Tencent Cloud Networking Setup Tips

Huawei Cloud / 2026-04-23 21:53:02

Why Your Tencent Cloud Network Feels Like a Maze (And How to Fix It)

Let’s be honest: setting up Tencent Cloud networking isn’t like assembling IKEA furniture—unless IKEA shipped flat-pack routers with cryptic error codes and zero assembly instructions. You click ‘Create VPC’, type 10.0.0.0/16, hit Enter, and suddenly your web app can’t talk to its database—but the console says ‘Status: Healthy’. Cue frantic Googling at 2:17 a.m., coffee cold, tabs titled ‘tencent cloud security group inbound rule not working why’ and ‘is CIDR 10.0.1.0/24 overlapping with 10.0.0.0/16 yes or no’. Don’t panic. This isn’t magic—it’s engineering with guardrails. And those guardrails? They’re actually helpful… once you know where they’re bolted down.

VPC: Your Digital Real Estate (Pick the Right Plot)

Your VPC isn’t just ‘a network’—it’s your private city block in Tencent Cloud’s metropolis. Choose its IP range wisely. Yes, 10.0.0.0/16 is the default, but if you plan to peer with on-prem via Express Connect—or link to another Tencent Cloud account—you’ll need non-overlapping CIDRs. Think ahead: use 10.10.0.0/16 for production, 10.20.0.0/16 for staging, 10.30.0.0/16 for dev. Bonus tip: avoid 192.168.0.0/16 unless you love NAT hairpinning headaches later.

Also—don’t skip the availability zone (AZ) awareness. Subnets live in specific AZs. If you deploy all subnets in ap-guangzhou-1, and that AZ goes offline? So does your entire stack. Distribute: ap-guangzhou-1 (public), ap-guangzhou-2 (private app), ap-guangzhou-3 (DB). Yes, it adds minor latency—but beats ‘503 Service Unavailable’ during Guangzhou typhoon season.

Subnetting Without Tears (Or Spreadsheets)

Forget /24 for everything. Here’s what actually works:

  • Public subnets: /26 (64 IPs)—enough for load balancers, NAT gateways, jump boxes. The first 5 IPs (.1–.5) are reserved for Tencent Cloud system use (they’re auto-assigned; don’t fight it).
  • Private app subnets: /24 (256 IPs)—scale-friendly for EC2-like CVMs. Tag them env=prod, tier=app.
  • Database subnets: /27 (32 IPs)—tight, isolated, minimal exposure. No internet gateway attached. Ever.

Pro move: name subnets descriptively—not subnet-0a1b2c, but prod-ap-guangzhou-1-public-web. Your future self (and audit team) will send thank-you notes.
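A small validator for the subnet plan described above, added here as an example (it is not Tencent Cloud tooling). The VPC, subnet names, CIDRs and AZs are constructed sample values; the reserved-address count and per-tier prefix lengths are taken from the recommendations above.

```python
# Added example (not from the original post): validate a Tencent Cloud subnet plan
# against the rules above. Names, CIDRs and AZs are constructed sample values.
from ipaddress import ip_network

RESERVED_PER_SUBNET = 5  # first 5 addresses (.1-.5) are platform-reserved, per the post
TIER_PREFIX = {"public": 26, "app": 24, "db": 27}  # prefix lengths recommended above

VPC = ip_network("10.10.0.0/16")  # production VPC
SUBNETS = [
    # (name, cidr, az, tier)
    ("prod-ap-guangzhou-1-public-web", "10.10.0.0/26",  "ap-guangzhou-1", "public"),
    ("prod-ap-guangzhou-2-app",        "10.10.1.0/24",  "ap-guangzhou-2", "app"),
    ("prod-ap-guangzhou-3-db",         "10.10.2.0/27",  "ap-guangzhou-3", "db"),
    ("prod-ap-guangzhou-3-db-2",       "10.10.2.16/28", "ap-guangzhou-3", "db"),   # overlaps db
    ("staging-leak",                   "10.20.5.0/24",  "ap-guangzhou-1", "app"),  # outside VPC
]

def usable_hosts(cidr: str) -> int:
    """Addresses a CVM can actually take: total minus the platform-reserved ones."""
    return max(ip_network(cidr).num_addresses - RESERVED_PER_SUBNET, 0)

def check_plan(vpc, subnets):
    """Return human-readable findings; an empty list means the plan is clean."""
    findings = []
    nets = [(name, ip_network(cidr), az, tier) for name, cidr, az, tier in subnets]
    for name, net, az, tier in nets:
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is not inside VPC {vpc}")
        if net.prefixlen != TIER_PREFIX[tier]:
            findings.append(f"{name}: /{net.prefixlen} differs from the "
                            f"recommended /{TIER_PREFIX[tier]} for tier {tier}")
    # Pairwise overlap check: two subnets sharing addresses never come up cleanly.
    for i, (n1, net1, _, _) in enumerate(nets):
        for n2, net2, _, _ in nets[i + 1:]:
            if net1.overlaps(net2):
                findings.append(f"{n1} and {n2} overlap ({net1} vs {net2})")
    azs = {az for _, _, az, _ in nets}
    if nets and len(azs) < 2:
        findings.append(f"all subnets sit in one AZ ({azs.pop()}): no AZ fault isolation")
    return findings
```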

Security Groups: The Bouncers of Your Cloud Club

Tencent Cloud security groups are stateful and instance-level—not network ACLs. Think of them as velvet ropes with VIP lists, not drawbridges. Key truths:

  • Rules are whitelist-only. No ‘deny port 22 from China’—just ‘allow port 22 from your office IP’.
  • Inbound and outbound rules are separate. Yes, even for return traffic. But since they’re stateful, reply packets are auto-allowed. (Yes, it’s weird. Accept it.)
  • You can reference other security groups in rules. Example: allow inbound MySQL (3306) from sg-app-prod, not an IP range. This scales when your app fleet auto-scales.

Real-world trap: attaching the same SG to both frontend and backend CVMs. Frontend needs HTTP/HTTPS open to the world; backend shouldn’t. Split them. Always.
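To make the allow-only, stateful, group-reference semantics concrete, here is an added model of security group evaluation (example code, not Tencent's implementation). Group ids, instance ids and addresses are constructed; only single ports are modelled, not port ranges.

```python
# Added example (not Tencent's code): a model of stateful, allow-only security groups
# with SG references, used to test the frontend/backend split described above.
# All group ids, instance ids and addresses are constructed sample values.
from ipaddress import ip_address, ip_network

# rule = (direction, protocol, port, source); source is a CIDR or another sg id
SECURITY_GROUPS = {
    "sg-web-prod": [("ingress", "tcp", 80,  "0.0.0.0/0"),
                    ("ingress", "tcp", 443, "0.0.0.0/0"),
                    ("ingress", "tcp", 22,  "203.0.113.10/32")],  # office IP (TEST-NET-3)
    "sg-app-prod": [("ingress", "tcp", 8080, "sg-web-prod")],
    "sg-db-prod":  [("ingress", "tcp", 3306, "sg-app-prod")],    # group reference, not an IP range
}
INSTANCES = {  # instance id -> (private ip, attached security groups)
    "ins-web1": ("10.10.0.10", ["sg-web-prod"]),
    "ins-app1": ("10.10.1.20", ["sg-app-prod"]),
    "ins-db1":  ("10.10.2.30", ["sg-db-prod"]),
}

def _source_matches(source: str, src_ip: str) -> bool:
    """A rule source is a CIDR or an SG id; an SG id matches any instance carrying that SG."""
    if source.startswith("sg-"):
        return any(src_ip == ip and source in sgs for ip, sgs in INSTANCES.values())
    return ip_address(src_ip) in ip_network(source)

def inbound_allowed(src_ip: str, dst_instance: str, proto: str, port: int) -> bool:
    """Allow-only evaluation: the flow passes if any rule on any attached SG matches.
    Reply traffic is never evaluated here because the groups are stateful."""
    _, sgs = INSTANCES[dst_instance]
    return any(
        direction == "ingress" and p == proto and rule_port == port
        and _source_matches(source, src_ip)
        for sg in sgs
        for direction, p, rule_port, source in SECURITY_GROUPS[sg]
    )
```

Attaching sg-web-prod to the database instance as well reproduces the trap above: port 80 on the DB host becomes reachable from anywhere.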

The NAT Gateway Gambit (Skip the EIP Tax)

Need outbound internet access for patching or API calls—but don’t want public IPs on every CVM? Use a NAT Gateway, not an EIP + SNAT rule. Why?

  • NAT Gateways are highly available (auto-deployed across AZs within region).
  • No manual SNAT table management.
  • Supports up to 10 Gbps bandwidth (vs. EIP’s 100 Mbps cap).

Deployment tip: put NAT Gateway in a public subnet—but route tables for private subnets must point to it *explicitly*. Tencent doesn’t auto-route. Run this CLI snippet post-creation:

tencentcloud vpc AssociateRouteTable --RouteTableId rtb-abc123 --SubnetIds '["subnet-def456"]'

Then edit the route table: add 0.0.0.0/0 → nat-xyz789. Miss this step? Your DB servers will silently fail DNS lookups. Been there, dug through tcpdump at dawn.

VPC Peering: Handshakes, Not Hugs

VPC peering lets two VPCs talk directly—no VPN, no transit gateway. But it’s not magic glue. It’s a handshake. With fine print.

  • No transitivity: If VPC-A peers with VPC-B, and VPC-B peers with VPC-C, VPC-A cannot reach VPC-C. Period.
  • CIDR overlap = instant rejection. Even if one is 10.0.0.0/16 and the other is 10.0.1.0/24, Tencent blocks it. (Yes, one is a subset of the other—but a subset is still an overlap, and Tencent’s check makes no exception for it.)
  • Route tables are your responsibility. After peering, manually add routes: in VPC-A’s route table, add 10.20.0.0/16 → pcx-12345; in VPC-B’s, add 10.10.0.0/16 → pcx-12345.

Bonus: peering works across accounts—and regions (with some caveats). Just ensure both parties accept the peering request. Pro tip: use Terraform or CloudFormation to automate acceptance. Manual clicks don’t scale—and cause 3 a.m. Slack pings.
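The three rules above (overlap rejection, no transitivity, routes are on you) as an added model, not code from the post or from Tencent. VPC ids, CIDRs and pcx ids are constructed sample values.

```python
# Added example (not from the post): model VPC peering as a non-transitive graph,
# reject overlapping CIDRs, and emit the route entries each side must add.
# VPC ids, CIDRs and peering-connection ids are constructed sample values.
from ipaddress import ip_address, ip_network

VPCS = {"vpc-a": "10.10.0.0/16", "vpc-b": "10.20.0.0/16", "vpc-c": "10.30.0.0/16"}

class PeeringError(ValueError):
    pass

def peer(vpcs, peerings, a, b, pcx_id):
    """Create a peering a<->b. Overlapping CIDRs (a subset included) are rejected.
    Returns the two route entries (route_table_owner, destination, next_hop) to add."""
    net_a, net_b = ip_network(vpcs[a]), ip_network(vpcs[b])
    if net_a.overlaps(net_b):
        raise PeeringError(f"{a} {net_a} overlaps {b} {net_b}: peering rejected")
    peerings[pcx_id] = (a, b)
    # Peering alone moves no packets: each side needs an explicit route to the other.
    return [(a, str(net_b), pcx_id), (b, str(net_a), pcx_id)]

def reachable(peerings, src, dst):
    """True only if src and dst share a direct peering: peering never transits."""
    return any({src, dst} == {a, b} for a, b in peerings.values())

def route_for(routes, vpc, ip):
    """Longest-prefix match over the entries in one VPC's route table, or None."""
    best = None
    for owner, dest, hop in routes:
        net = ip_network(dest)
        if owner != vpc or ip_address(ip) not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, hop)
    return best[1] if best else None
```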

Cloud Load Balancer + Security Group Gotchas

CLB (Tencent’s ALB/NLB) sits *outside* your VPC’s security groups. So your CVMs need inbound rules allowing CLB’s health check IPs—not 0.0.0.0/0, not your office IP. Tencent publishes CLB health check source ranges per region. For Guangzhou: 112.95.216.0/22 and 112.95.220.0/22. Whitelist those. Otherwise, CLB marks all targets as unhealthy and serves 502s while your dashboard screams ‘green’.

Also: enable CLB health check with TCP or HTTP, not ‘default’. Default uses ICMP—and many CVMs block ping by default. Pick HTTP on /health endpoint. Then actually build that endpoint. (We’ve seen stacks go live with curl -I http://localhost:8080/health returning 404. True story.)

Debugging Like a Detective (Not a Magician)

When traffic fails, follow this triage:

  1. Check route tables: Is there a valid route to destination? (Use tencentcloud vpc DescribeRouteTables.)
  2. Verify security groups: Are inbound/outbound rules permitting the flow? (Filter by CVM ID in Console > Security Groups > Instances tab.)
  3. Confirm network ACLs: Rarely used—but if enabled, they’re stateless and deny-by-default. Double-check.
  4. Test connectivity: From a CVM in the same subnet, run telnet target-ip port. If it fails locally, it’s not a routing issue—it’s local firewall, service binding, or app config.

Last resort: enable VPC Flow Logs. They log every accepted/dropped packet—source, dest, port, action, status. Enable it on critical subnets. Storage cost? Pennies. Debugging time saved? Priceless.
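An added triage helper for flow-log records (example code, not a Tencent tool). The record layout is an assumption modelled on the common space-separated flow-log format, so check the documented field order for your region before using it; the log lines below are constructed, not captured.

```python
# Added example (not from the post): triage VPC flow-log records for dropped traffic.
# The record layout is an ASSUMPTION (version account eni src dst srcport dstport proto
# packets bytes start end action status); the lines below are constructed, not real logs.
from collections import Counter

SAMPLE_LOG = """\
2 123456789 eni-app1 10.10.0.10 10.10.1.20 51234 8080 6 12 3400 1714000000 1714000060 ACCEPT OK
2 123456789 eni-db1 10.10.1.20 10.10.2.30 40001 3306 6 3 180 1714000000 1714000060 REJECT OK
2 123456789 eni-db1 10.10.1.21 10.10.2.30 40002 3306 6 3 180 1714000000 1714000060 REJECT OK
2 123456789 eni-db1 10.10.2.30 10.10.0.1 53201 53 17 2 150 1714000000 1714000060 REJECT OK
2 123456789 eni-web1 198.51.100.7 10.10.0.10 44321 443 6 20 9000 1714000000 1714000060 ACCEPT OK
"""
FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status")

def parse(text: str):
    """Split each record into a dict; skip blank or malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "proto", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def rejected_by_destination(records):
    """Count REJECTs per (eni, dst, dstport): the tuple tells you which CVM's
    route table or security group to look at first (triage steps 1 and 2)."""
    return Counter((r["eni"], r["dst"], r["dstport"])
                   for r in records if r["action"] == "REJECT")

def suspects(records):
    """Hot spots, biggest first: the largest REJECT bucket is where debugging starts."""
    return rejected_by_destination(records).most_common()
```

In the sample, the app-to-DB rejects on 3306 point at the DB security group (a missing sg-app-prod reference), while the DB host's rejected DNS lookup is the private-subnet symptom described in the NAT section.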

Final Tip: Automate or Perish

Manual console setups work for labs. Not for production. Use Tencent Cloud’s Terraform provider, or their native Terraform-compatible TCM (Tencent Cloud Manager). Define your VPC, subnets, route tables, security groups, and NAT gateways as code. Then test changes in staging. Then apply. No more ‘who deleted that route?’ meetings. Just git blame and a swift PR revert.

Remember: networking isn’t infrastructure—it’s the plumbing of your cloud. Fix leaks early. Label pipes clearly. And for the love of all that’s subnetted, document your CIDR plan in a shared, versioned README. Your team (and your sleep schedule) will thank you.
