Sannu, sunana Kostya Kramlich, Ni ne jagorar haɓaka rukunin Cloud Private Cloud a Yandex.Cloud. Ina aiki akan hanyar sadarwa mai kama-da-wane, kuma, kamar yadda zaku iya tsammani, a cikin wannan labarin zan yi magana game da na'urar Virtual Private Cloud (VPC) gabaɗaya da cibiyar sadarwa ta musamman. Kuma za ku kuma gano dalilin da ya sa mu, masu haɓaka sabis, muna darajar martani daga masu amfani da mu. Amma farko abubuwa da farko.
Menene VPC?
A zamanin yau, akwai zaɓuɓɓuka iri-iri don tura sabis. Na tabbata har yanzu wani yana riƙe sabar a ƙarƙashin teburin mai gudanarwa, kodayake ina fata irin waɗannan labarun suna raguwa kuma ba su da yawa.
Yanzu ayyuka suna ƙoƙarin motsawa zuwa gajimare na jama'a, kuma wannan shine inda suke cin karo da VPCs. VPC wani ɓangare ne na girgijen jama'a wanda ke haɗa mai amfani, kayan aiki, dandamali da sauran ayyuka tare, duk inda suke, a cikin Cloud ɗinmu ko bayan haka. A lokaci guda, VPC yana ba ku damar guje wa fallasa waɗannan damar zuwa Intanet ba dole ba; suna kasancewa cikin keɓantaccen hanyar sadarwar ku.
Yadda hanyar sadarwa mai kama da kama daga waje
Ta hanyar VPC muna nufin, da farko, cibiyar sadarwa mai rufi da sabis na cibiyar sadarwa, irin su VPNaaS, NATAas, LBaas, da dai sauransu. Kuma duk wannan yana aiki a kan kayan aikin cibiyar sadarwa mara kuskure, wanda aka riga aka tattauna. a nan Habre.
Bari mu dubi tsarin sadarwa na zamani da tsarinsa.
Bari mu kalli yankunan samuwa biyu. Muna samar da hanyar sadarwa mai kama-da-wane - abin da muke kira VPC. A zahiri, yana bayyana keɓancewar sarari na adiresoshin ku "launin toka". A cikin kowace hanyar sadarwa ta kama-da-wane, kuna da cikakken iko akan sararin adiresoshin da zaku iya sanyawa albarkatun ƙira.
Cibiyar sadarwa ta duniya ce. A lokaci guda, ana ƙididdige shi akan kowane yanki na samuwa a cikin nau'in mahallin da ake kira Subnet. Ga kowane Subnet kuna sanya CIDR mai girman 16 ko ƙasa da haka. Kowane yankin da ake samu na iya samun irin wannan mahaluƙi fiye da ɗaya, kuma koyaushe akwai fa'ida a tsakanin su. Wannan yana nufin cewa duk albarkatun ku a cikin VPC guda ɗaya za su iya "magana" da juna, koda kuwa suna cikin Wuraren Samuwa daban-daban. "Sadar da" ba tare da samun damar Intanet ba, ta hanyar tashoshin mu na ciki, "tunanin" cewa suna cikin hanyar sadarwa mai zaman kanta guda ɗaya.
Hoton da ke sama yana nuna yanayi na yau da kullun: VPCs guda biyu waɗanda ke haɗuwa a wani wuri a cikin adiresoshin su. Dukansu suna iya zama naku. Misali, daya don ci gaba, ɗayan don gwaji. Za a iya samun masu amfani daban-daban - a wannan yanayin ba kome ba. Kuma kowane VPC yana da injin kama-da-wane.
Bari mu kara da makirci. Kuna iya sa injin kama-da-wane guda ɗaya ya haɗa zuwa Subnets da yawa a lokaci ɗaya. Kuma ba haka kawai ba, amma a cikin cibiyoyin sadarwa daban-daban.
A lokaci guda, idan kuna buƙatar fallasa na'urori akan Intanet, ana iya yin hakan ta API ko UI. Don yin wannan, kuna buƙatar saita fassarar NAT na "launin toka", adireshin ciki, cikin "farar fata" - adireshin jama'a. Ba za ku iya zaɓar adireshin “farar” ba; an sanya shi ba da gangan daga wurin adireshin mu ba. Da zaran ka daina amfani da IP na waje, zai koma wurin tafki. Kuna biya kawai don lokacin da kuke amfani da adireshin "farar".
