Some time ago, our statistics showed that network bandwidth accounted for 50% of the company's costs, so I went looking for a way to optimize this part of the spend.

Current problems encountered

  • 1. Network requests consume a large amount of bandwidth, yet some instances do not need external bandwidth at all.
  • 2. Elastic bandwidth supply cannot be achieved without centralized management.
  • 3. If the network cannot be isolated, an attack can reach every service on the Intranet (through Intranet communication), and opening hosts to the Internet invites port scanning.
  • 4. Requests cannot be filtered, because there is no centralized, configurable network for managing upstream and downstream traffic.

Ideas:

| | socks5 | NAT forwarding |
|---|---|---|
| Implementation | A proxy machine is directly connected to all machines on the Intranet and proxies their TCP requests, using the open-source software shadowsocks-go | Configure port forwarding with iptables |
| Advantage | Simple, convenient and easy to understand; firewall circumvention ("wall climbing") uses a similar technique | Convenient and efficient; combined with a cloud provider's VPC offering it gives enterprise-level management |
| Disadvantage | Not efficient enough: every request is forwarded once more at the TCP/IP layer, and as the number of machines grows the pressure on the proxy server grows with it; requirements such as configuration, filtering and isolation cannot be met | Higher learning cost than socks5, since it is an enterprise-level solution after all |
| Scenario | Personal use, firewall circumvention, Intranet penetration, personal NAS | Enterprise network management |

For more information, please refer to the introduction of each cloud platform in VPC.

Take a look at the documentation and put it into practice with questions:

  • 1. How do hosts in a VPC expose ports?
  • 2. What are the practical use cases of ACLs?
  • 3. What is the practical significance of a subnet?
  • 4. What is the practical significance of custom routing tables?

After the actual implementation

  • 1. Ports in a VPC can be exposed through port forwarding.
  • 2. ACLs can be configured to prevent malicious consumption of Intranet resources. After a compromise, the hijacked machine will most likely try to communicate with the external network, and this is where an intrusion can be effectively contained.
  • 3. Subnets provide redundancy, backup and isolation. (After the resources on one subnet are attacked, the other resources stay secure and the blast radius is effectively controlled.)
  • 4. Custom routes can be used when the externally exposed port differs from the internal port. (For example, external port 2222 corresponds to port 22 on the internal jump host.)

The diagram of the original/existing network topology (simplified for readability) shows the VPC taking over the network of the original cluster, so its resources can be managed and configured centrally.

Summarize the capabilities of a VPC and their application scenarios:

| | Capability | Scenario |
|---|---|---|
| VPC | Builds a virtual network that takes over the inbound and outbound traffic of all services on the Intranet (web-server, Redis, MySQL, nginx) | The hosts currently purchased from UCloud sit under the default VPC |
| Subnet | A network structure split into separate network segments; allows orderly internal management at a finer granularity | The division at this layer can mirror the company's internal organizational structure |
| NAT gateway | Exposes services on the Intranet to the outside | For example, some test interfaces were accessed directly through ports 9000, 9989 and 9988 |
| Intranet VIP | Assigns an IP address to an instance manually | The machine has its own internal IP (on UCloud's gateway) and can also be assigned a VIP (on the customer's own gateway), which makes networking quite flexible; internal interactions can form a closed loop almost without touching the external gateway |
| ACL | Manages the rules for traffic entering and leaving the network | A network whitelist can be added for a machine so that it cannot communicate with the outside world even after being compromised |
| Routing table | Custom routes can be used when the externally exposed port differs from the internal port | External port 2222 corresponds to port 22 on the internal jump host |
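The NAT forwarding option from the comparison above (port forwarding with iptables), the 2222 -> 22 jump-host mapping, and the ACL whitelist that keeps a compromised host from reaching the outside world can all be expressed as iptables rules on a Linux NAT gateway. The script below is an added example and is not from the original post or from UCloud; the interface name, the 10.0.0.0/8 addresses and the upstream API address 203.0.113.5 are constructed values. By default it only prints the rules it would apply (so it can be reviewed or diffed); setting APPLY=1 runs them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate the iptables rules for a
# Linux NAT gateway that (1) forwards an external port to a host on the intranet
# subnet, (2) masquerades outbound traffic for that subnet, and (3) applies an
# egress whitelist so a host that may only talk to a few destinations cannot
# reach the Internet if it is hijacked. Addresses and interface names below are
# assumed/constructed; adjust them for a real VPC.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface holding the public IP
LAN_SUBNET="${LAN_SUBNET:-10.0.1.0/24}"  # assumed: intranet subnet behind the gateway

# dnat_rule EXT_PORT INT_IP INT_PORT
# Maps an external TCP port on the gateway to a port on an intranet host
# (the post's example: external 2222 -> port 22 on the jump host).
dnat_rule() {
  local ext_port="$1" int_ip="$2" int_port="$3"
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$ext_port" "$int_ip" "$int_port"
  # The DNATed packet still has to pass the FORWARD chain.
  printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
    "$WAN_IF" "$int_ip" "$int_port"
}

# masquerade_rule: let intranet hosts reach the Internet via the gateway's public IP
masquerade_rule() {
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$LAN_SUBNET" "$WAN_IF"
}

# egress_whitelist HOST_IP DEST...
# Only the listed destinations are reachable from HOST_IP through the gateway;
# anything else it tries to send out is logged and dropped. This is the iptables
# counterpart of the ACL whitelist described in the post: a hijacked host that
# tries to phone home leaves a log line instead of a connection.
egress_whitelist() {
  local host_ip="$1"; shift
  local dest
  for dest in "$@"; do
    printf 'iptables -A FORWARD -s %s -d %s -j ACCEPT\n' "$host_ip" "$dest"
  done
  printf 'iptables -A FORWARD -s %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$host_ip"
  printf 'iptables -A FORWARD -s %s -j LOG --log-prefix "egress-denied: "\n' "$host_ip"
  printf 'iptables -A FORWARD -s %s -j DROP\n' "$host_ip"
}

# generate_rules: the full rule set for the scenario in the post (constructed addresses):
# 10.0.1.10 = jump host, 10.0.1.20 = a web server that may only reach the
# database subnet host 10.0.2.5 and one upstream API at 203.0.113.5.
generate_rules() {
  echo 'sysctl -w net.ipv4.ip_forward=1'
  dnat_rule 2222 10.0.1.10 22
  masquerade_rule
  egress_whitelist 10.0.1.20 10.0.2.5 203.0.113.5
}

# count_rules: number of commands generated (sanity check for reviewers)
count_rules() { generate_rules | wc -l | tr -d ' '; }

if [ "${APPLY:-0}" = "1" ]; then
  # Apply for real (requires root); otherwise just print the plan.
  generate_rules | while IFS= read -r cmd; do sudo sh -c "$cmd"; done
else
  generate_rules
fi
```

The whitelist rules are appended to FORWARD in order: explicit destinations first, then established return traffic, then a LOG rule ahead of the DROP so that blocked outbound attempts show up in the kernel log, which is the signal a defender wants when a host starts talking to addresses it never needed before. Traffic between hosts on the same subnet never crosses the gateway, so an iptables whitelist on the gateway only governs what leaves the subnet; intra-subnet isolation still has to come from the VPC's own ACLs or host firewalls.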

If you like my article, you can follow my official account: VM-321 and get learning materials.