Sawubona, igama lami ngingu-Kostya Kramlich, ngingunjiniyela oholayo wesigaba se-Virtual Private Cloud e-Yandex.Cloud. Ngisebenza kunethiwekhi ebonakalayo, futhi, njengoba ungase ucabange, kulesi sihloko ngizokhuluma ngedivayisi ye-Virtual Private Cloud (VPC) ngokujwayelekile kanye nenethiwekhi ebonakalayo ikakhulukazi. Futhi uzothola ukuthi kungani thina, abathuthukisi besevisi, sikwazisa impendulo evela kubasebenzisi bethu. Kodwa izinto zokuqala kuqala.
Iyini i-VPC?
Kulezi zinsuku, kunezinhlobonhlobo zezinketho zokuphakela izinsizakalo. Nginesiqiniseko sokuthi othile usagcina iseva ngaphansi kwedeski lomlawuli, nakuba ngithemba ukuthi izindaba ezinjalo ziya ngokuya ziba ziningi.
Manje izinsizakalo zizama ukuthuthela emafwini omphakathi, futhi yilapho zihlangana khona nama-VPC. I-VPC iyingxenye yefu lomphakathi elihlanganisa umsebenzisi, ingqalasizinda, inkundla namanye amakhono ndawonye, noma ngabe akuphi, Kumafu wethu noma ngale kwalokho. Ngesikhathi esifanayo, i-VPC ikuvumela ukuthi ugweme ukudalula lawa makhono ku-inthanethi ngokungadingekile; ahlala ngaphakathi kwenethiwekhi yakho engayodwa.
Yeka ukuthi inethiwekhi ebonakalayo ibukeka kanjani ngaphandle
Nge-VPC sisho, okokuqala nje, inethiwekhi yokumbondelana kanye nezinsizakalo zenethiwekhi, njenge-VPNaaS, NATaas, LBaas, njll. Futhi konke lokhu kusebenza phezu kwengqalasizinda yenethiwekhi ebekezelela amaphutha, osekuxoxwe ngayo. lapha ku-Habre.
Ake sibhekisise inethiwekhi ebonakalayo kanye nesakhiwo sayo.
Ake sibheke izindawo ezimbili ezitholakalayo. Sihlinzeka ngenethiwekhi ebonakalayo - lokho esikubiza nge-VPC. Eqinisweni, ichaza indawo ehlukile yamakheli akho "ampunga". Ngaphakathi kwenethiwekhi ngayinye ebonakalayo, unokulawula okugcwele esikhaleni samakheli ongawabela izinsiza zekhompyutha.
Inethiwekhi ingeyomhlaba wonke. Ngesikhathi esifanayo, ihlaziywa endaweni ngayinye etholakalayo ngendlela yebhizinisi ebizwa ngokuthi i-Subnet. Nge-Subnet ngayinye unikeza i-CIDR kasayizi 16 noma ngaphansi. Indawo etholakalayo ngayinye ingaba nebhizinisi elinjalo elingaphezu kwelilodwa, futhi kuhlala kunomzila osobala phakathi kwawo. Lokhu kusho ukuthi zonke izinsiza zakho ngaphakathi kwe-VPC efanayo "zingakwazi ukukhuluma" zodwa, ngisho noma zisezindaweni ezihlukene zokutholakala. "Xhumana" ngaphandle kokufinyelela ku-inthanethi, ngeziteshi zethu zangaphakathi, "ucabanga" ukuthi zingaphakathi kwenethiwekhi efanayo yangasese.
Umdwebo ongenhla ubonisa isimo esijwayelekile: ama-VPC amabili ahlangana ndawana thize kumakheli awo. Kokubili kungaba okwakho. Isibonelo, enye ngeyokuthuthukiswa, enye ngeyokuhlola. Kungase kube nabasebenzisi abahlukene - kulokhu akunandaba. Futhi i-VPC ngayinye inomshini owodwa obonakalayo.
Asenze isikimu sibe sibi kakhulu. Ungenza umshini owodwa uxhumeke kuma-Subnet ambalwa ngesikhathi esisodwa. Futhi hhayi nje kanjalo, kodwa kumanethiwekhi ahlukahlukene abonakalayo.
Ngesikhathi esifanayo, uma udinga ukuveza imishini ku-inthanethi, lokhu kungenziwa nge-API noma nge-UI. Ukuze wenze lokhu, udinga ukulungisa ukuhunyushwa kwe-NAT kwekheli lakho langaphakathi "elimpunga", libe "elimhlophe" - ikheli lomphakathi. Awukwazi ukukhetha ikheli "elimhlophe"; linikezwa ngokungahleliwe ukusuka endaweni yethu yamakheli. Ngokushesha nje lapho uyeka ukusebenzisa i-IP yangaphandle, ibuyela echibini. Ukhokhela kuphela isikhathi osebenzisa ngaso ikheli “elimhlophe”.