Hakanan yana yiwuwa a ba injin damar Intanet ta amfani da misalin NAT. Kuna iya tuntuɓar zirga-zirgar ababen hawa zuwa misalan ku ta hanyar tebur mai a tsaye. Mun bayar da irin wannan harka saboda masu amfani wani lokacin suna buƙatar shi, kuma mun san game da shi. Saboda haka, a cikin kundin hotonmu akwai hoton NAT da aka tsara na musamman.
Amma ko da a lokacin da akwai shirye-shiryen NAT image, daidaitawa na iya zama hadaddun. Mun fahimci cewa ga wasu masu amfani wannan ba shine zaɓi mafi dacewa ba, don haka a ƙarshe mun ba da damar kunna NAT don Subnet ɗin da ake so a dannawa ɗaya. Wannan fasalin har yanzu yana cikin damar samfoti a rufe, inda ake gwada shi tare da taimakon membobin al'umma.
Yadda hanyar sadarwar kama-da-wane ke aiki daga ciki
Ta yaya mai amfani ke mu'amala da cibiyar sadarwa ta kama-da-wane? Cibiyar sadarwa tana kallon waje tare da API ɗin sa. Mai amfani ya zo API kuma yana aiki tare da yanayin da aka yi niyya. Ta hanyar API, mai amfani yana ganin yadda ya kamata a tsara komai da daidaita shi, yayin da yake ganin matsayi, yadda ainihin yanayin ya bambanta da wanda ake so. Wannan shine hoton mai amfani. Me ke faruwa a ciki?
Muna yin rikodin yanayin da ake so a cikin Yandex Database kuma je don saita sassa daban-daban na VPC ɗin mu. Cibiyar sadarwa mai rufi a cikin Yandex.Cloud an gina ta ne bisa zaɓaɓɓun abubuwan da aka zaɓa na OpenContrail, wanda kwanan nan ake kira Tungsten Fabric. Ana aiwatar da ayyukan cibiyar sadarwa akan dandamalin CloudGate guda ɗaya. A CloudGate, mun kuma yi amfani da wasu abubuwan buɗaɗɗen tushen tushe: GoBGP don sarrafa bayanan sarrafawa, da kuma VPP don aiwatar da na'ura mai ba da hanya tsakanin hanyoyin sadarwa da ke gudana a saman DPDK don hanyar bayanai.
Tungsten Fabric yana sadarwa tare da CloudGate ta hanyar GoBGP. Yana faɗin abin da ke faruwa a cikin hanyar sadarwa mai rufi. CloudGate, bi da bi, yana haɗa hanyoyin sadarwa masu rufi da juna da kuma Intanet.
Yanzu bari mu kalli yadda hanyar sadarwa mai kama-da-wane ke magance scalability da matsalolin samuwa. Bari mu yi la'akari da wani lamari mai sauƙi. Akwai yankin samuwa guda ɗaya kuma an ƙirƙiri VPC guda biyu a ciki. Mun ƙaddamar da misalin Tungsten Fabric guda ɗaya, kuma ya ƙunshi dubun dubatar cibiyoyin sadarwa. Cibiyoyin sadarwa suna sadarwa tare da CloudGate. CloudGate, kamar yadda muka fada a baya, yana tabbatar da haɗin kai da juna da kuma Intanet.
Bari mu ce an ƙara Yankin Samun Na biyu. Ya kamata ya kasa gaba daya ba tare da na farko ba. Don haka, dole ne mu shigar da wani misali na Tungsten Fabric daban a cikin yankin samuwa na biyu. Wannan zai zama keɓantaccen tsarin da ke sarrafa abin rufewa kuma ya san kaɗan game da tsarin farko. Kuma bayyanar da cibiyar sadarwar mu ta duniya ce, a zahiri, ta haifar da VPC API ɗin mu. Wannan shine aikinsa.
An yi taswirar VPC1 zuwa Samuwar Zone B idan Samar da Yankin B yana da albarkatun da suka tsaya cikin VPC1. Idan babu albarkatu daga VPC2 a cikin samuwa yankin B, ba mu zama VPC2 a cikin wannan yankin ba. Bi da bi, tun da albarkatun daga VPC3 sun wanzu ne kawai a yankin B, VPC3 ba ya wanzu a yankin A. Komai yana da sauƙi da ma'ana.
