
bandwidth.
● Remove the EIP from the shared bandwidth and then the EIP will use the
dedicated bandwidth.
● If you want to submit a service ticket, refer to Submitting a Service Ticket.
5.2 Assigning a Shared Bandwidth

Scenarios
When you host a large number of applications on the cloud, if each EIP uses
dedicated bandwidth, a lot of bandwidths are required, which incurs high costs. If
all EIPs share the same bandwidth, your network operation costs will be lowered
and your system O&M as well as resource statistics will be simplified.
Assign a shared bandwidth for use with EIPs.
Procedure
4. In the navigation pane on the left, choose Elastic IP and Bandwidth >
Shared Bandwidths.
5. In the upper right corner, click Buy Shared Bandwidth. On the displayed
page, configure parameters as prompted.


Billing Mode A shared bandwidth can be billed on a Yearly/Monthly

yearly/monthly or pay-per-use basis.
● Yearly/Monthly: You pay for the
bandwidth by year or month before
using it. No other charges apply
during the validity period of the
bandwidth.
● Pay-per-use: You pay for the
bandwidth based on the amount of
time you use the bandwidth.
Region Regions are geographic areas that are CN-Hong Kong

physically isolated from each other. The
networks inside different regions are not
connected to each other, so resources
cannot be shared across different
regions. For lower network latency and
faster access to your resources, select the
region nearest you.
Billed By The billing method for the shared Bandwidth

bandwidth.
You can pay by bandwidth.
Bandwidth The bandwidth size in Mbit/s. The 10

minimum value is 5 Mbit/s. The
maximum bandwidth can be 2000
Mbit/s.
Enterprise The enterprise project to which the EIP default

Project belongs.
An enterprise project facilitates project-
level management and grouping of
cloud resources and users. The name of
the default project is default.
Bandwidth The name of the shared bandwidth. Bandwidth-001

Name
Required The duration for which the purchased EIP 2 months

Duration will use. The duration must be specified
if the Billing Mode is set to Yearly/
Monthly.
6. Click Next.

5.3 Adding EIPs to a Shared Bandwidth

Scenarios
Add EIPs to a shared bandwidth and the EIPs can then share that bandwidth. You
can add multiple EIPs to a shared bandwidth at the same time.

● Currently, yearly/monthly EIPs cannot be added to a shared bandwidth.
● After an EIP is added to a shared bandwidth, the original bandwidth used by
the EIP will become invalid and the EIP will start to use the shared bandwidth.
● The EIP's original dedicated bandwidth will be deleted and will no longer be
billed.
● To add a yearly/monthly EIP to a shared bandwidth, you need to first change
its billing mode to pay-per-use.
Procedure
Shared Bandwidths.
5. In the shared bandwidth list, locate the row that contains the shared
bandwidth that you want to add EIPs to. In the Operation column, choose
Add EIP, and select the EIPs to be added.
6. Click OK.
Helpful Links
What Are the Differences Between a Dedicated Bandwidth and a Shared
Bandwidth? Can a Dedicated Bandwidth Be Changed to a Shared Bandwidth
or the Other Way Around?
5.4 Removing EIPs from a Shared Bandwidth

Scenarios
Remove EIPs that are no longer required from a shared bandwidth if needed.

A yearly/monthly EIP cannot be removed from a shared bandwidth purchased
during OBT.

Procedure
Shared Bandwidths.
5. In the shared bandwidth list, locate the row that contains the bandwidth from
which EIPs are to be removed, choose More > Remove EIP in the Operation
column, and select the EIPs to be removed in the displayed dialog box.
6. Set the EIP bandwidth after the EIP is removed. You can configure the EIP
billing mode and bandwidth size.
7. Click OK.
5.5 Modifying a Shared Bandwidth

Scenarios
You can modify the name and size of a shared bandwidth as required.
● If a shared bandwidth is billed on a pay-per-use basis, the modification will

take effect immediately. For details, see Modifying a Shared Bandwidth
(Pay-per-Use).
● If a shared bandwidth is billed on a yearly/monthly basis:
– you can increase the bandwidth. The increased bandwidth size will take
effect immediately and the price difference will be billed accordingly.
– you can decrease the bandwidth. The decreased bandwidth size will
take effect in the first billing cycle after a successful renewal.
If you want to change the billing mode of a shared bandwidth, see How Do I
Change My EIP Billing Mode from Pay-per-Use to Yearly/Monthly?
Modifying a Shared Bandwidth (Pay-per-Use)

Shared Bandwidths.
5. In the shared bandwidth list, locate the row that contains the shared
bandwidth you want to modify, click Modify Bandwidth in the Operation
column, and modify the bandwidth settings.
6. Click Next.
7. Click Submit.
The modification takes effect immediately.

Increasing a Shared Bandwidth (Yearly/Monthly)

Shared Bandwidths.
5. In the shared bandwidth list, locate the row that contains the target shared
bandwidth, and click Modify Bandwidth in the Operation column.
6. Select Increase bandwidth and click Continue.
7. In the New Configuration area on the Modify Bandwidth page, change the
bandwidth name and size.
8. Click Next.
9. Confirm the information and click Pay Now.
After you complete the payment, the increased bandwidth will take effect
immediately.
Decreasing a Shared Bandwidth (Yearly/Monthly)

Shared Bandwidths.
5. In the shared bandwidth list, locate the row that contains the target shared
bandwidth, and click Modify Bandwidth in the Operation column.
6. Select Decrease bandwidth and click Continue.
7. In the New Configuration area on the Modify Bandwidth page, change the
bandwidth name and size.
8. Click Next.
9. Confirm the information and click Pay Now.
After you complete the payment, the decreased bandwidth will take effect in
the first billing cycle after the current subscription ends.
5.6 Deleting a Shared Bandwidth

Scenarios
Delete a shared bandwidth billed on a pay-per-use basis if it is no longer required.

A yearly/monthly shared bandwidth cannot be directly deleted. It can only be
unsubscribed in the User Center.

Prerequisites
Before deleting a shared bandwidth, remove all the EIPs associated with it. For
details, see Removing EIPs from a Shared Bandwidth.
Procedure
Shared Bandwidths.
5. In the shared bandwidth list, locate the row that contains the pay-per-use
shared bandwidth you want to delete, click More in the Operation column,
and then click Delete.
6. In the displayed dialog box, click Yes.

User Guide 6 Shared Data Package
6 Shared Data Package
6.1 Shared Data Package Overview

Shared data package provides a quota for data usage. Such packages are cost-
effective and easy to use. Shared data packages take effect immediately after your
purchase. If you have subscribed to pay-per-use EIPs using bandwidth billed by
traffic in a region and buy a shared data package in the same region, the EIPs will
use the shared data package. After the package quota is used up or the package
expires, the EIPs will continue to be billed on a pay-per-use basis. For billing
details, see Product Pricing Details.
● Two types of packages are available: dynamic BGP and static BGP. Dynamic
BGP data packages will be used by dynamic BGP EIPs, and static BGP data
packages will be used by static BGP EIPs.
● Shared data packages can be purchased yearly or monthly. Packages
purchased for a year are more cost effective. If you have multiple shared data
packages, the data package with the shortest validity period will be used first.
● If your usage exceeds your shared data package quota within its validity, you
will be billed on a pay-per-use basis for the additional traffic usage.
● If a shared data package expires, make sure your account balance is sufficient
and your EIP will be billed on a pay-per-use basis.

● Shared data packages require a one-off payment and take effect immediately
after purchase. You cannot specify the effective date.
● Shared data packages cannot be unsubscribed from once purchased and
cannot be renewed upon expiration.
● Shared data packages are billed by month or year. Once expired, remaining
package quota cannot be used any more.
● Shared data packages can only be used by pay-per-use bandwidth billed by
traffic. Two types of shared data packages are available: static BGP (for static
BGP bandwidth) and dynamic BGP (for dynamic BGP bandwidth).
● A shared data package cannot be used for bandwidth of a specific EIP.

● A shared data package cannot be used for a shared bandwidth.

● A shared data package cannot be used by EIPs of the premium BGP type.
● If you have an order that has not been paid within the payment period, you
need to cancel or pay for the order first. Then, you can purchase a shared
data package.
6.2 Buying a Shared Data Package

Scenarios
This section describes how to buy a shared data package. Shared data packages
take effect immediately after your purchase. If you have subscribed to pay-per-use
EIPs billed by traffic in a region and buy a shared data package in the same
region, the EIPs will use the shared data package. After the package quota is used
up or the package expires, the EIPs will continue to be billed on a pay-per-use
basis.

● Shared data packages require a one-off payment and take effect immediately
after purchase. You cannot specify the effective date.
● Shared data packages cannot be unsubscribed from once purchased and
cannot be renewed upon expiration.
● Shared data packages are billed by month or year. Once expired, remaining
package quota cannot be used any more.
● Shared data packages can only be used by pay-per-use bandwidth billed by
traffic. Two types of shared data packages are available: static BGP (for static
BGP bandwidth) and dynamic BGP (for dynamic BGP bandwidth).
● A shared data package cannot be used for bandwidth of a specific EIP.
● A shared data package cannot be used for a shared bandwidth.
● A shared data package cannot be used by EIPs of the premium BGP type.
● If you have an order that has not been paid within the payment period, you
need to cancel or pay for the order first. Then, you can purchase a shared
data package.
Procedure
Shared Data Packages.
5. In the upper right corner, click Buy Shared Data Package. On the displayed
page, configure parameters as prompted.


Region A shared data package can only be used CN-Hong Kong

by resources in its same region. Select
the region based on your requirements.
Type The shared data package type. Set this Static BGP
parameter based on the bandwidth type
of the EIP. The following two types of
packages are available:
● Dynamic BGP: A dynamic BGP data
package can only be used by dynamic
BGP EIPs billed by traffic on a pay-
per-use basis.
● Static BGP: A static BGP data package
can only be used by static BGP EIPs
billed by traffic on a pay-per-use
basis.
Package The validity period of the shared data 1 month

Validity package. Select a validity period based
on service requirements. A shared data
package cannot be unsubscribed and
takes effect immediately after you
purchase it. Expired shared data
packages will longer be available for use.
Specification The size of the shared data package in 10 GB

GB.
Usage The validity period of the shared data Default

Duration package.
6. Click Next.

User Guide 7 Route Tables
7 Route Tables
7.1 Route Table Overview

Route Table
A route table contains a set of routes that are used to determine where network
traffic from your subnets in a VPC is directed. Each subnet must be associated with
a route table. A subnet can only be associated with one route table at a time, but
you can associate multiple subnets with the same route table.
Default Route Table and Custom Route Table

When you create a VPC, the system automatically generates a default route table
for the VPC. If you create a subnet in the VPC, the subnet automatically associates
with the default route table.
● You can add routes to, delete routes from, and modify routes in the default
route table, but cannot delete the table.
● When you create a VPN, Cloud Connect, or Direct Connect connection, the
default route table automatically delivers a route that cannot be deleted or
modified.
If you do not want to use the default route table, you can now create a custom
route table and associate it with the subnet. You can delete the custom route
table if it is no longer required.
NOTE
● The custom route table associated with a subnet affects only the outbound traffic. The
default route table determines the inbound traffic.
● To use a custom route table, you need to submit a service ticket. You need to click
Increase quota on the Create Route Table page or choose More > Service Tickets >
Create Service Ticket in the upper right corner of the page. For more information, see
Submitting a Service Ticket.

Route
A route is configured with the destination, next hop type, and next hop to
determine where network traffic is directed. Routes are classified into system
routes and custom routes.
● System routes: These routes are automatically added by the system and
cannot be modified or deleted.
After a route table is created, the system automatically adds the following
system routes to the route table, so that instances in a VPC can communicate
with each other.
– Routes whose destination is 100.64.0.0/10 or 198.19.128.0/20.
– Routes whose destination is a subnet CIDR block.
NOTE
In addition to the preceding system routes, the system automatically adds a

route whose destination is 127.0.0.0/8. This is the local loopback address.
● Custom routes: These are routes that you can add, modify, and delete. The
destination of a custom route cannot overlap with that of a system route.
You can add a custom route and configure the destination, next hop type, and
next hop in the route to determine where network traffic is directed. Table
7-1 lists the supported types of next hops.
You cannot add two routes with the same destination to a VPC route table
even if their next hop types are different, because the destination determines
the route priority. According to the longest match routing rule, the destination
with a higher matching degree is preferentially selected for packet forwarding.
Table 7-1 Next hop type
Next Hop Type Description Supported Route

Table
Server Traffic intended for the ● Default route

destination is forwarded to an ECS table
in the VPC. ● Custom route
table
Extension NIC Traffic intended for the ● Default route

destination is forwarded to the table
extension NIC of an ECS in the ● Custom route
VPC. table
BMS user- Traffic intended for the ● Default route

defined network destination is forwarded to a BMS table
user-defined network. ● Custom route
table
VPN gateway Traffic intended for the Custom route table

destination is forwarded to a VPN
gateway.

