Network Setup

This page describes the VPC, subnet, security group, load balancer, NAT, DNS and perimeter (WAF, Anti-DDoS, VPN) configuration for the sbmcrm deployment on Huawei Cloud, with the checks to run when something does not connect.

Network Architecture

VPC Design

VPC: 10.0.0.0/16
├── Public Subnet A: 10.0.1.0/24 (Zone A)
├── Public Subnet B: 10.0.2.0/24 (Zone B)
├── Private Subnet A: 10.0.10.0/24 (Zone A)
└── Private Subnet B: 10.0.11.0/24 (Zone B)

The public subnets hold the resources that carry an EIP (the load balancer and the NAT gateway). The private subnets hold the database and cache, have no EIPs, and reach the internet only through the NAT gateway. Each tier spans two zones so that the loss of one zone does not take the deployment down.

VPC Configuration

Create VPC

# Using the Huawei Cloud CLI. The invocation below is illustrative: the
# current CLI (KooCLI, invoked as `hcloud`) uses service/operation names and
# parameter spellings that should be checked against its reference before use.
huaweicloud vpc create \
  --name sbmcrm-vpc \
  --cidr 10.0.0.0/16 \
  --region ap-southeast-1

Subnet Configuration

Every subnet uses the Huawei Cloud internal DNS servers so that instances resolve service endpoints (OBS, RDS, DCS) over the private network. The internal DNS addresses are region-specific; confirm the pair for ap-southeast-1 against the DNS service documentation before applying the values below. The gateway is the first usable address of each subnet.

Public Subnets

Subnet A:

  • CIDR: 10.0.1.0/24
  • Gateway: 10.0.1.1
  • DNS: 100.125.1.250, 100.125.129.250
  • DHCP: Enabled

Subnet B:

  • CIDR: 10.0.2.0/24
  • Gateway: 10.0.2.1
  • DNS: 100.125.1.250, 100.125.129.250
  • DHCP: Enabled

Private Subnets

Subnet A:

  • CIDR: 10.0.10.0/24
  • Gateway: 10.0.10.1
  • DNS: 100.125.1.250, 100.125.129.250
  • DHCP: Enabled

Subnet B:

  • CIDR: 10.0.11.0/24
  • Gateway: 10.0.11.1
  • DNS: 100.125.1.250, 100.125.129.250
  • DHCP: Enabled

Security Groups

Application Security Group

Name: sbmcrm-app-sg
Description: Security group for application servers

Inbound Rules:
- Protocol: TCP
  Port: 3000
  Source: ELB Security Group
  Description: Backend traffic from the load balancer. The listener forwards to port 3000 (see ELB Setup), so 3000 is the port the ELB must reach; 80 and 443 are terminated on the ELB and do not need to be open on the servers.

- Protocol: TCP
  Port: 3000
  Source: 100.125.0.0/16
  Description: ELB health checks. Huawei Cloud shared load balancers send health checks from this reserved range (dedicated load balancers use addresses from the subnet they are deployed in; use that CIDR instead). Without this rule every backend is reported unhealthy even though the group-to-group rule above is correct.

- Protocol: TCP
  Port: 22
  Source: 203.0.113.0/24 # Management IPs
  Description: SSH from the management range only; never widen this to 0.0.0.0/0. A bastion host in a public subnet is preferable to direct SSH into the application tier.

- Protocol: TCP
  Port: 3000
  Source: sbmcrm-app-sg
  Description: Internal API communication between application servers

Outbound Rules:
- Protocol: All
  Port: All
  Destination: 0.0.0.0/0
  Description: Allow all outbound (egress leaves through the NAT gateway). Tighten this to the database, cache and the external 443 destinations the application actually needs once the dependency list is stable.

Database Security Group

Name: sbmcrm-db-sg
Description: Security group for database

Inbound Rules:
- Protocol: TCP
Port: 5432
Source: sbmcrm-app-sg
Description: PostgreSQL from application servers

Outbound Rules:
- None. Security groups are stateful, so replies to accepted inbound connections are still returned; delete the allow-all outbound rule that Huawei Cloud adds to every new security group, otherwise "none" is not what is enforced. If the database is a self-managed ECS rather than RDS, it needs outbound to the NAT gateway for package updates and to OBS for backups; add those as explicit destination rules rather than restoring allow-all.

Cache Security Group

Name: sbmcrm-cache-sg
Description: Security group for Redis cache

Inbound Rules:
- Protocol: TCP
Port: 6379
Source: sbmcrm-app-sg
Description: Redis from application servers

Outbound Rules:
- None (same reasoning as the database group: remove the default allow-all outbound rule; replies to application connections are returned statefully)

Load Balancer Configuration

ELB Setup

Name: sbmcrm-elb
Type: Application Load Balancer (Layer 7 listener)
VPC: sbmcrm-vpc
Subnets:
- sbmcrm-public-subnet-a
- sbmcrm-public-subnet-b

Listeners:
- Protocol: HTTPS
  Port: 443
  SSL Certificate: sbmcrm-ssl-cert
  Backend Protocol: HTTP
  Backend Port: 3000
  Health Check:
    Path: /health
    Interval: 30s
    Timeout: 5s
    Healthy Threshold: 2
    Unhealthy Threshold: 3

TLS terminates on the listener: traffic from the ELB to the backends is plaintext HTTP on port 3000 inside the VPC, which is acceptable only because port 3000 is reachable solely through the security group rules above. Select a TLS 1.2-or-higher security policy on the listener, and if a port 80 listener exists make it redirect to 443 rather than serve content. The /health endpoint is requested unauthenticated every 30 seconds, so it must not reveal configuration or dependency details.

Backend Server Group

Name: sbmcrm-backend-servers
Protocol: HTTP
Port: 3000
Load Balancing Algorithm: Round Robin
Session Persistence: Enabled (Cookie-based). The API should still be stateless, so that losing a backend only breaks the affinity, not the user's session.
Health Check:
  Protocol: HTTP
  Path: /health
  Method: GET
  Interval: 30s
  Timeout: 5s
  Max Retries: 3

Servers:
- sbmcrm-api-01 (10.0.1.10)
- sbmcrm-api-02 (10.0.2.10)

These addresses fall in the public subnets. Because the only inbound path to the API is through the ELB, the servers can instead live in the private subnets (10.0.10.0/24 and 10.0.11.0/24, one per zone) and reach the internet through the NAT gateway; they then need no EIP, and the SSH rule applies to a bastion rather than to the API hosts. If you move them, update the internal DNS entries below.

NAT Gateway Configuration

NAT Gateway Setup

Name: sbmcrm-nat
VPC: sbmcrm-vpc
Subnet: sbmcrm-public-subnet-a
Bandwidth: 100Mbps
Type: Small

The gateway type caps the number of concurrent SNAT connections shared by every host that egresses through it; check the current limit for the Small tier in the NAT Gateway documentation and size up if the application holds many long-lived outbound connections. The gateway also needs an SNAT rule for each private subnet CIDR (10.0.10.0/24 and 10.0.11.0/24) bound to its EIP; the default route below does nothing on its own.

Route Table Configuration

Private Subnet Route Table:

Routes:
- Destination: 10.0.0.0/16
  Next Hop: Local
  Description: Local VPC traffic (present on every VPC route table by default)

- Destination: 0.0.0.0/0
  Next Hop: NAT Gateway (sbmcrm-nat)
  Description: Internet access via NAT; requires a matching SNAT rule on the gateway for this subnet

Associate this table with sbmcrm-private-subnet-a and sbmcrm-private-subnet-b only. Hosts in the public subnets egress directly through their EIPs and must not inherit the NAT route.

DNS Configuration

Domain Configuration

Domain: api.yourdomain.com
Type: A Record
Value: EIP bound to sbmcrm-elb
TTL: 300

Domain: admin.yourdomain.com
Type: A Record
Value: EIP bound to sbmcrm-elb
TTL: 300

If the WAF is deployed in cloud mode, these records become CNAMEs to the address the WAF issues for each domain, so that requests pass through the WAF before reaching the ELB; an A record pointing straight at the EIP bypasses it. Keep the TTL at 300 seconds until the cut-over is verified.

Internal DNS

For internal service discovery the instances currently use static /etc/hosts entries:

# /etc/hosts on ECS instances
10.0.10.20 postgres.internal
10.0.10.30 redis.internal
10.0.1.10 api-01.internal
10.0.2.10 api-02.internal

Static entries drift as hosts are replaced. A private zone in Huawei Cloud DNS associated with sbmcrm-vpc gives every instance the same names without per-host edits, and the subnet DNS servers configured above resolve it. Either way, these names must carry private addresses only; nothing in the data tier should be resolvable from outside the VPC.
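
The address plan above and this host inventory are the two places where placement mistakes creep in: a subnet that overlaps another, a host whose address is in the wrong tier, a role whose hosts all sit in one zone. The following is an added example, not sbmcrm project code, that checks those properties over the data on this page. The role-to-tier mapping it enforces (database, cache and API hosts belong in the private subnets) is an assumption made here, consistent with the segmentation the VPC design describes.

```python
# Added example (not part of the sbmcrm project): validate the address plan and
# host placement before committing them to Terraform.
import ipaddress
from itertools import combinations

VPC = ipaddress.ip_network("10.0.0.0/16")

# name -> (cidr, tier, zone), from the "VPC Design" section
SUBNETS = {
    "sbmcrm-public-subnet-a":  ("10.0.1.0/24",  "public",  "A"),
    "sbmcrm-public-subnet-b":  ("10.0.2.0/24",  "public",  "B"),
    "sbmcrm-private-subnet-a": ("10.0.10.0/24", "private", "A"),
    "sbmcrm-private-subnet-b": ("10.0.11.0/24", "private", "B"),
}

# hostname -> (ip, role), from the /etc/hosts block
HOSTS = {
    "postgres.internal": ("10.0.10.20", "db"),
    "redis.internal":    ("10.0.10.30", "cache"),
    "api-01.internal":   ("10.0.1.10",  "api"),
    "api-02.internal":   ("10.0.2.10",  "api"),
}

# Assumed placement policy: everything behind the ELB is private.
EXPECTED_TIER = {"db": "private", "cache": "private", "api": "private"}


def check_subnets(vpc, subnets):
    """Every subnet must sit inside the VPC and no two may overlap."""
    findings = []
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _, _) in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{name} {net} is outside VPC {vpc}")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"{a} {na} overlaps {b} {nb}")
    return findings


def locate(ip, subnets):
    """Return (subnet name, tier, zone) containing ip, or None if no subnet does."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, tier, zone) in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return name, tier, zone
    return None


def check_hosts(hosts, subnets, expected_tier):
    """Flag hosts in the wrong tier, hosts outside any subnet, and roles confined to one zone."""
    findings = []
    zones = {}
    for host, (ip, role) in hosts.items():
        hit = locate(ip, subnets)
        if hit is None:
            findings.append(f"{host} {ip} is in no subnet")
            continue
        name, tier, zone = hit
        zones.setdefault(role, set()).add(zone)
        want = expected_tier.get(role, tier)
        if tier != want:
            findings.append(f"{host} {ip} is in {tier} subnet {name}; role {role} belongs in {want}")
    for role, zs in zones.items():
        count = sum(1 for _, r in hosts.values() if r == role)
        if count > 1 and len(zs) < 2:
            findings.append(f"role {role}: {count} hosts all in zone {next(iter(zs))}")
    return findings


if __name__ == "__main__":
    for line in check_subnets(VPC, SUBNETS) + check_hosts(HOSTS, SUBNETS, EXPECTED_TIER) or ["OK"]:
        print(line)
```

On the page's own data the subnet plan passes and the two API hosts are reported as sitting in public subnets, which is the placement question raised in the backend server group section.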

Network Security

WAF Configuration

Name: sbmcrm-waf
Domains: api.yourdomain.com, admin.yourdomain.com
Protection Rules:
- SQL Injection Protection: Enabled
- XSS Protection: Enabled
- CSRF: not a WAF function. Enforce it in the application with anti-CSRF tokens and SameSite cookies; a WAF cannot tell a forged cross-site request from a legitimate one.
- Rate Limiting (CC attack protection): 1000 requests/minute per IP
- Bot Protection: Enabled

Both public hostnames must be protected; leaving admin.yourdomain.com outside the WAF gives the most sensitive surface the least coverage. Once the WAF is in the path, restrict the ELB listener's access control to the WAF's back-to-source addresses so that the origin cannot be reached directly by whoever discovers the EIP.

DDoS Protection

Service: Anti-DDoS
Protection Level: Standard
Bandwidth: 5Gbps
Auto-Scaling: Enabled
Alert Threshold: 1Gbps

VPN/Private Connection

Site-to-Site VPN (Optional)

For connecting to on-premises infrastructure:

VPN Gateway:
  Name: sbmcrm-vpn-gateway
  VPC: sbmcrm-vpc
  Type: Standard
  Bandwidth: 10Mbps

VPN Connection:
  Cloud side (VPN gateway): EIP of sbmcrm-vpn-gateway; local subnets 10.0.10.0/24, 10.0.11.0/24
  On-premises side (customer gateway): public IP of your office gateway; remote subnets as required
  Pre-shared Key: [secure key] (a random string of at least 32 characters, kept in a secrets manager and identical on both ends)
  IKE Policy: IKEv2, AES-256, SHA2-256, DH group 14 or stronger
  IPSec Policy: ESP, AES-256, SHA2-256, PFS enabled with the same DH group, tunnel mode

Only the private subnets are advertised over the tunnel; the public subnets have no reason to be reachable from the office. Security group rules still apply to VPN traffic, so an on-premises host that needs the database gets its own rule on sbmcrm-db-sg with its own CIDR rather than a widening of the application rule.

Network Monitoring

Flow Logs

Enable VPC flow logs for network monitoring:

Flow Log:
  Name: sbmcrm-flow-logs
  VPC: sbmcrm-vpc
  Filter: All traffic (accepted and rejected)
  Log Group: sbmcrm-logs (Log Tank Service)
  Retention: 30 days

Capture rejected traffic as well as accepted. A run of REJECT records against 5432 or 6379 is the earliest signal that something other than the application tier is probing the data tier, and ACCEPT records leaving the data tier for addresses outside 10.0.0.0/16 mean the "no outbound" rules above are not what is actually deployed.
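
The following is an added example, not sbmcrm project code, showing what a first-pass triage of those records looks like for this VPC. It assumes the space-separated record layout Huawei Cloud documents for flow logs (version, project ID, interface ID, source and destination address, source and destination port, protocol, packets, bytes, start, end, action, log status); the sample records and their project and interface IDs are constructed, not captured from a real VPC.

```python
# Added example (not part of the sbmcrm project): flag flow log records that
# contradict the security group design on this page.
import ipaddress

VPC = ipaddress.ip_network("10.0.0.0/16")
MGMT = ipaddress.ip_network("203.0.113.0/24")
APP_HOSTS = {ipaddress.ip_address("10.0.1.10"), ipaddress.ip_address("10.0.2.10")}
DATA_HOSTS = {  # host -> the one port the app tier may use
    ipaddress.ip_address("10.0.10.20"): 5432,
    ipaddress.ip_address("10.0.10.30"): 6379,
}

FIELDS = ["version", "project_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample: two normal app->data flows, a probe of the database from an
# unknown host, a data-tier host calling out to the internet, SSH accepted from an
# unknown address, and a NODATA record that carries no addresses.
SAMPLE = """\
1 proj-constructed iface-constructed 10.0.1.10 10.0.10.20 51234 5432 6 12 3400 1700000000 1700000060 ACCEPT OK
1 proj-constructed iface-constructed 10.0.2.10 10.0.10.30 51240 6379 6 8 1200 1700000000 1700000060 ACCEPT OK
1 proj-constructed iface-constructed 10.0.11.55 10.0.10.20 40001 5432 6 3 180 1700000000 1700000060 REJECT OK
1 proj-constructed iface-constructed 10.0.10.20 198.51.100.7 44321 443 6 20 9000 1700000000 1700000060 ACCEPT OK
1 proj-constructed iface-constructed 198.51.100.9 10.0.1.10 55000 22 6 5 300 1700000000 1700000060 ACCEPT OK
1 proj-constructed iface-constructed - - - - - 0 0 1700000000 1700000060 - NODATA
"""


def parse(line):
    """Split one record into a dict, or return None if the field count is wrong."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def triage(text):
    """Return findings for records that violate the intended segmentation."""
    findings = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records have no addresses to judge
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        dport = int(rec["dstport"])
        action = rec["action"]
        # 1. Data-tier port touched by anything that is not an application server.
        #    REJECT here is the security group doing its job; still worth knowing who.
        if dst in DATA_HOSTS and dport == DATA_HOSTS[dst] and src not in APP_HOSTS:
            findings.append(f"{action} {src} -> {dst}:{dport} (data tier reached from non-app host)")
        # 2. Data-tier host talking to anything outside the VPC: the page says no outbound.
        if src in DATA_HOSTS and dst not in VPC:
            findings.append(f"{action} {src} -> {dst}:{dport} (data tier egress leaves VPC)")
        # 3. SSH accepted from outside both the VPC and the management range.
        if dport == 22 and action == "ACCEPT" and src not in MGMT and src not in VPC:
            findings.append(f"ACCEPT {src} -> {dst}:22 (SSH from outside management range)")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

In production the text comes from an LTS query over the sbmcrm-logs group rather than an inline string; the checks stay the same, and findings of kind 2 or 3 with action ACCEPT mean a security group differs from this page and should be compared against it immediately.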

Network Metrics

Monitor key network metrics:

  • Bandwidth utilization
  • Connection count
  • Latency
  • Packet loss
  • Error rate

Troubleshooting

Common Network Issues

Cannot Connect to Database

# Check the security group rules on sbmcrm-db-sg: the source must be sbmcrm-app-sg
# and the client you are testing from must actually be a member of that group
# Verify the database is in a private subnet and the client has a route to it
# Test connectivity from an application server
telnet 10.0.10.20 5432
# or, where telnet is not installed:
nc -vz 10.0.10.20 5432
# "Connection refused" means the host was reached but nothing listens on 5432;
# a hang until timeout means a security group or route is dropping the packets

High Latency

# Check network path
traceroute api.yourdomain.com

# Check bandwidth utilization
# Review ELB metrics
# Check for network congestion

Connection Timeouts

# Check security group rules
# Verify the NAT gateway has an SNAT rule covering the client's subnet
# Check DNS resolution against the subnet's DNS servers
nslookup api.yourdomain.com
dig +short api.yourdomain.com
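
The three checklists above share one diagnostic: how a TCP connection attempt fails tells you which layer to look at. The following is an added example, not sbmcrm project code, that performs a single connection attempt and maps the outcome onto those checklists. The loopback listener exists only so the example runs offline; in use, the probe targets the addresses and ports on this page (10.0.10.20:5432, 10.0.10.30:6379, api.yourdomain.com:443).

```python
# Added example (not part of the sbmcrm project): classify a connection failure.
#   refused     -> packets reached the host, nothing listens: service down or wrong port
#   timeout     -> packets dropped in transit: security group, route table, NAT/SNAT, host firewall
#   unreachable -> no route from this host: route table / subnet of the client
#   dns_failure -> the name did not resolve: /etc/hosts, subnet DNS servers, DNS record
import errno
import socket

HINTS = {
    "open":        "TCP connect succeeded; if the app still fails, look at TLS or auth, not the network",
    "refused":     "host reached, port closed: check the service is running and bound to this address/port",
    "timeout":     "packets dropped: check security group rules, route table, NAT gateway SNAT rule, host firewall",
    "unreachable": "no route from this host: check the client's subnet and route table",
    "dns_failure": "name did not resolve: check /etc/hosts, the subnet DNS servers, and the DNS record",
}


def tcp_probe(host, port, timeout=3.0):
    """Attempt one TCP connection and return a key into HINTS."""
    try:
        family, _, _, _, addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "dns_failure"
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def local_listener():
    """Throwaway loopback listener for demonstration; returns (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    result = tcp_probe("127.0.0.1", port)
    print(f"while listening: {result}: {HINTS[result]}")
    srv.close()
    result = tcp_probe("127.0.0.1", port)
    print(f"after close:     {result}: {HINTS[result]}")
```

Run the probe from the host that is failing, not from your workstation: a timeout from an application server and an open result from a bastion is itself the answer (the application server's security group or subnet route is the problem).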

Best Practices

  1. Network Segmentation: Separate public and private subnets
  2. Least Privilege: Restrict security group rules to minimum required
  3. Multi-AZ: Deploy resources across multiple availability zones
  4. Monitoring: Enable flow logs and network monitoring
  5. Documentation: Document all network changes
  6. Testing: Test network changes in staging first
  7. Backup Routes: Configure redundant network paths

Next Steps

  1. Review Cloud Architecture for complete setup
  2. Use Terraform for infrastructure as code
  3. Configure High Availability for production