Bari mu ɗan zurfafa mu ga yadda takamaiman mai watsa shiri a Y.Cloud ke aiki. Babban abin da zan so a lura shi ne cewa duk runduna an tsara su iri ɗaya ne. Muna tabbatar da cewa mafi ƙarancin sabis ɗin da ake buƙata kawai yana gudana akan kayan masarufi; duk sauran suna gudana akan injina. Muna gina ayyuka masu girma bisa tushen ayyukan samar da ababen more rayuwa, kuma muna amfani da Cloud don magance wasu matsalolin injiniya, misali, a zaman wani ɓangare na Ci gaba da Haɗuwa.
Idan muka kalli takamaiman mai watsa shiri, zamu iya ganin cewa akwai abubuwa guda uku da ke gudana a cikin rundunar OS:
- Compute shine bangaren da ke da alhakin rarraba albarkatun kwamfuta akan mai masaukin baki.
- VRouter wani ɓangare ne na Tungsten Fabric, wanda ke tsara abin rufewa, wato, yana ɗaukar fakiti ta cikin ƙasa.
- VDisks guda ne na haɓakawa na ajiya.
Bugu da kari, inji mai kama-da-wane suna gudanar da ayyuka: ayyukan samar da ababen more rayuwa na Cloud, ayyukan dandamali da karfin abokin ciniki. Ƙarfin abokan ciniki da sabis na dandamali koyaushe suna zuwa rufi ta hanyar VRouter.
Ayyukan ababen more rayuwa na iya shiga cikin abin rufe fuska, amma galibi suna son yin aiki a cikin ƙasa. An makale su a cikin ƙasa ta amfani da SR-IOV. A gaskiya ma, muna yanke katin zuwa katunan cibiyar sadarwar kama-da-wane (ayyukan kama-da-wane) kuma muna tura su cikin injunan kayan more rayuwa don kada a rasa aiki. Misali, ana ƙaddamar da CloudGate iri ɗaya azaman ɗaya daga cikin waɗannan injunan kayan more rayuwa.
Yanzu da muka yi bayanin ayyuka na duniya na hanyar sadarwa mai kama-da-wane da kuma yadda aka tsara ainihin abubuwan da ke cikin girgije, bari mu kalli yadda daidaikun sassa daban-daban na cibiyar sadarwa ta zamani ke mu’amala da juna.
Mun bambanta yadudduka uku a cikin tsarin mu:
- Config Plane - yana saita yanayin tsarin. Wannan shine abin da mai amfani ke daidaitawa ta API.
- Jirgin Kulawa - yana ba da ƙayyadaddun ƙayyadaddun bayanai na mai amfani, wato, yana kawo yanayin Jirgin Data zuwa abin da mai amfani ya bayyana a cikin Tsarin Tsarin.
- Jirgin Data – kai tsaye sarrafa fakitin mai amfani.
Kamar yadda na fada a sama, duk yana farawa tare da mai amfani ko sabis na dandamali na ciki yana zuwa API kuma yana kwatanta wani yanayi na manufa.
Ana rubuta wannan jihar nan da nan zuwa Database na Yandex, maido da ID na aikin asynchronous ta API, kuma ya ƙaddamar da injin mu na ciki don samar da yanayin da mai amfani yake so. Ayyukan daidaitawa suna zuwa ga mai sarrafa SDN kuma gaya wa Tungsten Fabric abin da ake buƙatar yi a cikin rufi. Misali, suna ajiyar tashoshin jiragen ruwa, hanyoyin sadarwa na zamani, da makamantansu.
Jirgin Config a Tungsten Fabric yana loda yanayin da ake buƙata zuwa Jirgin Sarrafa. Ta hanyarsa, Config Plane yana sadarwa tare da runduna, yana gaya musu ainihin abin da zai gudana a kansu nan gaba.
Yanzu bari mu ga yadda tsarin yayi kama da runduna. Injin kama-da-wane yana da takamaiman adaftar hanyar sadarwa da aka toshe cikin VRouter. VRouter shine Tungsten Fabric core module wanda ke kallon fakiti. Idan akwai riga don wasu fakiti, ƙirar tana sarrafa shi. Idan babu kwarara, tsarin yana yin abin da ake kira punting, wato, yana aika fakitin zuwa tsarin mai amfani. Tsarin yana rarraba fakitin kuma ko dai ya amsa da kansa, kamar DHCP da DNS, ko ya gaya wa VRouter abin da za a yi da shi. VRouter zai iya sarrafa fakitin.