Next Hop Type Description Supported Route

Table
Direct Connect Traffic intended for the Custom route table

gateway destination is forwarded to a
Direct Connect gateway.
Cloud Traffic intended for the Custom route table

connection destination is forwarded to a
cloud connection.
Supplementary Traffic intended for the ● Default route

network destination is forwarded to the table
interface supplementary network interface ● Custom route
of an ECS in the VPC. table
NAT gateway Traffic intended for the ● Default route

destination is forwarded to a NAT table
gateway. ● Custom route
table
VPC peering Traffic intended for the ● Default route

connection destination is forwarded to a VPC table
peering connection. ● Custom route
table
Virtual IP Traffic intended for the ● Default route

address destination is forwarded to a table
virtual IP address and then sent to ● Custom route
active and standby ECSs to which table
the virtual IP address is bound.
VPC endpoint Traffic intended for the ● Default route

destination is forwarded to a VPC table
endpoint. ● Custom route
table
Cloud container Traffic intended for the ● Default route

destination is forwarded to a table
cloud container. ● Custom route
table
Enterprise router Traffic intended for the ● Default route

destination is forwarded to an table
enterprise router. ● Custom route
table
Cloud firewall Traffic intended for the ● Default route

destination is forwarded to a table
cloud firewall. ● Custom route
table

NOTE
If you specify the destination when creating a resource, a system route is delivered. If
you do not specify a destination when creating a resource, a custom route that can be
modified or deleted is delivered.
For example, when you create a NAT gateway, the system automatically delivers a
custom route without a specific destination (0.0.0.0/0 is used by default). In this case,
you can change the destination. However, when you create a VPN gateway, you need
to specify the remote subnet, that is, the destination of a route. In this case, the
system delivers this system route. Do not modify the route destination on the Route
Tables page. If you do, the destination will be inconsistent with the configured remote
subnet. To modify the route destination, go to the specific resource page and modify
the remote subnet, then the route destination will be changed accordingly.
Custom Route Table Configuration Process

Figure 7-1 shows the process of creating and configuring a custom route table.
Figure 7-1 Route table configuration process
1. For details about how to create a custom route table, see Creating a Custom
Route Table.
2. For details about how to add a custom route, see Adding a Custom Route.
3. For details about how to associate a subnet with a route table, see
Associating a Route Table with a Subnet. After the association, the routes in
the route table control the routing for the subnet.
7.2 Creating a Custom Route Table

Scenarios
If your default route table cannot meet your service requirements, you can create
a custom route table by following the instructions provided in this section.


● Each VPC can have a maximum of 10 route tables, including the default route
table.
● When you create a VPC, the system automatically generates a default route
table for the VPC.
If you want to apply for a higher quota to create more route tables, see
Creating a Service Ticket.
Procedure
4. In the navigation pane on the left, choose Virtual Private Cloud > Route
Tables.
5. In the upper right corner, click Create Route Table. On the displayed page,
configure parameters as prompted.
Name The name of the route table. This rtb-001

parameter is mandatory.
spaces.
VPC The VPC that the route table belongs to. vpc-001
This parameter is mandatory.
Description Supplementary information about the -

route table. This parameter is optional.
The description can contain a maximum
of 255 characters and cannot contain
Route The route information. This parameter is -

Settings optional.
You can add a route when creating the
route table or after the route table is
created. For details, see Adding a
Custom Route.
You can click + to add more routes.
6. Click OK.

A message is displayed. You can determine whether to associate the route

table with subnets immediately as prompted. If you want to associate
immediately, perform the following operations:
a. Click Associate Subnet. The route table details page is displayed.
b. Click Associate Subnet and select the target subnets to be associated.
c. Click OK.
7.3 Associating a Route Table with a Subnet

Scenarios
After a route table is associated with a subnet, its routes control the routing for
the subnet and apply to all cloud resources in the subnet.

A subnet can only be associated with one route table.
Procedure
Tables.
5. In the route table list, locate the row that contains the target route table and
click Associate Subnet in the Operation column.
6. Select the subnet to be associated.
Figure 7-2 Associate Subnet
7. Click OK.

7.4 Changing the Route Table Associated with a Subnet

Scenarios
You can change the route table for a subnet. If the route table for a subnet is
changed, routes in the new route table will apply to all cloud resources in the
subnet.
Procedure
Tables.
5. Click the name of the target route table.
6. On the Associated Subnets tab page, click Change Route Table in the
Operation column and select a new route table as prompted.
7. Click OK.
After the route table for a subnet is changed, routes in the new route table
will apply to all cloud resources in the subnet.
7.5 Viewing the Route Table Associated with a Subnet

Scenarios
This section describes how to view the route table associated with a subnet.
Procedure

Figure 7-3 Viewing the route table associated with a subnet
6. In the right of the subnet details page, view the route table associated with
the subnet.
7. Click the name of the route table.
The route table details page is displayed. You can further view the route
information.
7.6 Viewing Route Table Information

Scenarios
This section describes how to view detailed information about a route table,
including:
● Basic information, such as name, type (default or custom), and ID of the
route table
● Routes, such as destination, next hop, and route type (system or custom)
● Associated subnets
Procedure
Tables.
5. Click the name of the target route table.
The route table details page is displayed.
a. On the Summary tab page, view the basic information and routes of the
route table.
b. On the Associated Subnets tab page, view the subnets associated with
the route table.

7.7 Exporting Route Table Information

Scenarios
Information about all route tables under your account can be exported as an Excel
file to a local directory. This file records the name, ID, VPC, type, and number of
associated subnets of the route tables.
Procedure
Tables.
5. On the displayed page, click in the upper right of the route table list.
The system will automatically export information about all route tables under
your account in the current region as an Excel file to a local directory.
7.8 Deleting a Route Table

Scenarios
This section describes how to delete a custom route table.

● The default route table cannot be deleted.
However, deleting a VPC will also delete its default route table. Both default
and custom route tables are free of charge.
● A custom route table with a subnet associated cannot be deleted directly.
If you want to delete such a route table, you can associate the subnet with
another route table first by referring to Changing the Route Table
Associated with a Subnet.
Procedure
Tables.
4. Locate the row that contains the route table you want to delete and click


5. Click Yes.
7.9 Adding a Custom Route

Scenarios
Each route table contains a default system route, which indicates that ECSs in a
VPC can communicate with each other. You can also add custom routes as
required to forward the traffic destined for the destination to the specified next
hop.

A maximum of 200 routes can be added to each route table.
Procedure
Tables.
5. In the route table list, click the name of the route table to which you want to
add a route.
6. Click Add Route and set parameters as prompted.
You can click + to add more routes.

Destination Mandatory IPv4:

Enter the destination of the route. You 192.168.0.0/16
can enter a single IP address or an IP
address range in CIDR notation.
The destination of each route in a route
table must be unique. The destination
cannot overlap with any subnet in the
VPC.

Next Hop Mandatory VPC peering

Type Set the type of the next hop. For details connection
about the supported resource types, see
Table 7-1.
NOTE
When you add or modify a custom route in a
default route table, the next hop type of the
route cannot be set to VPN gateway, Direct
Connect gateway, or Cloud connection.
Next Hop Mandatory peer-AB

Set the next hop. The resources in the
drop-down list box are displayed based
on the selected next hop type.
Description Optional -
Enter the description of the route in the
text box as required.
7. Click OK.
7.10 Modifying a Route

Scenarios
This section describes how to modify a custom route in a route table.

● System routes cannot be modified.
● When you create a VPN, Cloud Connect, or Direct Connect connection, the
default route table automatically delivers a route that cannot be deleted or
modified.
● Routes with the next hop type of cloud container cannot be modified or
deleted.
● Routes with the next hop type of VPC endpoint cannot be modified or
deleted.
Procedure
Tables.
5. In the route table list, click the name of the target route table.

6. Locate the row that contains the route to be modified and click Modify in the
Operation column.
7. Modify the route information in the displayed dialog box.

Destination Mandatory IPv4:

Enter the destination of the route. You 192.168.0.0/16
can enter a single IP address or an IP
address range in CIDR notation.
The destination of each route in a route
table must be unique. The destination
cannot overlap with any subnet in the
VPC.
Next Hop Mandatory VPC peering

Type Set the type of the next hop. For details connection
about the supported resource types, see
Table 7-1.
NOTE
When you add or modify a custom route in a
default route table, the next hop type of the
route cannot be set to VPN gateway, Direct
Connect gateway, or Cloud connection.
Next Hop Mandatory peer-AB

Set the next hop. The resources in the
drop-down list box are displayed based
on the selected next hop type.
Description Optional -
Enter the description of the route in the
text box as required.
8. Click OK.
7.11 Replicating a Route

Scenarios
This section describes how to replicate routes among all route tables of a VPC.
VPC route tables include the default and custom route tables.

Table 7-5 shows whether routes of different types can be replicated to default or
custom route tables.
For example, if the next hop type of a route is a server, this route can be replicated
to both default or custom route tables. If the next hop type of a route is a Direct

Connect gateway, the route cannot be replicated to the default route table, but
can be replicated to a custom route table.
Table 7-5 Route replication
Next Hop Type Can Be Replicated to Can Be Replicated to

Default Route Table Custom Route Table
Local No No
Server Yes Yes
Extension NIC Yes Yes
BMS user-defined No Yes

network
VPN gateway No Yes
Direct Connect gateway No Yes
Cloud connection No Yes
Supplementary network Yes Yes

interface
NAT gateway Yes Yes
VPC peering connection Yes Yes
Virtual IP address Yes Yes
VPC endpoint No No
Cloud container No No
Enterprise router Yes Yes
Cloud firewall Yes Yes
NOTE
● If the Direct Connect service is enabled by call or email, the routes delivered to the
default route table cannot be replicated to a custom route table.
Procedure
Tables.
4. In the route table list, locate the row that contains the route table you want
to replicate routes from and click Replicate Route in the Operation column.

5. Select the target route table that you want to replicate route to and the
routes to be replicated as prompted.
The listed routes are those that do not exist in the target route table. You can
select one or more routes to replicate to the target route table.
6. Click OK.
7.12 Deleting a Route

Scenarios
This section describes how to delete a custom route from a route table.

● System routes cannot be deleted.
Figure 7-4 System routes
● The routes automatically delivered by VPN, Cloud Connect, or Direct Connect

to the default route table cannot be deleted. The next hop types of such
routes are:
– VPN gateway
– Direct Connect gateway
– Cloud connection
The following figure shows a route with VPN gateway as Next Hop Type. If
you want to delete such a route, click the next hop hyperlink to delete the
corresponding resource.
Figure 7-5 Route delivered by VPN
● Routes with the next hop type of cloud container cannot be modified or
deleted.

● Routes with the next hop type of VPC endpoint cannot be modified or
deleted.
Procedure
Tables.
5. Locate the target route table and click its name.
The route table details page is displayed.
Figure 7-6 Deleting a custom route
6. In the route list, locate the row that contains the route to be deleted and click
7.13 Configuring an SNAT Server

Scenarios
Together with VPC route tables, you can configure SNAT on an ECS to enable
other ECSs that have no EIPs bound in the same VPC to access the Internet
through this ECS.
The configured SNAT takes effect for all subnets in a VPC.
Prerequisites
● You have an ECS where SNAT is to be configured.
● The ECS where SNAT is to be configured runs Linux.
● The ECS where SNAT is to be configured has only one network interface card
(NIC).
Differences Between SNAT ECSs and NAT Gateways

The NAT Gateway service provides network address translation (NAT) for servers,
such as ECSs, BMSs and Workspace desktops, in a VPC or servers from an on-
premises data center that connects to a VPC through Direct Connect or VPN. A

NAT gateway allows these servers to share an EIP to access the Internet or provide
services accessible from the Internet.
The NAT Gateway service is easier to configure and use than SNAT. This service
can be flexibly deployed across subnets and AZs and has different NAT gateway
specifications. You can click NAT Gateway under Networking on the
management console to try this service.
For details, see the NAT Gateway User Guide.
Procedure
3. On the console homepage, under Compute, click Elastic Cloud Server.
4. On the displayed page, locate the target ECS in the ECS list and click the ECS
name to switch to the page showing ECS details.
5. On the displayed ECS details page, click the NICs tab.
6. In the displayed area showing the NIC IP address details, disable Source/
Destination Check.
By default, the source/destination check is enabled. When this check is
enabled, the system checks whether source IP addresses contained in the
packets sent by ECSs are correct. If the IP addresses are incorrect, the system
does not allow the ECSs to send the packets. This mechanism prevents packet
spoofing, thereby improving system security. If the SNAT function is used, the
SNAT server needs to forward packets. This mechanism prevents the packet
sender from receiving returned packets. Therefore, you need to disable the
source/destination check for SNAT servers.
7. Bind an EIP.
– Bind an EIP to the private IP address of the ECS. For details, see
Assigning an EIP and Binding It to an ECS.
– Bind an EIP to the virtual IP address of the ECS. For details, see Binding a
Virtual IP Address to an EIP or ECS.
8. On the ECS console, use the remote login function to log in to the ECS where
you plan to configure SNAT.
9. Run the following command and enter the password of user root to switch to
user root:
su - root
10. Run the following command to check whether the ECS can successfully
connect to the Internet:
NOTE
Before running the command, you must disable the response iptables rule on the ECS
where SNAT is configured and configure security group rules.
ping www.huawei.com
The ECS can access the Internet if the following information is displayed:
[root@localhost ~]# ping support.huawei.com
PING www.XXX.com (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms


