2025-01-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
As the most basic service of cloud computing, the VPC (Virtual Private Cloud) plays an important role in how cloud computing is used. Let's compare in detail the VPC services provided by OTC and AWS.
Types of services provided

OTC:
  Virtual Private Cloud
  Route Table
  Subnet
  Security Group
  Elastic IP Address
  VPC Peering
  VPN

AWS:
  Virtual Private Cloud
    Your VPCs
    Subnets
    Route Tables
    Internet Gateways
    Egress Only Internet Gateways
    DHCP Options Sets
    Elastic IPs
    Endpoints
    NAT Gateways
    Peering Connections
  Security
    Network ACLs
    Security Groups
  VPN Connections
    Customer Gateways
    Virtual Private Gateways
    VPN Connections
In terms of quantity, AWS provides more types of services. Let's compare each service in detail.
1. VPC
OTC and AWS VPC services are basically the same. The recommended private IPv4 address ranges (CIDR blocks) are:
  10.0.0.0, prefix length /8 to /24
  172.16.0.0, prefix length /12 to /24
  192.168.0.0, prefix length /16 to /24
However, AWS supports IPv6; OTC does not yet.
2. Subnet
OTC and AWS subnet services are basically the same, but OTC lets you customize the gateway address, whereas AWS uses a default gateway address.
In AWS, the first four IP addresses and the last IP address in each subnet CIDR block are not available to you and cannot be assigned to an instance. For example, the following five IP addresses are reserved in a subnet with the CIDR block 10.0.0.0/24:
10.0.0.0: network address.
10.0.0.1: reserved by AWS for the VPC router.
10.0.0.2: reserved by AWS. The IP address of the DNS server is always the base address of the VPC network range plus 2; however, AWS also reserves the base address plus 2 of each subnet range. For more information, see Amazon DNS Server.
10.0.0.3: reserved by AWS for future use.
10.0.0.255: broadcast address. Broadcasting is not supported in a VPC, so this address is reserved.
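As an added example (not code from the article), the following Python snippet computes the five reserved addresses for any AWS IPv4 subnet, the number of assignable addresses, and whether a candidate address can be given to an instance. The /16 to /28 size check is AWS's documented subnet limit; the sample CIDR blocks are constructed for illustration.

```python
import ipaddress

# Added example, not from the article: compute the five addresses AWS reserves in
# an IPv4 subnet and check whether a given address can be assigned to an instance.

def aws_reserved_addresses(subnet_cidr):
    """Return the five reserved addresses of an AWS subnet, keyed by their role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.version != 4:
        raise ValueError("this helper models IPv4 subnets only")
    # AWS allows subnet blocks from /16 down to /28 (documented AWS limit).
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS subnet CIDR blocks must be between /16 and /28")
    base = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(base)),         # network address
        "vpc_router": str(ipaddress.ip_address(base + 1)),  # reserved for the VPC router
        "dns": str(ipaddress.ip_address(base + 2)),         # base + 2 reserved for DNS
        "future_use": str(ipaddress.ip_address(base + 3)),  # reserved by AWS for future use
        "broadcast": str(net.broadcast_address),            # broadcast unsupported but reserved
    }

def usable_address_count(subnet_cidr):
    """Number of addresses that can actually be assigned to instances."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5

def usable_range(subnet_cidr):
    """First and last assignable address, as strings."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return (str(ipaddress.ip_address(base + 4)), str(net.broadcast_address - 1))

def is_assignable(subnet_cidr, ip):
    """True if ip lies inside the subnet and is not one of the reserved addresses."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    return addr in net and str(addr) not in aws_reserved_addresses(subnet_cidr).values()

if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.1.0/28"):   # constructed sample subnets
        print(cidr, aws_reserved_addresses(cidr), usable_address_count(cidr), usable_range(cidr))
```

The subtraction of 5 rather than the usual 2 is the practical consequence of the reserved list above: a /28, the smallest AWS subnet, leaves only 11 assignable addresses.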
3. Route table
OTC's route table is an attribute of the VPC, which is completely different from the route table service provided by AWS.
The main function of the OTC route table is this: when ECSs in a VPC need to access the Internet, you add a route that lets them reach the Internet through an ECS that has an EIP bound.
The route table and SNAT must be used together so that ECS hosts without an elastic IP can connect to the Internet.
To use the route table function of the VPC service, you deploy SNAT on one ECS so that the other ECSs in the VPC that have no EIP bound can access the Internet through it.
An AWS route table defines the routing rules for a subnet.
Example:

Destination     | Target
----------------|----------------
10.0.0.0/16     | local
172.31.0.0/16   | pcx-1a2b1a2b
0.0.0.0/0       | igw-11aa22bb
An AWS route table can define routes to a variety of gateways and connections, including:
Routes to an Internet gateway
Routes to a NAT device
Routes to a virtual private gateway
Routes to a VPC peering connection
Routes to VPC endpoints
The OTC route table corresponds to the AWS route to a NAT device. This may simply be because OTC does not provide the other kinds of gateways.
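As an added example (not from the article), the following Python code performs the longest-prefix lookup that a route table like the one above implies, and classifies each target by the kind of gateway it names. The route table reuses the article's three example entries; `nat-example` and the destination addresses are constructed values, and the ID prefixes (`igw-`, `nat-`, `vgw-`, `pcx-`, `vpce-`) are the real AWS resource-ID prefixes for the target types listed above.

```python
import ipaddress

# Added example, not from the article: longest-prefix route selection over an AWS-style
# route table, plus a classification of the target by gateway kind.

# Constructed route table reproducing the article's example entries (destination, target).
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("172.31.0.0/16", "pcx-1a2b1a2b"),
    ("0.0.0.0/0", "igw-11aa22bb"),
]

# Real AWS resource-ID prefixes for the target kinds the article lists.
TARGET_KINDS = {
    "local": "VPC local route",
    "igw-": "Internet gateway",
    "nat-": "NAT gateway",
    "vgw-": "virtual private gateway",
    "pcx-": "VPC peering connection",
    "vpce-": "VPC endpoint",
}

def target_kind(target):
    """Map a route target to the kind of gateway or connection it names."""
    for prefix, kind in TARGET_KINDS.items():
        if target.startswith(prefix):
            return kind
    return "unknown"

def select_route(route_table, dst_ip):
    """Pick the most specific (longest-prefix) matching route; None means no route (dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=True)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def trace(route_table, dst_ip):
    """(destination, chosen target, kind) for one packet."""
    target = select_route(route_table, dst_ip)
    return (dst_ip, target, target_kind(target) if target else "no route (dropped)")

if __name__ == "__main__":
    for ip in ("10.0.3.4", "172.31.9.9", "203.0.113.5"):   # constructed destinations
        print(trace(ROUTE_TABLE, ip))
    # Without the default route, Internet-bound traffic has nowhere to go.
    print(trace(ROUTE_TABLE[:2], "203.0.113.5"))
    # A more specific route (constructed nat-example target) wins over the /16.
    print(trace(ROUTE_TABLE + [("172.31.5.0/24", "nat-example")], "172.31.5.7"))
```

The last case in the `__main__` block shows why a stray specific route is worth auditing: it silently redirects part of a peered range to another gateway.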
4. Security Group
OTC and AWS security groups have basically the same functions. The security group acts as a virtual firewall for the instance to control inbound and outbound traffic.
5. Elastic IP
OTC and AWS elastic IPs are basically the same. An elastic IP provided by OTC can have its bandwidth limited; AWS has no bandwidth limit. OTC allows 50 elastic IPs per account, AWS only 5. This may be because OTC has no Internet gateway service, so an ECS needs an EIP or SNAT to connect to the Internet.
6. VPC peering
OTC and AWS are basically the same.
To create VPC peering connections with other VPCs, you need to understand the following restrictions and rules:
You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 or IPv6 CIDR blocks. Amazon always assigns a unique IPv6 CIDR block to your VPC. If your IPv6 CIDR block is unique but the IPv4 block is not, you cannot create a peering connection.
You cannot create a VPC peering connection between VPCs located in different regions.
VPC peering does not support transitive peering: in a VPC peering connection, your VPC does not have access to any other VPC that the peer VPC may be peered with. This includes VPC peering connections established entirely within your own AWS account.
You cannot have more than one VPC peering connection between the same two VPCs at the same time.
7. VPN
OTC and AWS are the same in function: both provide IPsec VPN.
AWS
A VPN connection consists of the following parts.
Virtual private gateway
The virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection.
For the number of virtual private gateways you can set up per region, and other VPC component limits, see Amazon VPC limits.
Customer gateway
A customer gateway is a physical device or software application on your side of the VPN connection. When you create a VPN connection, the VPN tunnel comes up when traffic is generated from your side of the connection. The virtual private gateway is not the initiator; your customer gateway must initiate the tunnel. If the connection is idle for a period of time (usually 10 seconds, depending on the configuration), the tunnel goes down. To prevent this, you can use a network monitoring tool such as IP SLA to generate keep-alive pings.
AWS supports both hardware and software implementations.

VPN connection option / Description
AWS hardware VPN
  You can create an IPsec hardware VPN connection between your VPC and the remote network. On the AWS side of the VPN connection, the virtual private gateway provides two VPN endpoints for automatic failover. You configure your customer gateway, which is the physical device or software application on the remote side. For more information, see Adding a Hardware Virtual Private Gateway to Your VPC and the Amazon VPC Network Administrator Guide.
AWS Direct Connect
  AWS Direct Connect provides a dedicated private connection from a remote network to your VPC. You can combine this connection with an AWS hardware VPN connection to create an IPsec-encrypted connection. For more information, see What is AWS Direct Connect? in the AWS Direct Connect User Guide.
AWS VPN CloudHub
  If you have multiple remote networks (for example, multiple branch offices), you can create multiple AWS hardware VPN connections via your VPC to enable communication between those networks. For more information, see Providing Secure Communication Between Sites Using VPN CloudHub.
Software VPN
  You can create a VPN connection to a remote network by using an Amazon EC2 instance in your VPC that runs a software VPN appliance. AWS does not provide or maintain software VPN appliances; however, you can choose from a range of products provided by partners and the open source community. Look for software VPN appliances on AWS Marketplace.
For the devices supported by AWS, please refer to
https://aws.amazon.com/vpc/faqs/#C9
OTC has only one option.
Devices supported by OTC on the customer side
Because the tunnel is symmetric, the VPN parameters configured in the cloud must be the same as those configured in your own data center. If they differ, the VPN connection cannot be established.
To set up a VPN connection, you also need to configure the IPsec VPN on the router or firewall in your own data center. The configuration method varies with the network device in use. For details, see the configuration guide of the network device.
Which Remote VPN Devices Are Supported?
Table 4-1 lists the Huawei VPN devices supported at the remote end.
Table 4-1 Huawei VPN devices
Supported peer device / Description
Huawei USG6000 series: USG6320/6310/6510-SJJ, USG6306/6308/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570:2048, USG6620/6630/6650/6660/6670/6680
Huawei USG9000 series: USG9520/USG9560/USG9580
Other devices that meet the requirements of the reference protocols described in the section VPN Reference Standards and Protocols can also be deployed. However, some devices may fail to establish the VPN because their protocol implementations differ. If the connection setup fails, rectify the fault by following the instructions in section 4.6 How Can I Handle the VPN Connection Setup Failure?, or contact customer service.
Let's now look at the VPC services that are available in AWS but not in OTC.
8. Network ACL
A network access control list (ACL) is an optional security layer of the VPC that acts as a firewall controlling traffic in and out of one or more subnets. You can set up a network ACL with rules similar to those of your security groups to add an additional layer of security to your VPC.
Comparison between security groups and network ACLs
The following outlines the basic differences between security groups and network ACLs.

Level
  Security group: Operates at the instance level (first layer of defense).
  Network ACL: Operates at the subnet level (second layer of defense).
Rule types
  Security group: Supports allow rules only.
  Network ACL: Supports allow rules and deny rules.
State
  Security group: Stateful; return traffic is automatically allowed, regardless of any rules.
  Network ACL: Stateless; return traffic must be explicitly allowed by rules.
Evaluation
  Security group: All rules are evaluated before deciding whether to allow traffic.
  Network ACL: Rules are processed in number order when deciding whether to allow traffic.
Application
  Security group: Applies to an instance only if the security group is specified when the instance is launched, or is associated with the instance later.
  Network ACL: Automatically applies to all instances in the associated subnets (a backup layer of defense, so you do not have to rely on someone else to assign security groups correctly).
The following figure shows the security layer provided by the security group and the network ACL. For example, the data flow from the Internet gateway is routed to the appropriate subnet through the path in the routing table. The network ACL rules associated with the subnet control the data flow that is allowed to enter the subnet. The security group rules associated with the instance control the data flow that is allowed to enter the instance.
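As an added example (not from the article), the following Python simulation makes the differences in the comparison above concrete: a stateful, allow-only security group that evaluates every rule, beside a stateless network ACL that processes numbered allow/deny rules in order with an implicit final deny. The rule tuples, the instance address 10.0.0.6, the client addresses and the HTTPS session are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the article: a small simulation of the two filtering layers.
# Rule formats and the sample traffic are constructed for illustration.

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def reverse(pkt):
    """The reply packet of a flow: addresses and ports swapped."""
    return Packet(pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

def _match(rule_proto, port_from, port_to, cidr, pkt, remote_ip):
    """A rule matches on protocol ("-1" = all), destination port range and remote CIDR."""
    return (rule_proto in ("-1", pkt.proto)
            and port_from <= pkt.dst_port <= port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))

class SecurityGroup:
    """Instance level, allow rules only, stateful: all rules are evaluated, any match allows."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound   # (proto, port_from, port_to, cidr)
        self.tracked = set()                              # flows already allowed

    def allows(self, pkt, direction):
        if reverse(pkt) in self.tracked:   # reply to an allowed flow: no rule needed
            return True
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src_ip if direction == "in" else pkt.dst_ip
        if any(_match(*rule, pkt, remote) for rule in rules):
            self.tracked.add(pkt)
            return True
        return False

class NetworkAcl:
    """Subnet level, allow and deny rules, stateless: lowest rule number that matches decides."""
    def __init__(self, inbound, outbound):
        # (number, action, proto, port_from, port_to, cidr); an implicit "*" deny comes last
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src_ip if direction == "in" else pkt.dst_ip
        for _number, action, proto, port_from, port_to, cidr in rules:
            if _match(proto, port_from, port_to, cidr, pkt, remote):
                return action == "allow"
        return False   # the implicit "*" deny rule

def https_session(acl, client_ip="203.0.113.10"):
    """Client opens HTTPS to instance 10.0.0.6; returns per-layer (request_ok, reply_ok)."""
    sg = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    request = Packet("tcp", client_ip, 40000, "10.0.0.6", 443)
    reply = reverse(request)
    # Inbound crosses the subnet NACL first, then the instance SG; the reply goes the other way.
    acl_in, sg_in = acl.allows(request, "in"), sg.allows(request, "in")
    sg_out, acl_out = sg.allows(reply, "out"), acl.allows(reply, "out")
    return {"nacl": (acl_in, acl_out), "sg": (sg_in, sg_out)}

# NACL that allows 443 in but forgets the ephemeral return ports: replies are dropped.
ACL_NO_EPHEMERAL = NetworkAcl(
    inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
    outbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")])

# Corrected NACL: explicit outbound ephemeral range, plus a deny rule a SG cannot express.
ACL_FIXED = NetworkAcl(
    inbound=[(50, "deny", "tcp", 0, 65535, "198.51.100.0/24"),
             (100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
    outbound=[(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")])

if __name__ == "__main__":
    print(https_session(ACL_NO_EPHEMERAL))                       # NACL drops the reply
    print(https_session(ACL_FIXED))                              # both layers pass
    print(https_session(ACL_FIXED, client_ip="198.51.100.7"))    # rule 50 denies at the NACL
```

The first run is the classic stateless mistake: the request is allowed at the subnet edge but the server's reply, sourced from port 443 to an ephemeral client port, matches no outbound rule and hits the implicit deny. The third run shows the one thing a security group cannot do: the SG still admits the blocked client, and only the numbered deny rule in the NACL stops it.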
9. Internet Gateway
An Internet gateway is a horizontally scaled, redundant and highly available VPC component that enables communication between instances in the VPC and the Internet. It therefore imposes no availability risk or bandwidth constraint on network traffic.
An Internet gateway serves two purposes: it provides a target in the VPC route tables for Internet-routable traffic, and it performs network address translation (NAT) for instances that have been assigned public IPv4 addresses.
Internet gateways support IPv4 and IPv6 traffic.
10. NAT Gateway
You can use Network Address Translation (NAT) gateways to allow instances in a private subnet to connect to the Internet or other AWS services while preventing the Internet from initiating connections to those instances.
AWS can also implement this function with a NAT instance, which corresponds to OTC's SNAT.
The differences between NAT gateways and NAT instances are as follows:

Availability
  NAT gateway: Highly available. NAT gateways in each Availability Zone are implemented with redundancy. Create a NAT gateway in each Availability Zone to ensure that the architecture does not depend on a single zone.
  NAT instance: Use a script to manage failover between instances.
Bandwidth
  NAT gateway: Supports bursts of up to 10 Gbps.
  NAT instance: Depends on the bandwidth of the instance type.
Maintenance
  NAT gateway: Managed by AWS. You do not need to perform any maintenance.
  NAT instance: Managed by you; for example, you need to install software updates and operating system patches on the instance.
Performance
  NAT gateway: Software optimized for handling NAT traffic.
  NAT instance: A generic Amazon Linux AMI configured to perform NAT.
Cost
  NAT gateway: Depends on the number of NAT gateways you use, the duration of use, and the amount of data sent through them.
  NAT instance: Depends on the number of NAT instances you use, the duration of use, and the instance type and size.
Type and size
  NAT gateway: Uniform offering; you do not need to select a type or size.
  NAT instance: Select a suitable instance type and size based on your predicted workload.
Public IP address
  NAT gateway: Choose the elastic IP address to associate with the NAT gateway at creation time.
  NAT instance: Use an elastic IP address or a public IP address. You can change the public IP address at any time by associating a new elastic IP address with the instance.
Private IP address
  NAT gateway: Automatically selected from the subnet's IP address range when you create the gateway.
  NAT instance: Assign a specific private IP address from the subnet's IP address range when you launch the instance.
Security groups
  NAT gateway: Cannot be associated with a NAT gateway. Associate security groups with the resources behind the NAT gateway to control inbound and outbound traffic.
  NAT instance: Associate with your NAT instance and with the resources behind it to control inbound and outbound traffic.
Network ACL
  NAT gateway: Use a network ACL to control traffic to and from the subnet in which your NAT gateway resides.
  NAT instance: Use a network ACL to control traffic to and from the subnet in which your NAT instance resides.
Flow logs
  NAT gateway: Use flow logs to capture traffic.
  NAT instance: Use flow logs to capture traffic.
Port forwarding
  NAT gateway: Not supported.
  NAT instance: Manually customize the configuration to support port forwarding.
Bastion server
  NAT gateway: Not supported.
  NAT instance: Can be used as a bastion server.
Traffic metrics
  NAT gateway: Not supported.
  NAT instance: View CloudWatch metrics.
Timeout behavior
  NAT gateway: When a connection times out, the NAT gateway returns an RST packet to any resource behind it that attempts to continue the connection (it does not send a FIN packet).
  NAT instance: When a connection times out, the NAT instance sends a FIN packet to the resource behind it to close the connection.
IP fragmentation
  NAT gateway: Supports forwarding of IP fragmented packets for UDP. Fragmentation for TCP and ICMP is not supported; fragmented packets for these protocols are dropped.
  NAT instance: Supports reassembly of IP fragmented packets for UDP, TCP and ICMP.
11. DHCP Options Sets
The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. These parameters include the domain name, the domain name server, and the netbios-node-type.
DHCP options sets are associated with your AWS account, so you can use them across all of your Virtual Private Clouds (VPCs).

DHCP option name / Description
domain-name-servers
  The IP addresses of up to four domain name servers, or AmazonProvidedDNS. The default DHCP options set specifies AmazonProvidedDNS. If you specify more than one domain name server, separate them with commas.
  If you want the instance to receive the custom DNS hostname specified in domain-name, you must set domain-name-servers to a custom DNS server.
domain-name
  If you are using AmazonProvidedDNS in us-east-1, specify ec2.internal. If you are using AmazonProvidedDNS in another region, specify region.compute.internal (for example, ap-northeast-1.compute.internal). Otherwise, specify a domain name (such as MyCompany.com). This value is used to complete unqualified DNS hostnames.
  Important: some Linux operating systems accept multiple domain names separated by spaces. However, Windows and other Linux operating systems treat the value as a single domain, which can lead to unexpected behavior. If your DHCP options set is associated with a VPC that has instances with multiple operating systems, specify only one domain name.
ntp-servers
  The IP addresses of up to four Network Time Protocol (NTP) servers. For more information, see section 8.3 of RFC 2132.
netbios-name-servers
  The IP addresses of up to four NetBIOS name servers.
netbios-node-type
  The NetBIOS node type (1, 2, 4, or 8). We recommend that you specify 2 (broadcast and multicast are not currently supported). For more information about these node types, see RFC 2132.
12. Endpoints
A VPC endpoint allows you to create a private connection between your VPC and another AWS service without going through the Internet, a NAT device, a VPN connection, or AWS Direct Connect. Endpoints are virtual devices. They are horizontally scaled, redundant and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on network traffic.
Important
Currently, only endpoints for connections to Amazon S3 are supported. Endpoints support IPv4 traffic only.
Endpoints enable instances in your VPC to use their private IP addresses to communicate with resources in other services. Your instances do not need public IPv4 addresses, and you do not need an Internet gateway, NAT device or virtual private gateway in your VPC. Use endpoint policies to control access to resources in other services. Traffic between your VPC and the AWS service does not leave the Amazon network.
Networking differences in common scenarios
One of the big differences between OTC and AWS is that OTC has no Internet Gateway. Therefore OTC has no concept of public or private subnets; Internet access for instances without an EIP can only be implemented through SNAT.
Scenario: VPC with a single public subnet
The configuration for this scenario consists of a Virtual Private Cloud (VPC) with a single public subnet and an Internet gateway to enable communication with the Internet. It suits a single-tier, public-facing web application such as a blog or a simple website.
The configuration for this scenario includes:
A Virtual Private Cloud (VPC) with a /16 IPv4 CIDR block (example: 10.0.0.0/16), providing 65536 private IPv4 addresses.
A subnet with a /24 IPv4 CIDR block (example: 10.0.0.0/24), providing 256 private IPv4 addresses.
An Internet gateway, which connects the VPC to the Internet and to other AWS services.
An instance with a private IPv4 address in the subnet range (example: 10.0.0.6), which lets it communicate with other instances in the VPC, and an Elastic IPv4 address (example: 198.51.100.2), the public IPv4 address that makes the instance reachable from the Internet.
A custom route table associated with the subnet. Its entries enable instances in the subnet to communicate over IPv4 with other instances in the VPC and directly with the Internet. A subnet associated with a route table that contains a route to the Internet gateway is called a public subnet.
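As an added example (not from the article), the following Python audit models the scenario above as an inventory and applies the definitions given on this page: a subnet is public when its route table has a default route to an Internet gateway, and an instance is reachable from the Internet only when it is in such a subnet and holds a public or Elastic IP. The addresses are the article's example values (10.0.0.0/16, 10.0.0.0/24, 10.0.0.6, 198.51.100.2); every resource ID, the second subnet, the extra instances and the OTC-style SNAT variant (a default route whose next hop is an ECS address) are constructed assumptions.

```python
import copy
import ipaddress

# Added example, not from the article: classify subnets as public/private from their route
# tables and work out each instance's Internet exposure. IDs ending in "example" are placeholders.
SCENARIO = {
    "vpc_cidr": "10.0.0.0/16",
    "subnets": {"subnet-web-example": "10.0.0.0/24", "subnet-db-example": "10.0.1.0/24"},
    "route_tables": {
        "rtb-public-example": {"routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-example")],
                               "subnets": ["subnet-web-example"]},
        "rtb-private-example": {"routes": [("10.0.0.0/16", "local")],
                                "subnets": ["subnet-db-example"]},
    },
    "instances": [
        {"id": "i-web-example", "subnet": "subnet-web-example", "private_ip": "10.0.0.6", "public_ip": "198.51.100.2"},
        {"id": "i-db-example", "subnet": "subnet-db-example", "private_ip": "10.0.1.20", "public_ip": None},
        # A public IP attached to an instance in a private subnet is a common misconception.
        {"id": "i-stray-example", "subnet": "subnet-db-example", "private_ip": "10.0.1.21", "public_ip": "198.51.100.9"},
    ],
}

def default_route_target(inv, subnet_id):
    """Target of the 0.0.0.0/0 route in the route table associated with the subnet, or None."""
    for rtb in inv["route_tables"].values():
        if subnet_id in rtb["subnets"]:
            return next((t for dst, t in rtb["routes"] if dst == "0.0.0.0/0"), None)
    return None   # no explicit association; the main route table is not modelled here

def subnet_role(inv, subnet_id):
    """'public' only when the default route points at an Internet gateway."""
    target = default_route_target(inv, subnet_id)
    return "public" if target and target.startswith("igw-") else "private"

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def instance_exposure(inv, inst):
    """inbound+outbound: public subnet plus a public/Elastic IP.
    outbound-only: default route via a NAT gateway or, OTC-style, via another ECS doing SNAT.
    none: no usable path to the Internet, even if a public IP is attached."""
    target = default_route_target(inv, inst["subnet"])
    if target is None:
        return "none"
    if target.startswith("igw-"):
        return "inbound+outbound" if inst["public_ip"] else "none"
    if target.startswith("nat-") or _is_ip(target):
        return "outbound-only"
    return "none"

def exposure_report(inv):
    return {inst["id"]: instance_exposure(inv, inst) for inst in inv["instances"]}

def addressing_problems(inv):
    """Subnets must lie inside the VPC block and instances inside their subnet."""
    vpc = ipaddress.ip_network(inv["vpc_cidr"])
    problems = []
    for sid, cidr in inv["subnets"].items():
        if not ipaddress.ip_network(cidr).subnet_of(vpc):
            problems.append(f"{sid} ({cidr}) is outside {vpc}")
    for inst in inv["instances"]:
        subnet = ipaddress.ip_network(inv["subnets"][inst["subnet"]])
        if ipaddress.ip_address(inst["private_ip"]) not in subnet:
            problems.append(f"{inst['id']} ({inst['private_ip']}) is outside {inst['subnet']}")
    return problems

def with_snat_route(inv, rtb_id, snat_ecs_ip):
    """OTC-style variant: the default route's next hop is an ECS that holds an EIP and does SNAT."""
    out = copy.deepcopy(inv)
    out["route_tables"][rtb_id]["routes"].append(("0.0.0.0/0", snat_ecs_ip))
    return out

if __name__ == "__main__":
    print(addressing_problems(SCENARIO))
    print(exposure_report(SCENARIO))
    print(exposure_report(with_snat_route(SCENARIO, "rtb-private-example", "10.0.0.6")))
```

The `i-stray-example` case is the one worth running this kind of check for: a public IP on an instance whose subnet has no Internet gateway route gives neither inbound nor outbound connectivity, and the route table, not the address, decides exposure. The SNAT variant mirrors the OTC model described above, where egress exists but nothing becomes a "public subnet".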
The implementation of OTC