In this article, the Alibaba Cloud Network Team talked about the key features and use cases of the newly launched Smart Access Gateway (SmartAG).
At the main forum of the Computing Conference 2018 in Hangzhou, Jiang Jiangwei, General Manager of Alibaba Technology R&D, demonstrated how to build an enterprise Virtual Private Cloud (VPC) in just minutes.
The procedure involved only three steps: powering on a PC, connecting its WAN port to the Internet, and connecting its LAN port to another PC. The on-site PC successfully connected to the enterprise SAP system deployed on Alibaba Cloud through the VPC without any other operations on this PC.
In addition, the network quality test results showed that the enterprise VPC built with SmartAG performed better in terms of latency and packet loss.
The centralized configuration and automatic route learning capabilities of SmartAG are mainly implemented by one system and two components.
Apsara Virtual Network System is responsible for cloud networks in the Alibaba Cloud Apsara system. It provides various network products for Alibaba Cloud, such as Virtual Private Cloud (VPC), Server Load Balancer (SLB), Cloud Enterprise Network (CEN), and Smart Access Gateway (SmartAG). It is also the network infrastructure of more than 100 cloud products such as Elastic Compute Service (ECS), Relational Database Service (RDS), Object Storage Service (OSS), and Network Attached Storage (NAS). In addition, Apsara Virtual Network System supports many types of business for Alibaba Group and Ant Financial Services Group, such as e-commerce, payment, and logistics. It is now a world-leading cloud network system.
CCN can be understood as an access matrix that consists of Alibaba Cloud's distributed access points. Multiple SmartAGs can access one another after connecting to CCN. CCN can also connect to CEN, so that CCN and cloud resources, such as VPC and Virtual Border Router (VBR), can access each other.
CEN provides communication channels between cloud resources, and between cloud resources and Internet data centers (IDCs). Through automatic route distribution and learning, CEN also supports fast network convergence and high-quality cross-city communication. CEN is devoted to helping users build a globally interconnected enterprise-scale network with communication capabilities.
SmartAG is a one-stop cloud access solution provided by Alibaba Cloud. It enables an enterprise to access the nearest cloud resources over the Internet in encrypted mode and build an enterprise VPC in minutes. SmartAG provides enterprises with a more intelligent, reliable, and secure cloud access experience.
This article shows you how to connect multiple VPCs together, without having to manage the complexity of a full mesh network, by using a transit VPC.
"How can I design and build my network on the Alibaba Cloud platform?" This is a common question that many enterprises have asked us. It is also a very fundamental question that needs to be addressed before migrating to any cloud platform. But the answer may not be straightforward; in many cases the right answer is "It depends". Today, I would like to offer a solution that combines best practices from traditional on-premises networking with Alibaba Cloud VPC design, to fulfill the security and operations policies that most enterprises have.
The Transit VPC solution is a combination of traditional networking concepts and Alibaba Cloud VPC networking features. By using a transit VPC, you can connect multiple VPCs together without having to manage the complexity of a full mesh network. It simplifies network management, minimizes the number of connections that need to be managed, and provides the same consistency of security and operations as an on-premises network.
Before we dive deep into the concept and design of the transit VPC, let's have a quick look at a typical networking design. As shown in the following diagram, we often separate the front tier, application tier, and data tier into different subnets and use security groups as the security layer that controls access rights for the different subnets and ports. With products such as VPN and Express Connect, we can connect these groups to an Internet data center (IDC) to create a hybrid network for an enterprise.
This is a very neat and simple design for many systems with the following pros and cons:
But in many cases, an enterprise's IT team wants the design to have the following capabilities:
In this article, we'll show you how to implement public IP addresses for VPC creation through the use of APIs.
As a private network, a virtual private cloud (VPC) supports only the following major private CIDR blocks by default:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
However, to facilitate users' network planning, public IP addresses can also be used when creating a VPC. This function is not available in the VPC console; it can only be performed through the API.
Step 1: Log on to the web-based API platform at https://api.aliyun.com/
In the API platform, click Virtual Private Cloud (VPC), then enter CreateVpc.
Step 2: Set the parameters accordingly.
Set the mandatory parameters, marked with asterisks (*).
In CidrBlock, enter the custom CIDR block that is required. This parameter defines the address range available for the creation of the VPC.
In UserCidr, enter the custom CIDR block as required. This parameter allows traffic to the specified CIDR block to be routed within the VPC that is being created.
In this tutorial, we will deploy a Debian 9 machine running OpenVPN, using Packer to build the image and Terraform to deploy the infrastructure.
Securing a web application in terms of access management can be tricky, as there are multiple ways to do it in an acceptable way.
We can use security groups to limit the open ports on a given instance and grant unrestricted access to a specific company IP address, but that gives reachability to anyone connected to that network, which in most cases is not ideal. Another problem with limiting access to a single IP address is that it locks out an engineer who is trying to fix a problem from outside the office after hours. Another way to approach access management would be to set up a key server with a very limited set of authorized users registered. The problem with a key server is that it has to be set up on every instance we want to secure, which in some situations is not feasible because of the network size or other factors.
Today we are going to approach this using a VPN, giving an authorized user a tunnel into the VPC and making it feel as if their devices were directly connected to the network.
VPN stands for Virtual Private Network. Usually VPNs are used in corporate environments to protect the data transmission between branches located remotely in different cities or even countries. A VPN makes every computer connected to it operate like they were all in the same local network, making routing and maintenance very easy for the IT teams, as they can build an entire Intranet with many critical machines completely isolated from the Internet.
The short answer is yes. Focusing on the use case of this tutorial, we benefit from a VPN connection because our computers, as IT engineers, will have access to resources on machines that do not even have public IP addresses. What's more, a VPN provides additional security, because data that travels through the VPN is encrypted and private.
Now that we have a clear idea of what a VPN is and why we need one, let's plan the deployment. The system will be a Debian 9 machine running OpenVPN. We will use Packer to build the image and Terraform to deploy the infrastructure. You'll need to have an Alibaba Cloud Elastic Compute Service (ECS) server ready, so check out this tutorial if you are not sure how to set one up. Now just create a folder for the config files... and go!
The Alibaba Cloud Interconnecting VPC with Express Connect and VPN Gateway course is designed to provide you with the fundamental knowledge to plan, configure, and administer VPC connections. In this course we will discuss deployment best practices and use cases for interconnecting VPCs using Express Connect and VPN Gateway.
The Interconnecting VPC using Cloud Enterprise Network (CEN) course is designed to provide you with the fundamental knowledge to plan, configure, and administer VPC connections in an enterprise environment. In this course we will discuss deployment best practices and use cases of Cloud Enterprise Network (CEN).
What is a VPN? It is an extension of a private network across a public network, and it enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. In this Clouder course, you'll learn how to conveniently establish a virtual private connection on Alibaba Cloud with VPN Gateway.
This topic describes how to create a Virtual Private Cloud (VPC) network with an IPv4 CIDR block. After you create a VPC network, you can create an Elastic Compute Service (ECS) instance in the VPC network, and associate an Elastic IP address (EIP) with the ECS instance to allow the instance to access the Internet.
To deploy cloud resources in a VPC network, you must set up network connections first. For more information, see Plan a VPC network.
To create a VPC network and a VSwitch, follow these steps:
Generally, you can choose to have a Virtual Private Cloud (VPC) created automatically with the default network address when creating a Kubernetes cluster in Alibaba Cloud. In more complicated scenarios, you need to plan the Elastic Compute Service (ECS) addresses, Kubernetes pod addresses, and Kubernetes service addresses on your own. This document introduces what each address in a Kubernetes cluster under an Alibaba Cloud VPC is used for and how to plan the CIDR blocks.
The concepts related to IP addresses are as follows:
The CIDR block selected when you create a VPC. Select the VPC CIDR block from 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
The CIDR block specified when you create a VSwitch in a VPC. The VSwitch CIDR block must be a subset of the VPC CIDR block; it can be the same as the VPC CIDR block but cannot go beyond that range. The address assigned to an ECS instance under the VSwitch is taken from the VSwitch CIDR block. Multiple VSwitches can be created under one VPC, but their CIDR blocks cannot overlap.
The VPC CIDR block structure is as follows.
Pod is a concept in Kubernetes. Each pod has one IP address. You specify the pod CIDR block when creating a Kubernetes cluster in Alibaba Cloud Container Service, and the pod CIDR block cannot overlap with the VPC CIDR block. For example, if the VPC CIDR block is 172.16.0.0/12, then the pod CIDR block of Kubernetes cannot use 172.16.0.0/16, 172.17.0.0/16, or any address that is included in 172.16.0.0/12.
Service is a concept in Kubernetes. Each service has its own address. The service CIDR block cannot overlap with the VPC CIDR block or pod CIDR block. The service address is only used in a Kubernetes cluster and cannot be used outside a Kubernetes cluster.
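The CIDR planning rules above (VPC block chosen from the three private ranges, VSwitches as non-overlapping subsets of the VPC block, pod block disjoint from the VPC block, service block disjoint from both), as an added example that is not part of the original page or of Alibaba Cloud's own tooling. The function name and the sample plans are constructed for illustration.

```python
from ipaddress import ip_network

# Private ranges a VPC CIDR block may be chosen from (as stated on the page).
VPC_ALLOWED_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def validate_plan(vpc_cidr, vswitch_cidrs, pod_cidr, service_cidr):
    """Check an IPv4 address plan for a Kubernetes cluster in a VPC.

    Returns a list of human-readable violations; an empty list means the
    plan satisfies every rule. (Constructed helper, not an Alibaba Cloud API.)
    """
    errors = []
    vpc = ip_network(vpc_cidr)
    vswitches = [ip_network(c) for c in vswitch_cidrs]
    pod = ip_network(pod_cidr)
    svc = ip_network(service_cidr)

    # Rule 1: the VPC block must sit inside one of the allowed private ranges.
    if not any(vpc.subnet_of(r) for r in VPC_ALLOWED_RANGES):
        errors.append(f"VPC {vpc} is not within 10/8, 172.16/12 or 192.168/16")

    # Rule 2: every VSwitch block is a subset of the VPC block (equality is fine).
    for vsw in vswitches:
        if not vsw.subnet_of(vpc):
            errors.append(f"VSwitch {vsw} is not a subset of VPC {vpc}")

    # Rule 3: VSwitch blocks under one VPC must not overlap each other.
    for i, a in enumerate(vswitches):
        for b in vswitches[i + 1:]:
            if a.overlaps(b):
                errors.append(f"VSwitches {a} and {b} overlap")

    # Rule 4: the pod block must not overlap the VPC block.
    if pod.overlaps(vpc):
        errors.append(f"pod CIDR {pod} overlaps VPC {vpc}")

    # Rule 5: the service block must not overlap the VPC block or the pod block.
    if svc.overlaps(vpc):
        errors.append(f"service CIDR {svc} overlaps VPC {vpc}")
    if svc.overlaps(pod):
        errors.append(f"service CIDR {svc} overlaps pod CIDR {pod}")
    return errors


if __name__ == "__main__":
    # Constructed sample plan: a 172.16/12 VPC with two /24 VSwitches.
    for problem in validate_plan("172.16.0.0/12", ["172.16.0.0/24", "172.16.1.0/24"],
                                 "10.0.0.0/16", "192.168.0.0/20"):
        print(problem)
```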
By the end of this course, you will be able to plan, configure, and administer Alibaba Cloud VPC connections using Express Connect and VPN Gateway.
By the end of this course, you will be able to plan, configure, and administer Alibaba Cloud VPC connections using Cloud Enterprise Network (CEN) and establish global connectivity.
A virtual private cloud service that provides an isolated cloud network to operate resources in a secure environment.
VPN Gateway is an Internet-based service that establishes a connection between a VPC and your on-premises data center.
Alibaba Clouder - February 25, 2020
Alibaba Clouder - December 27, 2018
Marketplace - February 21, 2019
Alibaba Clouder - January 23, 2018
Alibaba Clouder - April 13, 2021
Alibaba Clouder - April 12, 2021