Kungenzeka futhi ukunikeza umshini ukufinyelela ku-inthanethi usebenzisa isibonelo se-NAT. Ungahambisa ithrafikhi endaweni yakho ngokusebenzisa ithebula lomzila elimile. Sinikeze icala elinjalo ngoba abasebenzisi kwesinye isikhathi bayalidinga, futhi siyazi ngalo. Ngokufanelekile, kuhla lwemibhalo yethu yezithombe kunesithombe esilungiselelwe ngokukhethekile se-NAT.
Kodwa noma ngabe kunesithombe se-NAT esenziwe ngomumo, ukucushwa kungaba yinkimbinkimbi. Siqonde ukuthi kwabanye abasebenzisi lena akuyona inketho elula kakhulu, ngakho ekugcineni senze nokwenzeka ukunika amandla i-NAT ye-Subnet oyifunayo ngokuchofoza okukodwa. Lesi sici sisesekufinyeleleni kokubuka kuqala okuvaliwe, lapho sihlolwa khona ngosizo lwamalungu omphakathi.
Isebenza kanjani inethiwekhi ebonakalayo kusuka ngaphakathi
Ngabe umsebenzisi usebenzisana kanjani nenethiwekhi ebonakalayo? Inethiwekhi ibheka ngaphandle nge-API yayo. Umsebenzisi uza ku-API futhi asebenze nesimo esiqondiwe. Nge-API, umsebenzisi ubona ukuthi yonke into kufanele ihlelwe futhi ihlelwe kanjani, ngenkathi ebona isimo, ukuthi isimo sangempela sihluke kanjani kulokho okufunayo. Lesi isithombe somsebenzisi. Kwenzakalani ngaphakathi?
Sirekhoda isimo esisifunayo ku-Yandex Database bese siya ukumisa izingxenye ezihlukene ze-VPC yethu. Inethiwekhi eyimbondela ku-Yandex.Cloud yakhelwe phezu kwesisekelo sezingxenye ezikhethiwe ze-OpenContrail, esanda kubizwa nge-Tungsten Fabric. Amasevisi enethiwekhi asetshenziswa endaweni eyodwa ye-CloudGate. Kwa-CloudGate, siphinde sasebenzisa inombolo yezingxenye zomthombo ovulekile: i-GoBGP yokuphatha ulwazi lokulawula, kanye ne-VPP yokusebenzisa umzila wesofthiwe osebenza phezulu kwe-DPDK yomzila wedatha.
I-Tungsten Fabric ixhumana ne-CloudGate nge-GoBGP. Itshela ukuthi kwenzekani kunethiwekhi yembondela. I-CloudGate yona ixhumanisa amanethiwekhi ambondelanayo kanye ne-inthanethi.
Manje ake sibheke ukuthi inethiwekhi ebonakalayo ixazulula kanjani izinkinga zokulinganisa nokutholakala. Ake sicabangele icala elilula. Kunendawo eyodwa etholakalayo futhi ama-VPC amabili enziwe kuyo. Sikhiphe isibonelo esisodwa se-Tungsten Fabric, futhi iqukethe amashumi ezinkulungwane zamanethiwekhi. Amanethiwekhi axhumana ne-CloudGate. I-CloudGate, njengoba sesishilo, iqinisekisa ukuxhumana kwabo bodwa kanye ne-inthanethi.
Ake sithi indawo yesibili yokutholakala yengezwa. Kufanele yehluleke ngokuphelele ngaphandle kowokuqala. Ngakho-ke, kufanele sifake isibonelo esihlukile se-Tungsten Fabric endaweni yesibili yokutholakala. Lena kuzoba isistimu ehlukile ephatha imbondela futhi eyazi okuncane ngesistimu yokuqala. Futhi ukubonakala kokuthi inethiwekhi yethu ebonakalayo ingeyomhlaba wonke, empeleni, idala i-VPC API yethu. Lona umsebenzi wakhe.
I-VPC1 imakwe ku-Availability Zone B uma I-Availability Zone B inezinsiza ezinamathela ku-VPC1. Uma zingekho izinsiza ezivela ku-VPC2 endaweni etholakalayo B, asenzi i-VPC2 kule ndawo. Ngokulandelayo, njengoba izinsiza ezivela ku-VPC3 zikhona kuphela endaweni B, i-VPC3 ayikho endaweni A. Yonke into ilula futhi inengqondo.
