Concepts
<p><span style="font-size:18px"><strong>Network Domains</strong></span></p>
<p>Ping An Cloud currently follows the network architecture used in the financial industry and divides each VPC into three isolated network domains by default: DMZ, SF and PTR. This simplifies service deployment, because each system is placed in the domain that matches its exposure.</p>
<p>• DMZ: Demilitarized Zone, commonly known as the isolation zone. It can be connected to the internet through services such as a NAT gateway, IGW gateway or ELB, and is usually used to deploy front-end systems.</p>
<p>• SF: Server Farm zone, commonly known as the internal service zone. It is usually used to deploy application servers and database servers. It cannot be connected to the internet directly, but can be accessed from the DMZ and PTR.</p>
<p>• PTR: Partner zone, commonly known as the partner access zone. It is used to connect to regulatory agencies and other partners over an internal leased line to the partner’s data center, and is typically used to deploy front-end or agent systems.</p>
<p>The network domains are isolated from each other; traffic between them is only possible once access policies have been configured.</p>
<p>In new regions, Ping An Cloud will adopt a new VPC architecture that drops the concept of network domains; existing regions will keep the current VPC architecture.</p>
<p><span style="font-size:18px"><strong>Subnets</strong></span></p>
<p>You can create subnets in a network domain to meet your business requirements.</p>
<p>A subnet is part of a network domain. A network domain can be logically divided into multiple subnets, and the IP address of a cloud host belongs to the subnet the host is placed in.</p>
<p>By default, cloud hosts in the same subnet under one network domain can communicate with each other.</p>
<p><strong><span style="font-size:18px">Regions</span></strong></p>
<p>A region is the geographical location of Ping An Cloud’s infrastructure, and each region provides independent services.</p>
<p>Currently, Ping An Cloud has opened the following regions: East China 1, South China 1, North China 1 and Hong Kong. We recommend that you create a VPC in the nearest region to reduce network latency. Each VPC can only belong to one region.</p>
<p><strong><span style="font-size:18px">Availability Zones</span></strong></p>
<p>To improve availability, each region typically consists of multiple availability zones, each containing one or more data centers. Each availability zone has independent power and network facilities, so a failure in one availability zone does not affect the others. Availability zones are physically isolated but interconnected over the internal network, which preserves their independence while providing low-latency connectivity between them.</p>
<p><strong><span style="font-size:18px">Security Groups</span></strong></p>
<p>A security group is a virtual firewall that controls inbound and outbound traffic. A security group is bound to a network domain, and together they form a logical grouping of cloud hosts in the VPC that have the same protection requirements and trust each other. This grouping is an important means of isolation for securing the network.</p>
<p>After creating a security group, you can add access rules to it; each rule defines the direction (inbound or outbound), the authorized IP address range, the port, the protocol and other attributes. A cloud host added to the security group is protected by these rules, which determine whether matching traffic is allowed or blocked.</p>
<p>By default, traffic rules are as follows:</p>
<p>• Cloud resources in the same network domain can communicate with each other without configuring security groups.</p>
<p>• Between network domains in the same VPC, inbound traffic is allowed by default and outbound traffic is blocked; to reach another network domain, you must configure an outbound security group rule.</p>
<p>• Between different VPCs, between a VPC and the internet, and between a VPC and the tenant’s local data center, traffic is blocked in both directions by default. Security group rules must be configured in both the inbound and outbound directions to establish a connection.</p>
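<p>The default rules above are easy to misread, so the following Python model checks a flow against them. It is an added example, not Ping An Cloud code or API: the VPC name, the domain labels, the CIDRs, the rule attributes and the flow evaluation order are all assumed. A peer with no VPC stands for the internet and has no security group, so only the cloud-side direction is checked for it, and SF is treated as having no internet path at all, as the network-domain description states.</p>

```python
"""Model of the default security-group behaviour described on this page.

Added example: illustrative code, not Ping An Cloud's implementation or API.
VPC name, domain labels, CIDRs and rule attributes are assumed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """A host. vpc=None means the peer is outside the cloud (the internet)."""
    ip: str
    vpc: Optional[str] = None
    domain: Optional[str] = None  # "DMZ", "SF" or "PTR" for hosts inside a VPC

    @property
    def outside(self) -> bool:
        return self.vpc is None


@dataclass(frozen=True)
class Rule:
    """One security-group rule: direction, authorized CIDR, protocol, port range."""
    direction: str                            # "inbound" or "outbound"
    cidr: str                                 # authorized peer address range
    protocol: str                             # "tcp", "udp", "icmp" or "any"
    ports: Optional[Tuple[int, int]] = None   # inclusive range; None = any port

    def matches(self, direction: str, peer_ip: str, protocol: str,
                port: Optional[int]) -> bool:
        if self.direction != direction:
            return False
        if ip_address(peer_ip) not in ip_network(self.cidr, strict=False):
            return False
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.ports is not None:
            if port is None or not (self.ports[0] <= port <= self.ports[1]):
                return False
        return True


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def permits(self, direction: str, peer_ip: str, protocol: str,
                port: Optional[int]) -> bool:
        # Rules are allow rules: any match permits, otherwise the default applies.
        return any(r.matches(direction, peer_ip, protocol, port) for r in self.rules)


def evaluate(src: Endpoint, dst: Endpoint, protocol: str, port: Optional[int],
             src_sg: Optional[SecurityGroup] = None,
             dst_sg: Optional[SecurityGroup] = None):
    """Return (allowed, reason) for a flow src -> dst under the page's defaults."""
    # SF has no direct internet path at all (network-domain description above).
    if (src.outside and dst.domain == "SF") or (dst.outside and src.domain == "SF"):
        return False, "blocked: SF cannot be connected to the internet directly"
    same_vpc = not src.outside and not dst.outside and src.vpc == dst.vpc
    # 1. Same network domain of one VPC: allowed without any security group rule.
    if same_vpc and src.domain == dst.domain:
        return True, "allowed: same network domain"
    # 2. Outbound is blocked by default for every cloud host leaving its domain
    #    (an internet peer has no security group, so nothing to check there).
    if not src.outside:
        if src_sg is None or not src_sg.permits("outbound", dst.ip, protocol, port):
            return False, "blocked: no matching outbound rule on source security group"
    # 3. Inbound between domains of one VPC is open by default; from another VPC,
    #    the internet or the tenant data center it needs an inbound rule.
    if not dst.outside and not same_vpc:
        if dst_sg is None or not dst_sg.permits("inbound", src.ip, protocol, port):
            return False, "blocked: no matching inbound rule on destination security group"
    return True, "allowed: security group rules match"


def demo() -> dict:
    """Constructed hosts and rules (assumed values); returns each scenario's verdict."""
    web = Endpoint("10.0.1.10", "vpc-a", "DMZ")
    web2 = Endpoint("10.0.1.11", "vpc-a", "DMZ")
    db = Endpoint("10.0.2.20", "vpc-a", "SF")
    client = Endpoint("203.0.113.5")                 # internet, no security group
    sg_web = SecurityGroup("sg-web", [
        Rule("inbound", "0.0.0.0/0", "tcp", (443, 443)),
        Rule("outbound", "10.0.2.0/24", "tcp", (3306, 3306)),
    ])
    sg_db = SecurityGroup("sg-db", [Rule("inbound", "10.0.1.0/24", "tcp", (3306, 3306))])
    sg_empty = SecurityGroup("sg-empty")
    return {
        "dmz_to_dmz_no_rules": evaluate(web, web2, "tcp", 22, sg_empty, sg_empty)[0],
        "dmz_to_sf_no_outbound": evaluate(web, db, "tcp", 3306, sg_empty, sg_db)[0],
        "dmz_to_sf_with_outbound": evaluate(web, db, "tcp", 3306, sg_web, sg_db)[0],
        "internet_to_web_443": evaluate(client, web, "tcp", 443, None, sg_web)[0],
        "internet_to_web_22": evaluate(client, web, "tcp", 22, None, sg_web)[0],
        "internet_to_sf": evaluate(client, db, "tcp", 3306, None, sg_db)[0],
        "web_to_internet_no_rule": evaluate(web, client, "tcp", 443, sg_web, None)[0],
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'blocked'}")
```

<p>The point the model makes visible is that the default-open inbound direction between domains of one VPC means the only thing standing between a DMZ host and an SF database is the DMZ host’s outbound rule set, so outbound rules deserve the same scrutiny as inbound ones.</p>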
<p><strong><span style="font-size:18px">Routing Tables</span></strong></p>
<p>A routing table is a list of routing entries that determines where traffic is forwarded. Each network domain has its own routing table, which is used for communication between the subnets in that domain.</p>