Features

Last updated: 2020-03-27 17:00:37


Connection
A physical Direct Connect is a physical line that connects Tencent Cloud with your local IDC. You can establish a network connection between your IDC and a Tencent Cloud Direct Connect access point through a third-party network service provider.

Dedicated Tunnel

A Direct Connect tunnel is a network link segment of a physical Direct Connect.
You can create Direct Connect tunnels to different Direct Connect gateways to interconnect a local IDC with multiple VPCs.

Direct Connect Gateway
A Direct Connect gateway is the entry point for establishing Direct Connect tunnels between a VPC and physical Direct Connects. A VPC supports at most 2 Direct Connect gateways (one with NAT and one without).
Direct Connect tunnels can be established between one Direct Connect gateway and multiple physical Direct Connects to deploy a hybrid cloud spanning multiple regions.

Network Address Translation (NAT)

Network address translation resolves IP conflicts between the two ends of a Direct Connect when building a hybrid cloud. You can configure NAT rules on the Direct Connect gateway. NAT includes IP translation and IP port translation.

IP Translation

IP translation maps an original IP to a new IP to achieve network interconnection. It includes local IP translation and peer IP translation.
IP translation does not distinguish which side initiates the access: the mapped IP can both access the peer and be accessed by it.

Local IP Translation

1. Translation description

  • Local IP translation maps an original VPC IP to a new IP; the VPC then communicates with the Direct Connect peer under the new IP identity.
    You can configure multiple local IP translation rules and a network ACL for each rule. The network ACL supports source port, destination IP, and destination port.
    A NAT rule takes effect only for network requests that match its ACL.
    Local IP translation does not limit the direction of network requests: the VPC can actively access the Direct Connect peer, or vice versa.

2. Translation example
If IP A 192.168.0.3 in the VPC is mapped to IP B 10.100.0.3, the source IP of packets that IP A sends to the Direct Connect peer is automatically changed to 10.100.0.3, and all packets from the Direct Connect peer addressed to 10.100.0.3 are automatically forwarded to IP A 192.168.0.3.

Peer IP Translation

1. Translation description
Peer IP translation maps the original IP of the user's IDC to a new IP, so that the IDC interconnects with the VPC under the new IP.

  • Unlike local IP translation, peer IP translation does not support network ACL restrictions, so once a peer IP translation rule is configured, it takes effect for the peers of all Direct Connect tunnels.
    Peer IP translation does not limit the direction of network requests: the VPC can actively access the Direct Connect peer, or vice versa.

2. Translation example
If Direct Connect peer IP D 10.0.0.3 is mapped to IP C 172.16.0.3, the source IP of packets that IP D sends to the VPC is automatically changed to IP C 172.16.0.3, and all packets from the VPC addressed to IP C 172.16.0.3 are automatically forwarded to Direct Connect peer IP D 10.0.0.3.

  • After local and peer IP translation are configured, the Direct Connect gateway routes only translated IPs to the Direct Connect peer. Therefore, an original IP that has no local or peer IP translation rule cannot reach the Direct Connect peer (it cannot even ping it). However, the Direct Connect gateway is not a substitute for a professional network firewall. If you need advanced network protection, configure security group and network ACL policies in the VPC, and deploy a professional physical firewall in your IDC data center.

IP Port Translation

IP port translation maps an original IP and port to a new IP and port to achieve network interconnection. It includes local source IP port translation and local destination IP port translation.
IP port translation is directional: source IP port translation applies to access initiated from the VPC, and destination IP port translation applies to access initiated by the peer.

Local Source IP Port Translation

1. Translation description
When a VPC IP accesses the outside through the Direct Connect gateway, local source IP port translation makes it reach the user's IDC on the Direct Connect peer using a random port of a random IP from a specified IP pool:

  • Local source IP port translation supports ACL rules. Only outbound access that matches an ACL rule is matched to the corresponding address pool translation rule. By configuring different ACL rules for different address pools, you can flexibly configure NAT rules for access to multiple third parties.

  • Local source IP port translation only supports network requests initiated by the VPC. If the Direct Connect peer needs to actively access IP ports in the VPC, local destination IP port translation must be configured in addition. Network requests initiated by the VPC under local source IP port translation are stateful connections, so return packets need no extra consideration.

2. Example:
VPC C, network segment 172.16.0.0/16, connects to third-party banks A and B via Direct Connect. The peer network segment of bank A is 10.0.0.0/28, and bank A requires the connecting network segment to be 192.168.0.0/28; the peer network segment of bank B is 10.1.0.0/28, and bank B requires the connecting network segment to be 192.168.1.0/28.

  • Address pool A 192.168.0.1 - 192.168.0.15; ACL rule A: source IP 172.16.0.0/16, destination IP 10.0.0.0/28, destination port ALL.
  • Address pool B 192.168.1.1 - 192.168.1.15; ACL rule B: source IP 172.16.0.0/16, destination IP 10.1.0.0/28, destination port ALL.

Network requests that the VPC actively sends to A or B are translated to a random IP and port of the corresponding address pool according to ACL rule A or B, and are then sent over the appropriate Direct Connect tunnel.

Local Destination IP Port Translation

1. Translation description
Local destination IP port translation is a way for the Direct Connect peer to actively access the VPC. By mapping a specified port of a specified IP in the VPC to a new IP and port, the Direct Connect peer can communicate only with that specified IP port in the VPC, by accessing the mapped IP port. Other IP ports are not exposed to the Direct Connect peer:

  • Local destination IP port translation does not support ACL rules, so its rules take effect for all Direct Connect tunnels connected to the Direct Connect gateway. It takes effect only for access that the Direct Connect tunnel peer actively initiates to the VPC; if the VPC needs to actively access the Direct Connect peer, configure local source IP port translation. Network requests under local destination IP port translation are stateful connections, so return packets need no extra consideration.

2. Translation example
For VPC C, network segment 172.16.0.0/16, if you want to open only specific ports to active access from the Direct Connect peer, you can configure the following:
Mapping A: original IP port 172.16.0.1:80, mapped IP port 10.0.0.1:80
Mapping B: original IP port 172.16.0.0:8080, mapped IP port 10.0.0.1:8080
The Direct Connect peer accesses 10.0.0.1:80 and 10.0.0.1:8080 to reach 172.16.0.1:80 and 172.16.0.0:8080 in the VPC.

  • After local source and destination IP port translation are configured, the Direct Connect gateway routes only translated IP ports to the Direct Connect peer. Therefore, a local IP port with no rule can neither initiate requests nor accept them. However, the Direct Connect gateway is not a substitute for a professional network firewall. If you need advanced network protection, configure security group and network ACL policies in the VPC, and deploy a professional physical firewall in your IDC data center.
    When both IP translation and IP port translation are configured, IP translation is matched first. Only if no IP translation rule matches is IP port translation matched.

When the Direct Connect gateway is also configured with peer IP translation, the destination IP in the ACL rule for local source IP port translation should be the mapping IP of the peer IP translation, not the original IP.
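The following is an added example, not Tencent Cloud code: a toy model of the order in which the gateway applies the rules above to a packet leaving the VPC (local IP translation with its ACL first, then local source IP port translation with its address pool, then the peer IP rewrite). The rule tables and the peer mapping 10.0.1.3 to 100.64.0.3 are constructed for illustration; the bank A and B pools follow the example in the text.

```python
import ipaddress
import random

# Constructed rule tables (not real gateway configuration). None means "any".
# Local IP translation: (original VPC IP, mapped IP, ACL), where the ACL is
# (source port, destination net, destination port).
LOCAL_IP_RULES = [("192.168.0.3", "10.100.0.3", (None, "10.0.0.0/28", None))]
# Local source IP port translation: ACL (source net, destination net,
# destination port) selecting an address pool (prefix, first host, last host).
SOURCE_PORT_RULES = [
    ("172.16.0.0/16", "10.0.0.0/28", None, ("192.168.0.", 1, 15)),   # bank A
    ("172.16.0.0/16", "10.1.0.0/28", None, ("192.168.1.", 1, 15)),   # bank B
    # The peer host 10.0.1.3 is addressed by the VPC through its mapped IP,
    # so the ACL must name the mapped IP (100.64.0.3), not 10.0.1.3.
    ("172.16.0.0/16", "100.64.0.3/32", None, ("192.168.0.", 1, 15)),
]
# Peer IP translation: mapped IP (as seen in the VPC) -> original peer IP.
PEER_IP_RULES = {"100.64.0.3": "10.0.1.3"}

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def acl_matches(acl, src_port, dst_ip, dst_port):
    a_sport, a_net, a_dport = acl
    return ((a_sport is None or a_sport == src_port) and in_net(dst_ip, a_net)
            and (a_dport is None or a_dport == dst_port))

def translate_outbound(src_ip, src_port, dst_ip, dst_port, rng=random):
    """NAT a VPC-initiated packet as the gateway would; None = not routed."""
    new_src, new_port = None, src_port
    # 1. IP translation is matched first. The ACL sees the destination as the
    #    VPC addressed it, i.e. the peer's mapped IP, not its original IP.
    for orig, mapped, acl in LOCAL_IP_RULES:
        if src_ip == orig and acl_matches(acl, src_port, dst_ip, dst_port):
            new_src = mapped
            break
    # 2. Only if IP translation misses is IP port translation consulted.
    if new_src is None:
        for src_net, dst_net, port, (prefix, first, last) in SOURCE_PORT_RULES:
            if in_net(src_ip, src_net) and acl_matches(
                    (None, dst_net, port), src_port, dst_ip, dst_port):
                new_src = prefix + str(rng.randint(first, last))
                new_port = rng.randint(1024, 65535)  # random pool IP and port
                break
    if new_src is None:  # untranslated VPC IPs are not routed to the peer
        return None
    # 3. Finally rewrite the destination from the peer's mapped IP to its original.
    return new_src, new_port, PEER_IP_RULES.get(dst_ip, dst_ip), dst_port
```

A VPC host with no matching rule gets None, which mirrors the note that untranslated addresses are not routed to the peer.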