
Using CNI Cilium VPC Native Routing


Last updated 6 months ago


Overview

CNI (Container Network Interface) Cilium VPC Native Routing is a mechanism that helps Kubernetes manage networks without using overlay networks. Instead of using virtual network layers, CNI Cilium VPC Native Routing leverages the direct routing capabilities of cloud service providers' VPCs (Virtual Private Clouds) to optimize data transfer between nodes and pods in the Kubernetes cluster.


Model

On VKS, CNI (Container Network Interface) Cilium VPC Native Routing operates according to the following model:

In this model:

  • Each Node has a private IP address range for pods (Pod CIDR). Pods in each node use addresses from this CIDR and communicate over the virtual network.

  • Cilium and eBPF perform network management for all pods on each node, including handling traffic going from pod to pod, or from node to node. When necessary, eBPF performs masquerading to hide the internal IP address of the pod when communicating with the external network.

  • Cilium ensures that pods can communicate with each other both within the same node and between different nodes.


Necessary conditions

To initialize a Cluster and deploy a Workload, you need:

  • At least 1 VPC and 1 Subnet in ACTIVE state. If you do not have a VPC or Subnet, create them by following the instructions below:

    • Step 1: Access the vServer homepage at the link https://hcm-3.console.vngcloud.vn/vserver

    • Step 2: Select the VPCs menu in the left menu of the screen.

    • Step 3: If you don't have a VPC yet, select Create VPC, then enter the VPC name and define the desired /16 CIDR range.

    • Step 4: After having at least 1 VPC, to create a subnet, you need to select View Detail to expand the control panel at the bottom, including the Subnet section.

    • Step 5: In the Subnet section, select Add Subnet. Now, you need to enter:

      • Subnet name: the subnet's mnemonic name

      • Primary CIDR: This is the primary IP address range of the subnet. All internal IP addresses of virtual machines (VMs) in this subnet are taken from this address range. For example, if you set Primary CIDR to 10.1.0.0/24, the IP addresses of the VMs will be in the range of 10.1.0.1 to 10.1.0.254.

      • Secondary CIDR: This is a secondary IP address range, used to provide additional IP addresses or to separate different services within the same subnet. Each Node has a private IP address range for its pods (Pod CIDR). The pods in each node use addresses from this CIDR and communicate over the virtual network.

Attention:

  • The IP address ranges of Primary CIDR and Secondary CIDR cannot overlap. This means that the address range of Secondary CIDR must be outside the range of Primary CIDR and vice versa. For example, if Primary CIDR is 10.1.0.0/24, then Secondary CIDR cannot be 10.1.0.0/20 because the two ranges overlap (10.1.0.0/20 contains 10.1.0.0/24). Instead, you can use a different address range like 10.1.16.0/20.

  • At least 1 SSH key in ACTIVE state. If you do not have an SSH key, please create one following the instructions here.

  • kubectl installed and configured on your device. Please refer here if you are not sure how to install and use kubectl. In addition, you should not use an outdated version of kubectl; we recommend a kubectl version that is no more than one version different from the cluster version.

Attention:

  • When using Cilium's native routing mode, it is crucial to configure Security Groups correctly to allow necessary connections. For example, when running an NGINX pod on a node, you must permit traffic on port 80 to ensure requests from other nodes can connect. This configuration is not required when using the network overlay mode.


Create a Cluster using CNI Cilium VPC Native Routing

To initialize a Cluster, follow the steps below:

Step 1: Access https://vks.console.vngcloud.vn/overview

Step 2: On the Overview screen, select Activate.

Step 3: Wait until we successfully initialize your VKS account. After successfully Activating, select Create a Cluster.

Step 4: At the Cluster initialization screen, we have set up the information for the Cluster and a Default Node Group for you. To use CNI Cilium VPC Native Routing for your Cluster, please select:

  • Network type: Cilium VPC Native Routing, and the other parameters as follows:

| Field | Meaning | Illustrative example |
| --- | --- | --- |
| VPC | The IP address range that the Cluster nodes will use to communicate. | In the picture, we choose VPC with IP range 10.111.0.0/16, corresponding to 65536 IPs |
| Subnet | A smaller IP address range belonging to the VPC. Each node in the Cluster will be assigned an IP from this Subnet. The Subnet must be within the IP range of the selected VPC. | In the picture, we choose Subnet with Primary IP range of 10.111.0.0/24, corresponding to 256 IPs |
| Default Pod IP range | This is the secondary IP address range used for pods. It is called Secondary IP range because it does not match the primary IP range of the node. Pods in the Cluster will be assigned IPs from this range. | In the picture, we choose Secondary IP range as 10.111.160.0/20, corresponding to 4096 IPs for pods |
| Node CIDR mask size | CIDR size for nodes. This parameter indicates how many IP addresses each node will be assigned from the pod IP range. This size should be chosen to ensure that there are enough IP addresses for all pods on each node. You can refer to the table below to understand how to calculate the number of IP addresses that can be used to allocate to nodes and pods in your cluster. | In the picture, we choose Node CIDR mask size as /25. Each node will have 128 IP addresses, suitable for the number of pods you want to run on a node. |

Calculating the number of IPs for pods and nodes:

Suppose, when initializing the cluster, I choose:

  • VPC : 10.111.0.0/16

  • Subnet:

    • Primary IP Range: 10.111.0.0/24

    • Secondary IP Range: 10.111.160.0/20

  • Node CIDR mask size: Selectable values range from /24 to /26.

| Node CIDR mask size | Number of IPs per node | Number of nodes that can be created in the /20 range (4096 IPs) | Number of IPs allocated to pods on each node | Actual number of pods that can be created |
| --- | --- | --- | --- | --- |
| /24 | 256 | 16 | 256 | 128 |
| /25 | 128 | 32 | 128 | 64 |
| /26 | 64 | 64 | 64 | 32 |
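The non-overlap rule for Primary and Secondary CIDR and the sizing table above can both be checked before a cluster is created. The following is an added example, not VNG Cloud's own code: it assumes the Secondary CIDR must lie inside the VPC (as in the page's examples), takes the halved pod count from the table's last column, and uses illustrative function names.

```python
import ipaddress

def validate_plan(vpc, primary, secondary):
    """Return the problems found in a VPC / Primary CIDR / Secondary CIDR plan."""
    vpc_net, pri, sec = (ipaddress.ip_network(c) for c in (vpc, primary, secondary))
    problems = []
    if not pri.subnet_of(vpc_net):
        problems.append(f"Primary CIDR {pri} is outside VPC {vpc_net}")
    # Assumption: the Secondary CIDR must also sit inside the VPC.
    if not sec.subnet_of(vpc_net):
        problems.append(f"Secondary CIDR {sec} is outside VPC {vpc_net}")
    if pri.overlaps(sec):
        problems.append(f"Primary CIDR {pri} overlaps Secondary CIDR {sec}")
    return problems

def capacity(secondary, node_mask):
    """Reproduce one row of the sizing table for a Secondary range and node mask."""
    sec = ipaddress.ip_network(secondary)
    if not 24 <= node_mask <= 26:
        raise ValueError("Node CIDR mask size must be between /24 and /26")
    if node_mask < sec.prefixlen:
        raise ValueError(f"a /{node_mask} block does not fit in {sec}")
    blocks = list(sec.subnets(new_prefix=node_mask))  # one Pod CIDR block per node
    ips = blocks[0].num_addresses
    return {
        "max_nodes": len(blocks),
        "ips_per_node": ips,
        # The table lists half of each block as the actual pod count; the page
        # gives the ratio but not the reason, so it is applied here as-is.
        "pods_per_node": ips // 2,
        "first_block": str(blocks[0]),
        "last_block": str(blocks[-1]),
    }

def nodes_left(secondary, node_mask, nodes_in_use):
    """Nodes that can still receive a Pod CIDR block before the range is exhausted."""
    return max(capacity(secondary, node_mask)["max_nodes"] - nodes_in_use, 0)

if __name__ == "__main__":
    # VPC 10.1.0.0/16 is an assumed parent for the page's 10.1.x.x example.
    print(validate_plan("10.1.0.0/16", "10.1.0.0/24", "10.1.0.0/20"))
    print(validate_plan("10.111.0.0/16", "10.111.0.0/24", "10.111.160.0/20"))
    for mask in (24, 25, 26):
        print(f"/{mask}", capacity("10.111.160.0/20", mask))
    print("nodes left:", nodes_left("10.111.160.0/20", 25, nodes_in_use=3))
```

Running `nodes_left` against the current node count shows how close a cluster is to the point where new nodes can no longer receive a Pod CIDR block.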

Attention:

  • Only one network type: In a cluster, you can use only one of three network types: Calico Overlay, Cilium Overlay, or Cilium VPC Native Routing.

  • Multiple subnets for a cluster: VKS supports the use of multiple subnets for a cluster. This allows you to configure each node group in the cluster to be located on different subnets within the same VPC, helping to optimize resource allocation and network management.

  • Cilium VPC Native Routing and Secondary IP Range: When using Cilium VPC Native Routing for a cluster, you can use multiple Secondary IP Ranges. However, each Secondary IP Range can only be used by a single cluster. This helps avoid IP address conflicts and ensures consistency in network management.

  • When there are not enough IP addresses in the Node CIDR range or Secondary IP range to create more nodes:

    • If the Secondary IP range runs out of IP addresses, new nodes will still be created and joined to the cluster, but you cannot use them. Pods that are required to launch on such a new node will be stuck in the "ContainerCreating" state because no suitable node can be found to deploy them. In this case, you need to create a new node group with a Secondary IP range that is not used by any cluster.

Step 5: Select Create Kubernetes cluster. Please wait a few minutes for us to initialize your Cluster; during this time the status of the Cluster is Creating.

Step 6: When the Cluster status is Active, you can view Cluster information and Node Group information by selecting the Cluster Name in the Name column.


Deploy a Workload

Below are instructions for deploying an nginx deployment and testing IP assignment for the pods deployed in your cluster.

Step 1: Access https://vks.console.vngcloud.vn/k8s-cluster

Step 2: The Cluster list is displayed. Select the Download icon and then select Download Config File to download the kubeconfig file. This file will give you full access to your Cluster.

Step 3: Rename this file to config and save it in the ~/.kube folder, so that its path is ~/.kube/config.

Step 4: Perform Cluster check via command:

  • Run the following command to check the nodes:

kubectl get nodes
  • If the result is as below, it means your Cluster is successfully initialized with 3 nodes:

NAME                                           STATUS   ROLES    AGE     VERSION
vks-cluster-democilium-nodegroup-558f4-39206   Ready    <none>   5m35s   v1.28.8
vks-cluster-democilium-nodegroup-558f4-63344   Ready    <none>   5m45s   v1.28.8
vks-cluster-democilium-nodegroup-558f4-e6e4d   Ready    <none>   6m24s   v1.28.8
  • Continue by running the following command to check the pods deployed in the kube-system namespace:

kubectl get pods -A
  • If the result is as below, it means that the pods supporting Cilium VPC Native Routing are running:

NAMESPACE     NAME                                          READY   STATUS    RESTARTS        AGE
kube-system   cilium-envoy-2g22l                            1/1     Running   0               6m41s
kube-system   cilium-envoy-h9mjb                            1/1     Running   0               5m53s
kube-system   cilium-envoy-ngz89                            1/1     Running   0               6m3s
kube-system   cilium-ft98g                                  1/1     Running   1 (5m33s ago)   6m2s
kube-system   cilium-operator-5fc5c56c4c-66l6d              1/1     Running   0               10m
kube-system   cilium-operator-5fc5c56c4c-qfnw2              1/1     Running   0               10m
kube-system   cilium-rfrr7                                  1/1     Running   1 (6m10s ago)   6m41s
kube-system   cilium-xmlq5                                  1/1     Running   1 (5m24s ago)   5m53s
kube-system   coredns-1727334052-85db76748b-fpmfr           1/1     Running   0               6m22s
kube-system   coredns-1727334052-85db76748b-jqv79           1/1     Running   0               6m22s
kube-system   hubble-relay-8578649fdb-bgzzz                 1/1     Running   1 (4m35s ago)   10m
kube-system   hubble-ui-574c5bb99b-g7l6c                    2/2     Running   0               10m
kube-system   konnectivity-agent-hmf2x                      1/1     Running   0               5m24s
kube-system   konnectivity-agent-q69n2                      1/1     Running   0               6m15s
kube-system   konnectivity-agent-wgqbw                      1/1     Running   0               5m14s
kube-system   vngcloud-controller-manager-d4d4f7b84-m65nb   1/1     Running   0               11m
kube-system   vngcloud-csi-controller-565c55dbcc-88pt4      7/7     Running   8 (4m59s ago)   11m
kube-system   vngcloud-csi-controller-565c55dbcc-v22q4      7/7     Running   8 (4m59s ago)   11m
kube-system   vngcloud-csi-node-665r2                       3/3     Running   3 (5m15s ago)   6m41s
kube-system   vngcloud-csi-node-8x542                       3/3     Running   3 (52s ago)     6m3s
kube-system   vngcloud-csi-node-gx7zd                       3/3     Running   2 (83s ago)     5m53s
kube-system   vngcloud-ingress-controller-0                 1/1     Running   1 (5m55s ago)   11m

Step 2: Deploy nginx on the newly created cluster:

  • Initialize the nginx-deployment.yaml file with the following content:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 20
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
  • Perform this deployment via command:

kubectl apply -f nginx-deployment.yaml

Step 3: Check the deployed nginx pods and the IP address assigned to each pod

  • Perform a check of the pods via the command:

kubectl get pods -o wide
  • As you can see below, the nginx pods are assigned IPs in 10.111.16x.x, which satisfy the Secondary IP range and Node CIDR mask size conditions that we specified above:

NAME                         READY   STATUS    RESTARTS   AGE   IP               NODE                                           
nginx-app-7c79c4bf97-6v88s   1/1     Running   0          31s   10.111.161.53    vks-cluster-democilium-nodegroup-558f4-39206   
nginx-app-7c79c4bf97-754m7   1/1     Running   0          31s   10.111.161.1     vks-cluster-democilium-nodegroup-558f4-39206   
nginx-app-7c79c4bf97-9tjw7   1/1     Running   0          31s   10.111.160.212   vks-cluster-democilium-nodegroup-558f4-63344   
nginx-app-7c79c4bf97-c6vx7   1/1     Running   0          31s   10.111.160.46    vks-cluster-democilium-nodegroup-558f4-e6e4d   
nginx-app-7c79c4bf97-c7nch   1/1     Running   0          31s   10.111.161.3     vks-cluster-democilium-nodegroup-558f4-39206   
nginx-app-7c79c4bf97-cggfq   1/1     Running   0          31s   10.111.161.74    vks-cluster-democilium-nodegroup-558f4-39206   
nginx-app-7c79c4bf97-cz4xc   1/1     Running   0          31s   10.111.160.115   vks-cluster-democilium-nodegroup-558f4-e6e4d   
nginx-app-7c79c4bf97-d84rb   1/1     Running   0          31s   10.111.160.152   vks-cluster-democilium-nodegroup-558f4-63344   
nginx-app-7c79c4bf97-dbmt7   1/1     Running   0          31s   10.111.160.184   vks-cluster-democilium-nodegroup-558f4-63344   
nginx-app-7c79c4bf97-gtx8b   1/1     Running   0          31s   10.111.161.57    vks-cluster-democilium-nodegroup-558f4-39206   
nginx-app-7c79c4bf97-km7tx   1/1     Running   0          31s   10.111.160.94    vks-cluster-democilium-nodegroup-558f4-e6e4d   
nginx-app-7c79c4bf97-lmk7c   1/1     Running   0          31s   10.111.161.26    vks-cluster-democilium-nodegroup-558f4-39206   
nginx-app-7c79c4bf97-mc24h   1/1     Running   0          31s   10.111.160.98    vks-cluster-democilium-nodegroup-558f4-e6e4d   
nginx-app-7c79c4bf97-n4zvf   1/1     Running   0          31s   10.111.160.204   vks-cluster-democilium-nodegroup-558f4-63344   
nginx-app-7c79c4bf97-n84tc   1/1     Running   0          31s   10.111.161.106   vks-cluster-democilium-nodegroup-558f4-39206   
nginx-app-7c79c4bf97-qtjjx   1/1     Running   0          31s   10.111.160.32    vks-cluster-democilium-nodegroup-558f4-e6e4d   
nginx-app-7c79c4bf97-rp4bt   1/1     Running   0          31s   10.111.160.202   vks-cluster-democilium-nodegroup-558f4-63344   
nginx-app-7c79c4bf97-sk7tf   1/1     Running   0          31s   10.111.160.196   vks-cluster-democilium-nodegroup-558f4-63344   
nginx-app-7c79c4bf97-x8jxm   1/1     Running   0          31s   10.111.160.135   vks-cluster-democilium-nodegroup-558f4-63344   
nginx-app-7c79c4bf97-zlstg   1/1     Running   0          31s   10.111.160.121   vks-cluster-democilium-nodegroup-558f4-e6e4d 
  • You can also perform a detailed description of each pod to check this pod information via the command:

kubectl describe pod nginx-app-7c79c4bf97-6v88s
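The check in Step 3 can be automated. The following added example (not VNG Cloud's own tooling) reads a `kubectl get pods -o wide` listing, here six rows copied from the output above, and reports any pod whose IP is outside the Secondary IP range and any node whose pods do not share a single Node CIDR block; the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

SECONDARY = ipaddress.ip_network("10.111.160.0/20")  # Default Pod IP range chosen above
NODE_MASK = 25                                       # Node CIDR mask size chosen above

# Six rows copied from the listing above; in practice feed in the full output.
LISTING = """\
NAME                         READY   STATUS    RESTARTS   AGE   IP               NODE
nginx-app-7c79c4bf97-6v88s   1/1     Running   0          31s   10.111.161.53    vks-cluster-democilium-nodegroup-558f4-39206
nginx-app-7c79c4bf97-754m7   1/1     Running   0          31s   10.111.161.1     vks-cluster-democilium-nodegroup-558f4-39206
nginx-app-7c79c4bf97-9tjw7   1/1     Running   0          31s   10.111.160.212   vks-cluster-democilium-nodegroup-558f4-63344
nginx-app-7c79c4bf97-d84rb   1/1     Running   0          31s   10.111.160.152   vks-cluster-democilium-nodegroup-558f4-63344
nginx-app-7c79c4bf97-c6vx7   1/1     Running   0          31s   10.111.160.46    vks-cluster-democilium-nodegroup-558f4-e6e4d
nginx-app-7c79c4bf97-cz4xc   1/1     Running   0          31s   10.111.160.115   vks-cluster-democilium-nodegroup-558f4-e6e4d
"""

def parse_listing(text):
    """Return (pod, ip, node) per row: the first token that parses as an IP
    address is the pod IP and the next token is the node. This tolerates a
    RESTARTS value such as "1 (5m33s ago)" and skips rows without an IP."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        for i, tok in enumerate(cols[:-1]):
            try:
                ip = ipaddress.ip_address(tok)
            except ValueError:
                continue
            rows.append((cols[0], ip, cols[i + 1]))
            break
    return rows

def audit(rows, secondary=SECONDARY, node_mask=NODE_MASK):
    """Map each node to its Pod CIDR block(s) and list anything unexpected."""
    node_blocks, owners, findings = defaultdict(set), defaultdict(set), []
    for pod, ip, node in rows:
        if ip not in secondary:
            findings.append(f"{pod}: {ip} is outside Secondary range {secondary}")
            continue
        block = str(ipaddress.ip_network(f"{ip}/{node_mask}", strict=False))
        node_blocks[node].add(block)
        owners[block].add(node)
    for node, blocks in node_blocks.items():
        if len(blocks) > 1:  # expectation from the page: one block per node
            findings.append(f"{node}: pods span blocks {sorted(blocks)}")
    for block, nodes in owners.items():
        if len(nodes) > 1:
            findings.append(f"{block}: shared by nodes {sorted(nodes)}")
    return {n: sorted(b) for n, b in node_blocks.items()}, findings

if __name__ == "__main__":
    blocks, findings = audit(parse_listing(LISTING))
    for node, cidrs in sorted(blocks.items()):
        print(node, cidrs)
    print(findings or "all pod IPs match the plan")
```

Because pod IPs are routable VPC addresses in native routing mode, the node-to-block map this produces is also the set of source ranges that Security Group rules will see.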

Step 4: There are a few steps you can take to thoroughly test the performance of Cilium. Specifically:

  • First, you need to install Cilium CLI following the instructions here.

  • After installing Cilium CLI, check the status of Cilium in your cluster via the command:

cilium status --wait
  • If the result is displayed as below, it means that Cilium is working properly:

    /¯¯\
 /¯¯\__/¯¯\    Cilium:             OK
 \__/¯¯\__/    Operator:           OK
 /¯¯\__/¯¯\    Envoy DaemonSet:    OK
 \__/¯¯\__/    Hubble Relay:       OK
    \__/       ClusterMesh:        disabled

DaemonSet              cilium-envoy       Desired: 3, Ready: 3/3, Available: 3/3
Deployment             hubble-relay       Desired: 1, Ready: 1/1, Available: 1/1
Deployment             hubble-ui          Desired: 1, Ready: 1/1, Available: 1/1
Deployment             cilium-operator    Desired: 2, Ready: 2/2, Available: 2/2
DaemonSet              cilium             Desired: 3, Ready: 3/3, Available: 3/3
Containers:            hubble-ui          Running: 1
                       cilium-operator    Running: 2
                       cilium             Running: 3
                       cilium-envoy       Running: 3
                       hubble-relay       Running: 1
Cluster Pods:          32/32 managed by Cilium
Helm chart version:
Image versions         cilium             vcr.vngcloud.vn/81-vks-public/cilium/cilium:v1.16.1: 3
                       cilium-envoy       vcr.vngcloud.vn/81-vks-public/cilium/cilium-envoy:v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51: 3
                       hubble-relay       vcr.vngcloud.vn/81-vks-public/cilium/hubble-relay:v1.16.1: 1
                       hubble-ui          vcr.vngcloud.vn/81-vks-public/cilium/hubble-ui-backend:v0.13.1: 1
                       hubble-ui          vcr.vngcloud.vn/81-vks-public/cilium/hubble-ui:v0.13.1: 1
                       cilium-operator    vcr.vngcloud.vn/81-vks-public/cilium/operator-generic:v1.16.1: 2

Step 5: You can perform a health check of Cilium in your cluster

  • Run the following command to perform a health check:

kubectl -n kube-system exec ds/cilium -- cilium-health status --probe
  • Reference results

Probe time:   2024-09-26T07:11:57Z
Nodes:
  vks-cluster-democilium-nodegroup-558f4-e6e4d (localhost):
    Host connectivity to 10.111.0.8:
      ICMP to stack:   OK, RTT=306.523µs
      HTTP to agent:   OK, RTT=206.191µs
    Endpoint connectivity to 10.111.160.91:
      ICMP to stack:   OK, RTT=307.205µs
      HTTP to agent:   OK, RTT=365.113µs
  vks-cluster-democilium-nodegroup-558f4-39206:
    Host connectivity to 10.111.0.14:
      ICMP to stack:   OK, RTT=1.90859ms
      HTTP to agent:   OK, RTT=344.725µs
    Endpoint connectivity to 10.111.161.9:
      ICMP to stack:   OK, RTT=1.889682ms
      HTTP to agent:   OK, RTT=549.887µs
  vks-cluster-democilium-nodegroup-558f4-63344:
    Host connectivity to 10.111.0.9:
      ICMP to stack:   OK, RTT=1.920985ms
      HTTP to agent:   OK, RTT=706.376µs
    Endpoint connectivity to 10.111.160.223:
      ICMP to stack:   OK, RTT=1.919709ms
      HTTP to agent:   OK, RTT=1.090877ms

Additionally, you can perform End-to-End connectivity tests or Network performance tests following the instructions at End-To-End Connectivity Testing or Network Performance Test.

Step 6: Check the connection between Pods

  • Perform a connectivity test between pods, ensuring that the pods can communicate via the VPC IP address without going through overlay networks. For example, below I ping from the pod nginx-app-7c79c4bf97-6v88s, with IP address 10.111.161.53, to a server in the same VPC with IP address 10.111.0.10:

kubectl exec -it nginx-app-7c79c4bf97-6v88s -- ping 10.111.0.10
  • If the result is as follows, the connection is successful:

PING 10.111.0.10 (10.111.0.10): 56 data bytes
64 bytes from 10.111.0.10: seq=0 ttl=62 time=3.327 ms
64 bytes from 10.111.0.10: seq=1 ttl=62 time=0.541 ms
64 bytes from 10.111.0.10: seq=2 ttl=62 time=0.472 ms
64 bytes from 10.111.0.10: seq=3 ttl=62 time=0.463 ms
--- 10.111.0.10 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.463/1.200/3.327 ms