Yang Xi: Veteran's views on hybrid cloud access
Created#More Posted time:Dec 30, 2016 14:20 PM
How to perform hybrid cloud access correctly
In this year’s Double 11 scenario, the hybrid cloud products provided significant support to the grand promotion activity of the group. In hybrid cloud practices, how to connect traditional IDC rooms to public clouds, and how to make the two work in concert are a very important topic. We can say that this topic concerns the success or failure of hybrid cloud.
In addition to the Double 11, hybrid cloud will be applied to a variety of scenarios in the future. Today we have Yang Xi, a network veteran from Alibaba Cloud, with us. The Double 11 this year marks the fifth one that Yang Xi has participated in. Yang will discuss how to connect to the hybrid cloud correctly and the pitfalls he once met.
Two keys of the hybrid cloud:
Security comes first. The first challenge after the business is moved onto the public cloud is the issue of security. Without correct practices, the data security of the enterprises' clients is hard to guarantee in a public environment.
The second problem is network connectivity. Take Alibaba for example. Its existing server room system is very large. The years of business development has generated more and more sharing. In addition, the middleware components are deployed within the group, like BUC, HSF Configserver, the commodities, transactions and other information that the Taobao businesses are dependent on. The system launch needs to go through Aone for packaging and releasing. Like many enterprises in the cloud migration process, not all businesses are unitized and can be independently deployed. If they fail to be connected over the network, cloud migration will become empty talk.
Solution: We will take the Alibaba Cloud VPC as an example to talk about how to solve these two problems and how to add more accesses for the hybrid cloud application behind. So what is the Alibaba Cloud VPC? Alibaba Cloud Virtual Private Cloud (VPC) helps to structure an isolated network environment based on Alibaba Cloud. You can have full control over your own VPC, including choosing your preferred IP address range, network segment, route table, and gateway.
In general, typical VPC scenarios are listed as follows:
• Scenario 1: You can create a VPC and VSwitches according to your own network plans. Then, you can create and use cloud product instances (such as ECS, RDS, SLB, and OCS) in this VPC. The network environment is fully isolated from external users, meeting the full isolation requirements of the group.
• Scenario 2: You can connect your own data center to Alibaba Cloud VPC through a physical connection. This enables intranet communication between your network and Alibaba Cloud VPC. With two lines working in a link aggregation mode, the two networks can be configured to work in an active/active or active/standby mode.
VPC provides the above basic features to help us solve the network security and connectivity issues. But in complicated situations such as the Double 11 shopping carnival, we also need to perform some adjustments to adapt to the environment requirements of the Double 11.
Hybrid cloud network access scheme of the group
Typical business architecture of the hybrid cloud network of the group
Case studies of hybrid cloud network architecture in Double 11 promotions:
1. The isolation of the group business and external businesses in public cloud scenarios are achieved through VPC network isolation. The security personnel have validated the isolation performance and confirmed it is in line with the group’s security strategies and isolation requirements.
2. The ExpressConnect leased lines are used to achieve connection with the group’s ACTN and VPC.
3. The internal IP addresses of the VPC are under the uniform planning by network personnel of Alibaba group to ensure their uniqueness in the group (The group’s resource lifecycles should be managed uniformly in the Armory so as to make sure that the Aone and Alimonitor among other systems can recognize the on-cloud resources for corresponding O&M and management operations).
4. On the database layer, we adopt TDDL+TDS solutions. RDS is fully compatible with AliSQL, requiring no changes to be fully migrated. With the help of the DTS tool, the existing data in the group can be conveniently migrated to the cloud.
5. The data access still adopts the internal TDDL in the group. For applications, this can be transparent with zero changes.
6. The IDB management access can be easily achieved through DBfree entry of RDS databases. The on-cloud RDS can be understood as creating a new data unit.
7. The discovery of middleware-layer HSF route can be achieved through Skywalk to support mutual discovery of EDAS and internal configserver routes. The mutual invocation of off-cloud and on-cloud HSF is supported.
8. MQrouter supports synchronization of on-cloud and off-cloud messages, easily solving the message forwarding consumption issue.
9. At present, Aone has supported on-cloud grouped independent releasing and management and cloud units and non-cloud units are differentiated.
10. Data backflow is performed through the TT client to the group’s ODPS cluster for uniform offline analysis of elastic internal data.
Powered by Alibaba Cloud's ExpressConnect technology, different network environments can be connected up. As a result, the group production with seven networks isolated and elastic external environment can communicate with each other reliably and securely without the need to go through the internet. You will be able to enjoy the low latency and high bandwidth for overseas businesses like you are using the intranet communication. Meanwhile, Alibaba Cloud ExpressConnect supports redundancy of multiple leased lines. The products and the group's infrastructure enjoy equivalent SLA support to ensure the stability and reliability of internetwork communications. Whether for multi-center deployment, integrated networks comprising physical server rooms and on-cloud resources, or multiple leased lines for disaster tolerance, the flexible network topology provided by ExpressConnect facilitates the implementation, making ExpressConnect especially suitable for overseas business demands.
At present, we have implemented: interconnection between Hangzhou region, Shanghai region, Hong Kong region, Singapore region, the US region and elastic internal ExpressConnect. In future, we plan to expand the connection to Beijing region, Shenzhen region and Germany region based on business demands. In one word, all the available public cloud regions of Alibaba Cloud are now interconnected with the elastic internal networks based on the business requirements.
What's more important, the expert support service is also available during the process: At present, Alibaba Cloud has a dedicated expert service team supporting the cloud migration of enterprises and businesses in and out of the group in a uniform way. They can help to analyze the actual business demands and provide a most reasonable architecture solution to complete business migration.
1. The cloud computing is not simple virtualization of physical servers. Instead, it is more of the embodiment of computing and service capabilities. So we cannot stick to the idea of traditional IDC resources to use the cloud resources, and so is the case with VPC.
2. Many techies hope to call the underlying layer of Alibaba Cloud to control the physical resources directly. Alibaba Cloud’s Apsara scheduling system has implemented many allocation optimizations on the scheduling (security, fragmentation, and scheduling policies). But if physical servers are used directly, the meaning of using cloud computing will be lost.
3. The code transformation after the business is migrated to the cloud is unavoidable, like you always need to buy something new and discard something old to move to a new home. Currently the on-cloud products are mostly the results of technical accumulation inside Alibaba Cloud. I hope everybody can embrace cloud computing with an open mind.