Got it

HCS8.0.3 Captain Secret Scripts !Episode 4 Free-flowing EIP Highlighted

Latest reply: May 16, 2022 02:07:42 338 3 4 0 0

The VMS communicates with the IoT device,  the EIP can.

The VMS communicates across regions,the EIP can

The VMS communicates across VPCs, the EIP can.

Which EIP accesses require a physical firewall to enable policies, and which EIP accesses cannot be controlled by a physical firewall?

This chapter focuses on the implementation, use and control of EIPs.

First, let's look at how EIP is implemented physically. Let's look at the LLD.


Oh, it belongs to a VRF, as we say in the second part. The routes in the VRF are assigned to the firewall. The firewall can be used as a security policy to enable the firewall to communicate with any place.


Yes, traffic on the EIP and Internet planes can be permitted to other planes through policies. This is why EIP is so versatile.

Essentially other planes can be free-flowing, but that would be confusing. Therefore, the address of this plane is used to implement Free-flowing.

Now let's take a look at how the EIP and VMS communicate with each other inside the cloud.

    How do I see the traffic path? Captain has a unique skill.

        1. Simple method, check the documentation, 'HUAWEI CLOUD Stack 8.0.3 Network Configuration Best Practices     (Zone Type I)'

        2. Other method, log in to the OC, select Network Cluster in the bottom right corner, select Service Flow Packet     Capture, fill in the source and destination addresses. (The legend cannot be provided.) The current source and     destination traffic paths are displayed. 

The following figure shows the traffic path obtained based on the service flow capture packets.


Experience.:It is best to capture packets in each scenario to obtain phenomena. A very high level of proficiency can be achieved by combining basic network knowledge, summarizing information, and understanding the causes and consequences.

According to the preceding figure, you can view the traffic access path and obtain a key information.

The EIPs of intra-cloud VMSs do not pass through physical firewalls. Traffic is directly switched on the BR node.

What is a BR node? This is a definition of a datacenter network. In EVPN, three types of leaf nodes are defined. The BR is used to connect to the core or PE. Server leaf nodes connect to servers, and service leaf nodes connect to value-added services (FW LB...).

For EIP, access within a region can be considered as in-cloud access. Access between two regions, or within a region to an IoT device is referred to as out-of-cloud access.

Now let's look at how EIPs in the cloud access the cloud outside the cloud.

Similarly, you can use the packet capture function provided by the OC to verify the information obtained by capturing packets in the service flow.


We can also get some very critical information from this path.

When the EIP exits the cloud, the private IP address is translated into an EIP address on the ENAT node. The EIP address enters the firewall through the Internet VRF. As mentioned earlier, the firewall has IP addresses of all planes and IP addressesof all customer network from VRF:gugan.

Now that you have the ability to communicate with all addresses, all you need to do is set up the required security policies.

    If a bastion host in the cloud needs to manage servers outside the cloud, assign an EIP to the bastion host and allow the EIP to communicate with the addresses of the servers outside the cloud at the firewall.

    If the VMS needs to communicate with an IoT device outside of the cloud, assign an EIP to the VMS and allow the EIP to communicate with the IP address of this IoT device at the firewall.

There are two other points to note.

    1. If you use HCS virtual firewall, you design whether the traffic for the physical firewall in configuring the virtual firewall policy. But in general, configure traffic for only one firewall. After all, setting up two separate firewalls could drive operations and maintenance staff into a frenzy.

    2. The virtual firewall cannot control EIPs in the same VPC because virtual firewalls are associated by subnet. If you can't zone subnets, you can't do mutual access control.

Well, now we've got two more secrets from Captain T.

Captain T's Secret Book #6: EIPs are used to implement intra-cloud communication.

1. The EIP implements intra-cloud mutual access. The ENAT performs address translation, and then the BR Note performs data exchange. The EIP traffic does not reach the core physical plane.

2. EIPs do not pass through the core physical plane. However, do not forget VXLAN traffic. Most VXLAN traffic passes through the tenant plane.

3. The access of EIPs in the cloud can be controlled by the virtual firewall. If the access is not controlled, EIPs in the cloud can communicate with each other by default. Therefore, virtual firewalls must be fully used in the service design phase. Ensures communication between service layers or servers of different layers.

For example, if only VPC A is allowed to proactively access other VPCs, you need to configure proactive inbound access for all other VPCs on the virtual firewall associated with VPC A.

Captain T's Secret Book #7: EIPs are used to enable out-of-cloud access.

1. Communication on the internal network cannot be configured. We only need to know about the traffic that passes through the internal network.

2. For traffic that needs to communicate but is not translated on the internal network, use a firewall policy to allow traffic between planes, or translate the traffic to EIPs and then allow the traffic.

  • x
  • convention:

Admin Created Apr 26, 2022 09:12:19

Thanks for your sharing!
It is a very good post about flowing EIP.
View more
  • x
  • convention:

Created May 8, 2022 04:57:44

Thanks for sharing
View more
  • x
  • convention:

Created May 16, 2022 02:07:42

Most informative.
View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.