11. Run the following command to check whether IP forwarding of the Linux OS
is enabled:
cat /proc/sys/net/ipv4/ip_forward
In the command output, 1 indicates it is enabled, and 0 indicates it is
disabled. The default value is 0.
– If IP forwarding in Linux is enabled, go to step 14.
– If IP forwarding in Linux is disabled, go to 12 to enable IP forwarding in
Linux.
Many OSs support packet routing. Before forwarding packets, OSs change
source IP addresses in the packets to OS IP addresses. Therefore, the
forwarded packets contain the IP address of the public sender so that the
response packets can be sent back along the same path to the initial packet
sender. This method is called SNAT. The OSs need to keep track of the packets
where IP addresses have been changed to ensure that the destination IP
addresses in the packets can be rewritten and that packets can be forwarded
to the initial packet sender. To achieve these purposes, you need to enable the
IP forwarding function and configure SNAT rules.
12. Use the vi editor to open the /etc/sysctl.conf file, change the value of
net.ipv4.ip_forward to 1, and enter :wq to save the change and exit.
13. Run the following command to make the change take effect:
sysctl -p /etc/sysctl.conf
14. Configure the SNAT function.
Run the following command to enable all ECSs on the network (for example,
192.168.1.0/24) to access the Internet using the SNAT function:
iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-
instance-ip
Figure 7-7 Configuring SNAT
NOTE
To ensure that the rule will not be lost after the restart, write the rule into the /etc/
rc.local file.
1. Switch to the /etc/sysctl.conf file:
vi /etc/rc.local
2. Perform 14 to configure SNAT.
3. Save the configuration and exit:
:wq
4. Add the execution permissions for the rc.local file:
# chmod +x /etc/rc.local

15. Check whether the configuration is successful. If information similar to Figure

7-8 (for example, 192.168.1.0/24) is displayed, the configuration was
successful.
iptables -t nat --list
Figure 7-8 Verifying configuration
16. Add a route. For details, see section Adding a Custom Route.
Set the destination to 0.0.0.0/0, and the next hop to the private or virtual IP
address of the ECS where SNAT is deployed. For example, the next hop is
192.168.1.4.
After these operations are complete, if the network communication still fails,
check your security group and network ACL configuration to see whether required
traffic is allowed.

User Guide 8 VPC Peering Connection
8 VPC Peering Connection
8.1 VPC Peering Connection Overview

What Is a VPC Peering Connection?
A VPC peering connection is a networking connection between two VPCs and
enables them to communicate using private IP addresses. The VPCs to be peered
can be in the same account or different accounts, but must be in the same region.
● If you want to connect VPCs in different regions, use Cloud Connect.
● You can use VPC peering connections to build different networks. For details,
see VPC Peering Connection Usage Examples.
Figure 8-1 shows an application scenario of VPC peering connections.

● There are two VPCs (VPC-A and VPC-B) in region A that are not connected.
● Service servers (ECS-A01 and ECS-A02) are in VPC-A, and database servers
(RDS-B01 and RDS-B02) are in VPC-B. The service servers and database
servers cannot communicate with each other.
● You need to create a VPC peering connection (peering-AB) between VPC-A
and VPC-B so the service servers and database servers can communicate with
each other.
Figure 8-1 VPC peering connection network diagram

NOTICE
Currently, VPC peering connections are free of charge.
VPC Peering Connection Creation Process

A VPC peering connection can only connect VPCs in the same region.
● If two VPCs are in the same account, the process of creating a VPC peering
connection is shown in Figure 8-2.
For details about how to create a VPC peering connection, see Creating a
VPC Peering Connection with Another VPC in Your Account.
Figure 8-2 Process of creating a VPC peering connection between VPCs in the
same account
● If two VPCs are in different accounts, the process of creating a VPC peering
connection is shown in Figure 8-3.
For details about how to create a VPC peering connection, see Creating a
VPC Peering Connection with a VPC in Another Account.
If account A initiates a request to create a VPC peering connection with a VPC
in account B, the VPC peering connection takes effect only after account B
accepts the request.
Figure 8-3 Process of creating a VPC peering connection between VPCs in

different accounts


● A VPC peering connection can only connect VPCs in the same region.
– If you want to connect VPCs in different regions, you can use Cloud
Connect.
– If you only need few ECSs in different regions to communicate with each
other, you can assign and bind EIPs to the ECSs.
● If the local and peer VPCs have overlapping CIDR blocks, the VPC peering
connection may not take effect.
In this case, you can refer to networking configuration examples.
● A VPC peering connection can enable a VPC created on the Huawei Cloud
Chinese Mainland website and the other created on the Huawei Cloud
International website to communicate, but the VPCs must be in the same
region. For example, one VPC on the Chinese Mainland website is in CN-Hong
Kong region, and the other VPC on the International website is also in CN-
Hong Kong region.
● By default, if VPC A is peered with VPC B that has EIPs, VPC A cannot use EIPs
in VPC B to access the Internet. To enable this, you can use the NAT Gateway
service or configure an SNAT server. For details, see Enabling Internet
Connectivity for an ECS Without an EIP.
8.2 VPC Peering Connection Usage Examples

A VPC peering connection is a networking connection between two VPCs and
enables them to communicate. Table 8-1 lists different scenarios of using VPC
peering connections.
Table 8-1 VPC peering connection usage examples
Locati CIDR Block Description Usage Example

on
VPCs ● VPC CIDR You can create VPC ● Peering Two or More VPCs
in the blocks do peering connections ● Peering One Central VPC
same not to connect entire with Multiple VPCs
region overlap. CIDR blocks of VPCs.
Then, all resources in ● For more usage scenarios,
● Subnet see Connecting Entire CIDR
CIDR the VPCs can
communicate with Blocks of VPCs.
blocks of
VPCs do each other.
not
overlap.
VPCs ● VPC CIDR You can create VPC ● Peering Two VPCs with
in the blocks peering connections Overlapping CIDR Blocks
same overlap. to connect specific ● For more usage scenarios,
region ● Some subnets or ECSs from see Connecting Specific
subnet different VPCs. Subnets from Different
CIDR ● To connect VPCs.
specific subnets

Locati CIDR Block Description Usage Example

on
blocks from two VPCs, ● Peering ECSs in a Central
overlap. the subnet CIDR VPC with ECSs in Two
blocks cannot Other VPCs
overlap. ● For more usage scenarios,
● To connect see Connecting Specific
specific ECSs from ECSs from Different VPCs.
two VPCs, each
ECS must have a
unique private IP
address.
VPCs ● VPC CIDR VPC peering ● Invalid VPC Peering

in the blocks connections are not Connections
same overlap. usable. ● For more examples, see
region ● All subnet Unsupported VPC Peering
CIDR Configurations.
blocks
overlap.
NOTICE
A VPC peering connection can only connect VPCs in the same region. If your VPCs
are in different regions, use Cloud Connect.
Peering Two or More VPCs

● Two VPCs peered together: Figure 8-4 shows the networking diagram of a
VPC peering connection that connects VPC-A and VPC-B.

Figure 8-4 Networking diagram (IPv4)
Table 8-2 Peering relationships (IPv4)

Peering Peering Local VPC Peer VPC
Relationship Connection
Name
VPC-A is Peering-AB VPC-A VPC-B

peered with
VPC-B.
Table 8-3 VPC route tables (IPv4)

Rout Destina Next Rout Description
e tion Hop e
Tabl Type
e
rtb- 10.0.0.0/ Peering Custo Add a route with the CIDR block of
VPC- 16 -AB m VPC-B as the destination and Peering-
A AB as the next hop.
rtb- 172.16.0 Peering Custo Add a route with the CIDR block of
VPC- .0/16 -AB m VPC-A as the destination and Peering-
B AB as the next hop.
● Multiple VPCs peered together: Figure 8-5 shows the networking diagram of
VPC peering connections that connect VPC-A, VPC-B, and VPC-C.


Name
VPC-A is Peering-AB VPC-A VPC-B

peered with
VPC-B.
VPC-A is Peering-AC VPC-A VPC-C

peered with
VPC-C.
VPC-B is Peering-BC VPC-B VPC-C

peered with
VPC-C.
Table 8-5 VPC route tables (IPv4)

Rout Destinat Next Rout Description
e ion Hop e
Tabl Type
e
rtb- 10.0.0.0/ Peering Custo Add a route with the CIDR block of
VPC- 16 -AB m VPC-B as the destination and Peering-
A AB as the next hop.


e ion Hop e
Tabl Type
e
192.168. Peering Custo Add a route with the CIDR block of

0.0/16 -AC m VPC-C as the destination and Peering-
AC as the next hop.
rtb- 172.16.0. Peering Custo Add a route with the CIDR block of
VPC- 0/16 -AB m VPC-A as the destination and Peering-
B AB as the next hop.
192.168. Peering Custo Add a route with the CIDR block of

0.0/16 -BC m VPC-C as the destination and Peering-
BC as the next hop.
rtb- 172.16.0. Peering Custo Add a route with the CIDR block of
VPC- 0/16 -AC m VPC-A as the destination and Peering-
C AC as the next hop.
10.0.0.0/ Peering Custo Add a route with the CIDR block of

16 -BC m VPC-B as the destination and Peering-
BC as the next hop.
NOTE
If a large number of VPCs, for example, 10 VPCs, need to communicate with each
other, the networking for establishing VPC peering connections among them is
complex. In this case, an enterprise router is recommended. You can attach all the
VPCs to an enterprise router to allow them to communicate. For details, see Using an
Enterprise Router to Enable Communications Between VPCs in the Same Region.
Peering One Central VPC with Multiple VPCs

Figure 8-6 shows the networking diagram of VPC peering connections that
connect VPC-B, VPC-C, VPC-D, VPC-E, VPC-F, VPC-G, and central VPC-A.


Name
VPC-A is peered Peering-AB VPC-A VPC-B

with VPC-B.
VPC-A is peered Peering-AC VPC-A VPC-C

with VPC-C.
VPC-A is peered Peering-AD VPC-A VPC-D

with VPC-D.
VPC-A is peered Peering-AE VPC-A VPC-E

with VPC-E.
VPC-A is peered Peering-AF VPC-A VPC-F

with VPC-F.


Name
VPC-A is peered Peering-AG VPC-A VPC-G

with VPC-G.
Table 8-7 VPC route table details (IPv4)

Rout Destinati Next Route Description
e on Hop Type
Table
rtb- 10.0.0.0/ Peering Custo Add a route with the CIDR block of VPC-
VPC- 16 -AB m B as the destination and Peering-AB as
A the next hop.
192.168.0 Peering Custo Add a route with the CIDR block of VPC-
.0/16 -AC m C as the destination and Peering-AC as
the next hop.
10.2.0.0/ Peering Custo Add a route with the CIDR block of VPC-
16 -AD m D as the destination and Peering-AD as
the next hop.
16 -AE m E as the destination and Peering-AE as
the next hop.
172.17.0. Peering Custo Add a route with the CIDR block of VPC-
0/16 -AF m F as the destination and Peering-AF as
the next hop.
16 -AG m G as the destination and Peering-AG as
the next hop.
rtb- 172.16.0. Peering Custo Add a route with the CIDR block of VPC-
VPC- 0/16 -AB m A as the destination and Peering-AB as
B the next hop.
VPC- 0/16 -AC m A as the destination and Peering-AC as
C the next hop.
VPC- 0/16 -AD m A as the destination and Peering-AD as
D the next hop.
VPC-E 0/16 -AE m A as the destination and Peering-AE as
the next hop.

Rout Destinati Next Route Description

e on Hop Type
Table
VPC-F 0/16 -AF m A as the destination and Peering-AF as
the next hop.
VPC- 0/16 -AG m A as the destination and Peering-AG as
G the next hop.
Peering Two VPCs with Overlapping CIDR Blocks

As shown in Figure 8-7, VPC-A and VPC-B have overlapping CIDR blocks, and their
Subnet-A01 and Subnet-B01 also have overlapping CIDR blocks. In this case, a VPC
peering connection can connect their Subnet-A02 and Subnet-B02 that do not
overlap with each other.

