Last updated: 2020-06-17 14:36:35
VPC helps you build an isolated virtual network in Kingsoft Cloud. You have complete control over your virtual network, including selecting and dividing IP address ranges, and configuring route tables and gateways. In addition, you can also use Direct Connect or VPN to connect your on-premises data center to a VPC to build a customized network environment. This achieves seamless migration of applications to the cloud.
Cloud products of the basic network type are deployed in the shared public basic network of Kingsoft Cloud, where Kingsoft Cloud is responsible for network planning and management. The basic network suits users who prioritize ease of use over control of the network. A VPC is an isolated virtual network built on top of the basic network of Kingsoft Cloud. You can customize the VPC, for example by defining its network topology and IP address range. Compared with the basic network, a VPC suits users who have both the ability and the need to manage their own network.
A security group is a logical grouping of instances that share the same security protection requirements and trust each other.
In a basic network, instances in the same region can be placed in the same security group. In a VPC, a security group can only contain instances in that same VPC.
Security groups, similar to firewalls, are used to implement network access control on single or multiple KEC instances. Security groups provide an important means for security isolation.
Each instance must belong to at least one security group and the security group must be specified when you create an instance. By default, instances in different security groups cannot access each other over the internal network. You can authorize mutual access between two security groups.
The SLB service can be deployed in a VPC. For more information, see SLB documentation.
By default, KEC instances in a basic network cannot communicate with KEC instances in a VPC over the internal network. To enable the communication between them, you can deploy an internal leased line. For details, contact Kingsoft Cloud.
You can use Peering to enable VPCs to communicate with each other. To enable mutual access between KEC instances, you also need to configure security group rules to allow access.
After a VPC is created, the CIDR block of the VPC cannot be modified. If a subnet in the VPC does not have an associated KEC instance, you can delete the subnet and then create a new one.
KEC instances deployed in a VPC can access cloud products (such as KRDS and KS3) that are not in a VPC through NAT or endpoint subnets.
The conversion is not supported at present.
You can create a second NIC for a KEC instance in a VPC and then bind a second private IP address.
A KEC instance can be bound to only one EIP. However, a KEC instance can be attached to several SLB instances, so that it can be reached from multiple public IP addresses.
You can use Direct Connect to connect your on-premises data center to a VPC.
VPC supports IPsec VPN.
VPC and VPN belong to different categories. A VPC is an isolated Layer 2 network environment, and VPN is a remote access technology that builds a private network over the Internet.
Currently, VPCs with a CIDR block prefix length between /21 and /8 can be created.
No. To change the size of a VPC, you must terminate the current VPC and create a new one.
At present, you can create up to 100 subnets for each VPC. To create more subnets, submit a ticket.
When you add a KEC instance to a VPC, the system assigns the instance a random private IP address from the specified subnet. After the instance is created, you can change its private IP address.
No. The isolated KEC instance still occupies the IP address in the VPC. This IP address can be reused only when the instance is deleted.
By default, broadcast and multicast are not supported. If you require either of them, contact Kingsoft Cloud Technical Support for consultation.
After you change the subnet, you must restart the KEC instance or restart the network service to obtain and use the new IP address.
By default, KEC instances in a VPC can access internal services of Kingsoft Cloud such as YUM and NTP.
Four IP addresses in each subnet cannot be allocated to hosts: the network address, the broadcast address, the gateway address, and one reserved address.
Kingsoft Cloud provides a highly available local DNS service in each data center. By default, servers in VPCs can use this DNS service.
Yes. Cross-region Peering is a charged feature. For more information about fees, contact Kingsoft Cloud Business.
The regions cn_beijing_6 and cn_shanghai_2 support VPC.
Endpoint subnets do not support ACLs, and the services associated with endpoint subnets do not support security groups. KRDS provides the whitelist feature that allows you to configure security policies.
After the KEC instance is associated with an EIP or the VPC is configured with NAT, the KEC instance can access KS3 through the internal domain name of KS3.
A high-availability virtual IP address (HAVIP) can be configured in a VPC as follows:
- Configure Keepalived in unicast mode, or enable multicast mode for the subnet where the KEC instances are located.
- When the VIP is accessed from within the VPC, add a route for the VIP to the VPC route table with the KEC instance as the next hop.
- When the master fails, Keepalived migrates the VIP to the backup KEC instance. On its own, however, this migration does not take effect across the VPC, because the VPC route still points at the master.
- Use the notify mechanism of Keepalived to handle the failure: the notify script calls the API to delete the route destined for the master KEC instance and add the route destined for the backup KEC instance. The VIP migration then takes effect.
Note: To apply for multicast, contact Kingsoft Cloud after-sales personnel.
No. The connection will fail in this scenario.
Cross-subnet access is not supported. However, KEC instances in the same security group can communicate with each other.
It is recommended that you use private IP address ranges (RFC 1918) such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Note that reserved address ranges such as 198.18.0.0/15, 100.64.0.0/10, and 240.0.0.0/4 cannot be used.
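The following validator, added here as an example and not Kingsoft Cloud's own tooling, checks a proposed VPC CIDR block against the constraints stated on this page (prefix length between /21 and /8, the recommended private ranges, the address ranges that cannot be used) and computes how many addresses a subnet can actually hand to instances once the four non-allocatable addresses are excluded. The constants encode only what this page states; the function names are the author's own.

```python
import ipaddress

# Constraints taken from this FAQ (this is not an official Kingsoft Cloud tool).
MIN_PREFIX, MAX_PREFIX = 8, 21          # a VPC block may be /8 .. /21
RECOMMENDED = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UNUSABLE = [ipaddress.ip_network(n) for n in
            ("198.18.0.0/15", "100.64.0.0/10", "240.0.0.0/4")]
RESERVED_PER_SUBNET = 4                 # network, broadcast, gateway, reserved


def check_vpc_cidr(cidr: str) -> list:
    """Return a list of problems with the proposed VPC CIDR (empty means OK)."""
    problems = []
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.0.0.1/16
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    if net.version != 4:
        return ["only IPv4 blocks are covered by this check"]
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(
            f"prefix /{net.prefixlen} is outside /{MAX_PREFIX}../{MIN_PREFIX}")
    # overlaps() catches a block inside an unusable range and one containing it
    for bad in UNUSABLE:
        if net.overlaps(bad):
            problems.append(f"overlaps unusable range {bad}")
    if not any(net.subnet_of(good) for good in RECOMMENDED):
        problems.append("not inside a recommended RFC 1918 range")
    return problems


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses a subnet can assign to instances after the 4 reserved ones."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


if __name__ == "__main__":
    for candidate in ("10.0.0.0/16", "10.0.0.0/22", "100.64.0.0/16"):
        print(candidate, check_vpc_cidr(candidate) or "OK")
    print("usable hosts in 10.0.1.0/24:", usable_hosts("10.0.1.0/24"))
```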