A Virtual Private Network (VPN) tunnel allows you to connect a local developer PC to an Alibaba Cloud Virtual Private Cloud (VPC) instance so that High-speed Service Framework (HSF) services on the two sides can call each other.

Background

Note This solution is only used when cloud-terminal joint debugging is unavailable.

VPN deployment structure

Term: IP address of OpenVPN Server
  Description: The public IP address used to access the VPN server hosted on a VPC instance.
  Example: 116.62.136.60
Term: Developer PC IP address
  Description: The IP address of the developer PC. It is routable to the VPC through the VPN.
  Example: 192.168.255.6
Term: CIDR block of a developer PC
  Description: The range of IP addresses that the VPN can assign to developer PCs connected to the VPC. Each developer PC receives one IP address from this block.
  Example: 192.168.255.0/24
Term: IP address of the VPN container gateway
  Description: The IP address that the Docker bridge assigns to the OpenVPN container. In this topic, OpenVPN Server runs in Docker bridge mode.
  Example: 172.31.254.2
Term: Private IP address of the Elastic Compute Service (ECS) instance
  Description: The IP address of the ECS instance in the VPC. Each ECS instance has one private IP address.
  Example: 172.16.0.86
Term: Container IP address
  Description: The IP address that Enterprise Distributed Application Service (EDAS) assigns to the Docker container of each application. An ECS instance that runs multiple containers has multiple container IP addresses; each EDAS application container has exactly one.
  Example: 10.0.64.3

Install an OpenVPN server on an ECS instance in a VPC through Docker

  1. Run docker pull kylemanna/openvpn to pull an OpenVPN image.
  2. Run the following commands to generate the server configuration.
    OVPN_DATA="/root/ovpn-data"
    IP="xxx.xx.xxx.xx"
    mkdir ${OVPN_DATA}
    docker run -v ${OVPN_DATA}:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u tcp://${IP}
    Note In this case, the IP address must be the public IP address or elastic IP address of the ECS instance on which OpenVPN is installed. Ensure that the developer PC can connect to this IP address.
  3. Run docker run -v ${OVPN_DATA}:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki and, when prompted, enter the password and the CN to generate the server certificate.
  4. Run docker run -v ${OVPN_DATA}:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass to generate a client certificate.
  5. Run docker run -v ${OVPN_DATA}:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > ${OVPN_DATA}/CLIENTNAME.ovpn to export client configurations to the CLIENTNAME.ovpn file.
  6. Run docker run --name openvpn -v ${OVPN_DATA}:/etc/openvpn -d -p 1194:1194 --privileged kylemanna/openvpn to start the VPN service.

Configure the OpenVPN client on a local developer PC

The following takes macOS as an example.

  1. Drag the CLIENTNAME.ovpn file obtained in the preceding step 5 to the configuration field in Tunnelblick to import the configurations.
  2. Click Connect to connect the OpenVPN client to the VPN.
  3. On the client, run ifconfig for macOS or ipconfig for Windows to obtain the IP address of the new virtual tunnel (VTun) network interface controller (NIC), and record it for subsequent use.

    The obtained IP address is the outbound IP address of the developer PC in the VPC.

  4. The developer PC can now directly access services exposed on the private IP address of an ECS instance in the VPC or on the IP address of an EDAS container.

Configure a VPN route in the VPC

To let an ECS instance in the VPC reach the developer PC, you must connect the OpenVPN host to the developer PC network and, if other ECS instances in the cluster also need to reach the developer PC, connect those instances as well.

  • Connect the OpenVPN host to the developer PC network
    1. Run docker exec -ti openvpn bash to log on to the OpenVPN container.
    2. Run route -n to query the routing rule in the OpenVPN container.
    3. According to the developer PC IP address obtained in the preceding step 3, obtain the CIDR block for the corresponding routing rule.

      In this example, the obtained IP address is 192.168.255.6, which falls in the CIDR block 192.168.255.0/24 listed in the table above. In other words, the destination network is 192.168.255.0 and the subnet mask is 255.255.255.0.

    4. In the OpenVPN container (entered in step 1), obtain the IP address of its eth0 NIC. This is the IP address of the VPN container gateway.
    5. On the OpenVPN host, run route add -net 192.168.255.0 netmask 255.255.255.0 dev docker0 gw 172.31.254.2 to add the route from the host to the VPN container.

      Route the traffic generated for the preceding CIDR block to the docker0 NIC by using the IP address obtained in the previous step as the gateway.

    6. On the host where the VPN is located, run ping 192.168.255.6 to check whether the network of the host is connected to the developer PC.
  • Connect other ECS instances in the cluster to the developer PC
    1. Log on to the VPC console and add a routing rule. For more information, see Add a custom route entry.

      Set the destination CIDR block to the CIDR block of the developer PC (192.168.255.0/24) and the next hop to the ECS instance on which OpenVPN is installed.

    2. Enable the firewall of the ECS instance on which the VPN is installed and run iptables -I FORWARD -i eth0 -o docker0 -j ACCEPT to allow traffic to be forwarded from eth0 to docker0.
    3. On other ECS instances in the cluster, run ping to check whether their networks are connected to local developer PCs.

Obtain the EDAS environment configuration to debug the RPC service

  1. Download the cloud-authenticated Pandora package taobao-hsf.tgz.

  2. After downloading the Pandora package locally, run tar -xvf taobao-hsf.tgz to extract the taobao-hsf.sar folder.

    For example, the folder is stored in the following directory: /Users/jiangyu.zjy/demoSpasKey/pandora/taobao-hsf.sar.

  3. On an ECS instance running in the online EDAS environment, run cat /home/admin/.spas_key/default to obtain authentication parameters and write them to a local file on a developer PC.

    Notice The configuration varies by namespace. Keep the authentication parameters secret to avoid security risks.

    For example, the directory is /Users/username/demoSpasKey/default.

  4. On the ECS instance that runs EDAS and is in the same namespace as the application to be debugged, run ps -ef|grep java |grep tomcat |grep project.name to obtain other configuration parameters.

    Parameter: project.name
      Description: The ID of the application to be debugged.
      Example: 00de7116-d8eb-4d57-ba6a-caf6fccb7484
    Parameter: ecc.id
      Description: The ID of the application instance.
      Example: df0724b3-1057-44ef-b14f-f291d562a457
    Parameter: JM.CONTAINER.ID
      Description: The ID of the Tomcat container for the application. The value is the same as the ID of the application instance.
      Example: df0724b3-1057-44ef-b14f-f291d562a457
    Parameter: address.server.domain
      Description: The domain name of Address Server.
      Example: addr-hz-internal.edas.aliyun.com
    Parameter: address.server.port
      Description: The port number of Address Server.
      Example: 8080
    Parameter: configserver.client.port
      Description: The port number of the registration center.
      Example: 8000
  5. Configure startup parameters of the consumer.

    Parameter: pandora.location
      Description: The absolute path of the local taobao-hsf.sar folder.
      Example: /Users/jiangyu.zjy/demoSpasKey/pandora/taobao-hsf.sar
    Parameter: spas.identity
      Description: The absolute path of the local authentication information file.
      Example: /Users/jiangyu.zjy/demoSpasKey/default
    Parameter: project.name
      Description: The ID of the application to be debugged.
      Example: 00de7116-d8eb-4d57-ba6a-caf6fccb7484
    Parameter: tenant.id
      Description: The ID of the tenant.
      Example: 5f18a6c8-da89-456e-a3e5-0eabc411d1ed
    Parameter: address.server.domain
      Description: The domain name of Address Server.
      Example: addr-hz-internal.edas.aliyun.com
    Parameter: address.server.port
      Description: The port number of Address Server.
      Example: 8080
    Parameter: configserver.client.port
      Description: The port number of the registration center.
      Example: 8000
    Parameter: hsf.server.ip
      Description: The IP address of the developer PC.
      Example: 192.168.255.6
  6. Start the local consumer application to gain access to the online HSF service.

  7. Configure the startup parameters for the provider application. The configurations are the same as those on the consumer application.

  8. Call the local HSF service through the online service.
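As an added example (not part of this topic or of EDAS), the following Python script takes the java command line found in step 4 and assembles the consumer startup parameters of step 5, refusing to continue if the matched process lacks any of the documented keys. It assumes the parameters are passed to the JVM as -D system properties, which is how they appear in the process list; the ps line, local paths and tenant ID are constructed sample values that reuse the page's example IDs.

```python
import shlex

# Constructed sample ps output line for the EDAS Tomcat process (IDs are the page's example values).
SAMPLE_PS_LINE = (
    "admin 4242 1 0 10:00 ? 00:01:02 /opt/taobao/java/bin/java "
    "-Dproject.name=00de7116-d8eb-4d57-ba6a-caf6fccb7484 "
    "-Decc.id=df0724b3-1057-44ef-b14f-f291d562a457 "
    "-DJM.CONTAINER.ID=df0724b3-1057-44ef-b14f-f291d562a457 "
    "-Daddress.server.domain=addr-hz-internal.edas.aliyun.com "
    "-Daddress.server.port=8080 -Dconfigserver.client.port=8000 org.apache.catalina.startup.Bootstrap start"
)

# Values that exist only on the developer PC (constructed, following step 5 of the page).
LOCAL_SETTINGS = {
    "pandora_location": "/Users/username/demoSpasKey/pandora/taobao-hsf.sar",
    "spas_identity": "/Users/username/demoSpasKey/default",
    "tenant_id": "5f18a6c8-da89-456e-a3e5-0eabc411d1ed",
    "dev_pc_ip": "192.168.255.6",  # the VTun address recorded in client step 3
}

# Parameters that step 5 copies unchanged from the online process.
REMOTE_KEYS = ("project.name", "address.server.domain",
               "address.server.port", "configserver.client.port")

def parse_jvm_props(ps_line):
    """Return {key: value} for every -Dkey=value token in a ps command line."""
    props = {}
    for tok in shlex.split(ps_line):
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            props[key] = value
    return props

def build_consumer_args(ps_line, pandora_location, spas_identity, tenant_id, dev_pc_ip):
    """Assemble the consumer's -D arguments in the order the page lists them."""
    remote = parse_jvm_props(ps_line)
    missing = [k for k in REMOTE_KEYS if k not in remote]
    if missing:  # the grep matched something other than the HSF Tomcat process
        raise ValueError("ps line lacks %s" % ", ".join(missing))
    ordered = [
        ("pandora.location", pandora_location),
        ("spas.identity", spas_identity),
        ("project.name", remote["project.name"]),
        ("tenant.id", tenant_id),
        ("address.server.domain", remote["address.server.domain"]),
        ("address.server.port", remote["address.server.port"]),
        ("configserver.client.port", remote["configserver.client.port"]),
        ("hsf.server.ip", dev_pc_ip),
    ]
    return ["-D%s=%s" % kv for kv in ordered]
```

The same argument list serves the provider application in step 7, since the page states its configuration matches the consumer's.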