Name
VPC-A is peered Peering-AB VPC-A VPC-B

with VPC-B.


e ion Hop e
Table Type
rtb- 10.0.2.0/ Peering- Custo Add a route with the CIDR block of
VPC- 24 AB m Subnet-B02 as the destination and
A Peering-AB as the next hop.
rtb- 10.0.1.0/ Peering- Custo Add a route with the CIDR block of
VPC- 24 AB m Subnet-A02 as the destination and
B Peering-AB as the next hop.
Peering ECSs in a Central VPC with ECSs in Two Other VPCs

As shown in Figure 8-8, VPC-B and VPC-C have overlapping CIDR blocks, and their
Subnet-B01 and Subnet-BC01 have overlapping CIDR blocks. In this case, the VPC
peering connection can connect ECSs in Subnet-B01 and Subnet-A01, and ECSs in
Subnet-C01 and Subnet-A01.


Name
ECS-A01-1 in Peering-AB VPC-A VPC-B

VPC-A is peered
with ECS-B01 in
VPC-B.
ECS-A01-2 in Peering-AC VPC-A VPC-C

VPC-A is peered
with ECS-C01 in
VPC-C.

Rout Destinat Next Route Description
e ion Hop Type
Table
rtb- 10.0.0.13 Peering Custo Add a route with the private IP address
VPC- 9/32 -AB m of ECS-B01 as the destination and
A Peering-AB as the next hop.
10.0.0.71 Peering Custo Add a route with the private IP address

/32 -AC m of ECS-C01 as the destination and
Peering-AC as the next hop.
rtb- 172.16.0. Peering Custo Add a route with the private IP address
VPC- 111/32 -AB m of ECS-A01-1 as the destination and
B Peering-AB as the next hop.
rtb- 172.16.0. Peering Custo Add a route with the private IP address
VPC- 218/32 -AC m of ECS-A01-2 as the destination and
C Peering-AC as the next hop.
Invalid VPC Peering Connections

If VPCs with the same CIDR block also include subnets that overlap, VPC peering
connections are not usable. VPC-A and VPC-B have the same CIDR block and their
subnets have the same CIDR block. If a VPC peering connection is created between
VPC-A and VPC-B, traffic cannot be routed between them because there are routes
with the same destination.
In the rtb-VPC-A route table, the custom route for routing traffic from VPC-A to
VPC-B and the local route have overlapping destinations. The local route has a
higher priority and traffic will be forwarded within VPC-A and cannot reach VPC-B.

Table 8-12 VPC route table details

Rou Destination Next Rout Description
te Hop e
Tabl Type
e
rtb- 10.0.0.0/24 Local Syste Local routes are automatically added

VPC- m for communications within a VPC.
A
10.0.1.0/24 Local Syste
m
10.0.0.0/16 Peerin Cust Add a route with the CIDR block of

(VPC-B) g-AB om VPC-B as the destination and
Peering-AB as the next hop.
rtb- 10.0.0.0/24 Local Syste Local routes are automatically added

VPC- m for communications within a VPC.
B
10.0.1.0/24 Local Syste
m
10.0.0.0/16 Peerin Cust Add a route with the CIDR block of

(VPC-A) g-AB om VPC-A as the destination and
Peering-AB as the next hop.

8.3 Creating a VPC Peering Connection with Another

VPC in Your Account
Scenarios
If two VPCs from the same region cannot communicate with each other, you can
use a VPC peering connection. This section describes how to create a VPC peering
connection between two VPCs in the same account.
This following describes how to create a VPC peering connection between VPC-A
and VPC-B in account A to enable communications between ECS-A01 and RDS-
B01.
Procedure:
1. Step 1: Create a VPC Peering Connection
2. Step 2: Add Routes for the VPC Peering Connection
3. Step 3: Verify Network Connectivity
Figure 8-10 Networking diagram of a VPC peering connection between VPCs in

the same account
NOTICE

● Only one VPC peering connection can be created between two VPCs at the
same time.
Connect.

Prerequisites
You have two VPCs in the same region. If you want to create one, see Creating a
VPC.
Step 1: Create a VPC Peering Connection

4. In the navigation pane on the left, choose Virtual Private Cloud > VPC
Peering Connections.
The VPC peering connection list is displayed.
5. In the upper right corner of the page, click Create VPC Peering Connection.
The Create VPC Peering Connection dialog box is displayed.
6. Configure the parameters as prompted.
For details, see Table 8-13.

Figure 8-11 Create VPC Peering Connection
Table 8-13 Parameters for creating a VPC peering connection

Name Mandatory peering-AB

Enter a name for the VPC
peering connection.
including letters, digits, hyphens
(-), and underscores (_).
Local VPC Mandatory VPC-A

VPC at one end of the VPC
peering connection. You can
select one from the drop-down
list.

Local VPC CIDR block of the selected local 172.16.0.0/16

CIDR Block VPC
Account Mandatory My account

● Options: My account and
Another account
● Select My account.
Peer Project The system fills in the ab-cdef-1

corresponding project by
default because My account is
set to Account.
For example, if VPC-A and VPC-
B are in account A and region
A, the system fills in the
correspond project of account A
in region A by default.
Peer VPC This parameter is mandatory if VPC-B

Account is set to My account.
VPC at the other end of the
VPC peering connection. You
can select one from the drop-
down list.
Peer VPC CIDR CIDR block of the selected peer 172.17.0.0/16

Block VPC
If the local and peer VPCs have
overlapping CIDR blocks, the
VPC peering connection may
not take effect. For details, see
VPC Peering Connection
Usage Examples.
Description Optional peering-AB connects

Enter the description of the VPC VPC-A and VPC-B.
peering connection in the text
box as required. The description
can contain a maximum of 255
7. Click OK.
A dialog box for adding routes is displayed.
8. Click Add Route or Add Later.
a. If you click Add Route, the Local Routes page is displayed. Then, go to
Step 2: Add Routes for the VPC Peering Connection.
b. If you click Add Later, the VPC peering connection list is displayed.

NOTICE
After a VPC peering connection is created, you must add routes to the route
tables of the local and peer VPCs. Otherwise, the VPC peering connection
does not take effect.
Step 2: Add Routes for the VPC Peering Connection

1. Add routes to the route table of the local VPC:
a. On the Local Routes tab of the VPC peering connection, click the Route
Tables hyperlink.
The Summary tab of the default route table for the local VPC is
displayed.
Figure 8-12 Route Tables hyperlink-Local VPC
b. Click Add Route.

Table 8-14 describes the route parameters.
Destination The peer VPC CIDR block, subnet CIDR VPC-B CIDR
block, or ECS IP address. For details, block:
see VPC Peering Connection Usage 172.17.0.0/16
Examples.
Next Hop The next hop type. Select VPC peering VPC peering
Type connection. connection
Next Hop The next hop address. Select the name peering-AB
of the current VPC peering connection.

route. This parameter is optional.
The route description can contain a
cannot contain angle brackets (< or
>).

c. Click OK.
You can view the route in the route list.
Figure 8-13 Route for the local VPC
2. Add routes to the route table of the peer VPC:

a. On the Peer Routes tab of the VPC peering connection, click the Route
Tables hyperlink.
The Summary tab of the default route table for the peer VPC is
displayed.
Figure 8-14 Route Tables hyperlink-Peer VPC
b. Click Add Route.

Destination The local VPC CIDR block, subnet CIDR VPC-A CIDR
Examples.


>).
c. Click OK.
Figure 8-15 Route for the peer VPC
Step 3: Verify Network Connectivity

After you add routes for the VPC peering connection, verify the communication
between the local and peer VPCs.
1. Log in to ECS-A01 in the local VPC.
Multiple methods are available for logging in to an ECS. For details, see
Logging In to an ECS.
2. Check whether ECS-A01 can communicate with RDS-B01.
ping IP address of RDS-B01
Example command:
ping 172.17.0.21
If information similar to the following is displayed, ECS-A01 and RDS-B01 can
communicate with each other, and the VPC peering connection between VPC-
A and VPC-B is successfully created.
[root@ecs-A02 ~]# ping 172.17.0.21
PING 172.17.0.21 (172.17.0.21) 56(84) bytes of data.
64 bytes from 172.17.0.21: icmp_seq=1 ttl=64 time=0.849 ms
...
--- 172.17.0.21 ping statistics ---

NOTICE
● In this example, ECS-A01 and RDS-B01 are in the same security group. If
the instances in different security groups, you need to add inbound rules to
allow access from the peer security group. For details, see Enabling ECSs
in Different Security Groups to Communicate with Each Other Through
an Internal Network.
● If VPCs connected by a VPC peering connection cannot communicate with
each other, refer to Why Did Communication Fail Between VPCs That
Were Connected by a VPC Peering Connection?
8.4 Creating a VPC Peering Connection with a VPC in

Another Account
Scenarios
If two VPCs from the same region cannot communicate with each other, you can
use a VPC peering connection. This section describes how to create a VPC peering
connection between two VPCs in different accounts.
This following describes how to create a VPC peering connection between VPC-A
in account A and VPC-B in account B to enable communications between ECS-A01
and RDS-B01.
Procedure:
1. Step 1: Create a VPC Peering Connection
2. Step 2: Peer Account Accepts the VPC Peering Connection Request
3. Step 3: Add Routes for the VPC Peering Connection
4. Step 4: Verify Network Connectivity
Figure 8-16 Networking diagram of a VPC peering connection between VPCs in

different accounts
NOTICE


● Only one VPC peering connection can be created between two VPCs at the
same time.
Connect.
● For a VPC peering connection between VPCs in different accounts:
– If account A initiates a request to create a VPC peering connection with a
VPC in another B, the VPC peering connection takes effect only after
account B accepts the request.
– To ensure network security, do not accept VPC peering connections from
unknown accounts.
Prerequisites
You have two VPCs in the same region. If you want to create one, see Creating a
VPC.
Step 1: Create a VPC Peering Connection

5. In the upper right corner of the page, click Create VPC Peering Connection.
The Create VPC Peering Connection dialog box is displayed.
6. Configure the parameters as prompted.
For details, see Table 8-16.

Figure 8-17 Create VPC Peering Connection
Table 8-16 Parameters for creating a VPC peering connection

Name Mandatory peering-AB

Enter a name for the VPC
peering connection.
including letters, digits, hyphens
(-), and underscores (_).
Local VPC Mandatory VPC-A

VPC at one end of the VPC
peering connection. You can
select one from the drop-down
list.

Local VPC CIDR block of the selected local 172.16.0.0/16

CIDR Block VPC
Account Mandatory Another account

● Options: My account and
Another account
● Select Another account.
Peer Project This parameter is mandatory Project ID of VPC-B in

ID because Account is set to region A:
Another account. 067cf8aecf3XXX08322f
The project ID of the region that 13b
the peer VPC resides. For details
about how to obtain the project
ID, see Obtaining the Peer
Project ID of a VPC Peering
Connection.
Peer VPC ID This parameter is mandatory VPC-B ID:

because Account is set to 17cd7278-
Another account. XXX-530c952dcf35
ID of the VPC at the other end
of the VPC peering connection.
For details about how to obtain
the ID, see Obtaining a VPC ID.
Description Optional peering-AB connects

Enter the description of the VPC VPC-A and VPC-B.
peering connection in the text
box as required. The description
can contain a maximum of 255
7. Click OK.
– If the message "Invalid VPC ID and project ID." is displayed, check
whether the project ID and VPC ID are correct.
▪ Peer Project ID: The value must be the project ID of the region where
the peer VPC resides.
▪ The local and peer VPCs must be in the same region.

– If the status of the created VPC peering connection is Awaiting
acceptance, go to Step 2: Peer Account Accepts the VPC Peering
Connection Request.

Figure 8-18 Awaiting acceptance
Step 2: Peer Account Accepts the VPC Peering Connection Request

After you create a VPC peering connection with a VPC in another account, you
need to contact the peer account to accept the VPC peering connection request. In
this example, account A notifies account B to accept the request. Account B needs
to:

4. In the upper part of the VPC peering connection list, locate the VPC peering
connection request to be accepted.
Figure 8-19 Accept Request
5. Locate the row that contains the target VPC peering connection and click
Accept Request in the Operation column.
After the status of the VPC peering connection changes to Accepted, the VPC
peering connection is created.
6. Go to Step 3: Add Routes for the VPC Peering Connection.
NOTICE
After a VPC peering connection is created, you must add routes to the route
tables of the local and peer VPCs. Otherwise, the VPC peering connection
does not take effect.
Step 3: Add Routes for the VPC Peering Connection

Both accounts need to add a route to the route table of their VPC. In this example,
account A adds a route to the route table of VPC-A, and account B adds a route to
the route table of VPC-B.
1. Add routes to the route table of the local VPC:

a. In the VPC peering connection list of the local account, click the name of
the target VPC peering connection.
The Basic Information tab of the VPC peering connection is displayed.
b. On the Local Routes tab of the VPC peering connection, click the Route
Tables hyperlink.
displayed.
Figure 8-20 Route Tables hyperlink-Local VPC
c. Click Add Route.


