Help Center / Tencent Cloud
Article Details

Tencent Cloud KYC Verification Deploy Nacos Microservices on Tencent Cloud VPC

Tencent Cloud2026-05-14 22:20:15CloudPoint

Why Deploy Nacos on a VPC (and Why Your Future Self Will Thank You)

Deploying Nacos microservices on Tencent Cloud VPC sounds like the sort of task that starts with optimism and ends with you staring at a firewall rule like it personally betrayed you. But done right, it’s a genuinely solid path: VPC gives you control, isolation, routing flexibility, and a cleaner way to connect services and databases. Also, the “VPC-first” mindset tends to save you from the classic problems: services that work locally, then mysteriously refuse to talk in the real world; instances that can reach MySQL on paper but not in practice; and the ever-popular “I opened the port, why is it still blocked?” storyline.

This article walks you through a practical, production-leaning deployment of Nacos on Tencent Cloud VPC. We’ll cover architecture choices (single instance vs. cluster), network planning, security groups, persistent storage using MySQL, and the configuration that makes Nacos serve as your service discovery and configuration center. We’ll also include troubleshooting tips for the typical errors that show up when you mix microservices, containers, security groups, and the universe’s sense of humor.

What You’ll Build

You’ll end up with a VPC-based environment where:

  • Nacos runs on one or more Tencent Cloud compute instances inside your VPC.
  • MySQL (also inside your VPC) stores Nacos metadata and configuration history.
  • Your microservices can register themselves with Nacos for service discovery.
  • Your microservices can also pull dynamic configuration from Nacos.
  • Network rules (security groups and routing) allow only the right traffic.

If you’re thinking “This sounds like setting up a control tower,” yes. Nacos is your traffic controller: it knows where services live and how they should behave. When it’s deployed correctly, your system becomes easier to manage. When it’s deployed incorrectly, you learn the fine art of blaming DNS.

Prerequisites and Assumptions

  • You have access to Tencent Cloud console.
  • You can create VPCs, subnets, security groups, and ECS instances (or use a container platform if you prefer).
  • You can run MySQL and configure it as the Nacos storage engine.
  • You can edit basic configuration files (and you won’t mind doing it more than once, because real life).

To keep this guide readable, we’ll focus on a straightforward setup. You can adapt the same ideas to Kubernetes, containers, or auto-scaling groups later.

Decide: Single Nacos or Nacos Cluster?

There are two common paths:

  • Single Nacos instance: Fast to set up, great for small systems and testing. If you’re building a learning project or a low-traffic service mesh, this might be enough.
  • Nacos cluster: Multiple Nacos nodes for high availability. Production deployments usually prefer this, especially if you don’t want your control plane to be a single point of failure.

If you’re unsure, here’s the rule of thumb: if downtime would make you sad in a measurable way, go cluster. If downtime would merely make you sigh loudly, single node can still work while you grow.

High-Level Architecture (The “Make It Talk” Plan)

A clean, VPC-friendly architecture usually looks like this:

  • VPC: your isolated network environment.
  • Subnets: typically one for Nacos and one for application services (optional but often cleaner).
  • ECS instances (or Kubernetes nodes): run Nacos and your microservices.
  • MySQL: either TencentDB or self-managed MySQL, placed in the same VPC (or accessible via VPC routing).
  • Security groups: strict inbound/outbound rules between Nacos, MySQL, and your services.

In microservices land, networking is like salsa: it matters, and if you get it wrong, everyone suffers.

Step 1: Create a VPC and Subnets in Tencent Cloud

Create a VPC with an IPv4 CIDR block (for example, 10.0.0.0/16). Then create one or more subnets. A common setup is:

  • Subnet A: Nacos and database connectivity zone.
  • Subnet B: Application services zone.

Even if you use only one subnet at first, planning for separation helps later. If you ever add more services, you’ll appreciate not having to untangle everything from one flat network like a bowl of spaghetti.

Step 2: Plan Network Ports for Nacos

Nacos uses several ports. The exact set can vary depending on version and settings, but typically you’ll see:

  • Tencent Cloud KYC Verification HTTP port (commonly 8848)
  • HTTPS port (commonly 8849)
  • Optional metrics/management ports depending on configuration

Your applications need to reach Nacos. Decide whether you’ll use HTTP or HTTPS. Many teams start with HTTP for simplicity and move to HTTPS later.

We’ll assume you want Nacos reachable inside the VPC. That means security group rules for internal access, not public internet exposure.

Step 3: Create Security Groups (Don’t “Allow All” Unless You Enjoy Chaos)

Create separate security groups for:

  • Nacos ECS instances
  • MySQL instance (if self-managed or via security group rules)
  • Application ECS/container nodes (where microservices run)

Example rules (conceptual, adjust to your setup):

  • Nacos inbound: allow traffic to Nacos ports (8848, optionally 8849) from the application security group.
  • Nacos outbound: allow egress to MySQL on the MySQL port (commonly 3306).
  • MySQL inbound: allow MySQL port (3306) from the Nacos security group.

