Updated on 2023-12-21 GMT+08:00

Huawei Cloud Network Service Overview

Huawei Cloud provides various network services to help you build secure and scalable networks on the cloud, connect cloud and on-premises networks in a high-speed and reliable way, and connect your on-premises data center to the Internet.

Figure 1 Network services

Virtual Private Cloud (VPC)

A VPC is a logically isolated, configurable, and manageable virtual network for cloud servers, cloud containers, and cloud databases. It improves resource security and simplifies network deployment on the cloud.

Each VPC consists of a private CIDR block, route tables, and at least one subnet. When you create a VPC, you need to specify a CIDR block for the VPC and the system automatically generates a default route table for the VPC. All resources in a VPC must be deployed on subnets. The default route table ensures that all subnets in the VPC can communicate with each other.

Figure 2 VPC

VPC can work together with other network services for more flexible network connectivity.

  • Connecting to the Internet

    Resources in a VPC can communicate with the Internet through elastic IP addresses (EIPs). You can also use a NAT gateway to enable resources in a VPC to share an EIP.

  • Connecting a VPC and an on-premises network

    Direct Connect, Enterprise Switch, or VPN can be used to connect a VPC to an on-premises data center.

  • Connecting VPCs

    A VPC peering connection enables communication between two VPCs in the same region.

    Cloud Connect enables high-speed and stable communication between VPCs in different regions.

For details about VPC, see What Is Virtual Private Cloud?

Elastic IP (EIP)

The EIP service enables your cloud resources to communicate with the Internet using static public IP addresses and scalable bandwidths. EIPs can be bound to or unbound from ECSs, BMSs, virtual IP addresses, load balancers, and NAT gateways.

You can also purchase the following for your EIPs:

  • Shared bandwidth

    Shared bandwidth allows ECSs, BMSs, and load balancers that are bound with EIPs in the same region to share the same bandwidth.

  • Shared data package

    A shared data package provides a quota for data usage. Shared data packages take effect immediately after your purchase. If you have subscribed to pay-per-use EIPs billed by traffic in a region and buy a shared data package in the same region, the EIPs will use the shared data package. After the package quota is used up or the package expires, the EIPs will continue to be billed on a pay-per-use basis.

  • Bandwidth add-on package

    A bandwidth add-on package is used to temporarily increase the maximum bandwidth of a yearly/monthly EIP.

For details about EIP, see What Are EIPs?

NAT Gateway

Public NAT gateway

Public NAT gateways provide network address translation (NAT) with 20 Gbit/s of bandwidth for servers in a VPC, such as ECSs, Bare Metal Servers (BMSs), and Workspace desktops, or for servers that connect to a VPC through Direct Connect or VPN in on-premises data centers, allowing these servers to share EIPs to access the Internet or to provide services accessible from the Internet.

NAT gateways provide source NAT and destination NAT functions.

  • Source NAT (SNAT)

    SNAT translates private IP addresses into EIPs, allowing servers in a VPC to share an EIP to access the Internet in a secure and efficient way.

  • Destination NAT (DNAT)

    DNAT enables servers in a VPC to share an EIP to provide services accessible from the Internet through IP address mapping or port mapping.

Figure 3 Public NAT gateway
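To make the SNAT and DNAT behaviour above concrete, here is an added Python model of a public NAT gateway fronting one VPC with one EIP. It is example code written for this page, not Huawei Cloud code: the EIP (a TEST-NET-3 address), the private addresses, the port pool starting at 1024 and the `PublicNatGateway` class are all constructed for illustration. Outbound traffic is SNATed to the shared EIP with a per-session port; inbound traffic to the EIP is accepted only if it answers an existing SNAT session or matches a DNAT port-mapping rule, and is otherwise dropped, which is the security property that makes a shared EIP safe.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class PublicNatGateway:
    """Toy model of a public NAT gateway: one VPC, one shared EIP (added example)."""

    eip: str                                   # EIP shared by every server behind the gateway
    vpc_cidr: str                              # only sources inside this block are translated
    port_range: Tuple[int, int] = (1024, 65535)  # assumed SNAT port pool, not a product value
    dnat_rules: Dict[int, Endpoint] = field(default_factory=dict)  # EIP port -> private endpoint
    snat_table: Dict[Endpoint, int] = field(default_factory=dict)  # private endpoint -> EIP port
    _next_port: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self._next_port = self.port_range[0]

    def _in_vpc(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.vpc_cidr)

    def add_dnat_rule(self, eip_port: int, private_ip: str, private_port: int) -> None:
        """Port-mapping DNAT rule: EIP:eip_port is forwarded to private_ip:private_port."""
        if not self._in_vpc(private_ip):
            raise ValueError(f"{private_ip} is not in VPC {self.vpc_cidr}")
        if eip_port in self.dnat_rules:
            raise ValueError(f"EIP port {eip_port} is already mapped")
        self.dnat_rules[eip_port] = (private_ip, private_port)

    def snat(self, src_ip: str, src_port: int) -> Endpoint:
        """Outbound: rewrite a private source to the shared EIP plus an allocated port."""
        if not self._in_vpc(src_ip):
            raise ValueError(f"{src_ip} is not in VPC {self.vpc_cidr}")
        key = (src_ip, src_port)
        if key not in self.snat_table:
            # Skip ports reserved by DNAT rules so the two tables never collide.
            while self._next_port in self.dnat_rules:
                self._next_port += 1
            if self._next_port > self.port_range[1]:
                raise RuntimeError("SNAT port pool exhausted")
            self.snat_table[key] = self._next_port
            self._next_port += 1
        return (self.eip, self.snat_table[key])

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Inbound to the EIP: a reply to an SNAT session, else a DNAT rule, else dropped (None)."""
        if dst_ip != self.eip:
            return None
        for private, eip_port in self.snat_table.items():
            if eip_port == dst_port:
                return private
        return self.dnat_rules.get(dst_port)


def demo() -> dict:
    """Two servers share one EIP outbound; one web server is exposed by DNAT port mapping."""
    gw = PublicNatGateway(eip="203.0.113.10", vpc_cidr="192.168.0.0/16")  # constructed values
    gw.add_dnat_rule(443, "192.168.1.20", 8443)
    out_a = gw.snat("192.168.1.5", 40001)
    out_b = gw.snat("192.168.2.7", 40001)  # same source port, different host: still distinct
    return {
        "snat_a": out_a,
        "snat_b": out_b,
        "reply_to_a": gw.inbound("203.0.113.10", out_a[1]),  # return traffic finds its session
        "dnat_web": gw.inbound("203.0.113.10", 443),         # mapped to the private web server
        "unsolicited": gw.inbound("203.0.113.10", 22),       # no session, no rule: dropped
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `unsolicited` entry is the point worth noticing: an EIP on a NAT gateway exposes only the ports you map with DNAT rules, so every DNAT rule you add is deliberately widening the reachable surface of the VPC.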

Private NAT gateway

Private NAT gateways provide network address translation (NAT) for servers in a VPC, such as ECSs, BMSs, and Workspace desktops, and allow multiple servers to share a private IP address to access, or provide services accessible from, an on-premises data center or a remote VPC.

A private NAT gateway translates IP addresses between your VPC and your on-premises data center or another VPC, allowing you to keep legacy networks unchanged after migrating some of your workloads to the cloud.

Private NAT gateways support SNAT and DNAT.

  • SNAT allows multiple servers across AZs in a VPC to share the transit IP address to access an on-premises data center or a remote VPC.
  • DNAT enables servers that share the same transit IP address in a VPC to provide services accessible from an on-premises data center or a remote VPC through IP address or port mapping.

Figure 4 Private NAT gateway

For details, see What Is NAT Gateway?

Elastic Load Balance (ELB)

ELB automatically distributes incoming traffic across multiple backend servers based on configured listening rules. ELB expands the capacities of your applications and improves their availability by eliminating single points of failure (SPOFs).

Figure 5 ELB

For details, see What Is ELB?

Direct Connect

Direct Connect allows you to establish a dedicated network connection between your on-premises data center and a VPC. With Direct Connect, you can easily build a secure and reliable hybrid cloud.

Direct Connect establishes a dedicated connection, and your data will not be transferred over the Internet.

Figure 6 Direct Connect

You can connect your data center to the cloud using either type of connection:

  • Standard connection

    You have more than one connection terminated at different locations. These connections work as a backup for each other, improving the reliability of connections. If you can select only one carrier due to special requirements, you must configure different physical routes.

    A standard connection provides an exclusive port. You can create standard connections on the management console.

  • Hosted connection

    You request a connection from a partner who has a line terminated at the Direct Connect location near your on-premises data center.

    You share the port with others.

For details, see What Is Direct Connect?

VPN

VPN establishes a secure, encrypted communication tunnel between your data center and your VPC. With VPN, you can connect to a VPC and access the resources deployed there.

Different from Direct Connect, VPN establishes an encrypted tunnel that transfers data over the Internet.

Figure 7 Network topology

Enterprise Switch

Enterprise switches enable Layer 2 networking for VPCs, helping you build highly reliable, large-scale, high-performance connections between cloud and on-premises networks.

Currently, enterprise switches only support Layer 2 connection gateways (L2CGs). An L2CG is a virtual tunnel gateway that can work with Direct Connect or VPN to establish network communications between cloud and on-premises networks at Layer 2. The gateway allows you to migrate workloads in data centers or private clouds to the cloud without changing subnets and IP addresses.

An enterprise switch is a tunnel gateway of a VPC and corresponds to the tunnel gateway of your data center. It can work together with Direct Connect or VPN to enable communications between a VPC and your data center at Layer 2. Figure 8 shows the networking diagram. You need to connect a VPC subnet to the enterprise switch and specify the enterprise switch to establish a connection with the tunnel gateway of your on-premises data center so that the VPC subnet can communicate with the data center subnet at Layer 2.

Figure 8 Layer 2 networking

Cloud Connect

Cloud Connect allows you to quickly build high-quality networks that can connect VPCs across regions and work with Direct Connect to connect VPCs and on-premises data centers. With Cloud Connect, you can build a globally connected cloud network with enterprise-class scalability and communications capabilities.

Figure 9 Network topology

VPC Endpoint (VPCEP)

The VPCEP service provides secure and private channels to connect your VPC to VPC endpoint services (cloud services or your private services) without having to use EIPs.

VPCEP applies to the following scenarios:

  • Access to your private services in a VPC through a VPC endpoint service

    You can create a VPC endpoint service to allow your services provided by ELB, ECS, and BMS in a VPC to be accessible.

    A service consumer uses a VPC endpoint to access the endpoint service.

  • Access to cloud services from a VPC through a VPC endpoint

    You can create a VPC endpoint to access the VPC endpoint services.

  • Access to cloud services from an on-premises data center through a VPC endpoint and VPN or Direct Connect

    VPN or Direct Connect can work together with a VPC endpoint to allow access to cloud services, such as OBS, DNS, and SWR, from an on-premises data center.

Figure 10 VPC endpoint

VPC Peering

By default, VPCs cannot communicate with each other. A VPC peering connection enables two VPCs in the same region to communicate with each other using private IP addresses as if they were in the same VPC. You can create a VPC peering connection between your own VPCs, or between your VPC and a VPC of another account within the same region. A VPC peering connection between VPCs in different regions will not take effect.

For details, see VPC Peering Connection Overview and VPC Peering Connection Configuration Plans.
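The VPC section earlier on this page states the structural rules (a private CIDR block, at least one subnet, a default route table that lets all subnets talk to each other) and the section above states the peering rule (same region only). The following Python is an added example that checks those rules before anything is created; it is not Huawei Cloud code or API, and the `Vpc` class, the `peering_problems` and `peering_routes` functions, the sample CIDR blocks and the region names are constructed for illustration. One check goes beyond the page text: it also rejects peering between VPCs whose CIDR blocks overlap, which is an assumed constraint (overlapping private ranges cannot be routed unambiguously), and it is labelled as such in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # (destination CIDR, next hop)


@dataclass
class Vpc:
    """Minimal VPC model for pre-creation checks (added example, not a Huawei Cloud type)."""

    name: str
    region: str
    cidr: str
    subnets: List[str] = field(default_factory=list)

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the layout is consistent."""
        problems: List[str] = []
        try:
            net = ipaddress.ip_network(self.cidr, strict=True)
        except ValueError as exc:
            return [f"invalid VPC CIDR {self.cidr}: {exc}"]
        if not net.is_private:
            problems.append(f"{self.cidr} is not a private CIDR block")
        if not self.subnets:
            problems.append("a VPC needs at least one subnet")
        seen: List[ipaddress.IPv4Network] = []
        for s in self.subnets:
            try:
                sn = ipaddress.ip_network(s, strict=True)
            except ValueError as exc:
                problems.append(f"invalid subnet {s}: {exc}")
                continue
            if not sn.subnet_of(net):
                problems.append(f"subnet {s} lies outside VPC CIDR {self.cidr}")
            for other in seen:
                if sn.overlaps(other):
                    problems.append(f"subnets {s} and {other} overlap")
            seen.append(sn)
        return problems

    def default_route_table(self) -> List[Route]:
        """The system-generated table: one local route covering the whole VPC CIDR,
        which is what lets every subnet in the VPC reach every other subnet."""
        return [(self.cidr, "local")]


def peering_problems(a: Vpc, b: Vpc) -> List[str]:
    """Reasons a peering connection between a and b would not work."""
    problems: List[str] = []
    if a.region != b.region:
        problems.append(
            f"{a.name} ({a.region}) and {b.name} ({b.region}) are in different regions; "
            "VPC peering only works within one region"
        )
    # Assumed constraint (not stated on this page): overlapping CIDRs cannot be peered,
    # because a route to the peer would be ambiguous with the local route.
    if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
        problems.append(f"CIDR blocks {a.cidr} and {b.cidr} overlap")
    return problems


def peering_routes(a: Vpc, b: Vpc) -> Dict[str, List[Route]]:
    """Route tables after peering: each side gains a route to the other's CIDR via the
    peering connection, alongside its local route (illustrative next-hop naming)."""
    if peering_problems(a, b):
        raise ValueError("cannot peer: " + "; ".join(peering_problems(a, b)))
    hop = f"peering:{a.name}-{b.name}"
    return {
        a.name: a.default_route_table() + [(b.cidr, hop)],
        b.name: b.default_route_table() + [(a.cidr, hop)],
    }


def demo() -> dict:
    """Constructed sample VPCs exercising each rule."""
    vpc_app = Vpc("vpc-app", "cn-north-4", "10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"])
    vpc_db = Vpc("vpc-db", "cn-north-4", "10.1.0.0/16", ["10.1.1.0/24"])
    vpc_dr = Vpc("vpc-dr", "cn-south-1", "10.2.0.0/16", ["10.2.1.0/24"])
    vpc_bad = Vpc("vpc-bad", "cn-north-4", "10.3.0.0/16",
                  ["10.3.1.0/24", "10.3.1.0/25", "10.9.0.0/24"])  # overlap + out-of-range
    return {
        "app_problems": vpc_app.validate(),
        "bad_problems": vpc_bad.validate(),
        "peer_same_region": peering_problems(vpc_app, vpc_db),
        "peer_cross_region": peering_problems(vpc_app, vpc_dr),
        "routes_after_peering": peering_routes(vpc_app, vpc_db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the checks first is cheap, and it catches the two mistakes that otherwise surface only as "traffic silently does not arrive": a subnet outside the VPC CIDR, and a peering connection whose routes never take effect because the VPCs are in different regions.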

Figure 11 VPC peering connection network diagram

For details about the differences between VPC peering connections and VPC endpoints, see What Are the Differences Between VPC Endpoints and VPC Peering Connections?