Destination The peer VPC CIDR block, subnet CIDR VPC-B CIDR
Examples.

>).
d. Click OK.

Figure 8-21 Route for the local VPC
2. Add routes to the route table of the peer VPC:

a. In the VPC peering connection list of the peer account, click the name of
the target VPC peering connection.
The Basic Information tab of the VPC peering connection is displayed.
b. On the Local Routes tab of the VPC peering connection, click the Route
Tables hyperlink.
displayed.
Figure 8-22 Route Tables hyperlink-Peer VPC
c. Click Add Route.

Destination The local VPC CIDR block, subnet CIDR VPC-A CIDR
Examples.


>).
d. Click OK.
Figure 8-23 Route for the peer VPC
Step 4: Verify Network Connectivity

After you add routes for the VPC peering connection, verify the communication
between the local and peer VPCs.
1. Log in to ECS-A01 in the local VPC.
Multiple methods are available for logging in to an ECS. For details, see
Logging In to an ECS.
2. Check whether ECS-A01 can communicate with RDS-B01.
ping IP address of RDS-B01
Example command:
ping 172.17.0.21
If information similar to the following is displayed, ECS-A01 and RDS-B01 can
communicate with each other, and the VPC peering connection between VPC-
A and VPC-B is successfully created.
[root@ecs-A02 ~]# ping 172.17.0.21
PING 172.17.0.21 (172.17.0.21) 56(84) bytes of data.
...
--- 172.17.0.21 ping statistics ---

NOTICE
● In this example, ECS-A01 and RDS-B01 are in the same security group. If
the instances in different security groups, you need to add inbound rules to
allow access from the peer security group. For details, see Enabling ECSs
in Different Security Groups to Communicate with Each Other Through
an Internal Network.
● If VPCs connected by a VPC peering connection cannot communicate with
each other, refer to Why Did Communication Fail Between VPCs That
Were Connected by a VPC Peering Connection?
8.5 Obtaining the Peer Project ID of a VPC Peering

Connection
Scenarios
If you create a VPC peering connection between two VPCs in different accounts,
you can refer to this section to obtain the project ID of the region that the peer
VPC resides.
Procedure
The owner of the peer account logs in to the management console.
2. Select My Credentials from the username drop-down list.
The My Credentials page is displayed.
Figure 8-24 My Credentials
3. In the project list, obtain the project ID.

Locate the region of the peer VPC and obtain the project ID corresponding to
the region.

Figure 8-25 Project ID
8.6 Modifying a VPC Peering Connection

Scenarios
This section describes how to modify the basic information about a VPC peering
connection, including its name and description.
Either owner of a VPC in a peering connection can modify the VPC peering
connection in any state.
Procedure
The Virtual Private Cloud page is displayed.
5. In the VPC peering connection list, locate the row that contains the target
VPC peering connection and click Modify in the Operation column.
The Modify VPC Peering Connection dialog box is displayed.
6. Modify the VPC peering connection information and click OK.
8.7 Viewing VPC Peering Connections

Scenarios
This section describes how to view basic information about a VPC peering
connection, including the connection name, status, and information about the
local and peer VPCs.
If a VPC peering connection is created between two VPCs in different accounts,

both the local and peer accounts can view information about the VPC peering
connection.

Procedure
5. In the VPC peering connection list, click the name of the target VPC peering
connection.
On the displayed page, view details about the VPC peering connection.
8.8 Deleting a VPC Peering Connection

Scenarios
This section describes how to delete a VPC peering connection.
Either owner of a VPC in a peering connection can delete the VPC peering
connection in any state.

The owner of either VPC in a peering connection can delete the VPC peering
connection at any time. Deleting a VPC peering connection will also delete all
information about this connection, including the routes in the local and peer VPC
route tables added for the connection.
Procedure
5. In the VPC peering connection list, locate the row that contains the target
VPC peering connection and click Delete in the Operation column.
6. Click Yes.

8.9 Modifying Routes Configured for a VPC Peering

Connection
Scenarios
This section describes how to modify the routes added for a VPC peering
connection in the route tables of the local and peer VPCs.
● Modifying Routes of a VPC Peering Connection Between VPCs in the
Same Account
● Modifying Routes of a VPC Peering Connection Between VPCs in Different
Accounts
You can follow the instructions provided in this section to modify routes based on
your requirements.
Modifying Routes of a VPC Peering Connection Between VPCs in the Same

Account
connection.
The page showing the VPC peering connection details is displayed.
6. Modify the route added to the route table of the local VPC:
a. Click the Local Routes tab and then click the Route Tables hyperlink.
displayed.
b. Locate the row that contains the route to be modified and click Modify in
the Operation column.
The Modify Route dialog box is displayed.
c. Modify the route and click OK.
7. Modify the route added to the route table of the peer VPC:
a. Click the Peer Routes tab and then click the Route Tables hyperlink.
displayed.
b. Locate the row that contains the route to be modified and click Modify in
c. Modify the route and click OK.

Modifying Routes of a VPC Peering Connection Between VPCs in Different

Accounts
Only the account owner of a VPC can modify the routes added for the connection.
1. Log in to the management console using the account of the local VPC and
modify the route of the local VPC:
a. Click in the upper left corner and select the desired region and
project.
b. On the console homepage, under Networking, click Virtual Private
Cloud.
c. In the navigation pane on the left, choose Virtual Private Cloud > VPC
d. In the VPC peering connection list, click the name of the target VPC
peering connection.
e. Modify the route added to the route table of the local VPC:
i. Click the Local Routes tab and then click the Route Tables
hyperlink.
displayed.
ii. Locate the row that contains the route to be modified and click
Modify in the Operation column.
iii. Modify the route and click OK.
2. Log in to the management console using the account of the peer VPC and
modify the route of the peer VPC by referring to 1.
8.10 Viewing Routes Configured for a VPC Peering

Connection
Scenarios
This section describes how to view the routes added to the route tables of local
and peer VPCs of a VPC peering connection.
● Viewing Routes of a VPC Peering Connection Between VPCs in the Same
Account
● Viewing Routes of a VPC Peering Connection Between VPCs in Different
Accounts
If two VPCs cannot communicate through a VPC peering connection, you can
check the routes added for the local and peer VPCs by following the instructions
provided in this section.

Viewing Routes of a VPC Peering Connection Between VPCs in the Same

Account
connection.
6. View the routes added for the VPC peering connection:
a. Click the Local Routes tab to view the local route added for the VPC
peering connection.
b. Click the Peer Routes tab to view the peer route added for the VPC
peering connection.
Viewing Routes of a VPC Peering Connection Between VPCs in Different

Accounts
Only the account owner of a VPC in a VPC peering connection can view the routes
added for the connection.
view the route of the local VPC:
project.
Cloud.
peering connection.
e. Click the Local Routes tab to view the local route added for the VPC
peering connection.
view the route of the peer VPC by referring to 1.

8.11 Deleting Routes Configured for a VPC Peering

Connection
Scenarios
This section describes how to delete routes from the route tables of the local and
peer VPCs connected by a VPC peering connection.
● Deleting Routes of a VPC Peering Connection Between VPCs in the Same
Account
● Deleting Routes of a VPC Peering Connection Between VPCs in Different
Accounts
Deleting Routes of a VPC Peering Connection Between VPCs in the Same

Account
connection.
6. Delete the route added to the route table of the local VPC:
a. Click the Local Routes tab and then click the Route Tables hyperlink.
displayed.
b. Locate the row that contains the route to be deleted and click Delete in
c. Click Yes.
7. Delete the route added to the route table of the peer VPC:
a. Click the Peer Routes tab and then click the Route Tables hyperlink.
displayed.
b. Locate the row that contains the route to be deleted and click Delete in
c. Click Yes.

Deleting Routes of a VPC Peering Connection Between VPCs in Different

Accounts
Only the account owner of a VPC in a VPC peering connection can delete the
routes added for the connection.
delete the route of the local VPC:
project.
Cloud.
peering connection.
e. Delete the route added to the route table of the local VPC:
i. Click the Local Routes tab and then click the Route Tables
hyperlink.
displayed.
ii. Locate the row that contains the route to be deleted and click Delete
in the Operation column.
iii. Click Yes.
delete the route of the peer VPC by referring to 1.

User Guide 9 VPC Flow Log
9 VPC Flow Log
9.1 VPC Flow Log Overview

A VPC flow log records information about the traffic going to and from a VPC.
VPC flow logs help you monitor network traffic, analyze network attacks, and
determine whether security group and network ACL rules require modification.
Currently, the VPC flow log function is supported in certain regions. You can go to
Function Overview and click VPC Flow Log to check.
VPC flow logs must be used together with the Log Tank Service (LTS). Before you
create a VPC flow log, you need to create a log group and a log stream in LTS.
Figure 9-1 shows the process for configuring VPC flow logs.

Figure 9-1 Configuring VPC flow logs
The VPC flow log function itself is free of charge, but you may be charged for
other resources used. For example, the storage of VPC flow log records will be
charged. For details, see Log Tank Service User Guide.

● Currently, only S2, M2, Hc2, D2, Pi1, S3, C3, M3, H3, Ir3, I3, S6, E3, C3ne,
M3ne, G5, P2v, C6, M6, Pi1, and H3 ECSs support VPC flow logs.
For details about ECS types, see ECS Types.
● By default, you can create a maximum of 10 VPC flow logs.
● By default, a maximum of 400,000 flow log records are supported.
9.2 Creating a VPC Flow Log

Scenarios
A VPC flow log records information about the traffic going to and from a VPC.
Prerequisites
Ensure that the following operations have been performed on the LTS console:
● Create a log group.
● Create a log stream.

For more information about the LTS service, see the Log Tank Service User Guide.
Procedure
4. In the navigation pane on the left, choose VPC Flow Logs.
5. In the upper right corner, click Create VPC Flow Log. On the displayed page,
configure parameters as prompted.
Name The VPC flow log name. flowlog-495d

spaces.
Resource The type of resources whose traffic is to NIC

Type be logged. You can select NIC, Subnet,
or VPC.
Resource The specific NIC whose traffic is to be N/A

logged.
NOTE
We recommend that you select an ECS that is
in the running state. If an ECS in the stopped
state is selected, restart the ECS after creating
the VPC flow log for accurately recording the
information about the traffic going to and
from the ECS NIC.
Filter ● All traffic: specifies that both All

accepted and rejected traffic of the
specified resource will be logged.
● Accepted traffic: specifies that only
accepted traffic of the specified
resource will be logged. Accepted
traffic refers to the traffic permitted
by the security group or network ACL.
● Rejected traffic: specifies that only
rejected traffic of the specified
resource will be logged. Rejected
traffic refers to the traffic denied by
the network ACL.
Log Group The log group created in LTS. lts-group-wule

Log Stream The log stream created in LTS. lts-topic-wule

VPC flow log. This parameter is optional.
The VPC flow log description can contain
a maximum of 255 characters and
cannot contain angle brackets (< or >).
NOTE
Only two flow logs, each with a different filter, can be created for a single resource
under the same log group and log stream. Each VPC flow log must be unique.
6. Click OK.
9.3 Viewing a VPC Flow Log

Scenarios
View information about your flow log record.
The capture window is approximately 10 minutes, which indicates that a flow log
record will be generated every 10 minutes. After creating a VPC flow log, you need
to wait about 10 minutes before you can view the flow log record.
NOTE
If an ECS is in the stopped state, its flow log records will not be displayed.
Procedure
5. Locate the target VPC flow log and click View Log Record in the Operation
column to view information about the flow log record in LTS.
The flow log record is in the following format:
<version> <project-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets>
<bytes> <start> <end> <action> <log-status>
Example 1: The following is an example of a flow log record in which data
was recorded during the capture window:
1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd 192.168.0.154
192.168.3.25 38929 53 17 1 96 1548752136 1548752736 ACCEPT OK
Value 1 indicates the VPC flow log version. Traffic with a size of 96 bytes to
NIC 1d515d18-1b36-47dc-a983-bd6512aed4bd during the past 10 minutes
(from 16:55:36 to 17:05:36 on January 29, 2019) was allowed. A data packet

was transmitted over the UDP protocol from source IP address 192.168.0.154
and port 38929 to destination IP address 192.168.3.25 and port 53.
Example 2: The following is an example of a flow log record in which no data
was recorded during the capture window:
1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd - - - - - - -
1431280876 1431280934 - NODATA
Example 3: The following is an example of a flow log record in which data

was skipped during the capture window:
1 5f67944957444bd6bb4fe3b367de8f3d 1d515d18-1b36-47dc-a983-bd6512aed4bd - - - - - - -
1431280876 1431280934 - SKIPDATA
Table 9-2 describes the fields of a flow log record.
Table 9-2 Log field description

Field Description Example Value
version The VPC flow log version. 1
project-id The project ID. 5f67944957444bd6bb4fe3b3

67de8f3d
interface-id The ID of the NIC for which 1d515d18-1b36-47dc-a983-

the traffic is recorded. bd6512aed4bd
srcaddr The source IP address. 192.168.0.154
dstaddr The destination IP address. 192.168.3.25
srcport The source port. 38929
dstport The destination port. 53
protocol The Internet Assigned 17

Numbers Authority (IANA)
protocol number of the
traffic. For details, see
Assigned Internet
Protocol Numbers.
packets The number of packets 1

transferred during the
capture window.
bytes The number of bytes 96

transferred during the
capture window.
start The time, in Unix seconds, 1548752136

of the start of the capture
window.
end The time, in Unix seconds, 1548752736

of the end of the capture
window.

