Huawei VPC Endpoint User Manual

VPC Endpoint
User Guide (ME-Abu Dhabi Region)
Issue 01
Date 2020-11-06
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Issue 01 (2020-11-06) Copyright © Huawei Technologies Co., Ltd. i
VPC Endpoint User Guide (ME-Abu Dhabi Region) Contents

Contents

1 Service Overview .... 1
1.1 What Is VPC Endpoint? .... 1
1.2 Product Advantages .... 2
1.3 Application Scenarios .... 2
1.4 Product Concepts .... 3
1.4.1 User Permissions .... 3
1.4.2 Region and AZ .... 3
2 Getting Started .... 5
2.1 Configuring a VPC Endpoint for Communication Across VPCs .... 5
2.1.1 Overview .... 5
2.1.2 Configuring a VPC Endpoint for Communication Across VPCs of the Same Domain .... 6
2.1.2.1 Operation Process .... 6
2.1.2.2 Step 1: Create a VPC Endpoint Service .... 6
2.1.2.3 Step 2: Create a VPC Endpoint .... 9
2.1.3 Configuring a VPC Endpoint for Communication Across VPCs of Different Domains .... 12
2.1.3.1 Overview .... 12
2.1.3.2 Operation Process .... 12
2.1.3.3 Step 1: Add Domain IDs to Whitelist .... 12
2.1.3.4 Step 2: Create a VPC Endpoint .... 13
2.2 Configuring a VPC Endpoint for Accessing OBS over Internal Networks .... 16
2.2.1 Overview .... 16
2.2.2 Step 1: Create a VPC Endpoint for Connecting to DNS .... 17
2.2.3 Step 2: Create a VPC Endpoint for Connecting to OBS .... 19
2.2.4 Step 3: Access OBS .... 21
3 Management .... 23
3.1 VPC Endpoint Services .... 23
3.1.1 Creating a VPC Endpoint Service .... 23
3.1.2 Viewing a VPC Endpoint Service .... 26
3.1.3 Deleting a VPC Endpoint Service .... 28
3.1.4 Managing Connections .... 29
3.1.5 Managing Permissions .... 29
3.1.6 Viewing Port Mappings .... 30
3.2 VPC Endpoints .... 30
3.2.1 Creating a VPC Endpoint .... 31
3.2.2 Querying and Accessing a VPC Endpoint .... 33
3.2.3 Deleting a VPC Endpoint .... 34
4 FAQs .... 36
4.1 What Is a Quota? .... 36
4.2 How Can I Check Network Configurations of the ECS Hosting the VPC Endpoint Service? .... 36
4.3 What Are Statuses of VPC Endpoint Services and VPC Endpoints? .... 36
A Change History .... 38

1 Service Overview

1.1 What Is VPC Endpoint?

The VPC Endpoint (VPCEP) service provides secure and private channels to connect your VPC to VPC endpoint services (cloud services on the current platform or your private services) without having to use EIPs.
VPCEP provides two types of resources: VPC endpoint services and VPC endpoints. For details, see Application Scenarios.
VPC Endpoint Services
VPC endpoint services are cloud services or users' private services that are configured in VPCEP. There are two types of VPC endpoint services: gateway and interface.
Gateway VPC endpoint services are cloud services that are configured by operations people and supported by VPCEP.
Interface VPC endpoint services include cloud services configured by operations people and private services configured by users.
● The cloud service platform configures some cloud services as VPC endpoint services by default. Users do not have the permission to configure such services but can select them (which vary by region) when creating a VPC endpoint.
● Users can configure services or resources (such as elastic load balancers and ECSs) in their own VPC as VPC endpoint services.
VPC Endpoints
VPC endpoints are channels for connecting VPCs to VPC endpoint services. You can create an application in your VPC and configure it as an endpoint service. A VPC endpoint can be created in another VPC in the same region and used as a channel to access the endpoint service. There are two types of VPC endpoints: interface and gateway.
An interface VPC endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a VPC endpoint service.
A gateway VPC endpoint is a gateway that is a target for a specified route to direct traffic to a VPC endpoint service.

1.2 Product Advantages

Excellent Performance: Each gateway supports up to 1 million concurrent connections in a variety of application scenarios.
Immediately Ready for Use Upon Creation: VPC endpoints are easy to use and can take effect a few seconds after being created.
Easy to Use: You can use VPC endpoints to access resources across VPCs without having to use EIPs.
High Security: VPC endpoints enable you to access VPC endpoint services without exposing server information, helping you minimize risks.

1.3 Application Scenarios

VPCEP provides:
High-speed cloud migration
Connect your local data center to cloud services using a Virtual Private Network (VPN) connection or a high-speed Direct Connect connection over a private network to improve access efficiency and security with low costs.
Figure 1-1 briefly illustrates this application scenario.
Figure 1-1 High-speed cloud migration
Cross-VPC connection
Different VPCs cannot communicate with each other. To solve this problem, you can create an application in your VPC and configure it as a VPC endpoint service. A VPC endpoint can be created in another VPC of the same region and used as a channel to access the VPC endpoint service.
Figure 1-2 briefly illustrates this application scenario.
Figure 1-2 Cross-VPC connection

1.4 Product Concepts

1.4.1 User Permissions

The cloud system provides two types of user permissions by default: user management and resource management.
User management refers to management of users, user groups, and user group permissions.
Resource management refers to access control over cloud service resources.
VPCEP provides two types of resources: VPC endpoint services and VPC endpoints, both of which are region-level resources. The required permissions must be added for users in the project.

1.4.2 Region and AZ

Concept
A region and availability zone (AZ) identify the location of a data center. You can create resources in a specific region and AZ.
A region is a physical data center, which is completely isolated to improve fault tolerance and stability. The region that is selected during resource creation cannot be changed after the resource is created.
An AZ is a physical location where resources use independent power supplies and networks. A region contains one or more AZs that are physically isolated but interconnected through internal networks. Because AZs are isolated from each other, any fault that occurs in an AZ will not affect other AZs.
Figure 1-3 shows the relationship between regions and AZs.
Figure 1-3 Regions and AZs
Selecting a Region
Select a region closest to your target users for low network latency and quick access.
Selecting an AZ
When deploying resources, consider your applications' requirements on disaster recovery (DR) and network latency.
For high DR capability, deploy resources in different AZs within the same region.
For low network latency, deploy resources in the same AZ.
Regions and Endpoints
Before you use an API to call resources, specify its region and endpoint. For more details, see Regions and Endpoints.

2 Getting Started

2.1 Conguring a VPC Endpoint for Communication Across VPCs

2.1.1 Overview

VPCEP supports cross-VPC communication. With VPCEP, two VPCs created by the same domain or a private IP address to access resources across the VPCs despite of network isolation between them.
Figure 2-1 shows how an ECS in VPC1 accesses a VPC endpoint service in VPC2
using a VPC endpoint.
Figure 2-1
dierent domains can communicate with each other. You can use
Conguring a VPC endpoint for communication Across VPCs
The above is an example on how to congure VPC endpoints for communication across VPCs in the same region.
Issue 01 (2020-11-06) Copyright © Huawei Technologies Co., Ltd. 5
VPC Endpoint User Guide (ME-Abu Dhabi Region) 2 Getting Started
2.1.2 Conguring a VPC Endpoint for Communication Across VPCs of the Same Domain
2.1.2.1 Operation Process
Figure 2-2 shows how to congure networks between two VPCS of the same
domain using VPCEP.
Figure 2-2 Operation process
2.1.2.2 Step 1: Create a VPC Endpoint Service
Scenarios
This section describes how to create a VPC endpoint service by selecting an elastic load balancer as an example backend service.
Procedure
1. Log in to the management console.
2. Click the icon in the upper left corner and select the required region and project.
3. Click Service List and choose VPC Endpoint under Network.
4. In the navigation pane on the left, choose VPC Endpoint > VPC Endpoint Services and click Create VPC Endpoint Service.
The Create VPC Endpoint Service page is displayed.
5. Configure parameters by referring to Table 2-1.
Table 2-1 Required parameters
Parameter: Description
Region: Specifies the region where the VPC endpoint service is located. Resources in different regions cannot communicate with each other over internal networks. Select the nearest region for lower network latency and faster access to resources.
VPC: Specifies the VPC where the VPC endpoint service is located.
Service Type: Specifies the type of the VPC endpoint service. The value can only be Interface.
Connection Approval: Specifies whether the connection between a VPC endpoint and a VPC endpoint service requires approval from the owner of the VPC endpoint service. You can determine whether to enable or disable connection approval. If connection approval is enabled, any VPC endpoint for connecting to the VPC endpoint service needs to be approved. For details, see step 5.
Port Mapping: Specifies the protocol and ports used for communication between the VPC endpoint service and VPC endpoint. The protocol is TCP.
Service Port: A service port is provided by the backend service bound to the endpoint service.
Terminal Port: A terminal port is provided by the VPC endpoint, allowing you to access the VPC endpoint service.
The service and terminal port numbers range from 1 to 65535. A maximum of 50 port mappings can be added at a time.
NOTE
Accessing a VPC endpoint service from a VPC endpoint means accessing the service port through the associated terminal port.
Backend Resource Type: Specifies the type of the backend resource that provides services to be accessed. This parameter can be set to Elastic load balancer or ECS.
Elastic load balancer: Select this value if the backend resource is an elastic load balancer. Backend resources of this type suit services that receive high access traffic and demand high reliability and disaster recovery (DR) performance.
ECS: Select this value if the backend resource is an Elastic Cloud Server (ECS). Backend resources of this type serve as servers.
Example: Elastic load balancer
NOTE
Security groups use the whitelist mechanism. For the security group of the backend resource configured for the VPC endpoint service, you need to add an inbound rule for the whitelist, where the source IP address is 198.19.128.0/20. For details, see Adding a Security Group Rule in the Virtual Private Cloud User Guide.
Load Balancer: When Backend Resource Type is set to Elastic load balancer, select the load balancer that provides services from the drop-down list. Only elastic load balancers are supported.
NOTE
If an elastic load balancer is used as the backend resource, the source IP address received by the VPC endpoint service is not the real address of the client.
Tag: This parameter is optional. Specifies the VPC endpoint service tag, which consists of a key and a value. You can add a maximum of 10 tags to each VPC endpoint service. Tag keys and values must meet the requirements listed in Table 2-2.
Table 2-2 Tag requirements for VPC endpoint services
Parameter: Requirement
Tag key:
● Cannot be left blank.
● Must be unique for each resource.
● Can contain a maximum of 36 characters.
● Cannot start or end with a space or contain special characters =*<>\,|/
Tag value:
● Cannot be left blank.
● Can contain a maximum of 43 characters.
● Cannot start or end with a space or contain special characters =*<>\,|/
6. Click Create Now.
7. On the displayed page, click Back to VPC Endpoint Service List to view the newly-created VPC endpoint service.
8. In the VPC endpoint service list, locate the target VPC endpoint service and click its name to view the details.
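As an added example that is not part of the Huawei guide, the following Python check models the Table 2-1 port-mapping limits and verifies that the backend resource's security group whitelists the VPC endpoint source range 198.19.128.0/20 on every service port, while flagging service ports that were instead opened to 0.0.0.0/0. The rule and mapping dictionaries are constructed for illustration and do not follow any Huawei API schema.

```python
import ipaddress

# Source range the guide says VPC endpoint traffic arrives from (Table 2-1 NOTE).
VPCEP_SOURCE = ipaddress.ip_network("198.19.128.0/20")
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")

def validate_port_mappings(mappings):
    """Apply the Table 2-1 limits: TCP only, ports 1-65535, at most 50 mappings."""
    if len(mappings) > 50:
        raise ValueError("a maximum of 50 port mappings can be added at a time")
    for m in mappings:
        if m["protocol"].upper() != "TCP":
            raise ValueError(f"unsupported protocol {m['protocol']!r}; only TCP is allowed")
        for key in ("service_port", "terminal_port"):
            if not 1 <= m[key] <= 65535:
                raise ValueError(f"{key} {m[key]} is outside the range 1-65535")
    return True

def rule_covers(rule, port):
    """True if an inbound TCP rule admits `port` (port_min..port_max inclusive)."""
    return (rule["direction"] == "inbound"
            and rule["protocol"].upper() == "TCP"
            and rule["port_min"] <= port <= rule["port_max"])

def check_backend_security_group(rules, mappings):
    """Return (missing, overbroad): service ports with no inbound rule admitting the
    VPCEP range (the whitelist would drop endpoint traffic), and service ports
    admitted from 0.0.0.0/0 (far wider than the range the guide asks for)."""
    validate_port_mappings(mappings)
    missing, overbroad = [], []
    for m in mappings:
        port = m["service_port"]
        sources = [ipaddress.ip_network(r["source"]) for r in rules if rule_covers(r, port)]
        sources = [s for s in sources if s.version == 4]  # the VPCEP range is IPv4
        if not any(VPCEP_SOURCE.subnet_of(s) for s in sources):
            missing.append(port)
        if ANY_V4 in sources:
            overbroad.append(port)
    return sorted(missing), sorted(overbroad)

# Constructed sample (hypothetical schema, not a Huawei API format): 8080 is
# whitelisted correctly, 8443 is open to everyone, 9000 has no inbound rule.
SAMPLE_MAPPINGS = [
    {"protocol": "TCP", "service_port": 8080, "terminal_port": 80},
    {"protocol": "TCP", "service_port": 8443, "terminal_port": 443},
    {"protocol": "TCP", "service_port": 9000, "terminal_port": 9000},
]
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "port_min": 8080, "port_max": 8080, "source": "198.19.128.0/20"},
    {"direction": "inbound", "protocol": "tcp", "port_min": 8443, "port_max": 8443, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(check_backend_security_group(SAMPLE_RULES, SAMPLE_MAPPINGS))  # ([9000], [8443])
```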
2.1.2.3 Step 2: Create a VPC Endpoint
Scenarios
This section describes how to create a VPC endpoint in another VPC of your own for connecting to the VPC endpoint service.
Procedure
1. In the navigation pane on the left, choose VPC Endpoint > VPC Endpoints.
2. On the displayed page, click Create VPC Endpoint.
3. Configure parameters by referring to Table 2-3.
Table 2-3 Required parameters
Parameter: Description
Region: Specifies the region where the VPC endpoint is located. This region is the same as that of the VPC endpoint service.
Service Category: There are two options: Cloud services or Find a service by name.
Cloud services: Select this value if the target VPC endpoint service is a cloud service.
Find a service by name: Select this value if the target VPC endpoint service is a private service of your own.
Example: Find a service by name