Ake sijule kancane futhi sibone ukuthi umsingathi othile ku-Y.Cloud usebenza kanjani. Into esemqoka engingathanda ukuyiqaphela ukuthi bonke abasingathi baklanywe ngendlela efanayo. Senza isiqiniseko sokuthi ubuncane obudingekayo kuphela bezinsizakalo busebenza kuhadiwe; konke okunye kusebenza emishinini ebonakalayo. Sakha amasevisi e-oda eliphezulu ngokusekelwe kumasevisi engqalasizinda ayisisekelo, futhi sisebenzisa i-Cloud ukuxazulula izinkinga ezithile zobunjiniyela, isibonelo, njengengxenye ye-Continuous Integration.
Uma sibheka umsingathi othile, singabona ukuthi kunezinto ezintathu ezisebenza ku-OS yokusingatha:
- I-Compute ingxenye enesibopho sokusabalalisa izinsiza zekhompyutha kumsingathi.
- I-VRouter iyingxenye ye-Tungsten Fabric, ehlela ukumbondela, okungukuthi, ishubhula amaphakethe ngokusebenzisa i-underlay.
- I-VDisks izingcezu ze-virtualization yesitoreji.
Ngaphezu kwalokho, imishini ebonakalayo isebenzisa izinsizakalo: Izinsizakalo zengqalasizinda yamafu, izinsizakalo zeplathifomu namandla amakhasimende. Amandla wamakhasimende namasevisi enkundla ahlala aya embondelelweni nge-VRouter.
Izinsizakalo zengqalasizinda zingaxhumeka kuyimbondela, kodwa ikakhulukazi zifuna ukusebenza kokungaphansi. Banamathele kokungaphansi kusetshenziswa i-SR-IOV. Eqinisweni, sisika ikhadi sibe amakhadi enethiwekhi abonakalayo (imisebenzi ebonakalayo) futhi siwaphushele emishinini ebonakalayo yengqalasizinda ukuze singalahlekelwa ukusebenza. Isibonelo, i-CloudGate efanayo yethulwa njengenye yale mishini ebonakalayo yengqalasizinda.
Manje njengoba sesichaze imisebenzi yomhlaba wonke yenethiwekhi ebonakalayo kanye nokwakheka kwezingxenye eziyisisekelo zefu, ake sibheke ukuthi izingxenye ezihlukene zenethiwekhi ebonakalayo zixhumana kanjani.
Sihlukanisa izendlalelo ezintathu ohlelweni lwethu:
- I-Config Plane - isetha isimo esiqondiwe sesistimu. Lokhu yilokho umsebenzisi akulungiselelayo nge-API.
- I-Control Plane - inikeza ama-semantics ashiwo umsebenzisi, okusho ukuthi, iletha isimo se-Data Plane kulokho okuchazwe umsebenzisi ku-Config Plane.
- I-Data Plane - icubungula ngokuqondile amaphakethe abasebenzisi.
Njengoba ngishilo ngenhla, konke kuqala ngomsebenzisi noma isevisi yesikhulumi sangaphakathi esiza ku-API futhi sichaza isimo esithile esiqondiwe.
Lesi simo sibhalwa ngokushesha ku-Database ye-Yandex, sibuyisela i-ID yokusebenza okungavumelaniyo nge-API, futhi sethula imishini yethu yangaphakathi ukukhiqiza isimo esifunwa ngumsebenzisi. Imisebenzi yokumisa iya kusilawuli se-SDN futhi itshele i-Tungsten Fabric ukuthi yini okufanele yenziwe kwimbondela. Isibonelo, bagcina izimbobo, amanethiwekhi abonakalayo, nokunye okunjalo.
I-Config Plane ku-Tungsten Fabric ilayisha isimo esidingekayo ku-Control Plane. Ngayo, i-Config Plane ixhumana nabasingathi, ibatshela ukuthi yini ngempela ezobe isebenza kubo esikhathini esizayo esiseduze.
Manje ake sibone ukuthi isistimu ibukeka kanjani kubasingathi. Umshini obonakalayo une-adaptha yenethiwekhi ethile exhunywe ku-VRouter. I-VRouter iyimojula ye-Tungsten Fabric core ebheka amaphakethe. Uma sekuvele kukhona ukugeleza kwephakethe elithile, imojula iyalicubungula. Uma kungekho ukugeleza, imojula yenza lokho okubizwa ngokuthi i-punting, okungukuthi, ithumela iphakethe kunqubo ye-usermod. Inqubo idlulisa iphakethe bese iziphendulela yona ngokwayo, njenge-DHCP ne-DNS, noma itshela i-VRouter ukuthi yenzeni ngayo. I-VRouter ingakwazi ukucubungula iphakethe.