Field Description Example Value
action The action associated with ACCEPT

the traffic:
● ACCEPT: The recorded
traffic was allowed by
the security groups or
network ACLs.
● REJECT: The recorded
traffic was denied by the
security groups or
network ACLs.
log-status The logging status of the OK

VPC flow log:
● OK: Data is logging
normally to the chosen
destinations.
● NODATA: There was no
traffic of the Filter
setting to or from the
NIC during the capture
window.
● SKIPDATA: Some flow
log records were skipped
during the capture
window. This may be
caused by an internal
capacity constraint or an
internal error.
Example:
When Filter is set to
Accepted traffic, if there is
accepted traffic, the value
of log-status is OK. If
there is no accepted traffic,
the value of log-status is
NODATA regardless of
whether there is rejected
traffic. If some accepted
traffic is abnormally
skipped, the value of log-
status is SKIPDATA.
You can enter a keyword on the log stream details page on the LTS console to
search for flow log records.

9.4 Enabling or Disabling VPC Flow Log

Scenarios
After a VPC flow log is created, the VPC flow log is automatically enabled. If you
do not need to record traffic data, you can disable the corresponding VPC flow
log. The disabled VPC flow log can be enabled again.
Procedure
5. Locate the VPC flow log to be enabled or disabled, and click Enable or
Disable in the Operation column.
6. Click Yes.
9.5 Deleting a VPC Flow Log

Scenarios
Delete a VPC flow log that is not required. Deleting a VPC flow log will not delete
the existing flow log records in LTS.
NOTE
If a NIC that uses a VPC flow log is deleted, the flow log will be automatically deleted.
However, the flow log records are not deleted.
Procedure
5. Locate the row that contains the VPC flow log to be deleted and click Delete
in the Operation column.

User Guide 10 Virtual IP Address
10 Virtual IP Address
10.1 Virtual IP Address Overview

What Is a Virtual IP Address?
A virtual IP address can be shared among multiple ECSs. An ECS can have both
private and virtual IP addresses, and you can access the ECS through either IP
address. A virtual IP address has the same network access capabilities as a private
IP address, including layer 2 and layer 3 communication in VPCs, access between
VPCs using VPC peering connections, as well as access through EIPs, VPN
connections, and Direct Connect connections.
You can bind ECSs deployed in active/standby mode with the same virtual IP
address, and then bind an EIP to the virtual IP address. Virtual IP addresses can
work together with Keepalived to ensure high availability and disaster recovery. If
the active ECS is faulty, the standby ECS automatically takes over services from the
active one.
Networking
Virtual IP addresses are used for high availability and can work together with
Keepalived to make active/standby ECS switchover possible. This way if one ECS
goes down for some reason, the other one can take over and services continue
uninterrupted. ECSs can be configured for HA or as load balancing clusters.
● Networking mode 1: HA
If you want to improve service availability and avoid single points of failure,
you can deploy ECSs in the active/standby mode or deploy one active ECS and
multiple standby ECSs. In this arrangement, the ECSs all use the same virtual
IP address. If the active ECS becomes faulty, a standby ECS takes over services
from the active ECS and services continue uninterrupted.

Figure 10-1 Networking diagram of the HA mode
– In this configuration, a single virtual IP address is bound to two ECSs in

the same subnet.
– Keepalived is then used to configure the two ECSs to work in the active/
standby mode. Follow industry standards for configuring Keepalived. The
details are not included here.
● Networking mode 2: HA load balancing cluster
If you want to build a high-availability load balancing cluster, use Keepalived
and configure LVS nodes as direct routers.
Figure 10-2 HA load balancing cluster
– Bind a single virtual IP address to two ECSs.

– Configure the two ECSs as LVS nodes working as direct routers and use
Keepalived to configure the nodes in the active/standby mode. The two
ECSs will evenly forward requests to different backend servers.
– Configure two more ECSs as backend servers.
– Disable the source/destination check for the two backend servers.
– Check whether the source/destination check is disabled on the active and
standby LVS ECSs. For details, see Disabling Source and Destination
Check (HA Load Balancing Cluster Scenario).

If you bind an ECS to a virtual IP address on the management console,

the source/destination check is automatically disabled. If you bind an ECS
to a virtual IP address by calling APIs, you need to manually disable the
source/destination check.
Follow industry standards for configuring Keepalived. The details are not
included here.
Application Scenarios
● Accessing the virtual IP address through an EIP
If your application has high availability requirements and needs to provide
services through the Internet, it is recommended that you bind an EIP to a
virtual IP address.
● Using a VPN, Direct Connect, or VPC peering connection to access a virtual IP
address
To ensure high availability and access to the Internet, use a VPN for security
and Direct Connect for a stable connection. The VPC peering connection is
needed so that the VPCs in the same region can communicate with each
other.

● Virtual IP addresses are not recommended when multiple NICs in the same
subnet are configured on an ECS. It is too easy for there to be route conflicts
on the ECS, which would cause communication failure using the virtual IP
address.
● A virtual IP address can only be bound to ECSs in the same subnet.
● IP forwarding must be disabled on the standby ECS. For details, see Disabling
IP Forwarding on the Standby ECS.
● Each virtual IP address can be bound to only one EIP.
● It is recommended that no more than eight virtual IP addresses be bound to
an ECS.
● A virtual IP address can be bound to up to 10 ECSs.
NOTE
If you bind a virtual IP address to an ECS, the virtual IP address is also associated with
the security groups of the ECS. A virtual IP address can be associated with up to 10
security groups.
● Virtual IP addresses and extension NICs cannot be used to directly access
Huawei Cloud services, such as DNS. You can use VPCEP to access these
services. For details, see Buying a VPC Endpoint.
10.2 Assigning a Virtual IP Address

Scenarios
If an ECS requires a virtual IP address or if a virtual IP address needs to be
reserved, you can assign a virtual IP address from the subnet.

Procedure
5. In the subnet list, click the name of the subnet where a virtual IP address is to
be assigned.
6. Click the IP Addresses tab and click Assign Virtual IP Address.
7. Select a virtual IP address assignment mode.
– Automatic: The system assigns an IP address automatically.
– Manual: You can specify an IP address.
8. Select Manual and enter a virtual IP address.
9. Click OK.
You can then query the assigned virtual IP address in the IP address list.
10.3 Binding a Virtual IP Address to an EIP or ECS

Scenarios
You can bind a virtual IP address to an EIP so that you can access the ECSs bound
with the same virtual IP address from the Internet. These ECSs can work in the
active/standby mode to improve fault tolerance.
Procedure
5. In the subnet list, click the name of the subnet that the virtual IP address
belongs to.
6. Click the IP Addresses tab, locate the row that contains the target virtual IP
address, and click Bind to EIP or Bind to Server in the Operation column.
7. Select the desired EIP, or ECS and its NIC.
NOTE
● If the ECS has multiple NICs, bind the virtual IP address to the primary NIC.
● Multiple virtual IP addresses can be bound to an ECS NIC.
8. Click OK.
9. Manually configure the virtual IP address bound to an ECS.
After a virtual IP address is bound to an ECS NIC, you need to manually
configure the virtual IP address on the ECS.
Linux OS (CentOS 7.2 64bit is used as an example.)

a. Run the following command to obtain the NIC to which the virtual IP
address is to be bound and the connection of the NIC:
nmcli connection
Information similar to the following is displayed:
The command output in this example is described as follows:
▪ eth0 in the DEVICE column indicates the NIC to which the virtual IP
address is to be bound.
▪ Wired connection 1 in the NAME column indicates the connection

of the NIC.
b. Run the following command to add the virtual IP address for the target
connection:
nmcli connection modify "CONNECTION" ipv4.addresses VIP
Configure the parameters as follows:
▪ CONNECTION: connection of the NIC obtained in 9.a.
▪ VIP: virtual IP address to be added.

○ If you add multiple virtual IP addresses at a time, separate them
with commas (,).
○ If a virtual IP address already exists and you need to add a new
one, the command must contain both the new and original
virtual IP addresses.
Example commands:
▪ Adding a single virtual IP address: nmcli connection modify "Wired

connection 1" ipv4.addresses 172.16.0.125
▪ Adding multiple virtual IP addresses: nmcli connection modify

"Wired connection 1" ipv4.addresses 172.16.0.125,172.16.0.126
c. Run the following command to make the configuration take effect:
nmcli connection up "CONNECTION"
In this example, run the following command:
nmcli connection up "Wired connection 1"
Information similar to the following is displayed:
d. Run the following command to check whether the virtual IP address has
been bound:
ip a
Information similar to the following is displayed. In the command output,
the virtual IP address 172.16.0.125 is bound to NIC eth0.

Windows OS (Windows Server is used as an example here.)

a. In Control Panel, click Network and Sharing Center, and click the
corresponding local connection.
b. On the displayed page, click Properties.
c. On the Network tab page, select Internet Protocol Version 4 (TCP/
IPv4).
d. Click Properties.
e. Select Use the following IP address and set IP address to the private IP
address of the ECS, for example, 10.0.0.101.

Figure 10-3 Configuring private IP address
f. Click Advanced.
g. On the IP Settings tab, click Add in the IP addresses area.
Add the virtual IP address. For example, 10.0.0.154.

Figure 10-4 Configuring virtual IP address
h. Click OK.
i. In the Start menu, open the Windows command line window and run the
following command to check whether the virtual IP address has been
configured:
ipconfig /all
In the command output, IPv4 Address is the virtual IP address 10.0.0.154,
indicating that the virtual IP address of the ECS NIC has been correctly
configured.
Helpful Links
● Why Can't the Virtual IP Address Be Pinged After It Is Bound to an ECS
NIC?

● What Are the Differences Between EIP, Private IP Address, and Virtual IP
Address?
● Unbinding a Virtual IP Address from an EIP
10.4 Binding a Virtual IP Address to an EIP

Scenarios
This section describes how to bind a virtual IP address to an EIP.
Prerequisites
● You have configured the ECS networking based on Networking and ensure
that the ECS has been bound with a virtual IP address.
● You have assigned an EIP.
Procedure
4. Locate the row that contains the EIP to be bound to the virtual IP address,
and click Bind in the Operation column.
5. In the Bind EIP dialog box, set Instance Type to Virtual IP address.
6. In the virtual IP address list, select the virtual IP address to be bound and click
OK.
10.5 Using a VPN to Access a Virtual IP Address

Procedure
1. Configure the ECS networking based on Networking.
2. Create a VPN.
The VPN can be used to access the virtual IP address of the ECS.
10.6 Using a Direct Connect Connection to Access the

Virtual IP Address
Procedure
2. Create a Direct Connect connection.
The created Direct Connect connection can be used to access the virtual IP address
of the ECS.

10.7 Using a VPC Peering Connection to Access the

Virtual IP Address
Procedure
2. Create a VPC peering connection.
You can access the virtual IP address of the ECS through the VPC peering
connection.
10.8 Disabling IP Forwarding on the Standby ECS

For a Linux ECS:
1. Log in to standby ECS and run the following command to check whether the
IP forwarding is enabled:
cat /proc/sys/net/ipv4/ip_forward
In the command output, 1 indicates it is enabled, and 0 indicates it is
disabled. The default value is 0.
– If the command output is 1, perform 2 and 3 to disable IP forwarding.
– If the command output is 0, no further action is required.
2. Use the vi editor to open the /etc/sysctl.conf file, change the value of
net.ipv4.ip_forward to 0, and enter :wq to save the change and exit. You can
also use the sed command to modify the configuration. A command example
is as follows:
sed -i '/net.ipv4.ip_forward/s/1/0/g' /etc/sysctl.conf
3. Run the following command to make the change take effect:
sysctl -p /etc/sysctl.conf
For a Windows ECS:
1. Click Start, scroll down and expand the Windows System folder, click
Command Prompt, and run the following command:
ipconfig /all
In the command output, if the value of IP Routing Enabled is No, the IP
forwarding function is disabled.
2. Press Windows and R keys together to open the Run box, and enter regedit
to open the Registry Editor.
3. Set the value of IPEnableRouter under HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\Tcpip\Parameters to 0.
– If the value is set to 0, IP forwarding will be disabled.
– If the value is set to 1, IP forwarding will be enabled.

