Implementing Network Isolation with Elastic Network Interfaces on QCloud

Author: Li Sida – Microsoft MVP, certified instructor, scenario‑based learning advocate, former system architect at Alibaba O2O warehousing, currently a system operations engineer.

In the previous article we showed how to build a standardized domain environment on QCloud and avoid common pitfalls. This article focuses on the details and technical measures needed for network isolation in a QCloud cluster.

Q1: QCloud provides multiple NICs for a VM. How can we ensure they are physically isolated?

A1: Complete physical isolation is not possible. Most public clouds, including QCloud, use NIC teaming for redundancy, and VNet placement is abstracted by SDN. Some clouds may scatter VMs across different hosts to reduce single‑point failures. You can submit a ticket to request specific isolation.

Q2: If physical isolation is impossible, can we still achieve line separation?

A2: Absolute physical separation is impractical, but QCloud tries to disperse VMs across different hosts, making it unlikely that two VMs share the same physical NIC. You can submit a ticket to verify the placement.

Below is the server information required for the demo (external bandwidth is enabled for demonstration purposes but not recommended in production):

编号

服务器名称

生产IP

存储IP

心跳IP

对外VIP

1

Q-DC01

192.168.108.188

无

无

2

Q‑SG01

192.168.108.206

10.11.11.231

无

3

Q‑SQL01

192.168.108.254

10.11.11.  10.10.10.2

4

Q‑SQL02

192.168.108.114

10.11.11.  10.10.10.234

The SG servers act as shared storage for the SQL cluster, providing a quorum disk, production data, and a reserved backup space.

Now, follow these steps to set up the environment:

Create additional NICs as auxiliary NICs and attach them to the corresponding CVMs. (Currently not supported directly from the console; use the API.) Refer to the articles “Creating a Private Network” and “Building a High‑Availability Keepalived Cluster in VPC” for API details.

After creation, use DescribeNetworkInterfaces to list the NICs (NICs created via API do not appear in the console).

Re‑bind the NICs (currently only possible via API): Note: use networkInterfaceId , not the name. The binding succeeds silently in the console.

Create NICs for both SQL nodes (each gets three NICs: production, heartbeat, storage) and verify the mapping. (Storage network – two SQL nodes and one storage node) (Heartbeat network – two SQL nodes)

Ensure connectivity between the heartbeat and storage networks.

Appendix (Issues Encountered)

1. The process of creating and binding elastic NICs heavily tests the operations team’s scripting ability because every step requires API calls.

2. A more optimal solution would be to use separate private networks for isolation, but that would require recreating NICs with different subnet IDs, which is a major change.

3. The ModifyNetworkInterface API can only change the NIC name and description. To change other attributes you must unbind, delete, recreate, and rebind the NIC via API.

For the full article, click the link below:

Create Your SQL Cluster on Tencent Cloud (Part 1)

This series will continue with more posts. Stay tuned!