Tencent Cloud KYC Verification If you can limit traffic to just the necessary sources, do it. It’s the difference between “locked door” and “we left the keys under the mat, but only temporarily.”

Step 4: Provision Compute for Nacos

Create ECS instances (or nodes) within the VPC. For a single node setup, one instance might suffice. For a cluster, you’ll create multiple instances, often in the same region and VPC for low latency.

Resource sizing depends on traffic and number of services/config entries. A rough starting point:

  • CPU: 2 vCPU or more
  • Tencent Cloud KYC Verification Memory: 4 GB or more
  • Disk: enough for Nacos logs and any local caches (though MySQL stores most persistent data)

Also consider enabling time sync (NTP). Nacos and your deployment tooling won’t love huge clock drift.

Step 5: Install Java and Prepare Nacos

Nacos typically requires Java. Install a supported JDK (for example, JDK 8 or 11 depending on your Nacos version requirements). Then download the Nacos distribution package and extract it.

A common local directory structure might look like:

  • bin/
  • conf/
  • logs/

You’ll edit a configuration file in conf. Most deployments customize:

  • Database type and connection info
  • Nacos server address and ports
  • Cluster settings (if applicable)

Step 6: Use MySQL as Nacos Data Store

By default, Nacos needs persistent storage. MySQL is common and usually reliable for production. You’ll need to:

  • Create a MySQL database for Nacos
  • Create a user with appropriate privileges
  • Configure Nacos to use that MySQL

Database creation example (conceptual):

  • Database: nacos_config
  • User: nacos
  • Privileges: the user can read/write to that database

The exact SQL depends on your MySQL version and Nacos requirements. Many teams also run Nacos-provided SQL scripts (sometimes the distribution includes schema setup instructions). Follow Nacos documentation for the precise script steps for your version.

Step 7: Configure Nacos to Connect to MySQL

Edit Nacos configuration file (often conf/application.properties or conf/application.yml, depending on your package). You’ll configure values like:

  • spring.datasource.platform=mysql
  • spring.datasource.url=jdbc:mysql://:3306/?...
  • spring.datasource.username=
  • spring.datasource.password=

Important networking detail: the MySQL host should be reachable from the Nacos instances. If MySQL is a TencentDB instance, it should be within the VPC or accessible via VPC routing. If it’s outside VPC, you’ll need additional network paths (and we strongly recommend keeping it inside to avoid headache).

Step 8: Configure Nacos Server Address (VPC Edition)

In VPC deployments, the “server address” matters because microservices will use Nacos URLs to register and fetch config. You should set Nacos listen address and advertised address (depending on Nacos settings) so that clients in your VPC can reach it.

Common mistakes include:

  • Using 127.0.0.1 or localhost somewhere it shouldn’t be
  • Advertising a public IP that isn’t actually reachable (because you didn’t open it, and you shouldn’t have to)
  • Setting an address that only resolves on the Nacos server but not on application servers

Best practice: use the Nacos instance’s private IP (or a private DNS name) that is routable within the VPC.

Step 9: Start Nacos and Confirm Health

Start Nacos using the provided scripts. Then verify:

  • Nacos process is running
  • Ports are listening (8848 and optionally 8849)
  • Log output shows successful MySQL connection

Run basic checks from the Nacos server:

  • Check that Nacos is listening on expected ports
  • Inspect logs for errors about database schema, connectivity, or authentication

If Nacos fails to start or loops endlessly, it’s usually one of these villains: wrong database credentials, network blocked to MySQL, missing schema, or a configuration key mismatch. The logs will generally tell you which villain showed up wearing which mask.

Step 10: Configure Microservices to Use Nacos

Now the real fun begins: connect your microservices to Nacos for both service discovery and configuration management.

In each microservice, configure:

  • Nacos server address (the internal IP or DNS name of Nacos)
  • Namespace and group (if you use them)
  • Credentials (if configured)
  • Service name and metadata (for registration)

Depending on your framework (Spring Cloud Alibaba, Dubbo, etc.), the exact property keys differ. But the concept stays the same: you point your service at Nacos, and Nacos becomes the registry/config center.

Example idea (not tied to a specific framework):

  • Nacos address: http://<nacos-private-ip>:8848
  • Data ID patterns and groups: used for configuration fetching

If you can’t figure out the exact keys for your framework, don’t panic. The framework documentation is likely correct, and your code is likely wrong in a way that is totally fixable.

