VPC FAQs
What are the components of VPC?
The VPC of Baidu AI Cloud consists of multiple different services:
-
Subnet: You can customize the virtual private cloud segment and subnet segment.
The virtual private cloud (VPC) is a logically-isolated virtual network in Baidu AI Cloud, and defines the IP address space of VPC from the selected range. The subnet is a segment within the IP address range of VPC, and the isolated resources of all groups can be put in it.
-
Security group
The security group is a kind of stateful packet flitting virtual firewall, and used to control the egress and ingress traffic of a single cloud server or multiple cloud servers. It can accurately define the protocol and port dimensions.
-
Route table
The route table includes a series of route policies, and is used to define the network traffic trend of each subnet in the virtual private cloud.
-
NAT gateway
Internet connection: There are two kinds of flexible and high-performance Internet connection modes:
- The NAT gateway is a high-availability network address translation (NAT) service to facilitate Internet access by the resources in the private subnet.
- The elastic IP is a public network IP address available for independent application and used for public network access, and supports the dynamic binding and unbinding of instances (such as BCC, DCC, BBC, NAT gateway). It is mainly used to shield instance faults.
-
VPN gateway
It deploys hybrid cloud to connect your data center and VPC. The VPN connection is a kind of mode to connect your IDC and virtual private cloud through the encrypted channel of public network.
-
Peer connection
The peer connection provides the VPC-level network interconnection services to help users to realize the traffic interoperability among different virtual networks. The same user and different users can realize the virtual network interconnection in the same region or across regions.
-
ACL
The ACL (Access Control List) is a fire wall component in VPC, and used for control of the subnet-level security policy. The traffic of one or more subnets is set flexibly to satisfy the security requirements of different network deployments of the users.
How to start using VPC?
You can select to use VPC in the Baidu AI Cloud console or by API.
- For the management console, please refer to Operation Guide.
- API: Refer to VPC Api.
How many virtual private cloud, subnets, route tables, NAT gateways, peer connections, and VPN gateways can each user create?
Refer to VPC Resource Quota. If you have more requirements, please fill in a Ticket for application.
Can I apply for increase of VPC quota when the VPC quota is full?
You can submit a Ticket for application.
What's the range of IP addresses which can be used in VPC and subnet?
The virtual private cloud supports the intranet IPs of three network segments: 172.b.0.0/16 (b belonging to 16-31), 192.168.0.0/16 and 10.0.0.0/16.VPC CIDR can use the three network segments above or a part of the network segments.
The number of IPs included in the network block is 2^ (32-mask), so the 10.0.0.0/16network block includes a maximum of 65536 IP addresses.
Can the intranet IP of the cloud server be modified? How to operate? How to operate it?
Yes. The operation steps are as follows:
- Enter the cloud server console, and click the cloud server BCC in the left navigation bar to enter the page of BCC list.
- Click the cloud server ID to enter the details page of BCC.
- Click the key of "Change Intranet IP" at the side of intranet IP information.
- Enter a new IP and click "Confirm". The changed new IP can become valid only after you restart the server or enter the BCC operation system to restart the network card.
Does Baidu AI Cloud have the differences in VPC and classic network?
No. Baidu AI Cloud only provides VPC services based on the consideration of user business and product security. Baidu AI Cloud doesn't provide the general network and classic network.
Can VPC communicate with the public network or other VPC (cross-region and cross-account) or user data center?
| Connection demand | Baidu AI Cloud Service |
|---|---|
| Access to public network | Elastic IP, NAT gateway (high performance) |
| Other VPCs | peer connection (supporting cross-region and cross-account) |
| User data center | VPN connection and dedicated access |
What's the configuration when I only want to allow some resources in one VPC to flow out of the public network via the gateway?
Method 1: When you bind EIP to the resource instance in VPC which needs to access the public network, the instance can access the public network by EIP.
