Monday, August 6, 2018

Virtual Private Cloud and its Isolation in Alibaba Cloud

In this article we look at Virtual Private Cloud (VPC for short): a logically isolated private network, separated from the other virtual networks provided by Alibaba Cloud. As administrators we have full control over our VPC. We specify its IP address range in Classless Inter-Domain Routing (CIDR) notation (classful IP addressing is not supported). Inside our own VPC we can provision ECS instances, RDS (Relational Database Service) instances and a software load balancer. Alibaba Cloud also offers hybrid connectivity options to connect two or more VPCs to each other, or to connect a VPC to an on-premises network.

A VPC has two more important components: 1. VRouter, 2. VSwitch.

When we create a VPC in Alibaba Cloud, it automatically creates a VRouter with a route table. The VRouter works like a hub that connects the zones of our VPC, and it also works as the gateway that connects our VPC to other networks. The other VPC component is the VSwitch, with which we create subnets (smaller address ranges carved out of the VPC address space; the segments of a VPC are its subnets). So if you want two separate subnets in your VPC, you create two VSwitches. These VSwitches are internally connected, which means you can deploy your application web servers in one subnet and your data server instances in another. Whether a request is for the application web server zone or the data server instance zone, the VRouter forwards it to the right VSwitch, since both VSwitches are connected to the VRouter.


As mentioned in the paragraphs above, a VPC follows the CIDR addressing scheme, so the full IPv4 address space is available for defining your VPC address range. Take 192.168.0.0/16 as the CIDR block of our VPC. An IPv4 address is 32 bits: 192 is 8 bits, 168 is 8 bits, 0 is 8 bits, 0 is 8 bits, 32 bits in total, and the /16 after the address is the CIDR prefix length. It means the first 16 bits (192.168) are the network address and the remaining 16 of the 32 bits are the host address, so a 192.168.0.0/16 VPC can accommodate 2 to the power 16 = 65536 instances. If we want to further segment this VPC into subnets using VSwitches, we can give the first VSwitch the CIDR block 192.168.0.0/24. That means the first 24 bits are the network address and the last 8 of the 32 bits of VSwitch1's range are host addresses, so approx. 2 to the power 8 = 256 instances can be accommodated in the first subnet. If we want another subnet for the data server instances, we create VSwitch2 and give it 192.168.1.0/24, which again lets us accommodate approx. 256 data server instances in the other subnet of the same VPC.
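The prefix-length arithmetic above is easy to get wrong by hand, and a VSwitch block that falls outside the VPC range or overlaps another VSwitch is the usual mistake when laying out subnets. The following is an added example, not code from the post or from Alibaba Cloud: a small planning check, written in Python with the standard ipaddress module, that reproduces the host-bit and address-count calculation for the two /24 VSwitches and verifies that each VSwitch block is a valid network address, sits inside the VPC block, and does not overlap another VSwitch. The VSwitch names and the address ranges are constructed sample values taken from the post; the check counts raw addresses, so the usable number of instances is a little lower once the platform's reserved addresses are taken out.

```python
import ipaddress

# Constructed sample layout, following the ranges used in the post above.
VPC_CIDR = "192.168.0.0/16"
VSWITCH_CIDRS = {
    "vswitch-web": "192.168.0.0/24",   # application web server subnet
    "vswitch-data": "192.168.1.0/24",  # data server instance subnet
}


def address_capacity(cidr):
    """Return (number of addresses, host bits) for a CIDR block.

    For 192.168.0.0/16 this gives (65536, 16); for a /24 it gives (256, 8).
    strict=True rejects blocks whose host bits are not all zero.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen
    return net.num_addresses, host_bits


def plan_vswitches(vpc_cidr, vswitches):
    """Check a set of VSwitch blocks against the VPC block.

    Returns a list of problem descriptions; an empty list means the layout
    is consistent: every block is a valid network address, lies inside the
    VPC block, and no two VSwitch blocks overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if vpc.version != 4:
        raise ValueError("this example only handles IPv4 ranges")

    problems = []
    nets = {}
    for name, cidr in vswitches.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            # e.g. 192.168.0.1/24: host bits set, not a network address
            problems.append(f"{name}: {cidr} is not a valid network address ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} lies outside the VPC range {vpc}")
        nets[name] = net

    # Pairwise overlap check; two VSwitches must never share addresses.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def report(vpc_cidr, vswitches):
    """Human-readable summary of the layout and any problems found."""
    lines = []
    total, host_bits = address_capacity(vpc_cidr)
    lines.append(f"VPC {vpc_cidr}: {host_bits} host bits, {total} addresses")
    for name, cidr in vswitches.items():
        try:
            count, bits = address_capacity(cidr)
            lines.append(f"  {name} {cidr}: {bits} host bits, {count} addresses")
        except ValueError:
            lines.append(f"  {name} {cidr}: invalid network address")
    for problem in plan_vswitches(vpc_cidr, vswitches):
        lines.append(f"  PROBLEM: {problem}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(VPC_CIDR, VSWITCH_CIDRS))
```

Run as a script it prints the capacity of the VPC and of each VSwitch with no problems. Changing the data VSwitch to 192.168.0.0/25 makes the overlap check fire, and a block such as 10.0.0.0/24 is reported as lying outside the VPC; both are layouts the console would also refuse, but catching them in a plan review is cheaper.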


Another important concept in Alibaba Cloud VPC is its use of mainstream tunneling technology: each VPC has a unique tunnel ID, and every data packet travelling between instances inside the VPC carries that tunnel ID, encapsulated in the packet header. So ECS instances in two separate VPCs cannot communicate with each other until hybrid connectivity has been set up between those two VPCs.



Another logical component of a VPC is the controller. The controller uses a self-developed protocol to push the forwarding table to the VPC gateway and the VSwitches, completing the configuration path. So in a VPC the data path and the configuration path are separate, and each has redundant disaster recovery, which improves the high availability of VPCs in Alibaba Cloud.



Alibaba Cloud thus provides very good security isolation: cloud servers of different users belong to different VPCs, and different VPCs have unique tunnel IDs. Cloud servers in the same subnet use VSwitches to communicate with each other, and cloud servers in different subnets of the same VPC use the VRouter. The intranets of different VPCs are completely isolated and can only be connected through externally mapped IPs. The third layer of isolation is that each Alibaba Cloud instance has a security group firewall controlling inbound and outbound network access. One more advantage of Alibaba Cloud VPC is that software VPNs and leased line connections are supported as connectivity options.