Ngaphezu kwalokho, ithrafikhi phakathi kwemishini ebonakalayo ngaphakathi kwenethiwekhi efanayo igeleza ngokusobala, ayithunyelwa ku-CloudGate. Ababungazi lapho imishini ebonakalayo esetshenziswa khona baxhumana bodwa. Bahambisa ithrafikhi bese bayidlulisela komunye nomunye nge-underlay.
I-Control Planes ixhumana yodwa kuzo zonke Zone Ezitholakalayo nge-BGP, njengenye irutha. Bakutshela ukuthi yimiphi imishini efakwe kuphi, ukuze imishini ebonakalayo endaweni eyodwa ikwazi ukuxhumana ngqo neminye imishini ebonakalayo.
I-Control Plane iphinde ixhumane ne-CloudGate. Ngokufanayo, ibika ukuthi iyiphi imishini ebonakalayo efakiwe, nokuthi ayini amakheli ayo. Lokhu kukuvumela ukuthi uqondise ithrafikhi yangaphandle kanye nethrafikhi kusuka kubalinganisi ukuya kubo.
Ithrafikhi eshiya i-VPC iza ku-CloudGate, endleleni yedatha, lapho i-VPP enama-plugin ethu ihlafunwa ngokushesha. Bese ithrafikhi idutshulwa noma kwamanye ama-VPC, noma ngaphandle, kuma-router onqenqemeni, alungiswa nge-Control Plane ye-CloudGate ngokwayo.
Izinhlelo zesikhathi esizayo esiseduze
Uma sifingqa konke okushiwo ngenhla ngemisho embalwa, singasho ukuthi i-VPC ku-Yandex.Cloud ixazulula izinkinga ezimbili ezibalulekile:
- Inikeza ukuhlukaniswa phakathi kwamaklayenti ahlukene.
- Ihlanganisa izinsiza, ingqalasizinda, izinsiza zeplathifomu, amanye amafu kanye nendawo ekhona kube inethiwekhi eyodwa.
Futhi ukuze uxazulule lezi zinkinga kahle, udinga ukuqinisekisa ukulinganisa nokubekezelelana kwamaphutha ezingeni lezakhiwo zangaphakathi, yilokho okwenziwa yi-VPC.
Kancane kancane, i-VPC ithola imisebenzi, sisebenzisa izici ezintsha, futhi sizama ukuthuthukisa okuthile mayelana nokusebenziseka kalula kubasebenzisi. Eminye imibono iyavezwa futhi ifakwe ohlwini lwezinto ezibalulekile sibonga amalungu omphakathi wethu.
Manje cishe sinohlu olulandelayo lwezinhlelo zesikhathi esizayo esiseduze:
- I-VPN njengesevisi.
- Izimo ze-DNS eziyimfihlo - izithombe zokusetha ngokushesha imishini ebonakalayo eneseva ye-DNS emiswe ngaphambilini.
- I-DNS njengesevisi.
- Isilinganisi somthwalo wangaphakathi.
- Ukwengeza ikheli le-IP “elimhlophe” ngaphandle kokuphinda udale umshini obonakalayo.
Ibhalansi kanye nekhono lokushintsha ikheli le-IP lomshini ovele udaliwe kufakwe kulolu hlu ngesicelo sabasebenzisi. Uma sikhuluma iqiniso, ngaphandle kwempendulo ecacile besiyothatha le misebenzi ngokuhamba kwesikhathi. Ngakho-ke sesivele sisebenzela inkinga mayelana namakheli.
Ekuqaleni, ikheli le-IP “elimhlophe” lalingengezwa kuphela lapho kwakhiwa umshini. Uma umsebenzisi ekhohlwe ukwenza lokhu, umshini obonakalayo bekufanele udalwe kabusha. Okufanayo kuya ekususeni i-IP yangaphandle uma kunesidingo. Maduze kuzokwazi ukuvula nokuvala i-IP yomphakathi ngaphandle kokwenza kabusha umshini.
Zizwe ukhululekile ukuveza okwakho abanye abasebenzisi. Uyasisiza ukuthi senze i-Cloud ibe ngcono futhi sithole izici ezibalulekile neziwusizo ngokushesha!
Source: www.habr.com