10.9 Disabling Source and Destination Check (HA Load

Balancing Cluster Scenario)
3. Under Compute, click Elastic Cloud Server.
4. In the ECS list, click the ECS name.
5. On the displayed ECS details page, click the NICs tab.
6. Check that Source/Destination Check is disabled.
10.10 Unbinding a Virtual IP Address from an Instance

Scenarios
This section describes how to unbind a virtual IP address from an instance, such as
an ECS or a Layer 2 connection.
Procedure
5. Click the name of the subnet that the virtual IP address belongs to.
The Summary page is displayed.
6. Click the IP Addresses tab.
The virtual IP address list is displayed.
Figure 10-5 Virtual IP addresses
7. Locate the row that contains the virtual IP address, click More in the
Operation column, and select Unbind from Instance.
The Bound Instance dialog box is displayed.

Figure 10-6 Bound Instance
8. Unbind the virtual IP address from the instance.

a. Select the type of the instance bound to the virtual IP address.
b. Locate the row that contains the instance and click Unbind in the
Operation column.
c. Confirm the information and click Yes.
10.11 Unbinding a Virtual IP Address from an EIP

Scenarios
This section describes how to unbind a virtual IP address from an EIP.
Procedure
The Summary page is displayed.
6. Click the IP Addresses tab.
The virtual IP address list is displayed.
Figure 10-7 Virtual IP addresses
7. Locate the row that contains the virtual IP address, click More in the
Operation column, and select Unbind from EIP.

10.12 Releasing a Virtual IP Address

Scenarios
If you no longer need a virtual IP address or a reserved virtual IP address, you can
release it to avoid wasting resources.

If you want to release a virtual IP address that is being used by a resource, refer to
Table 10-1.
Table 10-1 Releasing a virtual IP address that is being used by a resource

Prompts Cause Analysis and Solution
Figure 10-8: This operation This virtual IP address is being by an EIP, a layer 2
cannot be performed connection, or an ECS. Unbind the virtual IP
because the IP address is address first.
bound to an instance or an ● EIP: Unbinding a Virtual IP Address from an
EIP. Unbind the IP address EIP
and try again.
● ECS or Layer 2 connection: Unbinding a
Virtual IP Address from an Instance
Release the virtual IP address.
Figure 10-9: This operation The virtual IP address is being used by an

cannot be performed instance. Delete the instance, which will also
because the IP address is release the virtual IP address.
being used by a system Search for the instance based on the instance
component. information displayed on the virtual IP address
console and delete the instance.
● RDS DB instance: RDS Documentation
● CCE instance: CCE Documentation
● API gateway: API Gateway Documentation
Figure 10-8 Scenario 1—Virtual IP address cannot be deleted

Figure 10-9 Scenario 2—Virtual IP address cannot be deleted
Procedure
6. Click the IP Addresses tab, locate the row that contains the virtual IP address
to be released, click More in the Operation column, and select Release.
Figure 10-10 Releasing a virtual IP address

User Guide 11 Interconnecting with CTS
11 Interconnecting with CTS
11.1 Supported VPC Operations

With CTS, you can record operations performed on the VPC service for further
query, audit, and backtracking purposes.
Table 11-1 lists the VPC operations that can be recorded by CTS.
Table 11-1 VPC operations that can be recorded by CTS
Operation Resource Type Trace
Modifying a bandwidth Bandwidth modifyBandwidth
Assigning an EIP EIP createEip
Releasing an EIP EIP deleteEip
Binding an EIP EIP bindEip
Unbinding an EIP EIP unbindEip
Assigning a private IP Private IP address createPrivateIp

address
Deleting a private IP Private IP address deletePrivateIp

address
Creating a security security_groups createSecurity-group

group
Updating a security security_groups updateSecurity-group

group
Deleting a security security_groups deleteSecurity-group

group
Creating a security security-group-rules createSecurity-group-rule

group rule

Updating a security security-group-rules updateSecurity-group-rule

group rule
Deleting a security security-group-rules deleteSecurity-group-rule

group rule
Creating a subnet Subnet createSubnet
Deleting a subnet Subnet deleteSubnet
Modifying a subnet Subnet modifySubnet
Creating a VPC VPC createVpc
Deleting a VPC VPC deleteVpc
Modifying a VPC VPC modifyVpc
Creating a VPN VPN createVpn
Deleting a VPN VPN deleteVpn
Modifying a VPN VPN modifyVpn
Creating a router routers createRouter
Updating a router routers updateRouter
Adding an interface to routers addRouterInterface

a router
Deleting an interface routers removeRouterInterface

from a router
Creating a port ports createPort
Updating a port ports updatePort
Deleting a port ports deletePort
Creating a network networks createNetwork
Updating a network networks updateNetwork
Deleting a network networks deleteNetwork
Batch creating or tag batchUpdateTags

deleting subnet tags
Batch creating or tag batchUpdateVpcTags

deleting VPC tags
Creating a route table routetables createRouteTable
Updating a route table routetables updateRouteTable
Deleting a route table routetables deleteRouteTable

Creating a VPC peering vpc-peerings createVpcPeerings

connection
Updating a VPC vpc-peerings updateVpcPeerings

peering connection
Deleting a VPC peering vpc-peerings deleteVpcPeerings

connection
Creating a network ACL firewall-groups createFirewallGroup

group
Updating a network firewall-groups updateFirewallGroup

ACL group
Deleting a network ACL firewall-groups deleteFirewallGroup

group
Creating a network ACL firewall-policies createFirewallPolicy

policy
Updating a network firewall-policies updateFirewallPolicy

ACL policy
Deleting a network ACL firewall-policies deleteFirewallPolicy

policy
Inserting a network firewall-policies insertFirewallPolicyRule

ACL rule
Removing a network firewall-policies removeFirewallPolicyRule

ACL rule
Creating a network ACL firewall-rules createFirewallRule

rule
Updating a network firewall-rules updateFirewallRule

ACL rule
Deleting a network ACL firewall-rules deleteFirewallRule

rule
Creating an IP address address_group createAddress_group

group
Updating an IP address address_group updateAddress_group

group
Forcibly deleting an IP address_group force_deleteAddress_group

address group
Deleting an IP address address_group deleteAddress_group

group
Creating a flow log flowlogs createFlowLog

Updating a flow log flowlogs updateFlowLog
Deleting a flow log flowlogs deleteFlowLog
11.2 Viewing Traces

Scenarios
After CTS is enabled, CTS starts recording operations on cloud resources. The CTS
management console stores the last seven days of operation records.
This section describes how to query or export the last seven days of operation
records on the management console.
Procedure
3. Click Service List. Under Management & Governance, click Cloud Trace
Service.
4. In the navigation pane on the left, choose Trace List.
5. Specify filters as needed. The following filters are available:
– Trace Type: Set it to Management or Data.
– Trace Source, Resource Type, and Search By
Select filters from the drop-down list.
If you select Trace name for Search By, select a trace name.
If you select Resource ID for Search By, select or enter a resource ID.
If you select Resource name for Search By, select or enter a resource
name.
– Operator: Select a specific operator (a user other than an account).
– Trace Status: Select All trace statuses, Normal, Warning, or Incident.
– Search time range: In the upper right corner, choose Last 1 hour, Last 1
day, or Last 1 week, or specify a custom time range.
6. Click arrow on the left of the required trace to expand its details.
7. Locate the required trace and click View Trace in the Operation column.
A dialog box is displayed, showing the trace content.

User Guide 12 Monitoring
12 Monitoring
12.1 Supported Metrics

Description
This section describes the namespace, list, and measurement dimensions of EIP
and bandwidth metrics that you can check on Cloud Eye. You can use APIs or the
Cloud Eye console to query the metrics of the monitored metrics and alarms
generated for EIPs and bandwidths.
Namespace
SYS.VPC
Monitoring Metrics
Table 12-1 EIP and bandwidth metrics

ID Name Description Value Monitored Monitoring
Range Object Interval
(Raw Data)
upstream Outbo Network rate ≥0 Bandwidth or 1 minute

_bandwid und of outbound bit/s EIP
th Band traffic
width (Previously
called
"Upstream
Bandwidth")
Unit: bit/s

ID Name Description Value Monitored Monitoring

Range Object Interval
(Raw Data)
downstre Inbou Network rate ≥0 Bandwidth or 1 minute

am_band nd of inbound bit/s EIP
width Band traffic
width (Previously
called
"Downstream
Bandwidth")
Unit: bit/s
upstream Outbo Usage of 0% to Bandwidth or 1 minute

_bandwid und outbound 100% EIP
th_usage Band bandwidth in
width the unit of
Usage percent.
up_strea Outbo Network traffic ≥0 Bandwidth or 1 minute

m und going out of bytes EIP
Traffic the cloud
platform in a
minute
(Previously
called
"Upstream
Traffic")
Unit: byte
down_str Inbou Network traffic ≥0 Bandwidth or 1 minute

eam nd going into the bytes EIP
Traffic cloud platform
in a minute
(Previously
called
"Downstream
Traffic")
Unit: byte
Dimensions
Key Value
publicip_id EIP ID
bandwidth_id Bandwidth ID
If a monitored object has multiple dimensions, all dimensions are mandatory

when you use APIs to query the metrics.

● Query a monitoring metric:

dim.0=bandwidth_id,530cd6b0-86d7-4818-837f-935f6a27414d&dim.
1=publicip_id,3773b058-5b4f-4366-9035-9bbd9964714a
● Query monitoring metrics in batches:
"dimensions": [
{
"name": "bandwidth_id",
"value": "530cd6b0-86d7-4818-837f-935f6a27414d"
}
{
"name": "publicip_id",
"value": "3773b058-5b4f-4366-9035-9bbd9964714a"
}
],
12.2 Viewing Metrics

Scenarios
View related metrics to see bandwidth and EIP usage information.
You can view the inbound bandwidth, outbound bandwidth, inbound bandwidth
usage, outbound bandwidth usage, inbound traffic, and outbound traffic in a
specified period.
Procedure
3. Hover on the upper left corner to display Service List and choose
Management & Deployment > Cloud Eye.
4. Click Cloud Service Monitoring on the left of the page, and choose Elastic IP
and Bandwidth.
5. Locate the row that contains the target bandwidth or EIP and click View
Metric in the Operation column to check the bandwidth or EIP monitoring
information.
12.3 Creating an Alarm Rule

Scenarios
You can configure alarm rules to customize the monitored objects and notification
policies. You can learn your resource statuses at any time.

Procedure
3. Hover on the upper left corner to display Service List and choose
Management & Deployment > Cloud Eye.
4. In the left navigation pane on the left, choose Alarm Management > Alarm
Rules.
5. On the Alarm Rules page, click Create Alarm Rule and set required
parameters, or modify an existing alarm rule.
6. After the parameters are set, click Create.
After the alarm rule is created, the system automatically notifies you if an
alarm is triggered for the VPC service.
NOTE
For more information about alarm rules, see the Cloud Eye User Guide.

User Guide 13 Permissions Management
13 Permissions Management
13.1 Creating a User and Granting VPC Permissions

This section describes how to use IAM to implement fine-grained permissions
control for your VPC resources. With IAM, you can:
● Create IAM users for employees based on your enterprise's organizational
structure. Each IAM user will have their own security credentials for accessing
VPC resources.
● Grant only the permissions required for users to perform a specific task.
● Entrust a Huawei Cloud account or cloud service to perform efficient O&M on
your VPC resources.
If your Huawei Cloud account does not require individual IAM users, skip this
section.
This section describes the procedure for granting permissions (see Figure 13-1).
Prerequisites
Learn about the permissions (Permissions Management) supported by VPC and
choose policies or roles according to your requirements.
For permissions of other services, see System Permissions.

Process Flow
Figure 13-1 Process for granting VPC permissions
1. Create a user group and assign permissions to it.

Create a user group on the IAM console, and assign the VPC ReadOnlyAccess
policy to the group.
2. Create an IAM user and add it to the user group.
Create a user on the IAM console and add the user to the group created in 1.
3. Log in and verify permissions.
Log in to the VPC console by using the user created in 2, and verify that the
user only has read permissions for VPC.
– Choose Service List > Virtual Private Cloud. Then click Create VPC on
the VPC console. If a message appears indicating that you have
insufficient permissions to perform the operation, the VPC
ReadOnlyAccess policy has already taken effect.
– Choose any other service in Service List. If a message appears indicating
that you have insufficient permissions to access the service, the VPC
ReadOnlyAccess policy has already taken effect.
13.2 VPC Custom Policies

Custom policies can be created to supplement the system-defined policies of VPC.
For the actions supported for custom policies, see Permissions Policies and
Supported Actions.
You can create custom policies in either of the following ways:
● Visual editor: Select cloud services, actions, resources, and request conditions.
This does not require knowledge of policy syntax.

