05 Core Services of Huawei Cloud

This document outlines the core services of Huawei Cloud essential for migration, including access control, network configuration, high availability, disaster recovery, monitoring, and automated deployment. It details the global infrastructure, security considerations, and various services such as Virtual Private Cloud (VPC) and Identity and Access Management (IAM). Additionally, it covers best practices for network design, permissions management, and hybrid cloud connectivity.

Migration to Huawei Cloud

Module 5: Core Services of Huawei Cloud


Objectives
⚫ Upon completion of this course, you will:
 Understand the core services of Huawei Cloud that will be used during the migration, including:
 Access control and security
 Network configuration
 High availability (HA) and disaster recovery (DR)
 Monitoring and automated deployment
 RDS cross-region replication
3
Contents
1. Global Infrastructure of Huawei Cloud

2. Security Considerations on Huawei Cloud

3. Network Design of Huawei Cloud

4. High Availability and Disaster Recovery on the Cloud

5. O&M Automation on the Cloud

6. RDS Cross-Region Replication

4
One-Stop Services for Global Customers
[World map of Huawei Cloud's global footprint; the recoverable figures and labels follow.]
29 Regions
78 AZs
2800 CDN nodes
Latency circles: < 5 ms, < 10 ms, < 30 ms
Locations shown: Beijing, Shanghai, Guangzhou, Guizhou, Inner Mongolia, Anhui, Hong Kong (China), Thailand, Indonesia, Singapore, UAE, South Africa, Brazil, Argentina, Mexico, Ireland (two locations are marked NEW)
Edge offerings: Intelligent EdgeCloud (IEC), Intelligent EdgeSite (IES), Intelligent EdgeFabric (IEF)
Huawei Cloud Stack: full-stack on-premises cloud solution
CloudOcean: global center | CloudSea: regional center | CloudLake: edge access
5
Huawei Cloud Infrastructure Architecture

[Diagram: regions, AZs, and the network between them.]
Regions (examples: AP-Singapore, ap-southeast-3; AP-Bangkok, ap-southeast-2; AF-Johannesburg, af-south-1):
 Long distance apart
 Independent network and power supplies
 No spillover impacts in the event of a disaster
 Private network communication in a region (LAN)
 Logically interconnected network between regions (for example, AP-Bangkok ap-southeast-2 and AF-Johannesburg af-south-1)
AZs (example: AZ 1 ap-southeast-2a, AZ 2 ap-southeast-2b, AZ 3 ap-southeast-2c):
 1 to n data centers per AZ, no "standby"
6
Infrastructure at Different Levels Covers More Scenarios
[Diagram: infrastructure tiers from the central region down to devices, with a VR case study.]
Core area (central region): on-demand/flexible, intensive effect; 220+ cloud services, 210+ solutions
Hotspot area (IEC): nearby access, stable latency; 5G/WiFi6, multi-line networking; 30+ cloud services | < 10 ms latency
On-premises DC (IES): hierarchical management, data stored on-premises, and local latency; at least 4 nodes and cabinet-level delivery; 10+ cloud services | < 5 ms latency
Dedicated region: 80+ cloud services; multi-level services
Service site (IEF): limited resources, real-time processing; < 1 ms latency | 200+ AI applications; 128 MB memory
Edge components shown: IEC, IES, IEF, CDN
Devices: sensors, OT devices, robots, cameras, drones, smartphones, VR
One distributed cloud (all-scenario coverage) | One distributed network (convenient and secure access) | Consistent environment (consistent experience) | One management system (refined enterprise governance)
Case: Edge rendering and ultra-low latency ensure the optimal VR experience of the National Library of China in the 5G age.
• The network latency is 1–5 ms and the MTP is ≤ 20 ms to prevent VR dizziness.
• Cloud-edge collaboration allows users to obtain diverse VR content and the latest version from the cloud in a timely manner.
• Cloud VR content is managed and pushed in a unified manner, protecting VR copyright.
7
7
Contents
1. Global Infrastructure of Huawei Cloud

2. Security Considerations on Huawei Cloud

3. Network Design of Huawei Cloud

4. High Availability and Disaster Recovery on the Cloud

5. O&M Automation on the Cloud

6. RDS Cross-Region Replication

8
Huawei Cloud Shared Responsibility Model
[Layered diagram. Green: Huawei Cloud is responsible for security of the cloud. Blue: customers are responsible for security in the cloud.]
Data security (tenant): tenant data; client-side data encryption and data integrity authentication; server-side encryption (file system/data); networking traffic protection (encryption/integrity/identity)
Custom tenant configurations and tenant IAM (tenant)
Application security: Huawei Cloud application service (Huawei Cloud) | tenant application service (tenant)
Platform security: Huawei Cloud platform service (Huawei Cloud) | tenant platform services (tenant)
Infrastructure security: Infrastructure as a service (IaaS) - compute, storage, database, network (Huawei Cloud)
Physical infrastructure: regions, availability zones (AZs), edge locations (Huawei Cloud)
Huawei Cloud IAM spans the application and platform layers.
Also listed on the slide: virtual networks, gateways, advanced protection, platforms, applications, data, identity management, key management, etc.

9
Huawei Cloud Security Certifications
ISO 27001:2013
ISO 27017:2015
ISO 20000-1:2011
ISO 20018:2014
ISO 22301:2012
International Common Criteria EAL3+ Certification
DJCP Classified Protection of Cybersecurity
SOC audit
Singapore Multi-Tier Cloud Security (MTCS) Level 3 Certification
PCI DSS Certification
CSA STAR Gold
TRUCS Gold O&M Assessment
ITSS Cloud Computing Service Capability Assessment by the MIIT
Cybersecurity Review by the Cyberspace Administration of China (CAC)
Trusted Cloud Service (TRUCS) Certification for the Capability of Protecting Cloud Service User Data
10
IAM Features

Identity and Access Management (IAM)
⚫ Basic functions:
 Identity authentication
 Access management
⚫ Refined permissions management
⚫ Huawei Cloud service authorization
⚫ Identity federation with third-party identity providers
11
Identity Authentication Method 1

⚫ Open the Huawei Cloud console login page.
⚫ Use the IAM username and password to log in.
⚫ Perform fine-grained permissions management on the IAM console.
12
Identity Authentication Method 2
⚫ Use an access key (AK/SK) to verify your identity.
⚫ Each IAM user can create two pairs of access keys.
⚫ An AK contains 20 characters, and an SK contains 40 characters.
⚫ An AK/SK pair is used only for API access.
[Screenshot: example command in hcloud]
13
Permissions Management

[Diagram: the IAM administrator assigns permissions to developers, testers, and production personnel.]
Best practices for permissions assignment:
 Principle of least privilege (PoLP)
14
IAM User Groups
⚫ An IAM user group is a collection of IAM users.
⚫ An IAM user can belong to different IAM user groups.
⚫ User groups make it easier to manage permissions.

[Diagram: the Development group contains Sam, Jack, and Emma; the Test group contains Sam, Andy, and Lucy. Sam belongs to both groups.]
15
IAM Permissions
 IAM permissions are defined in JSON documents.
 JSON documents can be encapsulated into policies for repeated use.

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:bucket:ListBucket",
                    "obs:bucket:Get*"
                ],
                "Resource": [
                    "obs:*:*:bucket:*"
                ],
                "Condition": {
                    "StringEndWithIfExists": {
                        "g:UserName": ["specialCharactor"]
                    },
                    "Bool": {"g:MFAPresent": ["true"]}
                }
            }
        ]
    }
16
IAM Policies
⚫ System-defined policies
 Maintained by Huawei Cloud
⚫ Custom policies
 Maintained by users

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:bucket:ListBucket",
                    "obs:bucket:Get*"
                ],
                "Resource": [
                    "obs:*:*:bucket:*"
                ],
                "Condition": {
                    "StringEndWithIfExists": {
                        "g:UserName": ["specialCharactor"]
                    },
                    "Bool": {"g:MFAPresent": ["true"]}
                }
            }
        ]
    }
17
IAM Policy Attachment

[Diagram: IAM policies are attached to a user group (Development group), added to an individual user (Sam), or associated with an IAM agency.]
(Agencies are not the focus of this course. They will be described in another course.)
18
IAM Permissions
⚫ IAM authentication process
 1. An access request arrives.
 2. Evaluate all applicable policies.
 3. Includes Deny? Yes: final decision is Deny.
 4. No: Includes Allow? Yes: final decision is Allow.
 5. No: final decision is Deny.

19
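The decision flow on the slide, worked through in code. This is an added example and not Huawei Cloud's own implementation: it evaluates policy documents in the JSON shape the deck shows (Effect, Action, Resource, Condition), applying explicit Deny first, then Allow, otherwise implicit Deny. Only the two condition operators from the sample policy (StringEndWithIfExists and Bool) are implemented, and the request attributes g:UserName and g:MFAPresent, the second Deny policy, and the resource names are constructed sample values.

```python
"""Added example (not Huawei Cloud code): IAM-style policy evaluation following the
slide's flow: any matching Deny -> Deny; else any matching Allow -> Allow; else Deny."""
import fnmatch
import json

# The slide's sample policy, embedded as a string.
SAMPLE_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["obs:bucket:ListBucket", "obs:bucket:Get*"],
    "Resource": ["obs:*:*:bucket:*"],
    "Condition": {
      "StringEndWithIfExists": {"g:UserName": ["specialCharactor"]},
      "Bool": {"g:MFAPresent": ["true"]}
    }
  }]
}""")

# Constructed second policy: an explicit Deny on one bucket name pattern.
DENY_POLICY = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["obs:bucket:*"],
        "Resource": ["obs:*:*:bucket:finance-*"],
    }],
}

def _matches_any(patterns, value):
    # Action and resource strings use '*' as a wildcard; fnmatch covers that.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, attrs):
    """True when every operator block in the Condition is satisfied by attrs."""
    for operator, block in condition.items():
        for key, expected in block.items():
            if operator == "StringEndWithIfExists":
                # 'IfExists': a missing attribute does not fail the condition.
                if key in attrs and not any(attrs[key].endswith(e) for e in expected):
                    return False
            elif operator == "Bool":
                wanted = [e.lower() for e in expected]
                if str(attrs.get(key, "false")).lower() not in wanted:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True

def evaluate(policies, action, resource, attrs):
    """Return "Allow" or "Deny" for one request over all applicable policies."""
    allow_seen = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches_any(stmt["Action"], action):
                continue
            if not _matches_any(stmt.get("Resource", ["*"]), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), attrs):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny ends evaluation
            allow_seen = True
    return "Allow" if allow_seen else "Deny"   # no Allow -> implicit Deny

if __name__ == "__main__":
    who = {"g:UserName": "alice_specialCharactor", "g:MFAPresent": "true"}
    bucket = "obs:ap-southeast-3:acct:bucket:photos"
    print(evaluate([SAMPLE_POLICY, DENY_POLICY], "obs:bucket:ListBucket", bucket, who))
    print(evaluate([SAMPLE_POLICY], "obs:bucket:ListBucket", bucket,
                   {"g:UserName": "alice_specialCharactor", "g:MFAPresent": "false"}))
```

The `g:MFAPresent` check is where the sample policy enforces MFA: without it the request falls through to the implicit Deny even though the action and resource match.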
Using DEW to Manage Secrets in Applications
Data Encryption Workshop (DEW)
⚫ Key management
 The master key is stored within the service and not exposed to leakage risks.
 You can generate, encrypt, and decrypt data encryption keys (DEKs).
⚫ Secret management
 Centralized storage of database and server passwords
 You no longer need to write them in your code or configurations.
⚫ Seamless access with IAM
20

Cloud Trace Service
• Cloud Trace Service (CTS) allows you to collect, store, and
query operation records of cloud resources.
• Trace recording: CTS records operations performed on the console or triggered by
APIs or other cloud services.
• Trace query: Operation records of the last seven days can be queried on the
management console from multiple dimensions, such as the trace type, trace source,
resource type, filter, operator and trace status.
• Trace transfer: Traces can be transferred to Object Storage Service (OBS) buckets
periodically. In this process, traces are compressed into trace files by service.
• Trace file encryption: Trace files can be encrypted using keys provided by Data
Encryption Workshop (DEW) during transfer.
21
Contents
1. Global Infrastructure of Huawei Cloud

2. Security Considerations on Huawei Cloud

3. Network Design of Huawei Cloud

4. High Availability and Disaster Recovery on the Cloud

5. O&M Automation on the Cloud

6. RDS Cross-Region Replication

22
Virtual Private Cloud (VPC)
 Is a software-defined network.
 Provides an isolated internal network on Huawei Cloud.
 Allows you to configure IP address ranges, subnets, routes, and firewalls in a VPC.
 Can use an EIP to connect to the Internet.
23
VPC CIDR Block
⚫ A VPC can have a custom primary IPv4 CIDR block and a custom secondary IPv4 CIDR block.
 A secondary CIDR block is not required if the network is planned well.

⚫ A VPC supports IPv4 and IPv6 dual stack.

⚫ The IP address range for a VPC is defined using Classless Inter-Domain Routing (CIDR) notation.

⚫ A VPC supports the following CIDR blocks (the range after the slash is the permitted prefix length):
 10.0.0.0/8–24
 172.16.0.0/12–24
 192.168.0.0/16–24

For example, 172.16.0.0/16 contains all IP addresses from 172.16.0.0 to 172.16.255.255.

Network architects need to coordinate, design, and plan the CIDR blocks of each VPC and data center.
24
How Do I Plan a Subnet?
[Diagram: a region (ap-southeast-3) containing a VPC with a subnet for external access, a front-end subnet, and a data subnet; each subnet spans AZ a and AZ b.]
⚫ Basic Rules
 The IP addresses of a subnet must be in its VPC.
 The CIDR blocks of subnets in a VPC cannot overlap.
 IP addresses provided by a subnet can be used by resources from a different AZ.
⚫ Design Principles
 Subnet design is important for your network architecture.
 One-to-one mapping between subnets and nodes
◼ Deploy only one type of node in each subnet.
◼ Deploy nodes with the same function in the same subnet.
◼ Subnets are logical concepts and are not restricted by traditional physical devices.
 Make full use of the VPC CIDR block.
◼ Use subnets with a large CIDR block instead of many small subnets.
26
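A planning check that covers the two preceding slides (VPC CIDR Block and How Do I Plan a Subnet?). This is an added example, not a Huawei Cloud tool: it accepts a VPC CIDR only if it sits inside one of the three ranges the deck lists with a prefix length in the permitted span, and then validates a subnet plan against the slide's rules (every subnet inside the VPC, no two subnets overlapping). The VPC and subnet blocks used below are constructed sample values.

```python
"""Added example (not Huawei Cloud code): VPC CIDR admission check and subnet plan
validation using only the Python standard library."""
import ipaddress

# (supernet, smallest prefix, largest prefix) for each range the slide lists.
ALLOWED_VPC_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), 8, 24),
    (ipaddress.ip_network("172.16.0.0/12"), 12, 24),
    (ipaddress.ip_network("192.168.0.0/16"), 16, 24),
]

def vpc_cidr_allowed(cidr):
    """True if cidr lies within an allowed range and its prefix length is in span."""
    net = ipaddress.ip_network(cidr, strict=True)
    for supernet, lo, hi in ALLOWED_VPC_RANGES:
        if net.subnet_of(supernet) and lo <= net.prefixlen <= hi:
            return True
    return False

def check_subnet_plan(vpc_cidr, subnets):
    """Return a list of rule violations; an empty list means the plan is valid.

    subnets maps a subnet name to its CIDR string.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    nets = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not inside VPC {vpc_cidr}")
        nets[name] = net
    # Rule 2: subnet blocks in one VPC must not overlap (pairwise check).
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems

# Constructed sample plan mirroring the slide's three-subnet layout.
SAMPLE_VPC = "172.16.0.0/16"
SAMPLE_PLAN = {
    "external-access": "172.16.0.0/24",
    "front-end": "172.16.1.0/24",
    "data": "172.16.2.0/23",
}

if __name__ == "__main__":
    print("VPC allowed:", vpc_cidr_allowed(SAMPLE_VPC))
    print("Problems:", check_subnet_plan(SAMPLE_VPC, SAMPLE_PLAN) or "none")
```

Because subnets span AZs (third basic rule), the check is deliberately AZ-agnostic: the plan is validated on address space alone.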
Elastic IP (EIP)
[Diagram: an EIP bound to an ECS, a NAT gateway, or an ELB in a subnet of a VPC.]
⚫ An EIP is a public IP address.
⚫ An EIP can be bound to or unbound from an ECS.
⚫ An EIP can use public network bandwidth for Internet access.
⚫ Various billing options:
 Pay-per-use
◼ By bandwidth
◼ By traffic
 Yearly/Monthly
 Shared data package and bandwidth add-on package

Can I use an EIP if my ECS needs to access the Internet?
27
Public NAT Gateway
If your servers need to access the Internet, you can use a public NAT gateway and add a Source Network Address Translation
(SNAT) rule. In the route table associated with the subnet where your servers are deployed, add a rule to route outbound
traffic to the gateway.

Public NAT gateways have the following advantages:

⚫ Security: Private IP addresses of your servers are not exposed when they access the Internet.

⚫ Ease-of-use: NAT Gateway is hosted and maintained by Huawei Cloud, so high availability and throughput are ensured.
[Diagram: on the left, a NAT gateway in VPC 1 serves Subnet 1 and Subnet 2 with EIP 1 and EIP 2; on the right, high availability with multiple EIPs (EIP 1, EIP 2, EIP 3) added in one SNAT rule.]
28
How Do I Ensure VPC Security?

[Diagram: a VPC router in front of Subnet 1 and Subnet 2; a network ACL guards each subnet and a security group guards the instances inside it.]
Multiple firewall components:
 Security group
 Network ACL
29
Differences Between Security Groups and Network ACLs
Protected object
 Security group: ECSs
 Network ACL: Subnets
Action
 Security group: Supports both Allow and Deny rules.
 Network ACL: Supports both Allow and Deny rules.
Priority
 Security group: If there are conflicting rules, the first security group associated will take precedence over those associated later, then the rule with the highest priority in that security group will be applied first.
 Network ACL: If there are conflicting rules, only the rule with the highest priority takes effect.
Application operation
 Security group: By default, a security group must be selected during ECS creation and the security group will be automatically applied to the ECS.
 Network ACL: You cannot select a network ACL when creating a subnet. You must create a network ACL, associate subnets with the network ACL, add inbound and outbound rules, and enable the network ACL. Then, the network ACL takes effect for the associated subnets and ECSs in the subnets.
Packets
 Security group: Only supports packet filtering based on 3-tuple (protocol, port, and peer IP address).
 Network ACL: Supports packet filtering based on 5-tuple (protocol, source port, destination port, source IP address, and destination IP address).
30
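The two filter layers from the table, modelled side by side. This is an added example, not Huawei Cloud's implementation: a network ACL rule matches on the 5-tuple and guards a subnet, a security group rule matches on the 3-tuple (protocol, port, peer IP) and guards an ECS, and conflicts are resolved the way the table describes (highest-priority ACL rule wins; for security groups the first associated group takes precedence, then the highest-priority rule in it). Two assumptions are made for the example: a lower priority number means higher priority, and both layers are evaluated per packet with no connection tracking. All packets and rules below are constructed samples.

```python
"""Added example (not Huawei Cloud code): 5-tuple network ACL vs 3-tuple security
group filtering with the conflict-resolution order from the comparison table."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class AclRule:                  # 5-tuple rule, protects a subnet
    priority: int               # assumption: lower number = higher priority
    action: str                 # "allow" or "deny"
    protocol: str               # "tcp", "udp", "icmp" or "any"
    src_cidr: str
    dst_cidr: str
    src_port: Optional[int] = None   # None means any port
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class SgRule:                   # 3-tuple rule, protects an ECS (inbound direction)
    priority: int
    action: str
    protocol: str
    peer_cidr: str              # remote side of the connection
    port: Optional[int] = None  # destination port on the ECS

def _in(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _proto_ok(rule_proto, pkt_proto):
    return rule_proto == "any" or rule_proto == pkt_proto

def _port_ok(rule_port, pkt_port):
    return rule_port is None or rule_port == pkt_port

def acl_decision(rules, pkt, default="deny"):
    """Network ACL: of all matching rules only the highest-priority one takes effect."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (_proto_ok(r.protocol, pkt.protocol) and _in(r.src_cidr, pkt.src_ip)
                and _in(r.dst_cidr, pkt.dst_ip) and _port_ok(r.src_port, pkt.src_port)
                and _port_ok(r.dst_port, pkt.dst_port)):
            return r.action
    return default

def sg_decision(groups, pkt, default="deny"):
    """Security groups: `groups` is a list in association order. The first group
    with a matching rule decides; within a group the highest-priority rule wins."""
    for group in groups:
        for r in sorted(group, key=lambda r: r.priority):
            if (_proto_ok(r.protocol, pkt.protocol) and _in(r.peer_cidr, pkt.src_ip)
                    and _port_ok(r.port, pkt.dst_port)):
                return r.action
    return default

def inbound_allowed(acl_rules, groups, pkt):
    """A packet must pass the subnet's ACL and then the ECS's security groups."""
    return acl_decision(acl_rules, pkt) == "allow" and sg_decision(groups, pkt) == "allow"

# Constructed samples: the subnet ACL blocks SSH from anywhere, allows other TCP.
SAMPLE_ACL = [
    AclRule(1, "deny", "tcp", "0.0.0.0/0", "10.0.1.0/24", dst_port=22),
    AclRule(100, "allow", "tcp", "0.0.0.0/0", "10.0.1.0/24"),
]
SG_WEB = [SgRule(1, "allow", "tcp", "0.0.0.0/0", 443), SgRule(100, "deny", "any", "0.0.0.0/0")]
SG_ADMIN = [SgRule(1, "allow", "tcp", "0.0.0.0/0", 22)]
HTTPS_PKT = Packet("tcp", "203.0.113.5", 51000, "10.0.1.10", 443)
SSH_PKT = Packet("tcp", "203.0.113.5", 51001, "10.0.1.10", 22)

if __name__ == "__main__":
    print("HTTPS:", inbound_allowed(SAMPLE_ACL, [SG_WEB, SG_ADMIN], HTTPS_PKT))
    print("SSH:", inbound_allowed(SAMPLE_ACL, [SG_ADMIN, SG_WEB], SSH_PKT))
```

The SSH packet shows why the two layers are compared rather than treated as interchangeable: SG_ADMIN would allow it, but the subnet ACL denies it first, and if SG_WEB is associated before SG_ADMIN its catch-all deny wins even without the ACL.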
How Do I Connect On-premises Data Centers to Huawei Cloud to Build a Hybrid Cloud Network?
[Diagram: ECSs in a VPC on Huawei Cloud on one side, servers in an on-premises data center on the other, with the link between them marked "?".]
31
Virtual Private Network (VPN)
⚫ Connects on-premises data centers to VPCs at Layer 3.

⚫ Creates secure encrypted tunnels over existing networks.

⚫ Has only one VPN gateway in a VPC.

⚫ Establishes VPN connections with routing devices in on-premises data centers.

[Diagram: a customer gateway in an on-premises data center connects over a VPN connection to a VPN gateway in a VPC in Region 1; a VPN gateway in a VPC in Region 2 connects to a second on-premises data center through its customer gateway.]
CIDR blocks of subnets need to be planned.
32
Direct Connect
⚫ Direct Connect establishes a dedicated network connection that enables an on-premises
data center to access VPCs over a private network.
⚫ Generally, optical fibers are used for network connectivity.
⚫ Direct Connect features compliance and security and can provide stable performance.

⚫ Scenarios:
 Large-scale data transmission
 Scenarios where stable network performance and low latency are required
 Scenarios where strict compliance requirements must be met

33
Contents
1. Global Infrastructure of Huawei Cloud

2. Security Considerations on Huawei Cloud

3. Network Design of Huawei Cloud

4. High Availability and Disaster Recovery on the Cloud

5. O&M Automation on the Cloud

6. RDS Cross-Region Replication

34
A Robust Architecture Ensures a Stable System

35
Criteria That Make a Robust Architecture

Availability (%) | Yearly downtime | Monthly downtime | Daily downtime
90%              | 36.5 days       | 3.04 days        | 2.4 hours
99%              | 3.65 days       | 7.3 hours        | 14.4 minutes
99.9%            | 8.76 hours      | 43.8 minutes     | 1.44 minutes
99.99%           | 52.56 minutes   | 4.38 minutes     | 8.64 seconds
99.999%          | 5.26 minutes    | 26.28 seconds    | 0.86 seconds

For details about Service Level Agreements (SLAs), visit https://www.huaweicloud.com/intl/en-us/declaration/sla.html.

36
A Better Scalability Design for Improved Reliability

If one backend server is unhealthy, the overall processing capacity is reduced. If this happens, the system will automatically add a healthy backend server to ensure stable performance.
37
Cross-AZ Deployment for Active-Active DR

[Diagram: one region with AZ 1 and AZ 2; a server and an RDS instance (primary) in AZ 1, a server and an RDS instance (standby) in AZ 2.]
 Servers are deployed in multiple AZs to run stateless services.
 ELB or DNS is used to route traffic evenly across ECSs deployed in multiple AZs.
 If the health check identifies a server as unhealthy, traffic is not routed to that server.
 RDS instances are deployed in multiple AZs.
38
Three Data Centers Are Deployed in Two Cities
[Diagram: DNS in front of Region 1 (servers, an RDS instance (primary) in AZ 1 and an RDS instance (standby) in AZ 2) and Region 2 (a server and an RDS instance (primary) in AZ 1).]
 In addition to the active-active architecture, an additional ECS and primary RDS instance are deployed in another region.
 DNS is used to route traffic to the given region.
39
Contents
1. Global Infrastructure of Huawei Cloud

2. Security Considerations on Huawei Cloud

3. Network Design of Huawei Cloud

4. High Availability and Disaster Recovery on the Cloud

5. O&M Automation on the Cloud

6. RDS Cross-Region Replication

40
Cloud Eye: Be Aware of Your Systems

⚫ Cloud Eye offers comprehensive monitoring for your service systems.
⚫ Cloud Eye is more than a monitoring system. It also:
 Collects data.
 Is not tightly coupled with other services.
⚫ Cloud Eye can monitor application components all on the same console.
⚫ Visualized dashboards and alarms are provided.
41
How Cloud Eye Works

[Diagram of the data flow.]
Customer applications send application logs to Log Tank Service (LTS), which provides LTS dashboards, LTS alarms, and log metrics.
Custom metrics of applications, log metrics, and built-in metrics of Huawei Cloud services (for example, ECSs) flow into Cloud Eye.
Cloud Eye provides dashboards on the console and alarms.
Alarms publish to SMN topics, which send emails or SMS messages, or invoke a function.
42
DR Switchover with Website Monitoring

[Diagram: the primary site is an on-premises data center (servers, databases); the secondary site is a region on the cloud (servers, Relational Database Service (RDS) databases). Cloud Eye website monitoring detects a failure and raises alarms to SMN topics, which invoke a function; Domain Name Service (DNS) switches traffic between the sites.]
43
Using Data to Truly Sense the System

Resource Formation Service (RFS)
⚫ Code-based application environment creation
 Text in YAML or JSON format
 Application-based management, rather than resource-based
⚫ Automatic deployment, initialization, and revocation
⚫ Deployment of almost all Huawei Cloud services
⚫ Easy cross-region migration
44
How RFS Works

[Diagram: an RFS template is processed by the RFS engine to create a stack: a VPC with a subnet for external access (NAT Gateway), a front-end subnet (web server, cache), and a data subnet (primary database).]
RFS starts all components in order and dependency as specified by the template.

45
Contents
1. Global Infrastructure of Huawei Cloud

2. Security Considerations on Huawei Cloud

3. Network Design of Huawei Cloud

4. High Availability and Disaster Recovery on the Cloud

5. O&M Automation on the Cloud

6. RDS Cross-Region Replication

46
RDS Cross-Region Replication
⚫ RDS for MySQL instances can be deployed in the production center and DR center. DRS
replicates data from the primary instance in the production center to the DR instance
in the DR center, keeping data synchronous across the regions.

[Diagram: the production center (Region 1) has VPC 1 with a primary instance, a standby, and a read replica; the DR center (Region 2) has VPC 2 with a primary instance, a standby, and a read replica. The regions are connected over CC/VPN/EIP/Direct Connect, and DRS replicates between them in three stages: log capturing, log parsing and combination, log replay.]
47
Thank You.
Copyright©2023 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating
results, future product portfolio, new technology, etc. There are a number of
factors that could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements. Therefore, such
information is provided for reference purpose only and constitutes neither an
offer nor an acceptance. Huawei may change the information at any time
without notice.

48