Bugu da ari, zirga-zirga tsakanin injunan kama-da-wane a cikin hanyar sadarwar kama-da-wane guda suna gudana a bayyane, ba a aika shi zuwa CloudGate. Rundunan da aka saka injunan kama-da-wane a kan su suna sadarwa da juna kai tsaye. Suna ratsa zirga-zirgar ababen hawa kuma suna turawa juna ta cikin ƙasa.
Jiragen sarrafawa suna sadarwa tare da juna a ko'ina cikin Samfuran Yankunan ta hanyar BGP, kamar dai tare da wani na'ura mai ba da hanya tsakanin hanyoyin sadarwa. Suna gaya muku irin injinan da aka sanya a ina, ta yadda injinan kama-da-wane a yanki ɗaya su iya sadarwa kai tsaye da sauran injina.
Control Plane kuma yana sadarwa tare da CloudGate. Hakazalika, yana ba da rahoton inda da kuma waɗanne na'urori masu kama-da-wane aka shigar, menene adiresoshin su. Wannan yana ba ku damar jagorantar zirga-zirga na waje da zirga-zirga daga masu daidaitawa zuwa gare su.
Traffic wanda ya bar VPC yana zuwa CloudGate, a cikin hanyar bayanai, inda VPP tare da plugins ɗinmu ke tauna da sauri. Sannan ana harbi zirga-zirgar ko dai zuwa wasu VPCs, ko kuma a waje, zuwa masu amfani da hanyar sadarwa, waɗanda aka saita ta cikin Jirgin Kula da CloudGate kanta.
Shirye-shirye na nan gaba
Idan muka taƙaita duk abin da aka faɗa a sama a cikin ƴan jimloli, zamu iya cewa VPC a cikin Yandex.Cloud yana warware matsaloli biyu masu mahimmanci:
- Yana ba da warewa tsakanin abokan ciniki daban-daban.
- Haɗa albarkatu, ababen more rayuwa, sabis na dandamali, sauran gajimare da kan gaba cikin hanyar sadarwa guda ɗaya.
Kuma don magance waɗannan matsalolin da kyau, kuna buƙatar tabbatar da haɓakawa da rashin haƙuri a matakin gine-ginen ciki, wanda shine abin da VPC ke yi.
A hankali, VPC yana samun ayyuka, muna aiwatar da sabbin abubuwa, da ƙoƙarin inganta wani abu dangane da dacewa ga masu amfani. Ana bayyana wasu ra'ayoyin kuma an haɗa su cikin jerin fifiko godiya ga membobin al'ummarmu.
Yanzu muna da kusan jerin tsare-tsare masu zuwa na nan gaba:
- VPN azaman sabis.
- Misalan DNS masu zaman kansu – hotuna don kafa injuna da sauri tare da sabar DNS da aka riga aka tsara.
- DNS a matsayin sabis.
- Ma'aunin nauyi na ciki.
- Ƙara adireshin IP na "farar fata" ba tare da sake ƙirƙira na'ura mai mahimmanci ba.
An haɗa ma'auni da ikon sauya adireshin IP don injin da aka riga aka ƙirƙira a cikin wannan jerin bisa buƙatar masu amfani. A gaskiya, ba tare da bayyana ra'ayi ba, da mun ɗauki waɗannan ayyuka kaɗan daga baya. Sabili da haka mun riga muna aiki akan matsalar game da adireshi.
Da farko, ana iya ƙara adireshin IP na “fari” lokacin ƙirƙirar na'ura. Idan mai amfani ya manta yin wannan, dole ne a sake ƙirƙira injin kama-da-wane. Haka ke don cire IP na waje idan ya cancanta. Ba da daɗewa ba zai yiwu a kunna da kashe IP na jama'a ba tare da sake ƙirƙira na'urar ba.
Jin dadin bayyana naku sauran masu amfani. Kuna taimaka mana mu inganta gajimare kuma mu sami abubuwa masu mahimmanci da fa'ida cikin sauri!
source: www.habr.com