Huawei Cloud Architecture Setup

Complete guide for setting up the SBM CRM Platform infrastructure on Huawei Cloud.

Huawei Cloud Services Overview

Core Services Used

  • ECS (Elastic Cloud Server) - Virtual machines
  • RDS (Relational Database Service) - Managed PostgreSQL
  • DCS (Distributed Cache Service) - Managed Redis
  • ELB (Elastic Load Balancer) - Load balancing
  • VPC (Virtual Private Cloud) - Network isolation
  • SWR (Software Repository for Containers) - Container registry
  • OBS (Object Storage Service) - Object storage
  • Cloud Eye - Monitoring service

Step-by-Step Setup

1. Create VPC and Subnets

Create VPC

  1. Log in to Huawei Cloud Console
  2. Navigate to VPC → Virtual Private Cloud
  3. Click Create VPC
  4. Configure:
    • Name: sbmcrm-vpc
    • CIDR: 10.0.0.0/16
    • Region: ap-southeast-1

Create Subnets

Public Subnet A:

  • Name: sbmcrm-public-subnet-a
  • CIDR: 10.0.1.0/24
  • AZ: ap-southeast-1a
  • Gateway: Enable

Public Subnet B:

  • Name: sbmcrm-public-subnet-b
  • CIDR: 10.0.2.0/24
  • AZ: ap-southeast-1b
  • Gateway: Enable

Private Subnet A:

  • Name: sbmcrm-private-subnet-a
  • CIDR: 10.0.10.0/24
  • AZ: ap-southeast-1a

Private Subnet B:

  • Name: sbmcrm-private-subnet-b
  • CIDR: 10.0.11.0/24
  • AZ: ap-southeast-1b

2. Create Security Groups

Application Security Group

# Create security group
Name: sbmcrm-app-sg
Description: Security group for application servers

# Inbound Rules
- Port 80: Allow from ELB security group
- Port 443: Allow from ELB security group
- Port 22: Allow from management IPs (your office IP)
- Port 3000: Allow from same security group (internal)

# Outbound Rules
- All traffic: Allow

Database Security Group

# Create security group
Name: sbmcrm-db-sg
Description: Security group for database

# Inbound Rules
- Port 5432: Allow from application security group only

# Outbound Rules
- None (database doesn't need outbound access)

Cache Security Group

# Create security group
Name: sbmcrm-cache-sg
Description: Security group for Redis cache

# Inbound Rules
- Port 6379: Allow from application security group only

# Outbound Rules
- None
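The three security groups above form a tiered allow-list: only the ELB reaches the application tier, only the application tier reaches the database and cache, and the back-end tiers have no egress. The following is an added example, not part of the original guide, that models those rules as plain dicts and audits them for drift; the rule shape and the name `sg:elb` for the ELB's own security group are assumptions, and the office IP is constructed.

```python
# Added example (not from the original guide): audit the sbmcrm security
# groups for least-privilege drift. Rules are modelled as dicts so this runs
# offline; "sg:<name>" means "source is that security group" (an assumption).
ANY = "0.0.0.0/0"
APP, DB, CACHE, ELB = "sbmcrm-app-sg", "sbmcrm-db-sg", "sbmcrm-cache-sg", "sg:elb"
BACKEND_PORT = {DB: 5432, CACHE: 6379}   # the single port each back-end tier exposes

def security_groups():
    """The rules exactly as the guide specifies them."""
    return {
        APP: {
            "ingress": [
                {"port": 80, "src": ELB},
                {"port": 443, "src": ELB},
                {"port": 22, "src": "203.0.113.10/32"},   # constructed office IP
                {"port": 3000, "src": f"sg:{APP}"},
            ],
            "egress": [{"port": "all", "dst": ANY}],
        },
        DB: {"ingress": [{"port": 5432, "src": f"sg:{APP}"}], "egress": []},
        CACHE: {"ingress": [{"port": 6379, "src": f"sg:{APP}"}], "egress": []},
    }

def audit(groups):
    """Return a list of findings; an empty list means the groups match the guide."""
    findings = []
    for name, g in groups.items():
        for r in g["ingress"]:
            if r["port"] == 22 and r["src"] == ANY:
                findings.append(f"{name}: SSH (22) open to the internet")
        if name in BACKEND_PORT:
            # Back-end tiers accept one port, from the application tier only.
            for r in g["ingress"]:
                if r["port"] != BACKEND_PORT[name] or r["src"] != f"sg:{APP}":
                    findings.append(f"{name}: unexpected ingress {r}")
            if g["egress"]:
                findings.append(f"{name}: egress should be empty")
    for r in groups[APP]["ingress"]:
        if r["port"] in (80, 443) and r["src"] != ELB:
            findings.append(f"{APP}: port {r['port']} must come from the ELB group only")
    return findings

def drifted():
    """Constructed drift: SSH opened to everyone and the DB reachable from the internet."""
    g = security_groups()
    g[APP]["ingress"][2] = {"port": 22, "src": ANY}
    g[DB]["ingress"].append({"port": 5432, "src": ANY})
    return g
```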

3. Create ECS Instances

Production ECS Configuration

Instance 1 (Zone A):

  • Name: sbmcrm-api-01
  • Flavor: s6.xlarge.2 (4 vCPU, 8GB RAM)
  • Image: Ubuntu 20.04 LTS
  • VPC: sbmcrm-vpc
  • Subnet: sbmcrm-public-subnet-a
  • Security Group: sbmcrm-app-sg
  • Key Pair: sbmcrm-keypair
  • Disk: 100GB SSD

Instance 2 (Zone B):

  • Name: sbmcrm-api-02
  • Flavor: s6.xlarge.2 (4 vCPU, 8GB RAM)
  • Image: Ubuntu 20.04 LTS
  • VPC: sbmcrm-vpc
  • Subnet: sbmcrm-public-subnet-b
  • Security Group: sbmcrm-app-sg
  • Key Pair: sbmcrm-keypair
  • Disk: 100GB SSD

Create Key Pair

# Generate SSH key pair
ssh-keygen -t rsa -b 4096 -f ~/.ssh/sbmcrm-keypair

# Upload public key to Huawei Cloud
# Navigate to ECS → Key Pairs → Import Key Pair
# Name: sbmcrm-keypair
# Public Key: Content of ~/.ssh/sbmcrm-keypair.pub

4. Create RDS PostgreSQL Instance

RDS Configuration

  1. Navigate to RDS → PostgreSQL
  2. Click Create DB Instance
  3. Configure:
    • Name: sbmcrm-postgresql
    • Engine: PostgreSQL 13
    • Instance Class: rds.pg.c2.xlarge (4 vCPU, 8GB RAM)
    • Storage: 500GB SSD
    • VPC: sbmcrm-vpc
    • Subnet: sbmcrm-private-subnet-a
    • Security Group: sbmcrm-db-sg
    • High Availability: Enabled (Primary + Standby)
    • Backup: Automated daily backups
    • Backup Retention: 30 days

Database Configuration

-- Create database
CREATE DATABASE sbmcrm_production;

-- Create user
CREATE USER sbmcrm WITH PASSWORD 'secure_password_here';

-- Grant database-level privileges (CONNECT, CREATE, TEMP); tables the sbmcrm
-- role creates are owned by it, so no additional table grants are needed
GRANT ALL PRIVILEGES ON DATABASE sbmcrm_production TO sbmcrm;

5. Create DCS Redis Instance

Redis Configuration

  1. Navigate to DCS → Redis
  2. Click Create Cache Instance
  3. Configure:
    • Name: sbmcrm-redis
    • Engine: Redis 6.0
    • Memory: 8GB
    • VPC: sbmcrm-vpc
    • Subnet: sbmcrm-private-subnet-a
    • Security Group: sbmcrm-cache-sg
    • High Availability: Enabled
    • Password: Set strong password

6. Create ELB (Elastic Load Balancer)

ELB Configuration

  1. Navigate to ELB → Load Balancers
  2. Click Create Load Balancer
  3. Configure:
    • Name: sbmcrm-elb
    • Type: Application Load Balancer
    • VPC: sbmcrm-vpc
    • Subnets: sbmcrm-public-subnet-a, sbmcrm-public-subnet-b
    • Bandwidth: 100Mbps
    • Listener: HTTPS (443) with SSL certificate

Backend Server Group

  • Name: sbmcrm-backend-servers
  • Protocol: HTTP
  • Port: 3000
  • Health Check: HTTP GET /health
  • Servers: sbmcrm-api-01, sbmcrm-api-02

7. Create SWR (Container Registry)

SWR Setup

  1. Navigate to SWR → Organizations
  2. Create organization: sbmcrm
  3. Create repository: sbmcrm-platform
  4. Configure access:
    • Access Level: Private
    • Scanning: Enabled

8. Create OBS Bucket

OBS Configuration

  1. Navigate to OBS → Buckets
  2. Click Create Bucket
  3. Configure:
    • Name: sbmcrm-uploads
    • Region: ap-southeast-1
    • Storage Class: Standard
    • Access Control: Private
    • Versioning: Enabled
    • Lifecycle Rules: Delete old versions after 90 days

9. Configure NAT Gateway

NAT Gateway Setup

  1. Navigate to VPC → NAT Gateways
  2. Click Create NAT Gateway
  3. Configure:
    • Name: sbmcrm-nat
    • VPC: sbmcrm-vpc
    • Subnet: sbmcrm-public-subnet-a
    • Bandwidth: 100Mbps

Configure Route Table

Add route for private subnets:

  • Destination: 0.0.0.0/0
  • Next Hop: NAT Gateway

10. Set Up Cloud Eye Monitoring

Create Alarm Rules

High CPU Usage:

  • Metric: CPU Utilization
  • Threshold: > 70%
  • Duration: 5 minutes
  • Action: Send notification

High Memory Usage:

  • Metric: Memory Utilization
  • Threshold: > 80%
  • Duration: 5 minutes
  • Action: Send notification

Database Connection Count:

  • Metric: Database Connections
  • Threshold: > 80
  • Duration: 5 minutes
  • Action: Send notification
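Each rule above fires only when the metric stays above its threshold for the whole 5-minute window, so a short spike does not page anyone. The block below is an added example, not part of the guide, that evaluates the three rules against constructed one-sample-per-minute series to show that semantics, including the boundary case (a value equal to the threshold does not count) and a burst that resets before reaching five minutes.

```python
# Added example (not from the original guide): what "threshold > X for
# 5 minutes" means for the Cloud Eye rules above. Cloud Eye evaluates this
# server-side; here the samples are constructed, one per minute.
RULES = {  # metric -> (threshold, consecutive minutes above it)
    "cpu_util": (70, 5),
    "mem_util": (80, 5),
    "db_connections": (80, 5),
}

def alarm_fires(samples, threshold, minutes):
    """True if `minutes` consecutive samples are strictly above `threshold`."""
    streak = 0
    for v in samples:
        streak = streak + 1 if v > threshold else 0   # any dip resets the window
        if streak >= minutes:
            return True
    return False

def evaluate(series):
    """Map each known metric in `series` to whether its rule would fire."""
    return {m: alarm_fires(series[m], *RULES[m]) for m in series if m in RULES}

# Constructed samples (per minute).
SAMPLES = {
    "cpu_util": [40, 75, 82, 90, 71, 73, 60],          # five in a row > 70: fires
    "mem_util": [85, 85, 85, 85, 60, 85, 85, 85, 85],  # two 4-minute bursts: no alarm
    "db_connections": [79, 80, 81, 82, 83, 84],        # 80 is not > 80: only four above
}
```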

Network Topology

                 Internet
                    │
                    ▼
           ┌─────────────────┐
           │  ELB (Public)   │
           └────────┬────────┘
               ┌────┴────┐
               │         │
               ▼         ▼
          ┌────────┐ ┌────────┐
          │ ECS-01 │ │ ECS-02 │
          │ Zone A │ │ Zone B │
          └───┬────┘ └───┬────┘
              │          │
              └────┬─────┘
               ┌───┴────┐
               │        │
               ▼        ▼
          ┌────────┐ ┌────────┐
          │  RDS   │ │  DCS   │
          │Primary │ │ Redis  │
          └────────┘ └────────┘

Cost Estimation

Monthly Costs (Production)

  • ECS (2x s6.xlarge.2): ~$200/month
  • RDS (rds.pg.c2.xlarge): ~$300/month
  • DCS (8GB Redis): ~$100/month
  • ELB (100Mbps): ~$50/month
  • OBS (500GB): ~$15/month
  • NAT Gateway: ~$30/month
  • Data Transfer: ~$50/month

Total: ~$745/month

Cost Optimization Tips

  1. Use Reserved Instances (30-40% savings)
  2. Right-size instances based on actual usage
  3. Use auto-scaling to scale down during off-peak
  4. Enable compression for data transfer
  5. Use lifecycle policies for OBS

Security Best Practices

  1. Network Isolation: Use VPC and private subnets
  2. Security Groups: Least privilege access
  3. Encryption: Enable encryption at rest and in transit
  4. Access Control: Use IAM for fine-grained access
  5. Monitoring: Enable Cloud Eye and audit logs
  6. Backup: Automated backups with retention policy
  7. Updates: Regular security patches

Next Steps

  1. Configure Networking for detailed network setup
  2. Use Terraform for infrastructure as code
  3. Set up High Availability configuration