FAQs on VPC

Last updated: 2020-06-17 14:36:35

What is VPC?

VPC helps you build an isolated virtual network in Kingsoft Cloud. You have complete control over your virtual network, including selecting and dividing IP address ranges, and configuring route tables and gateways. You can also use Direct Connect or VPN to connect your on-premises data center to a VPC and build a customized network environment, which allows seamless migration of applications to the cloud.

What are the differences between a VPC and a basic network?

Cloud products of the basic network type are uniformly deployed in the public basic network of Kingsoft Cloud. Kingsoft Cloud is responsible for network planning and management. The basic network is more suitable for users with high requirements on network usability. A VPC is an isolated virtual network built in the basic network of Kingsoft Cloud. You can customize the VPC, such as defining the network topology and IP address range. Compared with the basic network, a VPC is more suitable for users who have network management capabilities and needs.

What are the functions of security groups?

A security group is a logical group of instances that have the same security protection requirements and trust each other.

In a basic network, instances in the same region can be divided into the same security group. In a VPC, a security group can only contain instances in the same VPC.

Security groups, similar to firewalls, are used to implement network access control on single or multiple KEC instances. Security groups provide an important means for security isolation.

Each instance must belong to at least one security group and the security group must be specified when you create an instance. By default, instances in different security groups cannot access each other over the internal network. You can authorize mutual access between two security groups.

How can I use SLB in a VPC?

The SLB service can be deployed in a VPC. For more information, see SLB documentation.

Can KEC instances in a basic network access KEC instances in a VPC over the internal network?

By default, KEC instances in a basic network cannot communicate with KEC instances in a VPC over the internal network. To enable the communication between them, you can deploy an internal leased line. For details, contact Kingsoft Cloud.

Can VPCs communicate with each other over the internal network?

You can use Peering to enable VPCs to communicate with each other. To enable mutual access between KEC instances, you also need to configure security group rules to allow access.

Can the CIDR block of a VPC be modified?

After a VPC is created, the CIDR block of the VPC cannot be modified. If a subnet in the VPC does not have an associated KEC instance, you can delete the subnet and then create a new one.

Can KEC instances in a VPC access cloud products outside VPCs?

KEC instances deployed in a VPC can access cloud products (such as KRDS and KS3) that are not in a VPC through NAT or endpoint subnets.

Can KEC instances of the basic network type be converted into KEC instances of the VPC type?

The conversion is not supported at present.

Can a KEC instance of the VPC type be bound with multiple private IP addresses?

You can create a second NIC for a KEC instance in a VPC and then bind a second private IP address.

Can a KEC instance in a VPC be bound with multiple EIPs?

A KEC instance can be bound with only one EIP. A KEC instance can be attached to different SLB instances so that the KEC instance can be accessed from multiple public IP addresses.

How does a KEC instance in a VPC access the Internet?

  • Bind an EIP to the KEC instance.
  • Bind NAT to the subnet where the KEC instance is located.

Does VPC support Direct Connect?

You can use Direct Connect to connect your on-premises data center to a VPC.

Does VPC provide the VPN function?

VPC supports IPsec VPN.

What is the difference between VPC and VPN?

VPC and VPN belong to different categories. A VPC is an isolated Layer 2 network environment, and VPN is a remote access technology that builds a private network over the Internet.

What is the size of a VPC that can be created?

Currently, you can create VPCs with a size between /21 and /8.

Can I change the size of a VPC?

No. To change the size of a VPC, you must terminate the current VPC and create a new one.

How many subnets can be created for each VPC?

At present, you can create up to 100 subnets for each VPC. To create more subnets, submit a ticket.

How can I specify the private IP address of a KEC instance in a VPC?

When you add a KEC instance to a VPC, the system assigns the instance a random private IP address from the specified subnet. After the instance is created, you can change its private IP address.

After a KEC instance is isolated in a VPC, can another instance using the same IP address be started in the VPC?

No. The isolated KEC instance still occupies the IP address in the VPC. This IP address can be reused only when the instance is deleted.

Does VPC support multicast or broadcast?

By default, broadcast and multicast are not supported. If you require either of them, contact Kingsoft Cloud Technical Support for consultation.

Why can't I access a KEC instance in a VPC after changing the subnet for the instance?

After you change the subnet, you must restart the KEC instance or restart the network service to obtain and use the new IP address.

How can KEC instances in a VPC access internal services of Kingsoft Cloud such as YUM and NTP?

By default, KEC instances in a VPC can access internal services of Kingsoft Cloud such as YUM and NTP.

Why are some IP addresses in a subnet not available after the subnet is created in a VPC?

Four IP addresses on each subnet cannot be allocated to hosts: network IP address, broadcast IP address, gateway IP address, and reserved IP address.

How can servers in VPCs use DNS?

Kingsoft Cloud provides highly available local DNS service for each data center. By default, servers in VPCs can use the DNS service.

Does VPC support cross-region Peering?

Yes. Cross-region Peering is a charged feature. For more information about fees, contact Kingsoft Cloud Business.

Which regions support VPC?

The regions cn_beijing_6 and cn_shanghai_2 support VPC.

Do the services such as KRDS associated with VPC endpoint subnets support security groups and ACLs?

Endpoint subnets do not support ACLs, and the services associated with endpoint subnets do not support security groups. KRDS provides the whitelist feature that allows you to configure security policies.

How can a KEC instance in a VPC access KS3 over the internal network?

After the KEC instance is associated with an EIP or the VPC is configured with NAT, the KEC instance can access KS3 through the internal domain name of KS3.

Does a KEC instance in a VPC support the configuration of Keepalived to create a HAVIP?

A high-availability virtual IP address (HAVIP) can be configured in a VPC by using the following methods:

  • Configure the unicast mode of Keepalived, or enable the multicast mode for the subnet where the KEC instance is located.
  • Add a KEC instance route to the VPC route table when the VIP is accessed within the VPC.
  • In the case of a failure, Keepalived will migrate the VIP to the backup KEC instance. However, the VIP migration does not take effect globally in the VPC.
  • In the case of a failure, the notify mechanism of Keepalived is used. The API is called to delete the route destined for the master KEC instance, and add the route destined for the backup KEC instance. The VIP migration then takes effect.

Note: To apply for multicast, contact Kingsoft Cloud after-sales personnel.

Can RS associated with an internal Layer 4 SLB instance in a VPC access the VIP of the SLB instance?

No. The connection fails in this scenario.

Can KEC instances in a VPC support access across Layer 3?

Cross-subnet access is not supported. However, KEC instances in the same security group can communicate with each other.

Which IP address ranges can be used by VPCs?

It is recommended that you use the reserved IP address ranges such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Note that reserved address ranges such as 198.18.0.0/15, 100.64.0.0/10, and 240.0.0.0/4 cannot be used.
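The following added example (not Kingsoft Cloud code) combines the limits stated in this FAQ into a pre-deployment check for an address plan: the /8 to /21 VPC size, the recommended and unusable ranges, the four non-allocatable addresses per subnet, and the default quota of 100 subnets. The function names are hypothetical, and the rule that subnets must lie inside the VPC block and must not overlap is an assumption the FAQ does not state.

```python
import ipaddress

# Values taken from the FAQ answers above.
RECOMMENDED = [ipaddress.IPv4Network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UNUSABLE = [ipaddress.IPv4Network(n) for n in
            ("198.18.0.0/15", "100.64.0.0/10", "240.0.0.0/4")]
MIN_PREFIX, MAX_PREFIX = 8, 21      # VPC size between /8 and /21
RESERVED_PER_SUBNET = 4             # network, broadcast, gateway, reserved
MAX_SUBNETS = 100                   # default per-VPC quota


def check_vpc_cidr(cidr):
    """Return (errors, warnings) for a proposed VPC CIDR block."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid IPv4 CIDR: {exc}"], []
    errors, warnings = [], []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        errors.append(f"/{net.prefixlen} is outside /{MIN_PREFIX}../{MAX_PREFIX}")
    errors += [f"overlaps unusable range {bad}" for bad in UNUSABLE if net.overlaps(bad)]
    if not any(net.subnet_of(ok) for ok in RECOMMENDED):
        warnings.append("not inside a recommended private range")
    return errors, warnings


def check_subnet_plan(vpc_cidr, subnet_cidrs):
    """Return (errors, usable) where usable maps subnet -> allocatable hosts.

    Assumption (not stated in the FAQ): subnets must lie inside the VPC
    block and must not overlap one another.
    """
    vpc = ipaddress.IPv4Network(vpc_cidr)
    subnets = [ipaddress.IPv4Network(s) for s in subnet_cidrs]
    errors, usable = [], {}
    if len(subnets) > MAX_SUBNETS:
        errors.append(f"{len(subnets)} subnets exceeds quota of {MAX_SUBNETS}")
    for i, sub in enumerate(subnets):
        if not sub.subnet_of(vpc):
            errors.append(f"{sub} is outside VPC {vpc}")
        errors += [f"{sub} overlaps {o}" for o in subnets[:i] if sub.overlaps(o)]
        usable[str(sub)] = max(sub.num_addresses - RESERVED_PER_SUBNET, 0)
    return errors, usable


if __name__ == "__main__":
    # Constructed sample inputs.
    for cidr in ("10.0.0.0/16", "192.168.0.0/24", "100.64.0.0/16", "10.0.0.1/16"):
        print(cidr, check_vpc_cidr(cidr))
    print(check_subnet_plan("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24"]))
```

Because the VPC CIDR block cannot be modified after creation, running a check like this before creating the VPC avoids having to terminate and rebuild it.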
