Public EIP

1.1 Product Introduction

1.1.1 Product Introduction

The SCloud public network elastic IP (EIP) is a standard static public IP address. Binding an EIP to a cloud host (UHost), a load balancer (ULB), a NAT gateway or another service gives that service the ability to access the public network.

1.1.2 Introduction to billing methods

In the SCloud platform, users can select a different bandwidth usage mode for each EIP in the account. Currently, all regions of the cloud platform offer the following billing methods: standard bandwidth billing, traffic accounting, shared bandwidth, and bandwidth postpaid.


Bandwidth billing


When purchasing an elastic IP, you purchase the upper limit of the egress bandwidth at the same time. When this billing method is selected, the public IP address (naked IP) is free, and no traffic charges are counted.


Traffic accounting


When purchasing an elastic IP, you can choose to set the upper limit of the egress bandwidth. Billing is based on the “egress traffic” generated by the IP, charged after zero o’clock every day at the unit price of the region. The specific billing information can be seen under the monitoring icon on the EIP details page. No charges apply when the daily traffic is lower than 1G. When this billing method is selected, the public IP address (naked IP) is charged, and no bandwidth fee is included.


Shared bandwidth


Bandwidth postpaid


When this billing method is selected, the public IP address (naked IP) is free and only the bandwidth fee is charged. The actual bandwidth of the EIP is limited to the peak bandwidth, where peak bandwidth : guaranteed bandwidth is 5:1.

Cost

The fee is charged in two parts: guaranteed bandwidth fee + post-paid fee.

(1) The guaranteed bandwidth fee is charged at purchase, when the bandwidth is paid for.

(2) The post-payment fee is settled at zero o’clock on the next day. It is charged on the average value of the bandwidth exceeding the guarantee, that is, the average of the shaded points in the figure below: one point is taken every five minutes; if the bandwidth value of a point is lower than the guarantee, it is counted as 0, and if it is higher than the guarantee, it is counted as the bandwidth value minus the guarantee.


Precautions

1) When the bandwidth is adjusted for the Postpaid Bandwidth method, the adjustment applies to the guaranteed bandwidth value. After the guaranteed bandwidth value is adjusted, the corresponding peak bandwidth is adjusted automatically.

2) The bandwidth usage rate in the EIP monitoring data is calculated against the peak bandwidth.

3) The optional range of the guaranteed bandwidth is 5-200Mbps.

4) Free quota of ingress bandwidth:

When the purchased egress bandwidth is less than 50Mbps, the ingress bandwidth is 50Mbps. When the purchased egress bandwidth is greater than or equal to 50Mbps, the ingress bandwidth is equal to the egress bandwidth. (Ingress bandwidth: from the Internet to SCloud; egress bandwidth: from SCloud to the public network.)
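The post-paid settlement described above, worked through as an added example (this is not SCloud code): it derives the peak from the 5:1 ratio, applies the 50Mbps ingress rule, and averages the five-minute excess points of a constructed monitoring day. The unit price is an assumed value, since the page gives no prices.

```python
"""Bandwidth postpaid settlement for one EIP, following the rules given above."""

PEAK_TO_GUARANTEE_RATIO = 5        # peak bandwidth : guaranteed bandwidth = 5:1
GUARANTEE_RANGE_MBPS = (5, 200)    # optional range of the guaranteed bandwidth
SAMPLE_INTERVAL_MINUTES = 5        # one monitoring point every five minutes
SAMPLES_PER_DAY = 24 * 60 // SAMPLE_INTERVAL_MINUTES   # 288 points per day


def is_valid_guarantee(guaranteed_mbps):
    """The guaranteed bandwidth can only be chosen within 5-200 Mbps."""
    low, high = GUARANTEE_RANGE_MBPS
    return low <= guaranteed_mbps <= high


def peak_bandwidth(guaranteed_mbps):
    """The actual EIP bandwidth is capped at the peak, which is 5x the guarantee."""
    if not is_valid_guarantee(guaranteed_mbps):
        raise ValueError("guaranteed bandwidth must be within %s Mbps" % (GUARANTEE_RANGE_MBPS,))
    return guaranteed_mbps * PEAK_TO_GUARANTEE_RATIO


def ingress_bandwidth(egress_mbps):
    """Free ingress quota: 50 Mbps when egress is below 50 Mbps, otherwise equal to egress."""
    return 50 if egress_mbps < 50 else egress_mbps


def excess_points(samples_mbps, guaranteed_mbps):
    """Turn each five-minute point into (bandwidth - guarantee), or 0 when below the guarantee.

    The actual bandwidth is limited to the peak, so a sample above it is clamped first.
    """
    peak = peak_bandwidth(guaranteed_mbps)
    return [max(0.0, min(s, peak) - guaranteed_mbps) for s in samples_mbps]


def postpaid_average_mbps(samples_mbps, guaranteed_mbps):
    """Average of the shaded points over the whole day (points below the guarantee count as 0)."""
    if len(samples_mbps) != SAMPLES_PER_DAY:
        raise ValueError("a full day has %d five-minute points" % SAMPLES_PER_DAY)
    points = excess_points(samples_mbps, guaranteed_mbps)
    return sum(points) / len(points)


def postpaid_fee(samples_mbps, guaranteed_mbps, unit_price_per_mbps):
    """Post-paid part settled at zero o'clock: average excess bandwidth x unit price.

    unit_price_per_mbps is an assumed per-Mbps daily rate; the page gives no prices.
    """
    return postpaid_average_mbps(samples_mbps, guaranteed_mbps) * unit_price_per_mbps


def bandwidth_usage_rate(sample_mbps, guaranteed_mbps):
    """The monitoring 'bandwidth usage rate' is relative to the peak, not the guarantee."""
    return sample_mbps / peak_bandwidth(guaranteed_mbps)


def constructed_day_samples():
    """Constructed monitoring day: 6 Mbps baseline with a two-hour burst at 40 Mbps.

    Indices 120-143 are the 24 five-minute points from 10:00 to 11:55.
    """
    samples = [6.0] * SAMPLES_PER_DAY
    for i in range(120, 144):
        samples[i] = 40.0
    return samples


if __name__ == "__main__":
    guarantee = 10                                   # Mbps, within the 5-200 range
    day = constructed_day_samples()
    print("peak bandwidth:", peak_bandwidth(guarantee), "Mbps")                     # 50
    print("post-paid average:", postpaid_average_mbps(day, guarantee), "Mbps")     # 2.5
    print("post-paid fee at 1.0 per Mbps:", postpaid_fee(day, guarantee, 1.0))     # 2.5
```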


1.2 Instructions

1.2.1 Apply for EIP

Usually, when applying for a cloud host (UHost) or load balancer (ULB), a public EIP is applied for at the same time and bound to the requested resource.

In addition, you can also click on the Apply EIP button to apply on the All Products -> UNet -> EIP page.


During the application process, you can select the billing method and bandwidth that match the application type.


When you select “Specify IP”, you can select the unoccupied IP addresses that have been deleted within the last week.

Click the Purchase Now button to enter the payment page for confirmation. After the payment is completed, you can bind the newly applied EIP with existing resources.


1.2.2 Bind/Unbind public EIP

An EIP and the resource it is bound to (such as a UHost) are independent resources. This ensures that when a resource needs to be deleted, the EIP address is retained so that it can be bound to another resource.

There are three entries for the bind operation: the EIP list, the EIP details page, and the specific product page.


Bind operation

Taking the EIP details entry as an example, select an EIP in unbound status and click … -> Bind to open the Bind pop-up window.


Then select the resource type, search the drop-down list for the specific resource to be bound, and click OK.


Unbind operation

The unbind operation can be performed by selecting an EIP in bound status in the EIP list and clicking … -> Unbind. You can also unbind bound EIPs in batches by selecting multiple EIPs.


1.2.3 Adjust IP bandwidth

Bandwidth is a variable resource of an EIP. Users can upgrade or downgrade the bandwidth of an EIP at any time according to their needs, and the change takes effect in real time without stopping the service, providing network elasticity.

The bandwidth of an EIP consists of two parts: one is selected when applying for the EIP and is called the basic bandwidth; the other is a bandwidth package that can be set for temporary tasks when needed and takes effect at a scheduled future time. The sum of the bandwidth package and the basic bandwidth is the upper limit of the bandwidth that can actually be reached.


Adjust the basic bandwidth

On the EIP details page, the monitoring section shows the statistics view of the IP’s current bandwidth and traffic. You can also click the Alarm Template button in the basic information on the left side of the page to set alarms on the bandwidth usage monitoring data, so that you can keep abreast of resource usage and adjust the purchased bandwidth in time.


Note that: The basic bandwidth can be adjusted for both the standard bandwidth billing method and the traffic accounting method. In the shared bandwidth mode, there is no need to adjust the bandwidth of a single EIP. If the bandwidth needs to be adjusted, you can adjust the shared bandwidth.


Bandwidth package management

Temporarily adjust the bandwidth by means of scheduled tasks.


Note that: EIP with shared bandwidth or traffic accounting method does not support bandwidth packages.

1.2.4 Set up an exit for host active access to the public network

When a host is bound to multiple public EIPs and a specific exit needs to be specified, the public EIP exit priority feature is used. This feature covers scenarios where the host actively accesses the public network and the access exit must be determined.

On the UHost details page, click the Network tab to view all public EIPs that have been bound to the resource.


Select the EIP that needs to be actively accessed, and click Set as exit. When the icon after the IP address turns green, it means that the IP has been used as the exit IP.

1.2.5 Release EIP

When the EIP is no longer needed, it can be released directly in the console.

Please make sure that the released EIP is not bound to any resource.


1.2.6 Change the EIP billing method

For the purchased EIP, the billing method can be changed in the operation menu. Select the EIP whose billing method needs to be changed, and then click the Edit billing method button in the menu column on the right.


In the pop-up window, click Traffic and OK to switch the existing bandwidth billing method to traffic accounting.


Shared bandwidth

2.1 Product Introduction

2.1.1 Product Introduction

Shared bandwidth is a bandwidth mode in which multiple hosts share the total amount of network bandwidth.

After the user switches an EIP from standard bandwidth billing or traffic accounting to shared bandwidth mode, the money paid for the previously purchased public network bandwidth and IP resources is refunded, and the new resources are priced anew.

2.1.2 Business description

Before and after the network mode is switched, the public IP address does not change, so the network access of the user’s business is not affected.

Shared bandwidth cannot be used alone; it must be used together with EIPs bound to UHosts.

2.1.3 Billing instructions

After the shared bandwidth mode is turned on, the bandwidth resources and EIP that the user has previously purchased will stop billing, and the remaining amount will be refunded to the user’s account.

Currently, the minimum bandwidth that should be purchased for shared bandwidth is 20Mbps.


2.2 Instructions

2.2.1 Create shared bandwidth

1) In the UNet page, select the Shared Bandwidth tab to enter the shared bandwidth management page. Click the Create Shared Bandwidth button.


2) Select the bandwidth value and payment method required for the shared bandwidth, and select the EIPs to add to it; the mode of these EIPs is switched from standard bandwidth/traffic billing to shared bandwidth. You can also choose not to add any for now and move EIPs in after the shared bandwidth is created.


3) Click Purchase Now to complete the creation.


2.2.2 Delete shared bandwidth

1) You can delete a shared bandwidth from the Shared Bandwidth page or from the details page of the corresponding shared bandwidth. After clicking Delete, a delete dialog box pops up.


2) Confirm the deletion information and complete.


2.2.3 Adjust the shared bandwidth

In the Shared Bandwidth page, click the Adjust bandwidth button to pop up a dialog box. Adjust the bandwidth value, and the fee will be processed by refund for any overpayment or a supplemental payment for any deficiency. Click OK to complete the adjustment.


Bandwidth package

3.1 Product Introduction

The bandwidth package can be bound to the EIP of bandwidth billing mode, and the EIP bandwidth can be temporarily increased and automatically applied by specifying the effective time and duration.


3.2 Instructions

3.2.1 Apply for bandwidth package

1) Log in to the console, select Products and Services -> UNet Network -> Bandwidth Package tab to enter the bandwidth package function page. Then click Apply for Bandwidth Package.


2) Select the bandwidth size, effective method and effective time.


3) Select the EIP that needs to be bound to the bandwidth package.


Note that: If multiple EIPs are selected, a separate bandwidth package is bound to each EIP.

4) Click Create to complete the payment. At this time, on the console list, you can see the information of the bandwidth package that has been purchased.


3.2.2 Delete bandwidth package

After the bandwidth package expires, it will be deleted automatically. You can also manually delete the bandwidth package that has been applied for.

1) In the bandwidth package list, select the bandwidth package to be deleted, and click the “Delete” button.


2) In the new pop-up window, confirm the deletion.


Firewall

4.1 Product Introduction

UFirewall is a software firewall provided for cloud hosts and physical cloud hosts on the SCloud platform.

Users configure the UFirewall on the console, without logging in to the resource instance to make internal adjustments, and can thereby control public network access to host resources.

The UFirewall supports quick operations such as batch resource switch and copy.

UFirewall rules are directly applied to the data center public entrance, and do not occupy host computing resources.


4.2 Instructions

4.2.1 Recommended firewall

To make things convenient for users, two default recommended firewalls are provided on the console: Web server recommended and Non-Web server recommended. Both open ports 22 and 3389 by default; Web server recommended additionally opens ports 80 and 443.

In addition to the opened ports, other ports are closed by default in firewall rules.

The default firewall rules cannot be modified, but you can click Copy from the default firewall details page to create a customized firewall with the same rules for modification.

Note that: The UFirewall only takes effect for the access from the public EIP.

4.2.2 Firewall basic functions

Create firewall

Click Create firewall in the console, fill in the Firewall Name and Add Rule by selecting the corresponding protocol. Fill in Port, Source Address, Action, Priority and Remarks (not required), click Confirm to complete the most basic creation process.

Note that: Recommended firewalls do not support modification, but you can click Copy to copy the default firewall to create a customized firewall with the same rules for modification.


Edit firewall rules

Note that: Except for the entries that have been added as rules, the firewall denies all other access by default.

1) Protocol

The current firewall protocol supports “TCP”, “UDP”, “ICMP” and “GRE” protocols.

2) Port

The local port accessed by the source address; the port range is [1-65535].

3) Source address

The source address of the network packets that access the cloud host resource. IP addresses and network segments are supported; separate multiple IP addresses or network segments with commas (at most 10 IPs and network segments in total). For example, “10.0.0.1,192.168.0.2/32”.

4) Action

When the firewall is in effect, the processing behavior of data packets includes two actions: “accepting” and “rejecting”.

5) Priority

When adding rules in the firewall, the rules take effect in order of priority, and each rule contains three levels of priority: High, Medium, and Low.

6) Remarks (not required)

Remarks can be added to each rule to facilitate rule management and search.


Click the Quick Rule drop-down box to see a variety of commonly used protocols.


Protocol description

Basic protocol includes:

1) Designated port TCP: user-defined TCP protocol port

2) Designated port UDP: user-defined UDP protocol port

3) All port TCP: all TCP ports

4) All port UDP: all UDP ports

5) GRE: GRE protocol

6) ICMP: ICMP protocol


Quick rule includes:

1) FTP: TCP port 21

2) HTTP: TCP port 80

3) HTTPS: TCP port 443

4) PING: ICMP protocol

5) OpenVPN: UDP port 1194

6) PPTP: TCP port 1723

7) RDP: TCP port 3389

8) SSH: TCP port 22
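The rule fields and Quick Rules described above, modelled as an added example (not UFirewall code): it parses the comma-separated source list with its 10-entry limit, validates the port range, expands the Quick Rule names, evaluates a packet against rules in High/Medium/Low order, and applies the default deny. The "low-high" port range form, the Accept/Reject action names and the tie-break among equal priorities are assumptions of this model.

```python
"""Evaluation model of UFirewall rules: protocol, port, source address, action, priority."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PROTOCOLS = ("TCP", "UDP", "ICMP", "GRE")
ACTIONS = ("Accept", "Reject")
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}    # rules take effect in this order
MAX_SOURCE_ENTRIES = 10                               # IPs and network segments <= 10
PORT_MIN, PORT_MAX = 1, 65535

# Quick Rule entries listed on the page: name -> (protocol, port or None for port-less)
QUICK_RULES = {
    "FTP": ("TCP", 21), "HTTP": ("TCP", 80), "HTTPS": ("TCP", 443),
    "PING": ("ICMP", None), "OpenVPN": ("UDP", 1194), "PPTP": ("TCP", 1723),
    "RDP": ("TCP", 3389), "SSH": ("TCP", 22),
}


def parse_sources(text):
    """'10.0.0.1,192.168.0.2/32' -> list of networks; a bare IP becomes a single-host network."""
    entries = [e.strip() for e in text.split(",") if e.strip()]
    if not 1 <= len(entries) <= MAX_SOURCE_ENTRIES:
        raise ValueError("between 1 and %d source entries are allowed" % MAX_SOURCE_ENTRIES)
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_port(text):
    """A single port or a 'low-high' range inside [1-65535]; empty means all ports.

    The range form is an assumption of this model; the page only states the bounds.
    """
    if not text:
        return None
    low, _, high = text.partition("-")
    low, high = int(low), int(high or low)
    if not PORT_MIN <= low <= high <= PORT_MAX:
        raise ValueError("port must be within [%d-%d]" % (PORT_MIN, PORT_MAX))
    return (low, high)


@dataclass
class Rule:
    protocol: str
    ports: Optional[Tuple[int, int]]   # None for all ports and for ICMP/GRE
    sources: list
    action: str
    priority: str
    remark: str = ""

    def __post_init__(self):
        if (self.protocol not in PROTOCOLS or self.action not in ACTIONS
                or self.priority not in PRIORITY_RANK):
            raise ValueError("invalid protocol, action or priority")

    def matches(self, protocol, port, src_ip):
        if protocol != self.protocol:
            return False
        if self.ports is not None and (port is None or not self.ports[0] <= port <= self.ports[1]):
            return False
        return any(src_ip in net for net in self.sources)


def make_rule(protocol, port, source, action, priority, remark=""):
    """Build a rule from the console fields; port is a string like "22", or "" for all ports."""
    return Rule(protocol, parse_port(port), parse_sources(source), action, priority, remark)


def quick_rule(name, source="0.0.0.0/0", action="Accept", priority="Medium"):
    """Expand a Quick Rule name (FTP, HTTP, ..., SSH) into a full rule."""
    protocol, port = QUICK_RULES[name]
    return make_rule(protocol, "" if port is None else str(port), source, action, priority, name)


def evaluate(rules, protocol, src_ip, port=None):
    """Decide Accept/Reject for one packet: the first matching rule in priority order wins.

    Anything no rule matches is rejected (default deny). Among rules of the same
    priority this model keeps list order; the page does not specify a tie-break.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: PRIORITY_RANK[r.priority]):
        if rule.matches(protocol, port, ip):
            return rule.action
    return "Reject"


def constructed_ruleset():
    """Constructed rule set: SSH only from the private range, web open, admin RDP from two IPs."""
    return [
        quick_rule("SSH", source="10.0.0.0/8", priority="High"),
        quick_rule("SSH", action="Reject", priority="Low"),      # everyone else
        quick_rule("HTTP"),
        quick_rule("HTTPS"),
        quick_rule("PING"),
        make_rule("TCP", "3389", "203.0.113.5,203.0.113.6/32", "Accept", "Medium", "admin RDP"),
    ]
```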


Delete firewall rules

Firewall rules support single rule deletion or batch deletion.


Copy firewall

Copying a firewall duplicates all of the firewall’s rules but not its own attributes, and is suitable for adding new rules on the basis of the original firewall.


Edit firewall

You can check the hosts bound with the firewall and edit them in the Details pop-up page of UFirewall.


Bound resource batch management

In the UHost management page, you can select hosts in batches and change their firewalls in batches. Select the hosts and click … -> Edit Firewall.


Product price

5.1 Billing overview

Bandwidth is an attribute of public EIP.

Billing method: Bandwidth billing
  • Billing rule: based on a fixed bandwidth
  • Charges: bandwidth cost

Billing method: Traffic accounting
  • Billing rule: based on the traffic consumed by the outbound bandwidth, calculated at 0 o’clock every day
  • Charges: traffic cost + IP cost

Billing method: Bandwidth postpaid
  • Billing rule: guarantee + post-payment fee; the guaranteed bandwidth fee is charged in advance, and the post-payment is charged based on the average value of the bandwidth exceeding the guarantee
  • Charges: bandwidth cost

Billing method: Shared bandwidth
  • Billing rule: multiple IPs share one bandwidth; bandwidth costs and IP costs are charged separately
  • Charges: shared bandwidth cost + IP cost

Note that: The purchased bandwidth value (peak value) is the egress bandwidth value. When the egress bandwidth is less than or equal to 50M, the ingress bandwidth is equal to 50M; when the egress bandwidth is larger than 50M, the ingress bandwidth is equal to egress bandwidth.


5.2 Traffic price

In each statistical period (the current statistical period is days), if the traffic used by a single IP address is less than 1GB, no billing will be charged.


5.3 Bandwidth price

The bandwidth price is calculated in segments. The formula is

Price_1 * 5 + Price_2 * (bw - 5),

where bw is the bandwidth, Price_1 is the unit price when the bandwidth is ≤ 5Mbps, and Price_2 is the unit price when the bandwidth is > 5Mbps.


5.4 Bandwidth post-paid price

The price of the prepaid part is consistent with the bandwidth billing.


5.5 Shared bandwidth price

Shared bandwidth prices are not segmented.


5.6 IP address price

The naked IP fee applies to EIPs in the traffic billing and shared bandwidth modes.


Billing instructions

6.1 Configuration change/Upgrade&Downgrade

6.1.1 Configuration change

The replenishment or refund rules in the configuration change operation are described as follows:

After the configuration change operation, the product expiration time remains the same, and the replenishment or refund amount is calculated based on the remaining service period. The value of the original service in the remaining period minus the value of the new allocation in the same period. If the result is greater than 0, the remaining amount will be refunded to your account after the allocation. If it is less than 0, you need to pay the corresponding amount of fees for the configuration change order.


6.1.2 Upgrade & downgrade refund formula

All times below are in seconds.

Step 1: A = Time used ÷ Time purchased
Step 2: B = Amount spent × A
Step 3: C = Time after change ÷ Time purchased
Step 4: D = Amount to spend now × C
Step 5: Refundable amount = Amount spent – (B + D)

Noun explanation:

  • Time used: current time minus order start time
  • Time purchased: order end time minus order start time
  • Amount spent: the amount paid for the original order
  • Time after change: order end time minus current time
  • Amount to spend now: the amount obtained according to the current configuration and payment method (duration)
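The five refund steps above, combined with the segmented bandwidth price from section 5.3, as an added example (not SCloud billing code): it prices the old and new bandwidth, then settles an EIP bandwidth change made halfway through a 30-day order. Price_1, Price_2 and the order timestamps are assumed values; for bandwidths of 5Mbps or less the formula is read as Price_1 times the bandwidth.

```python
"""Segmented bandwidth price (5.3) and the upgrade/downgrade refund formula (6.1.2)."""

SEGMENT_BOUNDARY_MBPS = 5   # Price_1 applies up to 5 Mbps, Price_2 to every Mbps above


def bandwidth_price(bw_mbps, price_1, price_2):
    """Price_1 * 5 + Price_2 * (bw - 5); at or below the boundary only the first segment is billed."""
    if bw_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    if bw_mbps <= SEGMENT_BOUNDARY_MBPS:
        return price_1 * bw_mbps
    return price_1 * SEGMENT_BOUNDARY_MBPS + price_2 * (bw_mbps - SEGMENT_BOUNDARY_MBPS)


def change_refund(amount_spent, amount_to_spend_now, order_start, order_end, now):
    """Steps 1-5 of 6.1.2 with times in seconds. Positive result = refund, negative = to pay."""
    if not order_start <= now <= order_end:
        raise ValueError("current time must lie inside the order period")
    time_purchased = order_end - order_start
    time_used = now - order_start
    time_after_change = order_end - now
    a = time_used / time_purchased               # Step 1: share of the order already used
    b = amount_spent * a                         # Step 2: value consumed by the old configuration
    c = time_after_change / time_purchased       # Step 3: share of the order still ahead
    d = amount_to_spend_now * c                  # Step 4: the new configuration for the rest
    return amount_spent - (b + d)                # Step 5: refundable amount


def settle_bandwidth_change(old_bw, new_bw, price_1, price_2, order_start, order_end, now):
    """Refund (or payment) when an EIP's basic bandwidth changes mid-order; expiry is unchanged."""
    amount_spent = bandwidth_price(old_bw, price_1, price_2)
    amount_to_spend_now = bandwidth_price(new_bw, price_1, price_2)
    return change_refund(amount_spent, amount_to_spend_now, order_start, order_end, now)


# Constructed scenario: a 30-day order at 10 Mbps, changed exactly halfway through.
PRICE_1, PRICE_2 = 8.0, 6.0          # assumed unit prices per Mbps for one 30-day order
ORDER_START = 1_700_000_000          # assumed Unix timestamp, seconds
ORDER_END = ORDER_START + 30 * 86400
HALFWAY = ORDER_START + 15 * 86400


if __name__ == "__main__":
    up = settle_bandwidth_change(10, 20, PRICE_1, PRICE_2, ORDER_START, ORDER_END, HALFWAY)
    down = settle_bandwidth_change(10, 5, PRICE_1, PRICE_2, ORDER_START, ORDER_END, HALFWAY)
    print("upgrade 10 -> 20 Mbps, refund:", up)      # -30.0, i.e. 30 to pay
    print("downgrade 10 -> 5 Mbps, refund:", down)   # 15.0 refunded
```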


6.2 Delete resource and refund

6.2.1 Prepaid resources

When the resource is deleted and it has not expired, the system will automatically refund the remaining amount.

Refund amount = current effective order amount + unstarted order amount – resource used value

  • Current effective order amount: the amount of cash/credit payment after discount.
  • Unstarted order amount: the amount of cash/credit payment after discount.
  • Resource used value: On the day the user initiates the refund, it will be deducted at the monthly unit price of the used time.
  • If the used value of the resource > (current effective order amount + unstarted order amount), the refund amount will be 0, and no additional fees will be charged.
  • In the refund amount, the part paid with a coupon when purchasing the resource is not refundable, and the non-coupon part paid at the time of purchase is returned to the payer’s SCloud account according to the payment method (cash/gift) and payment ratio.
  • For resources billed annually, the used value will be calculated based on the actual use time and monthly unit price of the resource (that is, the annual payment discount will not be enjoyed when the annual resource is used for less than one year).
  • The minimum billing unit for refunds is hour, and less than one hour is counted as one hour.
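The deletion refund rules above, as an added example (not SCloud billing code): it rounds the used time up to whole hours, values it at the monthly unit price, floors the refund at zero, and splits the refund by the original cash/gift ratio. Prorating the monthly unit price over a 30-day month and all amounts in the scenario are assumptions.

```python
"""Refund when an unexpired prepaid resource is deleted (6.2.1)."""
import math

SECONDS_PER_HOUR = 3600
HOURS_PER_MONTH = 30 * 24        # assumption: the monthly unit price is prorated over 30 days


def billable_hours(used_seconds):
    """The minimum refund billing unit is one hour; any part of an hour counts as a whole hour."""
    if used_seconds < 0:
        raise ValueError("used time cannot be negative")
    return max(1, math.ceil(used_seconds / SECONDS_PER_HOUR))


def resource_used_value(used_seconds, monthly_unit_price):
    """Used value at the monthly unit price; an annual resource used under a year gets no annual discount."""
    return billable_hours(used_seconds) * monthly_unit_price / HOURS_PER_MONTH


def deletion_refund(current_order_amount, unstarted_order_amount, used_value):
    """Refund = current effective order + unstarted order - used value; floored at 0, never a new charge."""
    paid = current_order_amount + unstarted_order_amount
    if used_value > paid:
        return 0.0
    return paid - used_value


def split_by_payment_method(refund, cash_paid, gift_paid):
    """Return the non-coupon refund by payment method in the original cash/gift ratio."""
    total = cash_paid + gift_paid
    if total <= 0:
        return {"cash": 0.0, "gift": 0.0}
    return {"cash": refund * cash_paid / total, "gift": refund * gift_paid / total}


def constructed_annual_example():
    """Constructed case: annual resource, monthly unit price 120, annual order 1200
    paid as 840 cash + 360 gift, deleted after 100 days, 5 hours and 1 second."""
    used_seconds = 100 * 86400 + 5 * 3600 + 1          # the extra second rounds up to hour 2406
    used = resource_used_value(used_seconds, monthly_unit_price=120.0)   # 2406 * 120 / 720 = 401.0
    refund = deletion_refund(current_order_amount=1200.0, unstarted_order_amount=0.0, used_value=used)
    return refund, split_by_payment_method(refund, cash_paid=840.0, gift_paid=360.0)


if __name__ == "__main__":
    print(constructed_annual_example())   # (799.0, {'cash': 559.3, 'gift': 239.7})
```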

6.2.2 Package or one-time resources

There are no refunds for products such as UCDN, UFile, Anti-Defense, SMS package and other products purchased in the form of package or one-time amount. It should be noted that the coupon used when purchasing resources is not refundable.


6.3 Reclaim expired resource

6.3.1 Prepaid resources

If the resource expires and is not renewed in time, it will be suspended and reclaimed. Users can set automatic renewal for resources (automatic renewal is set by default when purchasing resources). Once the automatic renewal function is enabled, when the resource expires, the system will automatically deduct the user account balance for renewal.

The expiry processing rules are as follows:

Time period: Before the resource expires

If automatic renewal is not enabled for the resource, or the account balance is insufficient for renewal, the system sends a resource expiration alarm 7 days, 3 days and 1 day before the resource expires (for monthly and annual billing resources).

If automatic renewal is enabled for all resources and the account balance is sufficient, the system does not send an alert that the resource is about to expire.

Notifications are sent in the form of emails, SMS messages and in-site messages (the actual receiving method is subject to the configuration of the user’s message subscription).

Time period: After the resource expires

If automatic renewal is not enabled for the resource, or the account balance is insufficient for renewal, the system sends a resource expiration notification (for monthly and annual billing resources) after the resource expires.

Notifications are sent in the form of emails, SMS messages and in-site messages (the actual receiving method is subject to the configuration of the user’s message subscription).

Time period: After the resource expires, before the resource is suspended

Resources without automatic renewal enabled: If the user does not renew, the resource is suspended (PowerOff, data retained), and the system sends an alert 24 hours before the suspension that the resource is about to be suspended. If the customer needs to continue to use the resource, they should renew it as soon as possible.

Resources with automatic renewal enabled: If the account balance is sufficient, the system completes the automatic renewal; if the account balance is insufficient to renew, the resource is suspended (PowerOff, data retained), and the system sends an alert 24 hours before the suspension that the resource is about to be suspended. If the customer needs to continue to use the resource, they should renew it as soon as possible.

Time period: Resource is suspended

If the resource is not renewed after expiration, monthly and annual billing resources are suspended on the 3rd day after expiration and a suspension notice is sent. Hourly billing resources are suspended between 10:00 and 12:00, 24 hours after expiration, and a suspension notice is sent.

Among them, resources whose duration is less than 72 hours are suspended 1 hour after expiration.

After the resource is suspended, the user can renew the resource on the console to restore its working status.

Time period: Before the resource is reclaimed

24 hours before reclaiming, the system sends an alert that the resource is about to be reclaimed.

Time period: Resource is reclaimed

If the user has not renewed before the resource is reclaimed, the resource is released and its data is cleared and cannot be recovered (on the 10th day after expiration; 14 days for the UDB product). Among them, hourly billing resources are reclaimed between 15:00 and 18:00, 24 hours after expiration (UDisk hourly billing resources are still reclaimed on the 10th day after expiration, and UDB hourly billing resources on the 14th day).

Notifications are sent in the form of emails, SMS messages and in-site messages (the actual receiving method is subject to the configuration of the user’s message subscription).


6.3.2 Post-paid resources

When the account balance is not enough to pay the generated order, the resource is in arrears. If the arrears order is not paid in time, the resource will be suspended and reclaimed.

The arrears processing rules are as follows:

Time period: Resource in arrears

If the resource generates an arrears order to be paid, the resource is in arrears, and the system sends a notification of arrears after the resource enters arrears. Notifications are sent in the form of emails, SMS messages and in-site messages (the actual receiving method is subject to the configuration of the user’s message subscription).

Time period: After the resource is in arrears, before the resource service is limited

If the account balance is sufficient, the system completes the automatic payment. If the account balance is insufficient to pay, the resource service is restricted, and the system sends an alert 24 hours before the service restriction to notify the user that the resource service is about to be restricted. If the customer needs to continue to use the resource normally, they should renew it as soon as possible.

Time period: Resource service limited

If the arrears order is not paid after the resource is in arrears, the service is restricted and a service limited notice is sent on the 3rd day of the arrears. After the resource is restricted, the user can pay the arrears order on the console to restore its working status.

Time period: Before the resource is reclaimed

24 hours before reclaiming, the system sends an alert that the resource is about to be reclaimed.

Time period: Resource is reclaimed

If the user has not paid the arrears order before the resource is reclaimed, the resource is released and its data is cleared and cannot be recovered (on the 7th day after expiration; 30 days for UFile products).

Notifications are sent in the form of emails, SMS messages and in-site messages (the actual receiving method is subject to the configuration of the user’s message subscription).


Note that: The possibility of recovery after the resource expires or is deleted is extremely low. To reduce the risk, please renew in time and back up the data.

If there are special circumstances, please submit a work order and we will try our best to retrieve it for you.


6.4 Arrears

When the resource you purchased expires, the resource is in arrears status, and the arrears amount is calculated and obtained according to different scenarios.

The following three scenarios are covered by arrears orders.

1) The resource has expired and is deleted.

2) The resource has expired and has not been deleted.

3) Post-paid products when the account balance is insufficient.


6.5 FAQ

How to use the coupon?

The coupon has an amount and a validity period. It can be used for new purchases and renewal orders, but cannot be used for automatic renewal orders. You can check the coupon related information in User Center -> UBilling -> Coupon. Only one coupon can be used at a time.


When using coupons to purchase resources, if payment failure or delivery failure occurs, the coupons will be refunded in full.

However, the three situations where the coupons are not refundable are as follows:

1) For successful payment with coupon, refund is not supported;

2) After the user resources are deleted, the amount deducted by coupons will not be refunded;

3) One coupon is only used to offset the cost of one resource purchase or renewal. If the fee is less than the amount of the coupon, refunds are not supported for the excess part.


How to change the billing method?

1) Enter User Center -> UBilling -> Renew

2) Find the corresponding resource and click Changing charging mode


3) Choose a new charging method and confirm.


Order deduction priority

The priority from high to low is as follows:

1. Coupon
2. Gift card amount
3. Cash amount
4. Credit card


Troubleshooting

7.1 Use mtr to troubleshoot network abnormalities

The main function of the mtr tool is to check for abnormal points and collect the path when packets are lost between two points. It is a combination of ping and tracert: compared with ping, it displays the routing nodes, and compared with tracert, it displays the packet loss of the intermediate routing nodes. From the packet loss gradient along the path, possible abnormal nodes can be identified and reported to the corresponding operator.

Because the backbone public network path may be routed asymmetrically (that is, the outbound and return paths of a packet differ, so one direction may show no obvious abnormality while the other does) and because of ECMP (the operator load-balances across multiple paths, and one particular path may cause packet loss for some IPs), it is recommended to provide mtr results in both directions.


7.1.1 Use mtr under Windows

Take WinMTR as an example.

1) Input the target domain name or IP address (note that no spaces should be added in the front), and click Start to start detection.


2) After running for a certain period, click Stop to stop the detection. At the same time, you can choose Copy Text to clipboard: Copy the test results to the clipboard in text format.


7.1.2 Use mtr under Linux

Download and install

On CentOS systems, mtr can be installed with yum install -y mtr; on other operating systems, it is recommended to use the corresponding download tool.

Usage

1) Run mtr followed by the target domain name or IP address, and press Enter to execute the command.

2) Wait for the traceroute to end.


7.1.3 Use mtr under Mac

Run mtr followed by the target domain name or IP address, press Enter to execute, and wait for the traceroute to end.
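As an added example (not from the page) of reading the mtr output collected above: it parses reports in the shape of mtr -r output, ignores loss at intermediate hops that does not persist to the destination (typically ICMP rate limiting rather than a fault), and compares the two directions that section 7.1 recommends collecting. The report text is constructed; the hop addresses are documentation ranges.

```python
"""Reading mtr reports from both directions to find where packet loss really begins (7.1)."""
import re
from dataclasses import dataclass

# One hop line of `mtr -r` style output, e.g.
#   "  2.|-- 203.0.113.1               35.0%    20    1.1   1.3   1.0   2.2   0.3"
HOP_RE = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s+(\d+)"                     # index, host, Loss%, Snt
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"      # Last Avg Best Wrst StDev
)


@dataclass
class Hop:
    index: int
    host: str
    loss_pct: float
    sent: int
    avg_ms: float


def parse_report(text):
    """Return the hops of one mtr report in path order; non-hop lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m[1]), m[2], float(m[3]), int(m[4]), float(m[6])))
    return hops


def first_lossy_hop(hops):
    """Earliest hop from which loss persists all the way to the destination.

    Loss that vanishes at a later hop is usually ICMP rate limiting on that
    router, not a real fault, so it is ignored. Returns None when the
    destination itself shows no loss.
    """
    if not hops or hops[-1].loss_pct == 0:
        return None
    start = len(hops) - 1
    while start > 0 and hops[start - 1].loss_pct > 0:
        start -= 1
    return hops[start]


def diagnose_two_way(forward_text, reverse_text):
    """Compare both directions: loss in only one direction points at asymmetric routing or ECMP."""
    result = {}
    for name, text in (("forward", forward_text), ("reverse", reverse_text)):
        hop = first_lossy_hop(parse_report(text))
        result[name] = None if hop is None else (hop.index, hop.host, hop.loss_pct)
    return result


# Constructed reports in the shape of `mtr -r` output (addresses are documentation ranges).
FORWARD_REPORT = """\
Start: 2024-01-01T10:00:00+0000
HOST: uhost-a                     Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.9.0.1                   0.0%    20    0.4   0.5   0.3   0.9   0.1
  2.|-- 203.0.113.1               35.0%    20    1.1   1.3   1.0   2.2   0.3
  3.|-- 198.51.100.9               0.0%    20    4.2   4.5   4.0   5.1   0.3
  4.|-- 198.51.100.77             25.0%    20   12.0  12.4  11.8  14.0   0.6
  5.|-- 192.0.2.10                25.0%    20   13.1  13.5  12.9  15.2   0.6
"""
REVERSE_REPORT = """\
Start: 2024-01-01T10:01:00+0000
HOST: client                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%    20    0.6   0.7   0.5   1.0   0.1
  2.|-- 198.51.100.78              0.0%    20    9.8  10.1   9.7  11.0   0.4
  3.|-- 10.9.0.1                   0.0%    20   13.0  13.3  12.8  14.9   0.5
  4.|-- uhost-a                    0.0%    20   13.2  13.4  13.0  15.0   0.5
"""

if __name__ == "__main__":
    # Hop 2 loses 35% but hops behind it are clean, so hop 4 is where the loss starts.
    print(diagnose_two_way(FORWARD_REPORT, REVERSE_REPORT))
```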


FAQ

8.1 Questions about bandwidth

Does the bandwidth I purchased indicate the egress bandwidth or the ingress bandwidth? Is there a limit on the ingress bandwidth?

The purchased bandwidth is the egress bandwidth, that is, the bandwidth from SCloud to the public network is restricted.

When the egress bandwidth is less than 50Mbps, the ingress bandwidth is fixed at 50Mbps; when the egress bandwidth is greater than 50Mbps, the ingress bandwidth is equal to the egress bandwidth.


How can I adjust the purchased bandwidth?

EIP bandwidth can be adjusted directly on the console, and it will take effect in real time without PowerOff.


How to temporarily increase bandwidth?

The bandwidth can be temporarily increased by purchasing a bandwidth package.


Does it support multiple hosts to share one bandwidth?

Yes, just use shared bandwidth.


8.2 Public network access and isolation

8.2.1 Public network access

Can the EIP bound to the ULB be re-bound to the host?

Yes, EIP supports binding to multiple types of cloud resources, such as ULB, UHost, NAT gateway, etc.


My host only has a private IP. How can I access this machine?

Method 1: Log in through the emergency login function in the cloud host management interface.

Method 2: Access by configuring port mapping on a host with a public IP.

The user must have two hosts in the same computer room at the same time, and one of them must have a public IP. Take the CentOS system as an example:

Assume the private IP of machine A is 1.1.1.1 and its public IP is 2.2.2.2. The private IP of machine B is 1.1.1.2.

Use the ssh command to map port 22 of the target host B to a port on the public IP of host A.

Command format:

ssh -C -f -N -g -L <local port>:<target IP>:<target port> <username>@<target IP>

Log in to host A first and execute the ssh command:

ssh -C -f -N -g -L 5000:1.1.1.2:22 root@1.1.1.2

After that, the public network can access host B through the following command:

ssh 2.2.2.2 -p 5000


Why can’t I access my server on SCloud in a certain place?

You can use a third-party ping tool to check whether the server is reachable from multiple places. If it is not reachable, check whether the server is running normally. If many places are unreachable, the backbone network may be faulty. If only one place is unreachable, it may be a local routing problem there, and you can raise it with the local operator.


Can different regions achieve intranet interoperability?

It can be realized through SCloud’s high-speed channel (UDPN), please consult technical support or account manager for details.


8.2.2 Intranet isolation

Is the network between different users isolated? Can others use tcpdump to capture my data?

Layer 2 and Layer 3 between different users are completely isolated, and it is impossible to use packet capture tools to obtain other user data.


What is the bandwidth of the intranet server?

There is currently no additional restriction on intranet bandwidth. However, if there is abnormal traffic such as intranet DDoS, the system will automatically limit the speed and isolate it.

 

Can hosts in one subnet be moved to another subnet?

Not supported.

 

Why is the intranet latency high?

First check whether the host is under high load (for example, whether CPU, memory or bandwidth is saturated). If the host is not the cause, contact technical support to assist with troubleshooting.

 

8.3 Firewall

Why can't I connect even though the firewall has opened a certain port?

Please confirm the following two points: (1) the firewall rules have been applied to the host; (2) the host's internal iptables has been disabled. Whether the port is open can be checked with the nc command, for example nc -nv 10.3.1.2 22. If the port is open but the service is unavailable, check whether the service is running normally.

There is another situation that causes inaccessibility: ISP operators actively block certain ports, such as port 445, because they are considered high-risk or for other reasons. The port block list currently reported by the operators is:

TCP: 42, 135, 137, 138, 139, 445, 593, 1025, 1068, 1434, 3127, 3130, 3332, 4444, 5554, 6669, 9996, 12345, 31337, 54321

UDP: 135, 445, 593, 1026, 1027, 1068, 1434, 4444, 5554, 9996

 

Why can't the host be pinged?

Please confirm the following two points: (1) the firewall rules allow ICMP and have been applied to the host; (2) the host's internal iptables has been disabled.

 

How to open a port to all IPs?

Set the source IP to 0.0.0.0/0.

 

How to restrict certain malicious users’ access to my host?

If you can obtain the malicious user's source IP, add a block (Drop) rule for that source IP in the host firewall.

 

Does the internal network have ACL function?

Yes, the network ACL can realize the security isolation at the subnet level.

 

How to isolate my intranet host from other people’s hosts?

SCloud’s intranet uses software-defined networking (SDN) technology to achieve intranet isolation between different user hosts.

 

After modifying the firewall, will the new rules take effect immediately?

When using the firewall, users sometimes find that modified rules do not take effect. This is caused by long-lived TCP connections.

Normally, firewall rules take effect immediately. In some situations, however, a rule does not take effect right away.

Take Nginx as an example. Nginx sends a FIN packet once keepalive_timeout (65 seconds by default) expires, so the connection's tracking entry is no longer governed by nf_conntrack_tcp_timeout_established but by nf_conntrack_tcp_timeout_time_wait instead, whose default is 120 seconds.

In this scenario it can take up to two minutes for the firewall change to take effect.

For long-lived connections such as MySQL, the kernel's default value of nf_conntrack_tcp_timeout_established is 5 days. Once such a connection is established, it is difficult to block it immediately by modifying the firewall.

 

Remedy when a firewall change does not take effect immediately:

Take the MySQL scenario above, whose port is 3306. Suppose you want to block the connection from 1.2.3.4; the raw table of iptables can be used on the cloud host to handle it.

iptables -t raw -I PREROUTING -s 1.2.3.4 -p tcp -m tcp --dport 3306 -j DROP

This works because in Linux Netfilter the raw table has a higher priority than connection tracking: it is traversed in PREROUTING and OUTPUT before conntrack runs, so traffic that should not go through conntrack can be separated out there.
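To see in advance which tracked connections a new rule will leave untouched, here is an added Python example (not from the SCloud documentation) that parses `conntrack -L` output and reports, for the Nginx and MySQL cases described above, how long a DROP would take to bite without the raw-table rule. The conntrack listing is constructed; 1.2.3.4 and port 3306 are the page's example values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
@dataclass
class Flow:
    proto: str
    ttl: int              # seconds until the kernel forgets this entry
    state: Optional[str]  # TCP only; UDP/ICMP entries carry no state
    src: str
    sport: int
    dport: int

# Prefix of one `conntrack -L` line: "tcp 6 431999 ESTABLISHED src=A dst=B sport=X dport=Y ..."
_LINE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=\S+\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def parse_conntrack(text: str) -> List[Flow]:
    """Parse `conntrack -L` output (original-direction tuple only)."""
    flows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            flows.append(Flow(m["proto"], int(m["ttl"]), m["state"],
                              m["src"], int(m["sport"]), int(m["dport"])))
    return flows

def tracked_flows(flows: List[Flow], blocked_src: str, dport: int) -> List[Flow]:
    """TCP entries that keep matching the usual ESTABLISHED/RELATED accept,
    so a new DROP behind it does not see their packets until they expire."""
    return [f for f in flows
            if f.proto == "tcp" and f.src == blocked_src and f.dport == dport]

def blocking_delay(flows: List[Flow], blocked_src: str, dport: int) -> int:
    """Worst-case seconds before a DROP for blocked_src -> dport bites on its own
    (ttl of the longest-lived tracked entry); 0 means immediately."""
    return max((f.ttl for f in tracked_flows(flows, blocked_src, dport)), default=0)

# Constructed listing, not captured from a real host: ttl 431999 is just under the 5-day established timeout, 117 just under the 120 s time_wait timeout.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=1.2.3.4 dst=10.3.1.2 sport=51234 dport=3306 src=10.3.1.2 dst=1.2.3.4 sport=3306 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=1.2.3.4 dst=10.3.1.2 sport=51300 dport=80 src=10.3.1.2 dst=1.2.3.4 sport=80 dport=51300 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=10.3.1.9 dst=10.3.1.2 sport=40000 dport=3306 src=10.3.1.2 dst=10.3.1.9 sport=3306 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=10.3.1.2 dst=10.3.0.1 sport=53421 dport=53 src=10.3.0.1 dst=10.3.1.2 sport=53 dport=53421 mark=0 use=1
"""

if __name__ == "__main__":
    for port in (3306, 80):
        print(port, blocking_delay(parse_conntrack(SAMPLE), "1.2.3.4", port), "s")
```

On a real host, run it against the output of `conntrack -L` (from conntrack-tools) before deciding whether the raw-table rule is needed.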

 

After the firewall is modified, how will the connections that have been established previously be affected?

The firewall does not block already established connections, so they are not affected by the change.

 

8.4 Questions about EIP

What are the billing methods for public EIP, and what are the specific charging rules?

1) In normal bandwidth mode (non-shared bandwidth), you can apply for a traffic-accounting IP or switch an existing IP to traffic accounting. Shared bandwidth mode does not support traffic-accounting public IPs;

2) Under traffic accounting, traffic fees and IP fees are paid separately:

  • IP (no bandwidth) fees: pay-as-you-go, monthly or annual payment (naked IP);
  • Traffic fees: the price differs by region, and the fee is calculated at 0 o'clock each day according to the traffic used by each IP.

Note that:

  • No bandwidth fee is charged for a traffic-billed IP;
  • Traffic statistics count only egress traffic, not ingress traffic;
  • For a traffic-billed IP, the trial rules are the same as for an ordinary IP, and trial IP traffic is not charged;
  • If an existing IP is switched to a traffic-accounting IP, the purchased bandwidth is automatically refunded;
  • A traffic-accounting IP does not support binding bandwidth packages;

3) If the deduction fails, it will be attempted again the next day.

 

How long does it take to bind an EIP?

Under normal circumstances, it takes effect within 5 seconds.

 

Can a cloud host be bound to multiple public EIPs?

Yes.

 

Does an EIP support binding multiple cloud hosts?

A single EIP can be bound to only one cloud host at a time, but it can be moved to another cloud host by unbinding and rebinding it. If one public IP needs to serve multiple hosts, use a NAT gateway.

 

8.5 Other questions

MTR or traceroute shows serious packet loss at a certain hop. Is the connection quality poor?

By the way traceroute works, if the packet loss at hop N+1 is lower than the packet loss at hop N, the loss at hop N is caused by the router's ICMP rate limiting or other policies, not by a network problem. If the loss keeps increasing (or at least persists) from a certain hop onward, it may be a genuine network problem. Please contact technical support for help.
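The rule above generalises: loss at hop N is real only if every later hop shows at least as much loss. Here is an added Python example (not from the SCloud documentation) that applies it to a constructed `mtr --report` output, including a hop that answers nothing (shown as ???).

```python
import re
from collections import namedtuple
from typing import Dict, List, Optional
Hop = namedtuple("Hop", "no host loss")  # host is "???" when the router sent no reply

# One hop line of `mtr --report` output, e.g.
#   4.|-- 198.51.100.7              20.0%    10   30.0  31.2  29.1  33.8   1.5
_HOP = re.compile(r"^\s*(?P<no>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%")

def parse_mtr(report: str) -> List[Hop]:
    hops = []
    for line in report.splitlines():
        m = _HOP.match(line)
        if m:
            hops.append(Hop(int(m["no"]), m["host"], float(m["loss"])))
    return hops

def diagnose(hops: List[Hop]) -> Dict[int, str]:
    """'ok': no loss; 'icmp-policy': some later hop shows less loss, so this router
    merely rate-limits its replies; 'real': every later hop shows at least this loss."""
    verdicts = {}
    for i, h in enumerate(hops):
        downstream = [d.loss for d in hops[i + 1:]]
        if h.loss == 0:
            verdicts[h.no] = "ok"
        elif all(d >= h.loss for d in downstream):
            verdicts[h.no] = "real"
        else:
            verdicts[h.no] = "icmp-policy"
    return verdicts

def first_problem_hop(hops: List[Hop]) -> Optional[int]:
    """Lowest hop whose loss persists to the end of the path, or None if clean."""
    return min((n for n, v in diagnose(hops).items() if v == "real"), default=None)

# Constructed `mtr -r -c 10` style report, not a capture from a real path.
SAMPLE = """\
HOST: client                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    10    0.4   0.5   0.3   0.9   0.2
  2.|-- 10.0.0.1                  60.0%    10    2.1   2.3   1.8   3.0   0.4
  3.|-- ???                      100.0%    10    0.0   0.0   0.0   0.0   0.0
  4.|-- 198.51.100.7              20.0%    10   30.0  31.2  29.1  33.8   1.5
  5.|-- 198.51.100.9              40.0%    10   31.0  32.0  30.2  34.1   1.3
  6.|-- 192.0.2.10                40.0%    10   31.5  32.4  30.9  34.5   1.2
"""

if __name__ == "__main__":
    hops = parse_mtr(SAMPLE)
    print(diagnose(hops), "first problem hop:", first_problem_hop(hops))
```

In the sample, hops 2 and 3 are only rate-limiting their replies, while the 20% loss from hop 4 onward reaches the destination and is the hop to report.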

 

After tuning the tw_recycle parameter, connections to the cloud host often time out.

Please check if the result of the following command is 1:

sysctl -a | grep tw_recycle

A result of 1 causes timeouts when clients behind NAT connect to the cloud host. Most Internet access today goes through NAT, such as home access via a wireless router or company access via a gateway. The cause is that Linux tw_recycle is incompatible with NAT: Linux checks the timestamp values of sockets that use the TCP timestamp option, and behind NAT the timestamps of many different clients arrive from a single address. Windows clients are not affected because Windows does not use the TCP timestamp function.

 

After using a cloud host as a public network gateway, do I need to add other routes?

Cloud host traffic can be divided into vertical traffic (public network traffic and access to ULB/UDB/UMem) and horizontal traffic (intranet communication between cloud hosts). After the default route is changed to point at the cloud host serving as the gateway, all traffic becomes horizontal traffic, which not only reduces the efficiency of vertical traffic but also breaks communication with ULB/UDB/UMem (because the forwarded packets fail the intranet anti-IP-spoofing security rules). The solution is to add static routes.

Linux add routing example:

# gateway 10.4.0.1

ip ro add 10.255.0.0/16 via 10.4.0.1

ip ro add 10.4.0.0/16 via 10.4.0.1

echo "ip ro add 10.255.0.0/16 via 10.4.0.1" >> /etc/rc.local

echo "ip ro add 10.4.0.0/16 via 10.4.0.1" >> /etc/rc.local

Note that the above way of writing to rc.local does not work on CentOS 7; there you need to write the routes directly into /etc/sysconfig/network-scripts/route-eth0.
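For reference, this is what the CentOS 7 file /etc/sysconfig/network-scripts/route-eth0 would contain for the two routes above, in the ip-command line format (an added example, not from the SCloud documentation; the gateway 10.4.0.1 is the page's example value and eth0 is assumed to be the intranet interface):

```conf
10.255.0.0/16 via 10.4.0.1 dev eth0
10.4.0.0/16 via 10.4.0.1 dev eth0
```

The routes are applied by ifup-routes when the interface comes up, so run `ifdown eth0 && ifup eth0` (or reboot) and confirm with `ip route show`.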

Windows add routing example:

rem gateway 10.4.0.1

route -p add 10.255.0.0 mask 255.255.0.0 10.4.0.1

route -p add 10.4.0.0 mask 255.255.0.0 10.4.0.1

 

What is a cloud security protection strategy?

The cloud security system monitors the cloud platform in real time; its monitoring mechanism detects external attacks mainly by watching network packet volume.

When the security system finds that the volume of external access packets to a resource exceeds the normal threshold, it performs behaviour analysis on that resource's network packets. If the analysis shows an attack, the security protection mechanism is triggered for the resource, that is, the resource enters a protection period.

Note that:

When a resource triggers the protection mechanism, it still operates normally and keeps providing public services, but network fluctuations may occur, so if you receive a security alert, please handle it promptly. If you have any questions, contact technical support.

 

My cloud host sometimes sees some internal network addresses scanning TCP port 11. What is the reason?

The public cloud operation and maintenance system scans specific ports of the cloud platform to check connectivity and confirm that the platform's network services are working normally. This check does no harm to the cloud host and does not affect your business.