Welcome to the Alibaba Cloud webinar series. My name is Nadine Abbas Ali and I will be your host for this webinar. In this particular webinar we are going to go over some basic concepts related to Alibaba Cloud networking. Networking forms the fundamental fabric of communication for all services in the IT world, and the cloud is no exception; hence we at Alibaba Cloud decided to run you guys through some of the fundamentals of cloud networking. This will help you better design your networks in the Alibaba Cloud environment. This webinar is for anyone who's aiming to work with Alibaba Cloud. I will assume that you have some basic knowledge of networking; even if you don't, it's alright, however there might be a few sections where you might feel a little lost. If you have any questions you can submit them at any time by clicking the question mark on the screen, and I will be happy to answer them towards the end of the session.

So without further ado, let us begin. To begin with, we are going to talk about why we create computer networks in the first place. Then we will look at the basic elements of a computer network and how they map to cloud networking. You will explore some basic networking components of the Alibaba Cloud network and do a brief demo session on these. Then we will look at some additional components and do a couple of sessions on these components as well. Towards the end we will talk briefly about some additional exploration areas in the Alibaba Cloud networking world, for you to explore further and for us to cover in upcoming webinars. At the very end there will be a question and answer session, and I will be more than happy to answer any questions that you might have.

So let's look at why we network. The reasons behind computer networking are very simple: we network fundamentally to connect people across the world with each other, for example using services like Skype and instant messaging, or to connect people to services such as email, online banking, taxi services such as Uber, and so on and so forth. And towards the end we will see that sometimes we use networking to connect services to other services. What I mean by that is, let's say you have a web server that's trying to access a database server; so that's a service trying to connect to a service, or your computer trying to access DHCP or DNS services on the network. When you look at any end user service, usually it will be a combination of two or more of these scenarios.

Now let's look at the elements of a basic computer network. At the core of a basic computer network is a router. The basic function of the router is to direct traffic between different networks, be it traffic coming in and going out of the internet or traffic that is flowing between different internal segments. For simplicity's sake, let's assume that a network segment is represented by a subnet, so when we are trying to make subnets talk to each other the traffic needs to go through the router. The next layer is our switches; each switch is responsible for moving traffic between servers within the same network segment. If, however, a server in one network segment needs to talk to a server in another network segment, such traffic needs to go through the router. The router has the particular locations for each of the switches and their respective subnets and is able to route traffic to the correct switch and then eventually to the correct server intended. Going further, we see, as we discussed, that we have our servers connected to the switches, and these are primarily used to host certain services or applications. As we discussed earlier, the internet is usually connected to our basic network via the core router in the network. Of course there are firewalls in place that can be used to decide what kind of traffic flows between internal network segments and between the internet and your basic network. There are a number of other networking services and other networking devices that can be discussed, but that's beyond the scope of this webinar, and I think the amount of knowledge that we have discussed today would suffice for what we want to describe within the cloud networking world. So when we
get into the Alibaba Cloud network, the first element that we need to discuss is called a Virtual Private Cloud. When you launch services in Alibaba Cloud you land up in what we call a VPC, or Virtual Private Cloud. Basically, a VPC is a logical isolation; it can represent a company, a department, a division, or whatever logical separation your organization wants to set up. You can launch a large number of cloud services inside the VPC. Some of these services, like VPN and servers, have the capability to communicate to the outside world using public IPs, and we will discuss this in detail shortly. Each user can create multiple VPCs; however, note that they are isolated, and elements inside one VPC cannot talk to elements inside another VPC using private networks. You can use VPN and dedicated connections to connect two VPCs in the same or different regions, or a customer environment to Alibaba Cloud.

Basically, when you launch a VPC-based service in Alibaba Cloud with the default VPC, you get a router and a switch. Note that you can have only one router in any VPC; however, you can have multiple switches. Each switch represents a particular subnet within the VPC. So let's say, in the example shown, the network block that we selected for our VPC was 172.16.0.0/16. Now this block can be further subdivided into subnets. In our example we have two switches and each represents a different subnet. If you look at the diagram there are two subnets that are visible, 172.16.5.0/24 and 172.16.1.0/24; they are both within the /16 block provided by the VPC. If you're feeling a little lost with how these segments are created and wonder what the /16 means and what the /24 means, then I would suggest googling the topic of subnetting.

In Alibaba Cloud, when you launch cloud instances they are known as Elastic Compute Service instances, or ECS instances for short. As can be seen, when you launch an ECS it gets attached to a switch within the VPC. Depending on which switch it gets attached to, the instance will get a private IP from the respective subnet. In our example we have two switches, and if you look at the top switch its subnet is 172.16.5.0/24, and the ECS instance that is connected has taken an IP from the 172.16.5 subnet. If, let's say, two instances in the same subnet need to communicate, then the traffic is routed through the switch; however, if the instance needs to communicate to an instance on another switch, then this traffic needs to go through the router. The router maintains a routing table which contains information for all subnets and for the respective switches. These are maintained automatically, and manual routes can be added to the router; this is a topic that we will touch upon later.

So now let's quickly touch the topic of internet-based services. Let's say you wanted to offer a service on your ECS instance to the world at large via the internet. Now remember that we discussed that even though the VPC is a logically isolated environment, elements launched inside of a VPC can communicate with the outside world, and that's where public or elastic IPs come in. Now, a public IP in the Alibaba Cloud world is a NATted IP that is mapped to the private IP of your ECS instance. Now what does this mean? This means that if someone on the internet accessed, let's say, 47.23.55.63, which we have assumed as the public IP for our instance and is shown in orange in the diagram, then the traffic would be directed to Alibaba Cloud, and within Alibaba Cloud to the ECS instance with the IP 172.16.5.20. So if you were to launch a website on this ECS instance, then this would be accessible from the outside world. There is also another kind of public IP in Alibaba Cloud called Elastic IP. It has all the properties of a public IP with the added advantage that it can be moved from one ECS instance to the other. The public IP that we talked about earlier is fixed to the ECS instance and cannot be detached from it. So let's say you had a public IP on an ECS instance; if you decommission that instance the IP would disappear. However, if you had an Elastic IP you could detach it from the instance and attach it to a new instance.

An important part of the Alibaba Cloud network is called security groups. So what do security groups do? These can be used to define allow and deny rules for communications with our cloud instances in Alibaba Cloud. The default security group in Alibaba Cloud allows ICMP, SSH and RDP access to ECS instances; all other incoming access is blocked. All outgoing access is open by default on all ports. If you have ECS instances that share the same security requirements, you can bundle them together in a single security group. Let's say, for example, you had a few web servers where you wanted to open port 80 and port 443, depending on if it's HTTP or HTTPS. So you could set up a security group with incoming traffic allowed on these ports and then apply this to your group of ECS instances. Security groups can also be used to create logical security domains. So let's say you wanted to block all ICMP traffic on your database servers. What you would do is create a new security group, create a rule to deny ICMP traffic, and then add all your database servers to the security group, so any ICMP traffic that is directed towards these servers will be blocked by this particular security group. There's one more thing that you need to understand about security groups and how they affect public and private IPs alike. What you have to understand about public IPs in Alibaba Cloud is that they're nothing but NATted IPs to the private interfaces; hence, in this example where we allowed port 80 on a
set of web servers, this port would also be accessible from the internet or the outside world, so to speak.

All right, so now let's look at our first demonstration. Okay, for the first demo we are going to go through the steps of creating a VPC, creating a couple of switches and assigning a couple of machines to these switches, looking at the security group rules and how they are created, and then seeing how security group rules can impact traffic across instances within these switches. All right, so the first step is to create the VPC. What you see in front of you is the Alibaba Cloud console. We'll go to Virtual Private Cloud; here we will go to the VPC section, and let's say we are going to select Singapore as our region; or rather, let's say we are going to select US West (Silicon Valley) as our selected region. Now do note that there is an existing VPC there; this is created by default for every single region that we have in Alibaba Cloud, but for completion's sake we need to create one of our own. So let's create a new VPC. We will call it "webinar VPC one", we will use the same for the description, and we will use the CIDR block 192.168.0.0/16. So this is the block which will be further distributed into subnets when we create switches. Now, the moment you press "create VPC" it says your VPC has been created, and do you want to take the next steps? So there it asks you to create a VSwitch. Now we will call this one "webinar VSwitch one". Select zone: since we are in a region with multiple zones we have to select which zone this switch resides in, so we will select zone A. And we will give it 192.168.1.0/24. As we discussed earlier, if subnets are confusing to you, just go over the topic of subnetting on your favorite networking website or just google subnetting, and it should be very simple to understand. We leave the description blank. As you see, the block that we have selected is going to allow us 252 IPs within this particular network. So we create the VSwitch, and there we go.

All right, so let's look at the webinar VPC that we just created. If you go inside this, what you see is the details of the CIDR block, and you see the VSwitch that we just created. One more thing you've got to notice is the routers; notice that a router has automatically been added. As we discussed earlier, there can only be one router for every VPC and you cannot add more; however, you can add multiple switches. As you can see, our routes have been automatically added for the switches that are defined. All right, now what we're going to do is create another VSwitch. We will call this "VSwitch two"; again we will put it in zone A, and we select 192.168.5.0/24 as the subnet, just to be different, and we say OK. So as you can see we've got two VSwitches, one is on subnet 192.168.1.0 and the other one is 192.168.5.0. Now what we will do is quickly launch a couple of instances in these VSwitches and see how different subnets impact the instances that are launched. So what we'll do is create an ECS instance. This takes us to a new window. You select pay-as-you-go, and we will select Silicon Valley zone A; remember that this is the region we have created the switches in. We'll select a small Linux machine for this. You select our webinar VPC, and for this one we'll select webinar VSwitch one. Security group: there is always a default security group that we'll select, and then we will go through the security group later. Now, as you can see, the security group is allowing ICMP, port 22 and port 3389, and it's asking us if we want to open 80 and 443; for the sake of understanding we'll open these ports as well. We will select a simple Ubuntu machine, we'll leave the default storage, we set the password so that we can log in to it quickly (however, in a production environment I would suggest that you use SSH keys instead of passwords), and we say "buy now". All right, activate, there we go. So on the console you can see our instance should be launching. We go over to the instances and we can see our instance being launched.

So now, while this is being launched, let's launch another instance. This time we'll connect it to the second switch. So we'll select pay-as-you-go again, we will go to Silicon Valley, select zone A, a small machine, webinar VPC, but this time VSwitch two. For the security group you select the same security group as before. Then we will select an Ubuntu machine, default storage, set the password just for ease of use. Now we'll go to the console and we'll start playing around with the machines. All right, so let's look at instances. Okay, so we've got two instances that have been launched in US West, which is Silicon Valley, zone A. So let's try to connect to these instances. Okay, so you will notice that an internet IP, or a public IP, has been assigned to this instance by default. Now let's try to SSH into this instance and see if it's going to allow us to do so. So I'm going to go here and say SSH; sure enough it does allow us to SSH, put in our password, all right. So now, something that I want you to notice: first of all let's look at the IP that is assigned, the private IP that is assigned to this instance. This is 192.168.1.190, and if you look at the second instance it's on the 5 subnet, 192.168.5.0/24. This is only because both of them are sitting on two different VSwitches. Now let's look at ifconfig, and sure enough you can see the IP that we were talking about, 192.168.1.190. Now let's try to ping our instance on the other subnet and see if we can. So we ping it, and sure enough we can. Now remember that this is only possible because we have a router in between which has the routes for the particular switches.

All right, so there are two things that I would like to show you across these machines. The first thing that I would like to go through would be the security groups. So we select one of these security groups, this one, because it's got two instances. Let's look at the rules. All right, so since we were able to SSH we should have allowed port 22 incoming traffic, which is indeed allowed here. Also we are able to ping across them, which means ICMP must be allowed, which is also allowed. Now let's say I were to delete the ICMP rule. It's gone. Okay, so now what I'm going to do is try and ping one of these instances from outside, which means from the internet, and see if I'm still able to ping them. So I will take one of the public IPs, let's take this one, and this is outside. As you can see, I am unable to ping this thing. All right, so now let's go back to the security group, go to configure rules, and we add the ICMP rule back. So let's see, all right, we've allowed ICMP traffic from all networks, and we say OK and that's done. And now if you go here and try to ping the same machine, we should be able to ping it. So that tells you how security groups allow us to protect our machines by opening and closing ports and exposing services to the outside world. All right, so that's it; now let's get back to the webinar. All right, so that's it for this demo, let's get back to the slides.

The next component that we are going to discuss is the Server Load Balancer, or SLB for short. Honestly, SLB is a very detailed service and it warrants a webinar on its own; however, since this is an introductory session I will go over some prominent details of the service. If you get a good response
on this, maybe we can do a detailed webinar just for SLB in the future. So there are two kinds of SLB in Alibaba Cloud, namely one for TCP traffic and one for HTTP or HTTPS traffic. In addition to standard load balancing capabilities, TCP and HTTP SLBs can defend against DDoS attacks, enhancing the protection capability of application servers. The SLB can be launched in two modes, namely internet and intranet. What this means is you can have a load balancer that is internet-facing and accessible from the outside world, or you could have load balancers between different layers of your servers; let's say you could have a load balancer for your database layer that your web server layer can connect to. Now this would be an intranet-based SLB and would be free of cost; the internet-facing SLB, however, is a charged service. You can put your ECS instances behind SLBs to avoid single-point-of-failure situations, and with the help of SLB you can do load balancing, health monitoring and auto scaling.

All right, now let's look at some features of the Server Load Balancer. Alibaba Cloud provides both layer 4 (which is TCP and UDP) and layer 7 (HTTP and HTTPS) load balancing services. This allows customers to load balance the traffic easily across different ECS instances. Load balancers also maintain a health check on back-end servers. There are multiple levels of health checks that are performed, including cluster level statuses, TCP connections, UDP connections and HTTP requests. Now, this really depends on what kind of load balancer you set up, and the health check will vary accordingly. There are certain parameters of the health check that can be tweaked in order to cater for your needs. If a back-end server becomes unhealthy, the SLB stops distributing application requests to the server and it is removed from the back-end servers until the issue is resolved. So this is how the health check functionality of SLB ensures that you are always being served by a healthy set of back-end servers. One more feature supported by Server Load Balancer is session persistence. You can set listening rules to forward session requests from one client to the same back-end ECS instance during the session life cycle. What this essentially means is that in case you wanted to maintain sessions for an application on your ECS servers, and wanted the client to be served by the same ECS while the session was active, then the SLB can take care of this as well.

Server Load Balancer supports a number of distribution algorithms. Now, distribution algorithms are basically algorithms that are used to decide where a particular packet would go to within the SLB cluster. So the simplest one to begin with is called round-robin. As the name suggests, the round-robin algorithm distributes requests to servers in sequence and then circles back to the first one. So let's say you had three ECS instances in a load balancing cluster: the first request would go to the first one, the second request to the second one, the third request to the third one, and then the fourth request would go back to the first ECS instance. The second algorithm is weighted round-robin, WRR for short, where in addition to the sequential distribution you can assign weights to the back-end servers, so the highly weighted servers will receive more requests and the lowly weighted servers will get fewer requests in a loop cycle. Now let me try to explain this. Let's say you have two ECS instances behind a load balancer; one ECS instance has weight 100 and the other ECS instance has a weight of 50. So let's look at how the requests will be distributed: the first request will go to the first ECS instance, which is marked as 100; the second request will also go to the ECS instance marked as 100; the third request would go to the second ECS instance, which is marked with a weight of 50; and then this loop would go back to ECS one. The last one is called weighted least connections, which follows the same concept of weights, but it does not do a round-robin while considering weights; it looks at the server which has the least number of connections and then distributes the requests to this particular server.

For layer 7, HTTP and HTTPS protocols, Server Load Balancer forwards traffic to different VServer groups, which are nothing but different groups of back-end servers. Well, let me try to explain this a little bit. So let's say you had a Server Load Balancer in front of a set of ECS servers and you wanted to use the same load balancer to, let's say, load balance two different applications. Now these two different applications, let's assume, are running on two different groups of ECS servers. So what you would do is create what we call VServer groups for each of these ECS server groups, and then you would create rules to redirect traffic based on the domain name of the application. So any traffic directed to, let's say, the domain for application A would be directed to VServer group one, and any traffic that is directed towards application B would be sent to VServer group two. Now the SLB can also be launched in a high availability setup. So let's say if you are in a multi-zone environment in Alibaba Cloud, then you could launch your SLB in an HA environment. Please note that in Alibaba Cloud terms a zone is representing an independent data center. So let's say you launched an application in a multi-zone environment, as shown in this slide; your primary SLB sits in one zone and is able to serve back-end application servers from both zones. Now if for any reason your first zone becomes unavailable, then the SLB in the backup zone will take over and your service to your customers will continue to function as before. This allows for zone-level resilience for your applications.

Now let's look at a quick demo for Server Load Balancer. In the interest of time, what I have done is I have already pre-created a load balancer and I've connected it to two ECS instances. Now these ECS instances are both running a web server; I modified the default HTML file for each of these web servers so that we can differentiate between the two. All right, so the idea of this session is to just run you through a few options that you have available in the Server Load Balancer and to make you see it in action. All right, so let's go through the details. So on the console, if you go through the Server Load Balancer, this is the one that I've created in US West. It is an internet-facing load balancer since it has a public IP. So let's dig deeper into this. So in the load balancer, the first and foremost thing that you need to understand is the concept of listeners. What listeners do is they allow the load balancer to listen on a particular port, right, and then redirect this traffic to the same or a different port on its back-end servers. So we already have a listener defined; let's look at a few things and try to recall what we went through during the slides. So let's look at a few options. As you can see, this listener listens on port 80 and then it sends traffic to the back-end servers on port 80 as well. Our scheduling algorithm: I told you there were three of them; we've selected weighted round-robin. And this is the VServer group option which we discussed we would use in case we were using one load balancer to load balance more than one application. These are a few other options; remember we talked about session persistence, which is available here, and a few other compression options and HTTP header options are available. Next, we've talked about health checks and how SLB is able to maintain a health check on multiple levels, and these are the different options that you can set for health check interval and thresholds. For now we will disable the health check for demo purposes; we just leave it here. Okay, now the next thing you need to look at is back-end servers. We've added two servers to the back end. Let's change this to 100, confirm; I'm just making sure they are all weighted equally. So they're both weighted equally, and you have two servers at the back end.

Now let's look at this load balancer in action. So let's get the public IP of the load balancer and let's try to access it from the internet. So as you can see it is saying "welcome to index 2". It's a standard nginx image; I have just made a small change so it says 2 here. Now if you start refreshing this, you see this changes to 1. So this is the small change I've made so we can differentiate which ECS server is responding to the request from the SLB. So now if you keep refreshing this, it keeps going from 1 to 2 to 1 to 2. Now this is because inside our listener our forwarding rule is weighted round-robin, and if you go to the back-end servers the weight is defined as being equal. Now let's try to mess around with the weights a little bit. So let's say I make the weight 50 for one of them; let's change this to 50. All right, so now, according to what we discussed, since this is 100 and this one's 50, when I start throwing requests at the SLB, two requests should be published, sorry, answered by this particular server, and then one should be forwarded here. So two here, one here, then two here, then one here. Let's try to test this theory. All right, so let's try to first access this, and we are at 1; I refresh one more time, it goes to 2, then 1, then 1 again, then 2, 1, 1 and 2. All right, so if you keep going, what you would realize is that two requests are going to server 1 and then one request is going to server 2, because server 2 is set to weight 50 and this is set to 100. So you could use the weights to decide how you want to distribute the particular load for a load balancer. I mean, this is a very quick overview of how load balancers work. As I said during the presentation of the slides, the Server Load Balancer is a huge topic and it deserves a webinar of its own; maybe in the future we can go through a detailed demo of how to configure a load balancer and how to look at all the various options that are available, but I think that will be too much for the introductory session. So this is it for this demo; now let's get back to the slides.
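The following is an added illustration for readers of this transcript; it is not part of the webinar and is not Alibaba Cloud's SLB code. It simulates the three distribution algorithms described on the slides and exercised in the demo (round-robin, weighted round-robin with the 100/50 weights, and weighted least connections), and it also models the health-check behaviour of taking an unhealthy back end out of rotation. The server names, the weights, and the rule used for weighted least connections ("fewest open connections per unit of weight", a common definition) are assumptions of this example.

```python
"""Toy scheduler simulating the SLB distribution algorithms named in the webinar.

Constructed example: server names, weights and the "connections per unit of
weight" rule for weighted least connections are assumptions, not Alibaba
Cloud's implementation.
"""
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction
from functools import reduce
from itertools import cycle
from math import gcd
from typing import Dict, List


@dataclass
class Backend:
    name: str
    weight: int = 100
    healthy: bool = True          # set to False when the health check fails
    active_connections: int = 0   # tracked only by weighted least connections


def healthy_pool(backends: List[Backend]) -> List[Backend]:
    """The health check removes unhealthy servers from rotation; a weight of
    zero also takes a server out of rotation (assumed behaviour)."""
    pool = [b for b in backends if b.healthy and b.weight > 0]
    if not pool:
        raise RuntimeError("no healthy back-end servers to forward to")
    return pool


def round_robin(backends: List[Backend], n_requests: int) -> List[str]:
    """Plain round-robin: server 1, 2, 3, then back to server 1."""
    it = cycle(healthy_pool(backends))
    return [next(it).name for _ in range(n_requests)]


def weighted_round_robin(backends: List[Backend], n_requests: int) -> List[str]:
    """Weighted round-robin as explained on the slides: in one loop cycle a
    server of weight 100 answers two requests for every one answered by a
    server of weight 50.  Dividing the weights by their GCD turns 100/50 into
    the cycle ecs-1, ecs-1, ecs-2."""
    pool = healthy_pool(backends)
    g = reduce(gcd, (b.weight for b in pool))
    one_cycle = [b.name for b in pool for _ in range(b.weight // g)]
    it = cycle(one_cycle)
    return [next(it) for _ in range(n_requests)]


def weighted_least_connections(backends: List[Backend], n_requests: int) -> List[str]:
    """Weighted least connections: each request goes to the healthy server
    with the fewest open connections per unit of weight (ties broken by name);
    the request is then counted as an open connection on that server, so the
    choice shifts as load builds up.  Fraction avoids float rounding in ties."""
    chosen = []
    for _ in range(n_requests):
        target = min(
            healthy_pool(backends),
            key=lambda b: (Fraction(b.active_connections, b.weight), b.name),
        )
        target.active_connections += 1
        chosen.append(target.name)
    return chosen


def distribution(choices: List[str]) -> Dict[str, int]:
    """How many requests each server answered, like counting the page
    refreshes in the demo."""
    return dict(Counter(choices))


if __name__ == "__main__":
    web = [Backend("ecs-1", weight=100), Backend("ecs-2", weight=50)]
    seq = weighted_round_robin(web, 9)
    print("WRR:", seq, distribution(seq))          # 2:1 in favour of ecs-1
    print("WLC:", weighted_least_connections(web, 9))
    web[0].healthy = False                          # health check fails on ecs-1
    print("RR after health check:", round_robin(web, 3))
```

Running the file prints the same 2:1 pattern the demo produced by refreshing the page after setting the weights to 100 and 50; flipping `healthy` on a back end shows how the health check keeps requests away from a failed server without any change to the listener.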
Now let's look at the last item on the list, which is VPN Gateway. As we discussed earlier, Alibaba Cloud VPC is an isolated environment. Of the many ways to establish communications with the outside world, one of the most commonly used ways is to leverage a VPN gateway. You can use a VPN gateway in a number of scenarios; let's look at a few of them. Let's say you wanted to connect a VPC to another VPC in the same region; yes, do remember VPCs are completely isolated even when they reside in the same region. Or let's say you want to connect a VPC to another VPC in a different region. The third scenario talks about connecting your VPC to a customer data center; let's say you have some on-premise servers that need to connect into the public cloud, or let's say for a hybrid cloud model. Or, last but not least, connecting the VPC to another public cloud.

In order to understand the VPN gateway well, let's look at an example with two VPCs and how you would go about connecting them using a VPN gateway. Now in this example I've used two VPCs, but effectively the same steps could be used to connect any two sites as long as one end is in Alibaba Cloud. So in order to form a connection between the two VPCs so that the instances in one VPC can talk to instances in the other VPC over private IP (so the idea is that the ECS instances in the two VPCs can talk to each other without you having to assign public IPs to these instances, and the communication should be private and secure), for this we will follow a five-step process. First, we configure a VPN gateway in VPC one; now this can be done with the Alibaba Cloud VPN Gateway, which is a service provided by Alibaba Cloud, or you could use any VPN gateway from the Alibaba Cloud marketplace. Now we do the same configuration on a new VPN gateway in VPC two. You have to note that when configuring the VPN there are a number of settings that you need to take care of. Normally, when you're connecting two sites you would use an IPsec VPN. Now when you configure the VPN on both sides, ensure that the security settings on both sides match, otherwise you will not be able to establish a successful connection. Next, what do you do? You make the connection and ensure that the tunnel is up. Once this is done, you ensure that the traffic for the respective private network is allowed via the tunnel; what this means is that for certain VPN gateway configurations you might have to explicitly allow traffic for certain subnets on both sides. And finally, what do you do? You have to add routes to the router to ensure that the VPN traffic is routed through the VPN gateway. There are a few things that I would like to note: the above steps might not be in the same order depending on which VPN gateway you're using. For example, the configuration to allow traffic on the tunnels, which is step 4 as far as we are concerned, can sometimes be part of the VPN gateway configuration, which is step 2. And remember, this is just an example; you would more or less use the same steps to create any VPN tunnel across any two environments. The specifics will differ; however, the general gist remains the same.

All right, so on this slide I've put down a list of some services that we can further explore in the future. The first one is the Cloud DNS service, which is a service that you can use for domain name resolution services. The second is called CDN, or Content Delivery Network; now this allows customers to accelerate their services globally using a combination of caching and acceleration methodologies. The third one is WAF, which is Web Application Firewall, that can help customers protect their web applications
against malicious attacks. Express Connect is also an Alibaba Cloud service, and it is a convenient and efficient way that allows fast, stable, secure and private or dedicated network communication between different cloud environments, including VPC intranet communications and dedicated leased line connections across regions and users (whoa, that was long). And finally Anti-DDoS, which allows customers to protect their services against globally distributed denial of service attacks. You can find all the information for these services on the documentation portal on the Alibaba Cloud website; also we might be able to cover some of them in webinars in the future.

So folks, that's it from me for the day. Let me see if there are any questions that have been raised, and I will try my best to answer them to the best of my knowledge. Okay folks, so it looks like we have a couple of questions today. So the first question that came in was: does the public IP change if you power off an instance? The quick answer is no, it does not. If you power off an instance and then power it back on, the public IP remains the same. If, however, you release the instance, then you will lose the public IP along with the instance. The second question I received was from Arnold, and he asked when will we be able to download this webinar for future reference. The answer is yes, the webinar will be made available on the Alibaba Cloud website within 24 hours of this session; you can view it at any time for future reference, however you will not be able to download it. A third question has come in, asking if we can leverage Alibaba Cloud networking when it comes to integrating with multi-cloud systems; let's say, the specific question is with regards to if a customer has machines deployed on another cloud. So the answer is yes; when it comes to Alibaba Cloud you can connect to your Alibaba Cloud VPC using several technologies that we discussed today. A couple of them to mention would be VPN, Express Connect, and also you could do a dedicated leased line into the Alibaba Cloud data center. All right, so I just received one more question; somebody's asking if we will put this up on YouTube as well. Yes, I just confirmed this, and we will put it on YouTube as well. So let me just confirm if there are any more questions or not before I conclude today's session. Somebody sent a comment saying thank you for the session, it was very informative; thank you very much for tuning in, really appreciate it. All right, so we've received a question on installing VMware, whether you need to install VMware for installing network equipment. No, everything that runs in Alibaba Cloud runs on what we call the Apsara stack, and there's no need to install any VMware networking equipment in this case. There is also a question on config, how do we go about configuring VPCs. If you were to go back to the recording of this session, you would realize that in the beginning, in the first demo, we did configure one VPC; so all you would do is select a couple of regions and use the first demonstration to deploy a couple of VPCs. The configuration steps for VPN are something that is a little more elaborate for me to verbally explain; however, what I can do is check with the team to see if this can be published as part of the YouTube video or the questions and answers on the website. Okay, I think that's it for today. Thank you to everyone who joined us. As I said before, a recording of this session will be available on the Alibaba Cloud website for anyone who wants to refer to it in the future. Once again, thank you, and have a very nice day ahead.