Method 2: The NAT gateway is used to access the public network. Place the cloud server which needs to access the public network in a subnet, and configure route policies for the subnet in the route table to enable the data packet with the destination address of public network to access the public network by the NAT gateway. Specific steps are as follows:
- Create a subnet, and place the cloud server which needs to access the public network in the subnet. Purchase the cloud server in the console, and select the subnet in purchase of the network configuration.
- Purchase and configure the NAT gateway. Refer to Operation Steps.
- Configure route policies for the subnet in the route table to enable the data packet with the destination address of public network to access the public network by the NAT gateway.
Can cloud servers be created in different available zones in one VPC? How to operate?
Yes, but there are two preconditions:
- The cloud servers can be created only in the different available zones under the region in which the same VPC is located. For example, if your VPC is in South China - Guangzhou, you can create cloud servers in available zone A and available zone B in Guangzhou. However, you cannot simultaneously create cloud servers in Guangzhou available zone and Beijing available zone in the VPC.
- To create a cloud server in an available zone, you should first create a subnet of the available zone.
How to connect the VPC with the traditional data center?
By the VPN or Express Tunnel ET services, the VPC and the user IDC network are interconnected, a secure and custom hybrid cloud network is built to realize the easy and secure migration of the original business to the cloud.
Which resources can be created in the VPC?
Currently, the following products can be used in the VPC: cloud server BCC, exclusive server DCC, physical server BBC, elastic public network EIP, cloud disk CDS, express tunnel ET, Baidu MapReduce (BMR), simple caching service SCS, SQL database RDS, load balance BLB. Other cloud products are being gradually supported, please pay attention to the information on the official website.
Is the intranet interworking available among VPC?
By default, different VPCs are completely isolated from each other, and the intranets of different VPCs don't interwork. If interworking is needed, the users can subscribe to the peer connection services to realize the high-speed interconnection among VPCs. Moreover, the VPN gateway can be used to realize the intranet interworking or EIP can be used to realize the extranet interworking.
Can the intranets interwork under the same VPC?
Yes. All the subnets under the same VPC interwork by default.
How does a instance without a public IP address access the Internet?
The instance can access the Internet by the NAT gateway. By creation of the NAT gateway and configuration of the route table associated with the subnet, the instances in the subnet can access the Internet. Please view the detailed Operation Steps.
Can one VPC connect with multiple IDCs by VPN?
Yes. Currently, multiple VPN gateways can be established for a virtual private cloud, and one VPN channel is established on each VPN network. In this way, multiple local IDCs can be connected.
How to guarantee the network quality between the virtual private cloud and IDC connected by VPN?
The virtual private cloud and IDC are connected by the public network. Depending on the network quality of the public network, the time delay, packet loss, buffeting problems may occur. If you need a more stable communication quality, you are recommended to use the dedicated access services. The VPN background will monitor the network quality throughout the day, including keepalive and network time delay. In case of any network abnormalities, the operation and maintenance staff will timely process them. You can also monitor the traffic status of the VPN gateway and channel in the console in real time. Please contact us timely if finding any abnormalities.
How to build high-availability virtual IP services by the Keepalived software in VPC?
Build VIP services in VPC by the following steps:
- Set the unicast mode in Keepalived, and establish heartbeat with peer;
- Select an IP address beyond the VPC segment for VIP, or the validity verification will fail in the route configuration;
- In the VPC route table Configure Instance Type Route, and direct the next hop of VIP to the main instance;
- Configure the switching action in the notify script of Keepalived. In case of a fault, call the Route Table API Interface to delete the instance route with the next hop of VIP as the main instance, add the route with the next hop of VIP as the backup instance to realize the VIP drift.
How to make a periodical complete inspection of the configuration condition of the security group?
You can subscribe the "Cloud Advisor" services to regularly obtain the inspection reports of resources on cloud in security, availability, performance and cost. The reports include several security group related inspection items, e.g.: Security group - unrestricted access, security group - specific port unrestricted, etc. Understand or subscribe the "Cloud Advisor" services. Please go to Home Page of Cloud Advisor.