● JSON: Edit JSON policies from scratch or based on an existing policy.
For operation details, see Creating a Custom Policy. The following section
contains examples of common VPC custom policies.
Example Custom Policies

● Example 1: Allowing users to create and view VPCs
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"
vpc:vpcs:create
vpc:svpcs:list
"
]
}
]
}
● Example 2: Denying VPC deletion

A deny policy must be used in conjunction with other policies to take effect. If
the permissions assigned to a user contain both Allow and Deny actions, the
Deny actions take precedence over the Allow actions.
The following method can be used if you need to assign permissions of the
VPC FullAccess policy to a user but also forbid the user from deleting VPCs.
Create a custom policy for denying VPC deletion, and assign both policies to
the group the user belongs to. Then the user can perform all operations on
VPC except deleting VPCs. The following is an example deny policy:
{
"Version": "1.1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"vpc:vpcs:delete"
]
}
]
}
● Example 3: Defining permissions for multiple services in a policy

A custom policy can contain the actions of multiple services that are of the
global or project-level type. The following is an example policy containing
actions of multiple services:
{
"Version": "1.1",
"Statement": [
{
"Action": [
"vpc:vpcs:create",
"vpc:vpcs:update"
],
"Effect": "Allow"
},
{
"Action": [
"ecs:servers:delete"
],
"Effect": "Allow"

}
]
}

User Guide A Change History
A Change History
Release Date What's New
2023-02-25 This issue is the forty-first official release, which incorporates

the following changes:
● Added VPC Peering Connection Usage Examples.
● Added Obtaining the Peer Project ID of a VPC Peering
Connection.
● Added Modifying Routes Configured for a VPC Peering
Connection.
2022-12-23 This issue is the fortieth official release, which incorporates

● Added Viewing and Deleting Resources in a Subnet.
● Added Viewing IP Addresses in a Subnet.
● Modified Deleting a VPC and Deleting a Subnet.
2022-11-15 This issue is the thirty-ninth official release, which

incorporates the following changes:
● Added the link to the price calculator in Shared Data
Package Overview.
● Added Unbinding a Virtual IP Address from an
Instance and Unbinding a Virtual IP Address from an
EIP.
● Added notes and constraints in Releasing a Virtual IP
Address.
● Added description that security groups are free of charge
in Deleting a Security Group.
2022-11-01 This issue is the thirty-eighth official release, which

incorporates the following change:
● Changed the number of instances that can be associated
with a security group in Security Group Overview.

2022-07-26 This issue is the thirty-seventh official release, which

Added descriptions that EIPs cannot be used across regions
in the following section:
EIP Overview
2022-07-14 This issue is the thirty-sixth official release, which

● Optimized description about premium BGP in Assigning
an EIP and Binding It to an ECS.
● Put VPC flow logs into commercial use.
2022-06-15 This issue is the thirty-fifth official release, which

Deleted the content about L2CGs. For the latest document
about L2CGs, see Enterprise Switch User Guide.
2022-05-15 This issue is the thirty-fourth official release, which

● Added description about different types of routes that
can be added to default and custom route tables in
Route Table Overview.
● Added notes and constraints about whether different
types of routes can be replicated in Replicating a Route.
2021-12-30 This issue is the thirty-third official release, which

● Added application scenarios of IPv6 networks in IPv4 and
IPv6 Dual-Stack Network.
● Added Viewing a VPC Topology.
2021-10-30 This issue is the thirty-second official release, which

Added section "Permissions Management".
2021-05-20 This issue is the thirty-first official release, which

Added FAQ "Why Am I Stilled Be Billed After All VPCs Are
Deleted?"
2021-03-24 This issue is the thirtieth official release, which incorporates

● Added "Network Service Overview" in section "Service
Overview".
● Added FAQ "Why Cannot I Access Websites Using IPv6
Addresses After IPv4/IPv6 Dual Stack Is Configured?"

2021-03-01 This issue is the twenty-ninth official release, which

Added sections "Adding a Secondary CIDR Block to a VPC"
and "Removing a Secondary CIDR Block from a VPC".
2020-12-17 This issue is the twenty-eighth official release, which

● Added restrictions in section "Notes and Constraints".
● Added a figure to illustrate the VPC peering connection.
2020-11-03 This issue is the twenty-seventh official release, which

● Adjusted sections under VPC and Subnet.
● Added "Denying Access from a Specific IP Address" to
section "Network ACL".
● Deleted FAQ "Will the EIP Bound to an ECS Be Changed
After the ECS Is Stopped and Then Started?"
2020-10-23 This issue is the twenty-sixth official release, which

Optimized sections under "Security Group".
2020-09-18 This issue is the twenty-fifth official release, which

● Modified the steps in section "Changing the Security
Group of an ECS".
● Added the L2CG function.
2020-09-07 This issue is the twenty-fourth official release, which

● Added FAQ "What Should I Do If My Security Group Rules
Do Not Take Effect?"
● Deleted FAQ "How Do I Handle the VPC Peering
Connection Failure?"
● Modified FAQ "Why Did Communication Fail Between
VPCs That Were Connected by a VPC Peering
Connection?"
● Modified FAQ "Why Can't the Virtual IP Address Be
Pinged After It Is Bound to an ECS NIC?"
2019-07-23 This issue is the twenty-third official release, which

Added parameter IP address group to security group
sections and added section "IP Address Group".

2020-06-09 This issue is the twenty-second official release, which

● Added FAQ "Why Can't I Ping an ECS with Two NICs
Configured?"
● Added IPv4/IPv6 dual stack function.
2020-05-20 This issue is the twenty-first official release, which

● Added FAQ "Why Does My Server Can Be Accessed from
the Internet But Cannot Access the Internet?"
● Added section "Cloning a Security Group".
● Modified FAQ "How Can I Delete a Subnet That Is Being
Used by Other Resources?"
2020-04-15 This issue is the twentieth official release, which

● Added FAQ "Can an EIP Be Bound to a Cloud Resource in
Another Region?"
● Added FAQ "How Do I Query the Region of My EIPs?"
● Added FAQ "Can I Transfer an EIP to Another Account?"
● Added FAQ "Can I Assign a Specific EIP?"
● Added FAQ "Will an EIP Be Changed After I Assign It?"
● Added FAQ "How Do I Change an EIP for an Instance?"
● Added FAQ "How Do I Switch to a Private DNS Server?"
2020-03-30 This issue is the nineteenth official release, which

● Added basic information to sections "Security Group
Overview" and "Network ACL Overview".
● Added FAQ "Does a Security Group Rule or a Network
ACL Rule Immediately Take Effect for Its Original Traffic
After It Is Modified?"
● Added section "Billing".
● Added category "Billing and Payments" to FAQs.
2020-03-20 This issue is the eighteenth official release, which

Deleted FAQ "Which Security Group Rule Has Priority When
Multiple Security Group Rules Conflict?"
2020-02-18 This issue is the seventeenth official release, which

● Added FAQ "How Is an EIP Charged?"
● Optimized FAQ "Can I Bind One EIP to Multiple ECSs?"

2019-12-23 This issue is the sixteenth official release, which incorporates

Updated the document based on the navigation path and
function changes of Subnets and Route Tables.
2019-12-03 This issue is the fifteenth official release, which incorporates

the following change:
Optimized description and figures in section "Service
Overview".
2019-11-20 This issue is the fourteenth official release, which

● Added FAQ "What Is the EIP Assignment Policy?"
● Added FAQ "What Are the Differences Between Static
BGP and Dynamic BGP?"
2019-10-15 This issue is the thirteenth official release, which

● Added section "VPC Flow Log (OBT)".
● Updated the screenshots of adding security group rules.
● Added FAQ "Why Is Access from a Specific IP Address Still
Allowed After a Network ACL Rule That Denies the
Access from the IP Address Has Been Added?"
2019-10-09 This issue is the twelfth official release, which incorporates

● Added FAQ "Can I Bind an EIP to an ECS, to Another
ECS?"
● Added FAQ "Will the EIP Bound to an ECS Be Changed
After the ECS Is Stopped and Then Started?"
2019-09-26 This issue is the eleventh official release, which incorporates

● Optimized the sections in "VPC Peering Connection".
● Added section "Common Ports Used by ECSs".
● Added FAQ "Why Are Some Ports Inaccessible?"
2019-09-12 This issue is the tenth official release, which incorporates the
following changes:
● Deleted section "Deleting a VPN".
● Added FAQ "What Is the Relationship Between
Bandwidth and Upload or Download Rate?"
● Added content to FAQ "What Are the Restrictions on
Deleting a Security Group?"

2019-08-15 This issue is the ninth official release, which incorporates the
following changes:
● Added the example of allowing external access to a
specified port in the section "Security Group
Configuration Examples".
● Added billing information in section "Modifying EIP
Bandwidth".
● Added FAQ "How Do I Change the Billing Mode?"
● Added FAQ "How Do I Change the Bandwidth Billing
Option from Bandwidth to Traffic or from Traffic to
Bandwidth?"
● Added FAQ "Can I Increase My Yearly/Monthly Bandwidth
Size and Then Decrease It?"
2019-02-28 This issue is the eighth official release, which incorporates

the following change:
● Added section Shared Data Package.
2018-12-30 This issue is the seventh official release, which incorporates

● Modified the description about how to switch to the
security group, network ACL, EIP, and shared bandwidth
pages based on the changes made on the management
console.
● Added section "Network ACL Overview".
● Added section "Network ACL Configuration Examples".
2018-11-30 This issue is the sixth official release, which incorporates the
following changes:
● Updated the document based on changes made to the
network ACL GUI.
– Added description about how to delete multiple
network ACL rules at a time and how to disassociate
multiple subnets from a network ACL at a time.
– Changed parameter Any to All.
● Modified FAQ "Why Does My ECS Fail to Obtain an IP
Address?"
2018-09-30 This issue is the fifth official release, which incorporates the
following changes:
● Added description about how to create multiple subnets
at a time to section "Creating a VPC".
● Added description about how to add multiple network
ACL rules at a time and parameter Description to section
"Adding a Network ACL Rule".

2018-08-15 This issue is the fourth official release, which incorporates

● Added sections under "Shared Bandwidth".
● Optimized sections under "Service Overview."
● Optimized sections under "Security Group".
2018-05-30 This issue is the third official release, which incorporates the
following changes:
● Added section "Monitoring".
● Optimized the words on button labels to ensure
consistency.
2018-04-28 This issue is the second official release, which incorporates

● Added section Exporting VPC Information.
● Modified EIP description.
2017-12-31 This issue is the first official release.

VPC Usermanual

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

VPC Usermanual

Uploaded by

Copyright:

Available Formats

Virtual Private Cloud

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. i

1 VPC and Subnet....................................................................................................................... 1

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. ii

2.2.10 Importing and Exporting Security Group Rules.................................................................................................... 61

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. iii

5.4 Removing EIPs from a Shared Bandwidth................................................................................................................. 112

6 Shared Data Package......................................................................................................... 116

7 Route Tables......................................................................................................................... 119

8 VPC Peering Connection.................................................................................................... 137

9 VPC Flow Log....................................................................................................................... 173

10 Virtual IP Address............................................................................................................. 180

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. iv

10.2 Assigning a Virtual IP Address..................................................................................................................................... 182

11 Interconnecting with CTS............................................................................................... 194

A Change History.................................................................................................................... 206

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. v

1 VPC and Subnet

1.1 Network Planning

How Do I Determine How Many VPCs I Need?

Figure 1-1 VPC peering connection

Default VPC Quota

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. 1

How Do I Plan Subnets?

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. 2

How Do I Plan Routing Policies?

How Do I Connect to an On-Premises Data Center?

Figure 1-2 Connections to on-premises data centers

When planning CIDR blocks for VPC 1, VPC 2, and VPC 3.

How Do I Access the Internet?

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. 3

For more information about EIP, see EIP Overview.

For more information, see NAT Gateway User Guide.

In high-concurrency scenarios, such as e-commerce, you can use load balancers

For more information, see Elastic Load Balance User Guide.

1.2.1 Creating a VPC

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. 4

Figure 1-3 Creating a VPC and subnet

Table 1-1 VPC parameter descriptions

Parameter Description Example Value

Region Regions are geographic areas CN-Hong Kong

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. 5

Parameter Description Example Value

Name The VPC name. VPC-test

CIDR Block The CIDR block of the VPC. 192.168.0.0/16

Enterprise The enterprise project to default

Tag The VPC tag, which consists of ● Key: vpc_key1

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. 6

Parameter Description Example Value

Description Supplementary information N/A

Table 1-2 Subnet parameter descriptions

Name The subnet name. subnet-01

CIDR Block The CIDR block for the subnet. 192.168.0.0/24

IPv4 CIDR The CIDR block for the subnet. 192.168.0.0/24

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. 7

Parameter Description Example Value

IPv6 CIDR Specifies whether to set IPv6 -

Associated The default route table to Default

Advanced Click the drop-down arrow to Default

Gateway The gateway address of the 192.168.0.1

Issue 41 (2023-02-25) Copyright © Huawei Technologies Co., Ltd. 8