Updated on 2025-03-26 GMT+08:00

How Does CCE Communicate with Other Huawei Cloud Services over an Intranet?

Common Huawei Cloud services that communicate with CCE over the intranet include RDS, DMS, Kafka, RabbitMQ, VPN, and ModelArts. The following scenarios are involved:

  • In the same VPC, CCE nodes can communicate with all services. When containers communicate with other services, check that the security group on the peer end has inbound rules that allow the container CIDR block. (This restriction applies only to CCE clusters that use the VPC network model.)
  • If CCE nodes and other services are in different VPCs, you can use a VPC peering connection or a VPN to connect the two VPCs. The CIDR blocks of the two VPCs cannot overlap with the container CIDR block. In addition, you need to configure a return route in the peer VPC or private network. For details, see VPC Peering Connection. (This restriction applies only to CCE clusters that use the VPC network model.)
  • This logic works for all Huawei Cloud services.
  • Clusters using the container tunnel network model support internal communication between services. There is no need to configure additional settings.
  • You need to pay attention to the following points when configuring a cluster using the VPC network model:
    1. The source IP address displayed on the peer end is the container IP address.
    2. Custom routing rules added on CCE enable containers to communicate with each other on the nodes in a VPC.
    3. When a CCE container accesses other services, check that the security group or firewall on the peer end (destination end) has an inbound rule that allows the container CIDR block. For details, see Security Group Configuration Examples.
    4. If a VPN or VPC peering connection is used to enable communication between private networks, you need to configure a VPC peering connection route that points to the container CIDR block, both on the path and on the destination end.
  • Clusters using the Cloud Native 2.0 network model need to allow traffic from the container security groups based on service requirements. The default security group is named in the format of {Cluster name}-cce-eni-{Random ID}. For details, see Security Group Rules in a CCE Turbo Cluster That Uses the Cloud Native 2.0 Network Model.
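
The checks listed above for the VPC network model (no CIDR overlap, a peer inbound rule for the container CIDR block, and a return route on the peer) can be run as a pre-flight audit. The following is an added example, not Huawei Cloud code; the CIDR blocks, port 3306, and the rule and route dictionary shapes are constructed assumptions, not an API format.

```python
import ipaddress

def check_vpc_model_connectivity(container_cidr, local_vpc_cidr, peer_vpc_cidr,
                                 peer_inbound_rules, peer_routes, port, protocol="tcp"):
    """Return a list of findings; an empty list means every check passed.

    The rule and route dict shapes are hypothetical, not a Huawei Cloud API format.
    """
    findings = []
    container = ipaddress.ip_network(container_cidr)

    # 1. Neither VPC CIDR block may overlap with the container CIDR block.
    for name, cidr in (("local VPC", local_vpc_cidr), ("peer VPC", peer_vpc_cidr)):
        if ipaddress.ip_network(cidr).overlaps(container):
            findings.append(f"{name} CIDR {cidr} overlaps container CIDR {container_cidr}")

    # 2. The peer sees the container IP as the source address, so an inbound
    #    rule must cover the container CIDR block on the service port.
    def allows(rule):
        return (rule["protocol"] == protocol
                and rule["port_min"] <= port <= rule["port_max"]
                and container.subnet_of(ipaddress.ip_network(rule["cidr"])))
    if not any(allows(r) for r in peer_inbound_rules):
        findings.append(f"no peer inbound rule allows {container_cidr} on {protocol}/{port}")

    # 3. The peer needs a return route to the container CIDR block over the
    #    peering connection or VPN.
    def returns(route):
        return (route["next_hop"] in ("peering", "vpn")
                and container.subnet_of(ipaddress.ip_network(route["destination"])))
    if not any(returns(r) for r in peer_routes):
        findings.append(f"peer has no return route for {container_cidr}")
    return findings

# Constructed sample: the peer (e.g. a database VPC) only knows the node subnet.
NODE_ONLY_RULES = [{"cidr": "192.168.0.0/16", "protocol": "tcp", "port_min": 3306, "port_max": 3306}]
NODE_ONLY_ROUTES = [{"destination": "192.168.0.0/16", "next_hop": "peering"}]
# Constructed sample: the same peer after adding the container CIDR block.
FIXED_RULES = NODE_ONLY_RULES + [{"cidr": "172.16.0.0/16", "protocol": "tcp", "port_min": 3306, "port_max": 3306}]
FIXED_ROUTES = NODE_ONLY_ROUTES + [{"destination": "172.16.0.0/16", "next_hop": "peering"}]

if __name__ == "__main__":
    args = ("172.16.0.0/16", "192.168.0.0/16", "10.0.0.0/16")
    print(check_vpc_model_connectivity(*args, NODE_ONLY_RULES, NODE_ONLY_ROUTES, 3306))
    print(check_vpc_model_connectivity(*args, FIXED_RULES, FIXED_ROUTES, 3306))
```

A peer that allows and routes only the node subnet fails checks 2 and 3, because the source IP address displayed on the peer end is the container IP address.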