Step 11: Validate Service Registration

After microservices start, they should:

  • Register themselves with Nacos
  • Appear in Nacos service list
  • Be discoverable by other services

To validate:

  • Check Nacos UI (if accessible internally) or logs
  • Look for your service name under registered services
  • Confirm instances and healthy status

If registration fails, common causes include:

  • Microservice can’t reach Nacos (security group or routing issue)
  • Nacos address configured incorrectly (wrong port, wrong IP)
  • Namespace/group mismatch between client and Nacos config
  • Credentials mismatch (if Nacos is secured)

Step 12: Validate Configuration Fetching

Nacos can store configuration and distribute it to clients. Validate that your microservice:

  • Loads configuration at startup
  • Updates if configuration changes (depending on polling or push mechanism)

Typical validation flow:

  • Create a configuration item in Nacos with the correct Data ID and group.
  • Ensure your microservice expects that Data ID pattern.
  • Restart or trigger refresh and confirm updated values.

If your microservice loads the default config but not your Nacos changes, you’re probably using the wrong Data ID, wrong group, or wrong namespace. Or you accidentally set “config type” to something incompatible (YAML when you provided JSON, etc.). Nacos is helpful, but it can’t read your mind like a magical oracle.

Tencent Cloud KYC Verification Hardening: Enable HTTPS (Optional But Sensible)

If you expose Nacos only within the VPC, HTTPS might still be valuable, especially if there’s any chance of traffic crossing untrusted boundaries or you’re enforcing security policies. You can place a reverse proxy (like Nginx or a load balancer) in front of Nacos and terminate TLS there. This also helps centralize certificate management.

In a VPC environment, you’d typically:

  • Assign a private load balancer (if you use one)
  • Configure listeners for 443 and forward to Nacos (8848)
  • Use security groups so only the load balancer can access Nacos ports

Then microservices still talk to Nacos through the internal endpoint, now over HTTPS.

Hardening: Limit Exposure and Use Private Endpoints

One of the best practices is to avoid public internet exposure of Nacos. You can keep Nacos reachable only inside your VPC by:

  • Restricting security group inbound rules to VPC internal sources
  • Not assigning public IPs to Nacos ECS instances (or disabling public access)
  • Using a private DNS record instead of public IPs

Because the goal is: only your services should use Nacos, not every wandering bot on the planet with free time.

Hardening: Consider Nacos Authentication and RBAC

Depending on your Nacos version and configuration, you may be able to enable authentication for Nacos UI and APIs. If you run Nacos in a locked-down VPC, this might feel optional, but it’s still a useful security layer, especially if any internal users or automation pipelines are involved.

Even inside a VPC, “internal” doesn’t mean “safe.” It means “private”—which is still a place where humans exist, and humans occasionally paste credentials into chat messages.

Scaling Nacos: From One Node to a Cluster

If you move to a cluster, the main idea is to run multiple Nacos nodes with shared MySQL storage. Clients typically connect to one of them (or you configure load balancing), and the system works with coordinated metadata.

Key steps (conceptual):

  • Choose cluster mode settings in Nacos configuration
  • Assign unique instance IDs per node
  • Ensure each node can reach MySQL
  • Allow inbound ports between load balancer (if used) and Nacos nodes
  • Validate that clients can reach at least one node successfully

You may also consider using a load balancer in front of the Nacos cluster so microservices have a stable endpoint. This reduces the temptation to hardcode individual node IPs, which is how you end up with microservices that only work as long as nobody replaces a VM.

Backups: Don’t Trust “It’s Fine”

Nacos mostly persists its important state into MySQL. That means your backup strategy mainly belongs to MySQL. Still, you should also consider:

  • Backing up Nacos configuration and logs (for diagnosis)
  • Using snapshots or automated backups for MySQL
  • Testing restore procedures

Backups that are never tested are like smoke detectors that only beeps during birthdays. You’ll learn about the failure mode at the worst possible time.

Observability: Logs, Metrics, and “Where Did My Config Go?”

To operate well, you’ll want visibility into:

  • Nacos health and startup logs
  • MySQL connectivity errors
  • Request latency and error rates (if available)
  • Service registration events and client heartbeat issues

Many organizations integrate Nacos with logging aggregation and monitoring tools. If you don’t have that yet, start simple:

  • Tail logs when deploying
  • Store logs centrally if possible
  • Document the location of logs and configuration files

Future you will love you. Present you will write down one more thing and suddenly feel like a responsible adult.

