For Alibaba Cloud today, migrating from the classic network to VPC is about settling a major historical legacy. In the early days there were few tenants on the public cloud, so every instance could simply be given one EIP and one private IP. Tenant isolation was done with security groups alone, which left quite a few problems behind: for example, you could ping the private IP of an instance that did not belong to your resource group. That is a serious latent risk. VPC added a further layer of isolation by keying each tenant's instances on a VPC ID, so that everyone gets an independent, isolated LAN. Users can also define their own address ranges, and a VPC integrates with far more of Alibaba Cloud's IaaS, PaaS and SaaS products, which makes for a better cloud experience.
After a classic-to-VPC migration, the way to keep the two sides talking is to enable ClassicLink on the VPC. ClassicLink is a stop-gap that bridges the VPC and the classic network, roughly like a VPN set up between the VPC hosts and the classic-network hosts. If you enable ClassicLink and still cannot reach the other side, see:
https://help.aliyun.com/knowledge_detail/87623.html?spm=5176.11065259.1996646101.searchclickresult.1a4a7b45wq4mHd
If you have database instances on the classic network, the recommendation after migration is the hybrid-access scheme: https://help.aliyun.com/document_detail/96110.html?spm=5176.11065259.1996646101.searchclickresult.1a4a7b45wq4mHd This too is only a temporary, transitional arrangement: users get 180 days to move their RDS instances into the VPC as well. Remember: it must be the same VPC, that is, the VPC ID must match.
On container clusters:
There are ways to let instances in different VPCs communicate, but a container cluster currently cannot add instances from a different VPC.
We also have a detailed introduction to the two network types; it is worth a look:
https://help.aliyun.com/video_detail/67686.html?spm=5176.11065259.1996646101.searchclickresult.4a6414b14XWuCd
The documents above mostly deal with breaking through network isolation. My reason for writing this post is to solve the problems that appear inside the server, at the application level. In a VPC the public IP is effectively held on Alibaba Cloud's NAT layer and mapped to a particular ECS instance by its instance ID, so at the network layer the guest only ever sees its private IP as the local address; the public address never appears inside the OS. That confuses software that is reached over the public network, such as Samba, FTP, NFS, ZooKeeper and Dubbo: in some cases, during connection setup, the client is handed the server's private IP (the address these protocols embed in their own messages), and the follow-up connection cannot be established. For this kind of scenario a support ticket usually cannot fix the application-layer problem either. So the method I want to recommend here is the EIP pass-through (【EIP直通车】, the OS-visible or cut-through mode of an EIP). With it we can recreate, as closely as possible, the classic-network situation where the public NIC lives inside the instance, and so solve our software's communication problems.
Prerequisites:
1. Your instance was migrated from classic to VPC. In the early days, buying a classic instance meant buying bandwidth with it, usually on a subscription (prepaid) basis, and the IP bound to the instance is what we call a public IP. A public IP is not an EIP: it cannot be unbound and rebound.
2. To get the public IP bound inside the server we need an elastic secondary network interface (ENI). Creating one is free, but it must be in the same VPC as the ECS instance.
1. For a newly created instance, simply add an elastic network interface to the server and bind the EIP to that interface.
2. Below we go through the process of getting a migrated instance's public IP to show up inside the server.
2.1 Convert the public IP into an elastic IP (EIP)
See the documentation:
https://help.aliyun.com/document_detail/67455.html?spm=5176.11065259.1996646101.searchclickresult.b26a45aaE1zZg6
The conversion itself is a single button in the console, so why link the document? Because it lists the restrictions you have to satisfy.
For subscription (prepaid) instances:
On a subscription instance the conversion option is not shown at all. What you need to do is choose a configuration downgrade for the instance; the downgrade flow offers an option to convert the subscription public IP into a pay-as-you-go IP. On conversion, the money already paid for the subscription public IP is refunded to your account.
2.2 Create the elastic secondary network interface
Be sure to pick the correct VPC and vSwitch. Once the interface is bound, its ACL rules are governed by its security group as well, so check that the security group on this public-facing interface allows only what the service actually needs.
Do not attach the secondary ENI to the ECS instance yet; otherwise the EIP cannot be bound to it in OS-visible mode.
2.3 Unbind the elastic IP
Prerequisite: we have just converted the migrated instance's public IP into an EIP. Now we can unbind that EIP from the instance, and then bind it to the elastic secondary ENI.
2.4 Bind the elastic IP
After unbinding, go to the EIP console and bind this EIP to the elastic secondary ENI.
For the specific settings when binding to the secondary ENI, be sure to tick OS-visible mode; only then does the address show up inside the server as an ordinary interface (eth0).
2.5 Attach the elastic secondary ENI to the server
2.6 Verify inside the operating system
Now we can see a public NIC inside the server, no different from the classic network. Exciting, right? Happy now?
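As an added example for step 2.6 (not code from the original post), here is a Python check that reads the guest's interface list and tells you whether the EIP is really present on a local interface (cut-through mode) or still only reachable through the cloud NAT layer, and which address a naively configured service would advertise. It assumes a Linux guest with iproute2's `ip -j addr show`; the interface JSON and the addresses below are constructed sample data, with 203.0.113.10 standing in for a real EIP.

```python
import json
import subprocess
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample output of `ip -j addr show` (not captured from a real host).
# BEFORE the procedure: a plain VPC instance; eth0 carries only the private
# address, the EIP lives on Alibaba Cloud's NAT layer and is invisible to the OS.
SAMPLE_NAT_MODE = json.dumps([
    {"ifname": "lo", "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "addr_info": [{"family": "inet", "local": "172.16.10.23", "prefixlen": 24}]},
])
# AFTER steps 2.1-2.5: the secondary ENI shows up with the EIP configured on it.
SAMPLE_CUT_THROUGH = json.dumps([
    {"ifname": "lo", "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "addr_info": [{"family": "inet", "local": "172.16.10.23", "prefixlen": 24}]},
    {"ifname": "eth1", "addr_info": [{"family": "inet", "local": "203.0.113.10", "prefixlen": 32}]},
])

# RFC 1918 ranges, i.e. what a VPC is carved from. ipaddress's is_private is
# deliberately not used: it also flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_ipv4_addrs(ip_json: str) -> Dict[str, List[str]]:
    """Map interface name -> IPv4 addresses, in interface order, from `ip -j addr show` JSON."""
    table: Dict[str, List[str]] = {}
    for iface in json.loads(ip_json):
        addrs = [a["local"] for a in iface.get("addr_info", []) if a.get("family") == "inet"]
        if addrs:
            table[iface["ifname"]] = addrs
    return table


def internet_reachable(addr: str) -> bool:
    """True if a client on the Internet could plausibly connect to this address directly."""
    ip = ip_address(addr)
    return not (ip.is_loopback or ip.is_link_local or any(ip in net for net in RFC1918))


def check_eip_visibility(ip_json: str, eip: str) -> Dict[str, object]:
    """Decide whether the EIP is OS-visible and what a naive service would advertise.

    A service that takes "the first non-loopback address" (or resolves its own
    hostname) still picks the private address of eth0, even in cut-through mode,
    so the report also says which address that is and whether clients could reach it.
    """
    table = parse_ipv4_addrs(ip_json)
    target = ip_address(eip)
    eip_iface = next((name for name, addrs in table.items()
                      if any(ip_address(a) == target for a in addrs)), None)
    candidates = [a for name, addrs in table.items() if name != "lo" for a in addrs]
    naive = candidates[0] if candidates else None
    return {
        "mode": "cut-through" if eip_iface else "nat",
        "eip_interface": eip_iface,
        "default_advertised": naive,
        "advertised_is_reachable": naive is not None and internet_reachable(naive),
    }


def read_live_interfaces() -> str:
    """Run iproute2 on the real guest (only called from main, so the module imports offline)."""
    return subprocess.run(["ip", "-j", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    # Usage: python3 check_eip.py <EIP as shown in the console>; without an argument
    # the constructed sample is used.
    eip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    src = read_live_interfaces() if len(sys.argv) > 1 else SAMPLE_CUT_THROUGH
    report = check_eip_visibility(src, eip)
    print(json.dumps(report, indent=2))
    if report["mode"] == "nat":
        print("EIP not present on any interface: still NAT mode, redo steps 2.3-2.5")
    elif not report["advertised_is_reachable"]:
        print(f"bind or advertise your service on {report['eip_interface']} explicitly")
```

The second half of the report is the caveat the procedure does not remove: the EIP now exists inside the OS, but software that auto-detects "its" address will still find the private one on eth0 first, so FTP, NFS, ZooKeeper or Dubbo must be told to bind or advertise the interface that carries the EIP.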
Thoughts:
1. Classic-to-VPC migration is an inevitable trend, and good for everyone. Don't throw yourself in front of the wheels of history; you will be crushed.
2. IDC users are used to seeing one public NIC and one private NIC inside the server. If your software really needs that, the EIP pass-through approach above is the way to get it.
3. Software license keys derived from a machine code can break after a classic-to-VPC migration, and there is currently no way around that. You can open a ticket with Alibaba Cloud to get a migration statement, and use that statement with the software vendor to obtain a new license. Reputable vendors generally grant it, for example the reporting component from some company used inside an ERP system, or other software ex.....
4. If you really do not want to migrate to VPC, you can hold out; Alibaba Cloud will not force the migration, unless a mandatory-migration notice is issued, which means there are no classic-network hosts left and there is no choice but to move.
5. Users who still have a large number of classic instances must plan ahead: take an image into a VPC first and try whether the software starts and the programs run. Plan how the VPC address ranges are carved up and how they are isolated; otherwise you are in for a pile of trouble later.
6. Development, pre-release and production environments are best separated by VPC ID! An ops team that does not separate them is asking for trouble. Once separated, if calls between environments are needed, connect them with Cloud Enterprise Network (CEN). But the VPC address ranges must not be subsets of one another: the interconnected range of VPC1 ∩ the interconnected range of VPC2 must be the empty set.
7. Manage Alibaba Cloud resources with RAM sub-accounts! Grant different resource groups to development, test and ops. Don't create a pile of separate accounts, and if you already have a pile, consolidate them as far as possible.
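Points 5 and 6 above boil down to a planning check you can run before creating anything. The following Python script is an added example, not part of the original post: it validates a proposed environment layout (one VPC per environment, each with its vSwitches) against the rules stated above: VPC CIDRs drawn from the private ranges, every vSwitch inside its VPC, vSwitches within a VPC not overlapping, and no overlap (including one range being a subset of the other) between any two VPCs that are to be connected through CEN. The plan below is made up, and the permitted blocks being the RFC 1918 ranges is my assumption about what the console accepts.

```python
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Tuple

# Ranges a VPC CIDR may be carved from (assumed here to be the RFC 1918 blocks;
# confirm against the console's current rules before relying on this).
PERMITTED = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed plan: one VPC per environment. dev's CIDR was "borrowed" from the
# upper half of prod's /16, which is exactly the subset case point 6 warns about.
PLAN = {
    "prod":  {"cidr": "10.0.0.0/16",   "vswitches": ["10.0.1.0/24", "10.0.2.0/24"]},
    "stage": {"cidr": "10.1.0.0/16",   "vswitches": ["10.1.1.0/24", "10.1.2.0/24"]},
    "dev":   {"cidr": "10.0.128.0/17", "vswitches": ["10.0.129.0/24"]},
}
# Pairs of environments that need to call each other through CEN.
PEERINGS = [("prod", "stage"), ("stage", "dev"), ("prod", "dev")]


def validate_plan(plan: Dict[str, dict], peerings: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the layout can be created as-is."""
    findings: List[str] = []
    vpc_nets = {}
    for name, spec in plan.items():
        try:
            cidr = ip_network(spec["cidr"])  # strict by default: host bits set is an error
        except ValueError as exc:
            findings.append(f"{name}: bad VPC CIDR {spec['cidr']!r}: {exc}")
            continue
        vpc_nets[name] = cidr
        if not any(cidr.subnet_of(block) for block in PERMITTED):
            findings.append(f"{name}: {cidr} is not inside a permitted private range")
        subnets = []
        for s in spec.get("vswitches", []):
            try:
                subnets.append(ip_network(s))
            except ValueError as exc:
                findings.append(f"{name}: bad vSwitch CIDR {s!r}: {exc}")
        for sub in subnets:
            if not sub.subnet_of(cidr):
                findings.append(f"{name}: vSwitch {sub} lies outside VPC CIDR {cidr}")
        for a, b in combinations(subnets, 2):
            if a.overlaps(b):
                findings.append(f"{name}: vSwitches {a} and {b} overlap")
    # Overlap between interconnected VPCs: overlaps() covers both the equal and the
    # subset case, which is the "intersection must be empty" rule from point 6.
    for x, y in peerings:
        if x in vpc_nets and y in vpc_nets and vpc_nets[x].overlaps(vpc_nets[y]):
            findings.append(f"{x}<->{y}: VPC CIDRs {vpc_nets[x]} and {vpc_nets[y]} overlap; "
                            f"routes over CEN would be ambiguous, renumber one side")
    return findings


if __name__ == "__main__":
    problems = validate_plan(PLAN, PEERINGS)
    print("\n".join(problems) if problems else "plan is consistent")
```

Run it on the sample plan and the only finding is the prod/dev overlap; give dev its own /16 (for example 10.2.0.0/16) and the plan passes. Running this before the first instance is created is far cheaper than renumbering a VPC later.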
If anything is still unclear, leave a comment for Jiangcuo (江措小朋友); he checks the blog now and then. Thanks, everyone ~ flowers go here ~!