Create a cell-based workspace

You can manage all workspaces for the current tenant under Global Settings in the console. From there, you can view, add, edit, and delete workspaces.

Background

A workspace is a group of resources that share network connectivity, consistent security policies, and low access latency. You can use workspaces to group and manage resources. For example, you can create development, testing, and production workspaces to suit your delivery needs. Resources in different workspaces are isolated from each other. You can assign separate operator permissions to manage each workspace. To support high availability (HA), a workspace can span multiple zones but not multiple regions.

Each workspace requires you to create basic resources, such as a virtual private cloud (VPC), vSwitches, security groups, and ECS instances. You then deploy clusters on these resources to provide services for your applications.

Prerequisites

Understand the cell-based architecture.

Procedure

  1. Log on to the console. In the navigation pane on the left, click Global Settings in the lower-left corner to go to the workspace list page.

  2. Click Create Workspace. Select Cell-based Workspace as the type and click Create.

    Note

    • LDC Workspace: provides the LDC capability. It can be applied to zone active-active deployment and geo-disaster recovery. You can use LDC workspace groups to isolate user resources. Clusters in different workspace groups are isolated from each other.

    • Standard Workspace: A standard workspace is an organizational mechanism provided by SOFAStack to group and isolate resources for different purposes and stages. You can assign a workspace for each stage of your operations and maintenance (O&M) process, such as a development workspace in a single data center (a single zone) or a production workspace in two data centers (two zones).

    • Cell-based Workspace: This workspace builds on the standard workspace by adding cell-based capabilities. It is used for intra-city active-active disaster recovery and remote disaster recovery. It is a collection of standard workspaces. You can use cell-based workspace groups to isolate user resources. Clusters in different workspace groups are isolated from each other.

  3. On the Create Workspace page, enter the following basic information.

    • Workspace ID: An English identifier for the workspace. It must be 2 to 45 characters long, globally unique, and cannot be changed after creation. Examples: `dev`, `test`, `prod`.

    • Workspace Name: The display name for the workspace. It must be 1 to 64 characters long. Examples: Development Workspace, Test Workspace, Production Workspace.

    • Region: The region where the workspace is located. Each workspace must belong to a region.

    • Network Type: Select VPC.

    • Import VPC: This is disabled by default. If you enable it, you can reuse an existing VPC and attach it to the workspace.

  4. Click Next. On the Create Cell Architecture page, click Add Zone. You can configure an unlimited number of zones for a workspace. In this example, two zones are configured to support high availability architectures, such as a dual-data-center deployment.

    Note

    The system automatically generates a cell-based architecture topology and divides logical units and deployment units based on the zone configuration. For more information, see Create a logical unit.

  5. Click Next. On the Create VPC page, enter the following configuration information:

    • VPC Name: The name must be 2 to 128 English or Chinese characters long. It must start with a letter or a Chinese character and can contain numbers, underscores (_), or hyphens (-). It cannot start with http:// or https://. The system automatically generates a default name in the format Cell-based Workspace ID-vpc.

    • VPC CIDR Block: The CIDR block for the VPC. This cannot be changed after it is selected. The private IP addresses of all resources within the VPC, such as ECS, RDS, and SLB instances, are allocated from this CIDR block. The available CIDR blocks are:

      • 10.0.0.0/9

      • 172.16.0.0/12

      • 192.168.0.0/16

    • Description: Optional. Enter a description that is 2 to 256 English or Chinese characters long. The description cannot start with http:// or https://.

    • vSwitch: Click Add vSwitch. In the Add vSwitch window, enter the following information and click Submit.

      • Name: The name of the vSwitch. The name must be 2 to 128 characters long, start with a letter or a Chinese character, and can contain numbers, underscores (_), and hyphens (-). The system automatically generates a default name in the format Cell-based Workspace ID-vsw.

      • Zone: The zone for the vSwitch. vSwitches in different zones within the same VPC can communicate with each other over the internal network. You must create one vSwitch for each zone.

      • Custom CIDR Block: This option is disabled by default. If you enable it, you must enter a CIDR block. The vSwitch CIDR block can be the same as the CIDR block of its parent VPC or a subnet of it.

      • Subnet Mask: If Custom CIDR Block is disabled, select a subnet mask and a CIDR block. The default subnet mask is 24 bits, for example, 172.31.0.0/24, which provides up to 65,536 private IP addresses. The mask can range from 16 to 29 bits, providing 4 to 65,532 addresses.

      • Description: Enter a description for the vSwitch. The description can be 2 to 256 English or Chinese characters long and cannot start with http:// or https://.
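An added example, not from the SOFAStack documentation, that checks a VPC CIDR block and one vSwitch per zone against the limits above (mask between 16 and 29 bits, vSwitch equal to or inside the VPC block, no two zones overlapping) and reports the usable addresses per zone. It assumes that 4 addresses per vSwitch are reserved, which is what the page's range of 4 to 65,532 addresses for 29 to 16 bits implies, and that a VPC CIDR may be one of the three offered blocks or a subnet of one; the function and zone names are this example's own.

```python
"""Plan vSwitch CIDR blocks for a workspace VPC, one per zone, and check them against the form's limits."""
import ipaddress
from typing import Dict, List

# The three VPC CIDR blocks the console offers (from the page).
VPC_PARENT_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/9", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the page's 4..65,532 address count for /29../16 means 4 addresses per vSwitch are reserved.
RESERVED_PER_VSWITCH = 4

def check_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Accept the VPC CIDR only if it is one of the offered blocks or lies inside one (assumption)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not any(net == parent or net.subnet_of(parent) for parent in VPC_PARENT_BLOCKS):
        raise ValueError(f"VPC CIDR {cidr} is outside 10.0.0.0/9, 172.16.0.0/12 and 192.168.0.0/16")
    return net

def usable_addresses(net: ipaddress.IPv4Network) -> int:
    """Private IP addresses a vSwitch of this size can hand out (e.g. /29 -> 4, /16 -> 65,532)."""
    return net.num_addresses - RESERVED_PER_VSWITCH

def plan_vswitches(vpc_cidr: str, zones: Dict[str, str]) -> List[dict]:
    """zones maps zone name -> vSwitch CIDR. Return one record per zone or raise on the first problem."""
    vpc = check_vpc_cidr(vpc_cidr)
    placed: List[ipaddress.IPv4Network] = []
    plan = []
    for zone, cidr in zones.items():
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
        if not 16 <= net.prefixlen <= 29:
            raise ValueError(f"{zone}: mask /{net.prefixlen} is outside the allowed 16..29")
        if not (net == vpc or net.subnet_of(vpc)):
            raise ValueError(f"{zone}: {cidr} is not the VPC block or a subnet of it")
        for other in placed:
            if net.overlaps(other):  # two zones cannot share addresses
                raise ValueError(f"{zone}: {cidr} overlaps {other}")
        placed.append(net)
        plan.append({"zone": zone, "cidr": str(net), "usable": usable_addresses(net)})
    return plan

if __name__ == "__main__":
    # Constructed sample: two zones, as in the procedure's dual-data-center example.
    for row in plan_vswitches("172.16.0.0/12", {"zone-a": "172.16.0.0/24", "zone-b": "172.16.1.0/24"}):
        print(row)
```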

  6. Click Next. On the Create Security Group page, click Add Security Group. In the Add Security Group window, enter the following information and click OK.

    • Security Group Name: The name must be 2 to 128 English or Chinese characters long. It must start with a letter or a Chinese character and can contain numbers, colons (:), underscores (_), or hyphens (-). The name cannot start with http:// or https://. The system automatically generates a default name in the format Cell-based Workspace ID-sg.

    • Description: The description can be 2 to 256 English or Chinese characters long and cannot start with http:// or https://.

    • Rule: Click Add Rule. In the Create Rule window, enter the following information, and click OK.

    • NIC Type: Select Internal Network. For a security group in a VPC, the network interface controller (NIC) type is restricted to `intranet`.

    • Rule Direction:

      • Outbound: Allows an ECS instance to access other ECS instances on the internal network or resources on the public network.

      • Inbound: Allows other ECS instances on the internal network or resources on the public network to access the ECS instance.

    • Protocol Type: The transport-layer protocol. The value is case-sensitive. The available options are:

      • TCP: Supports the TCP protocol.

      • UDP: Supports the UDP protocol.

      • ICMP: ICMP supports only IPv4 addresses.

      • GRE: Supports the GRE protocol.

      • ALL: Supports all protocols.

    • Port Range: The range of transport-layer ports that this rule applies to. Use the format `start port/end port`, such as `1/200`. A value of `-1/-1` indicates that the port range is not restricted. The value depends on the protocol type:

      • TCP or UDP: The value range is 1 to 65535. Use a forward slash (/) to separate the start and end ports, for example `1/200`. An incorrect example is `200/1`, where the start port is greater than the end port.

      • ICMP: `-1/-1`.

      • GRE: `-1/-1`.

      • ALL: `-1/-1`.

    • Access Permissions: You can select Allow access or Deny access.

    • Priority: A higher number indicates a higher priority. The value can range from 1 to 100.

    • Source IP Address: Enter a single IP address or a CIDR block, such as `12.xx.xx.1` or `13.xx.xx.1/25`. If you enter `0.0.0.0/0`, access from all IP addresses is allowed or denied, depending on the selected action. Exercise caution when you configure this setting. Only IPv4 addresses are supported. The default value is `0.0.0.0/0`.

    • Destination IP Address: Enter a single IP address or a CIDR block, such as `12.xx.xx.1` or `13.xx.xx.1/25`. If you enter `0.0.0.0/0`, access to all IP addresses is allowed or denied, depending on the selected action. Exercise caution when you configure this setting. Only IPv4 addresses are supported.

    • Rule Description: Enter a description for the security group rule. The description must be 1 to 512 characters long.
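As an added example that is not part of the SOFAStack documentation, the constraints the Create Rule form imposes written out as a validator: protocol names compared case-sensitively, the `start/end` port format with `-1/-1` for ICMP, GRE and ALL, the 1 to 100 priority range, IPv4-only addresses, and a warning whenever `0.0.0.0/0` is used as source or destination. The `Rule` class, its field names and the sample addresses are this example's own.

```python
"""Check a security group rule against the constraints of the Create Rule form."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PROTOCOLS = ("TCP", "UDP", "ICMP", "GRE", "ALL")  # compared case-sensitively, like the form
UNRESTRICTED = (-1, -1)                            # the -1/-1 port range

@dataclass
class Rule:
    direction: str    # "Inbound" or "Outbound"
    protocol: str     # one of PROTOCOLS
    port_range: str   # "start/end" such as "1/200", or "-1/-1"
    action: str       # "Allow" or "Deny"
    priority: int     # 1..100
    source: str       # IPv4 address or CIDR block
    destination: str  # IPv4 address or CIDR block

def parse_port_range(protocol: str, value: str) -> Tuple[int, int]:
    """Return (start, end); reject malformed or reversed ranges such as '200/1'."""
    start, sep, end = value.partition("/")
    if sep != "/":
        raise ValueError(f"port range {value!r} must be written as start/end")
    lo, hi = int(start), int(end)
    if protocol in ("ICMP", "GRE", "ALL"):
        if (lo, hi) != UNRESTRICTED:
            raise ValueError(f"{protocol} rules must use -1/-1")
    elif not (1 <= lo <= hi <= 65535):
        raise ValueError(f"TCP/UDP range must satisfy 1 <= start <= end <= 65535: {value}")
    return lo, hi

def validate_rule(rule: Rule) -> List[str]:
    """Raise ValueError for an invalid field; return warnings for risky but valid settings."""
    if rule.direction not in ("Inbound", "Outbound"):
        raise ValueError(f"bad direction {rule.direction!r}")
    if rule.protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {rule.protocol!r} (names are case-sensitive)")
    parse_port_range(rule.protocol, rule.port_range)
    if rule.action not in ("Allow", "Deny"):
        raise ValueError(f"bad action {rule.action!r}")
    if not 1 <= rule.priority <= 100:
        raise ValueError(f"priority {rule.priority} outside 1..100")
    warnings = []
    for label, value in (("source", rule.source), ("destination", rule.destination)):
        net = ipaddress.ip_network(value, strict=False)  # a bare host address becomes a /32
        if net.version != 4:
            raise ValueError(f"{label} must be IPv4: {value}")
        if net.prefixlen == 0:  # 0.0.0.0/0 matches every address; the form says to use it with care
            warnings.append(f"{rule.direction} {rule.action} rule matches all {label} addresses")
    return warnings
```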

  7. Click Submit.