Troubleshooting: Common Problems and How to Spot Them

Problem 1: Microservice Can’t Reach Nacos

Symptoms:

  • Client logs show connection timeouts
  • No services appear in Nacos

Likely causes:

  • Security group inbound rules missing for Nacos port
  • Security group outbound rules blocking traffic
  • Wrong Nacos address or port in microservice config
  • Network routing issue between subnets

What to do:

  • From a microservice host, try reaching Nacos port using telnet/nc/curl-like tools
  • Verify Nacos listens on the expected interface (private IP)
  • Check that security group allows the microservice security group as source

Problem 2: Nacos Fails to Start or Repeatedly Reconnects to MySQL

Symptoms:

  • Nacos logs indicate database connection errors
  • Service registry UI might show partial or no data

Likely causes:

  • Incorrect database URL or credentials
  • MySQL user lacks permissions
  • MySQL isn’t reachable due to security group rules
  • Missing schema initialization (if required)

What to do:

  • Verify MySQL connectivity from Nacos instance
  • Confirm database exists and user credentials match
  • Double-check Nacos storage configuration keys
  • Review logs for the exact error message

Problem 3: Services Register, But Health Status Looks Wrong

Symptoms:

  • Instances show as unhealthy or failing heartbeats
  • Tencent Cloud KYC Verification Requests to services fail

Likely causes:

  • Wrong service port or context path in registration metadata
  • Microservice heartbeat interval settings mismatched
  • Application can’t be reached by other services due to security rules

What to do:

  • Tencent Cloud KYC Verification Confirm the application’s listening address and port
  • Ensure application security group allows inbound from service discovery callers
  • Verify client registration properties are correct

Problem 4: Configuration Doesn’t Update (Or Clients Keep Using Old Values)

Symptoms:

  • You update config in Nacos, but microservices don’t change
  • Restart doesn’t even help (which is extra annoying)

Likely causes:

  • Wrong Data ID or group/namespace mapping
  • Config type mismatch (YAML/JSON/properties)
  • Client-side refresh settings not enabled
  • Caching behavior in the client framework

What to do:

  • Confirm Data ID and group match exactly what the client expects
  • Check client logs for config fetch attempts
  • Verify refresh mechanism settings

Operational Checklist (The “Print and Tape to the Monitor” List)

Before you declare victory, check:

  • Nacos instances are running and listening on expected ports
  • Nacos can connect to MySQL and uses the correct schema
  • Tencent Cloud KYC Verification Security groups allow application-to-Nacos and Nacos-to-MySQL traffic
  • Microservices can reach Nacos endpoint and successfully register
  • Microservices can fetch configuration from Nacos
  • You have a basic log/metrics strategy and can locate errors quickly
  • Backup plan exists for MySQL (and ideally you’ve tested restore)

Yes, this list is long. That’s because you’re building a control plane, not a houseplant.

Example Deployment Patterns (Pick the One That Fits Your Team)

Pattern A: ECS + Nacos + TencentDB MySQL

This is the classic combo: Nacos and microservices on ECS, storage on TencentDB. It’s generally simple and reliable. Networking inside VPC usually works smoothly when security groups are correct.

Pattern B: Kubernetes + Nacos + External MySQL

If you run microservices on Kubernetes, you might deploy Nacos as a service in the cluster. Use a persistent or external database, and configure network policies and ingress rules. This pattern is great once you have Kubernetes maturity.

Pattern C: ECS + Nacos Cluster + Private Load Balancer

For higher availability, deploy multiple Nacos nodes and place a private load balancer in front. Microservices use a stable endpoint, and you can replace nodes without rewriting every client config like it’s a game of whack-a-mole.

Frequently Asked Questions (Because Someone Will Ask Anyway)

Do I really need VPC? Can I just use public IPs?

Tencent Cloud KYC Verification You can, but you probably shouldn’t. Public exposure increases security risk and complicates firewall and routing. VPC keeps your traffic local and your life less dramatic.

Is MySQL mandatory?

Nacos needs a persistent storage engine. MySQL is a common choice. Alternative storage options exist depending on Nacos version and configuration, but MySQL is widely supported.

How do I choose HTTP vs HTTPS for Nacos?

Tencent Cloud KYC Verification Start with HTTP if you just want to get things working quickly in a controlled environment, then move to HTTPS if security requirements demand it. If you’re already dealing with strict compliance, start with HTTPS and a proper certificate plan.

Tencent Cloud KYC Verification Closing Thoughts: You’re Not Just Deploying Nacos, You’re Deploying Confidence

Deploying Nacos on Tencent Cloud VPC is a practical way to build a reliable service registry and configuration center for your microservices. Once the network rules are correct and MySQL persistence is properly wired, your environment becomes much easier to manage. You’ll spend less time manually editing configuration files on servers and more time building features.

And when something goes wrong—and it will—you’ll have a structured checklist, clear separation of network responsibilities, and log-based troubleshooting instincts. In other words, you’ll be prepared for the moment when a security group denies traffic like a suspicious bouncer at a club called “Ports Are Not Optional.”

Happy deploying. May your ports be open, your DNS be resolvable, and your Nacos stay healthy longer than your patience during firewall configuration.

TelegramContact Us
CS ID
@cloudcup
Contact
TelegramSupport
CS ID
@yanhuacloud
Contact