This topic describes how to use Cloud Enterprise Network (CEN) to mount a file system across accounts and regions.

Prerequisites

Background information

By default, a NAS file system can be mounted on an Elastic Compute Service (ECS) instance only if the instance and the file system are owned by the same Alibaba Cloud account. If you have multiple Alibaba Cloud accounts and need to allow mutual access between a file system and an ECS instance that are owned by different accounts, you must establish a connection between the virtual private clouds (VPCs) that host the file system and the ECS instance.

You can use CEN to connect the VPCs that are owned by different accounts. Then, you can mount a file system across accounts.

This topic describes how to attach VPC1, VPC2, and VPC3 that reside in different regions to a CEN instance. In this example, VPC1 and VPC3 are owned by Account A and VPC2 is owned by Account B. The following table lists the CIDR blocks that are allocated to the VPCs. You must make sure that the CIDR blocks do not overlap and that the security group rules allow mutual access between the VPCs.

| Item | VPC1 | VPC2 | VPC3 |
| --- | --- | --- | --- |
| Network instance CIDR block | VPC CIDR block: 192.168.0.0/16; vSwitch CIDR block: 192.168.0.0/24 | VPC CIDR block: 10.0.0.0/16; vSwitch CIDR block: 10.0.0.0/24 | VPC CIDR block: 172.16.0.0/16; vSwitch CIDR block: 172.16.0.0/24 |
| Network instance region | China (Guangzhou) | China (Guangzhou) | China (Ulanqab) |
| Network instance owner account | Account A | Account B | Account A |
| ECS instance IP address | 192.168.0.239 | 10.0.0.121 | 172.16.0.201 |

[Figure: Topology]
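
The address plan in the table above can be checked before any VPC is attached to the CEN instance. The following Python is an added example, not part of the original page or of any Alibaba Cloud tooling; the names PLAN, check_plan and peer_sources are assumptions made here, and the values are copied from the table.

```python
import ipaddress
from itertools import combinations

# Address plan copied from the table above (dictionary layout is an assumption).
PLAN = {
    "VPC1": {"vpc": "192.168.0.0/16", "vswitch": "192.168.0.0/24",
             "ecs": "192.168.0.239", "owner": "Account A", "region": "China (Guangzhou)"},
    "VPC2": {"vpc": "10.0.0.0/16", "vswitch": "10.0.0.0/24",
             "ecs": "10.0.0.121", "owner": "Account B", "region": "China (Guangzhou)"},
    "VPC3": {"vpc": "172.16.0.0/16", "vswitch": "172.16.0.0/24",
             "ecs": "172.16.0.201", "owner": "Account A", "region": "China (Ulanqab)"},
}


def check_plan(plan, cen_owner="Account A"):
    """Return (errors, needs_authorization, inter_region_pairs) for an address plan."""
    errors, nets = [], {}
    for name, item in plan.items():
        vpc = ipaddress.ip_network(item["vpc"])
        vsw = ipaddress.ip_network(item["vswitch"])
        nets[name] = vpc
        if not vsw.subnet_of(vpc):
            errors.append(f"{name}: vSwitch {vsw} is outside VPC {vpc}")
        if ipaddress.ip_address(item["ecs"]) not in vsw:
            errors.append(f"{name}: ECS {item['ecs']} is outside vSwitch {vsw}")
    # The page requires that the VPC CIDR blocks do not overlap.
    for a, b in combinations(plan, 2):
        if nets[a].overlaps(nets[b]):
            errors.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # VPCs owned by an account other than the CEN owner need the Step 2 authorization.
    needs_auth = [n for n, i in plan.items() if i["owner"] != cen_owner]
    # VPC pairs in different regions need the bandwidth plan and inter-region connection.
    inter_region = [(a, b) for a, b in combinations(plan, 2)
                    if plan[a]["region"] != plan[b]["region"]]
    return errors, needs_auth, inter_region


def peer_sources(plan, name):
    """CIDR blocks of the other VPCs: the sources that security group rules in `name` must allow."""
    return sorted(i["vpc"] for n, i in plan.items() if n != name)


if __name__ == "__main__":
    errors, needs_auth, inter_region = check_plan(PLAN)
    print("errors:", errors or "none")
    print("cross-account authorization needed for:", needs_auth)
    print("inter-region connection needed for:", inter_region)
    print("sources to allow in VPC2 security groups:", peer_sources(PLAN, "VPC2"))
```

An empty error list means the plan meets the no-overlap requirement; the other two results show which VPC needs the cross-account authorization and which VPC pairs depend on the inter-region connection.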

Step 1: Create a CEN instance

In this example, VPC2 within Account B is connected to the CEN instance within Account A to enable network communication among VPC1, VPC2, and VPC3. You must first use Account A to create a CEN instance.

  1. Log on to the CEN console with Account A.
  2. On the Instances page, click Create CEN Instance.
  3. In the Create CEN Instance panel, set the following parameters and click OK.
    • Name: Enter a name for the CEN instance.

      The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter.

    • Description: Enter a description for the CEN instance.

      The description must be 2 to 256 characters in length, and cannot start with http:// or https://. You can leave this parameter empty.

Step 2: Grant permissions to the accounts

Before you can connect VPC2 that belongs to Account B to the transit router that belongs to Account A, you must grant the required permissions to Account A. Otherwise, the transit router that belongs to Account A cannot connect to VPC2.

  1. Log on to the VPC console with Account B.
  2. In the top navigation bar, select the region where VPC2 is deployed. In this example, China (Guangzhou) is selected.
  3. On the VPCs page, find and click the ID of VPC2.
  4. Click the Authorize Cross Account Attach CEN tab. On the tab, click Authorize Cross Account Attach CEN.
  5. In the Attach to CEN dialog box, set the following parameters and click OK.
    • Peer Account UID: Enter the ID of the Alibaba Cloud account that owns the transit router.

      In this example, the ID of Account A is used.

    • Peer Account CEN ID: Enter the ID of the CEN instance to which the transit router belongs.

      In this example, the ID of the CEN instance created in Step 1 is used.

    • Payer: Select the account that pays the fees.
      • CEN Instance Owner: The owner of the transit router pays the connection fee and data transfer fee. This is the default value.
      • VPC Owner: The owner of the VPC pays the connection fee and data transfer fee.

      In this example, the default value is used.

      Note: If you use Basic Edition transit routers to connect VPCs, connections and data transfer are free of charge.

Step 3: Connect the VPCs to the transit router

After Account A is granted the required permissions, you must connect VPC1, VPC2, and VPC3 to the transit router that belongs to Account A. This enables network communication between the VPCs.

  1. Log on to the CEN console with Account A.
  2. On the Instances page, click the ID of the CEN instance created in Step 1.
  3. On the Basic Settings tab, click Add in the VPC section.
  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    • Network Type: Select the type of network instance that you want to attach.
    • Region: Select the region where the network instance is deployed.
    • Transit Router: The system automatically creates a transit router in the selected region.
    • Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs.
    • Networks: Select the ID of the network instance.
    The system connects VPC1, VPC2, and VPC3 to the transit router that belongs to Account A based on the preceding settings. The following table shows the settings of each VPC.
    | Parameter | VPC1 | VPC2 | VPC3 |
    | --- | --- | --- | --- |
    | Instance Type | VPC | VPC | VPC |
    | Region | China (Guangzhou) | China (Guangzhou) | China (Ulanqab) |
    | Resource Owner ID | Your Account | Different Account. If you select Different Account, you must enter the UID of Account B. | Your Account |
    | Networks | VPC1 | VPC2 | VPC3 |

    After the preceding steps are completed, VPC1, VPC2, and VPC3 automatically learn routes from each other. VPC1 and VPC2 can communicate with each other. Inter-region connections are established between VPC1 and VPC3, and between VPC2 and VPC3. By default, CEN provides 1 Kbit/s bandwidth for testing (IPv4 addresses). The bandwidth is used only for testing. It does not support inter-region connections.

Step 4: Purchase a bandwidth plan

To establish connections between VPC1 and VPC3, and between VPC2 and VPC3, you must purchase a bandwidth plan that supports inter-region connections.

  1. Log on to the CEN console with Account A.
  2. On the Instances page, click the ID of the CEN instance created in Step 1.
  3. On the details page of the CEN instance, choose Basic Settings > Bandwidth Plans, and click Purchase Bandwidth Plan(Subscription).
  4. Set the following parameters, click Buy Now, and then complete the payment.
    • CEN ID: Select the CEN instance for which you want to purchase a bandwidth plan.

      After you complete the payment, the bandwidth plan is automatically associated with the CEN instance.

      In this example, the CEN instance created in Step 1 is used.

    • Area A: Select one of the areas where you want to enable inter-region communication.

      In this example, Mainland China is selected.

      Note:
      • After you purchase a bandwidth plan, you cannot change the areas that you selected for the bandwidth plan.
      • For more information about the regions and areas that support bandwidth plans, see Work with a bandwidth plan.

    • Area B: Select the other area where you want to enable inter-region communication.

      In this example, Mainland China is selected.

    • Billing Method: The billing method of the bandwidth plan. Default value: Pay by Bandwidth.

      For more information, see Billing rules.

    • Bandwidth: Select a bandwidth value based on your business requirements. Unit: Mbit/s.

    • Bandwidth_package_name: Enter a name for the bandwidth plan.

    • Order time: Select a subscription duration for the bandwidth plan.

      You can select Auto-renewal to enable auto-renewal for the bandwidth plan.

    • Resource Group: Select the resource group to which the bandwidth plan belongs.

Step 5: Create inter-region connections

  1. Log on to the CEN console with Account A.
  2. On the Instances page, click the ID of the CEN instance created in Step 1.
  3. Navigate to the Basic Settings > Bandwidth Plans tab, and click Set Region Connection.
  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    • Instance Type: Select Inter-region Connection.

    • Region: Select one of the regions to be connected.

      In this example, China (Guangzhou) is selected.

    • Transit Router: The system automatically displays the ID of the transit router in the selected region.

    • Peer Region: Select the other region to be connected.

      In this example, China (Ulanqab) is selected.

    • Transit Router: The system automatically displays the ID of the transit router in the selected region.

    • Bandwidth Plan: Select a bandwidth plan that is associated with the CEN instance.

    • Bandwidth: Specify a bandwidth value for inter-region connections. Unit: Mbit/s.

Step 6: Test network connectivity

After you complete the preceding steps, VPC1, VPC2, and VPC3 can communicate with each other. This section shows how to test the network connectivity between the VPCs.

Note: In this example, the ECS instances in VPC1, VPC2, and VPC3 run the Alibaba Cloud Linux operating system. For more information about how to use the ping command on other operating systems, see the manual of the operating system that you use.
  1. Test the network connectivity between VPC1 and VPC2.
    1. Log on to the ECS instance that is deployed in VPC1. For more information, see Connection methods.
    2. On the ECS instance, run the ping command to test whether you can access the ECS instance in VPC2.
      ping <The IP address of the ECS instance in VPC2>

      The following echo reply packet indicates that VPC1 and VPC2 are connected.

      [Figure: VPC1 ping VPC2]
  2. Test the network connectivity between VPC1 and VPC3.
    1. Log on to the ECS instance in VPC3.
    2. On the ECS instance, run the ping command to test whether you can access the ECS instance in VPC1.
      # Set the ping packet size to 2,000 bytes to test the connectivity between VPC1 and VPC3 and confirm that the inter-region connection between them is established.
      ping <The IP address of the ECS instance in VPC1> -s 2000

      The following echo reply packet indicates that VPC1 and VPC3 are connected.

      [Figure: VPC3 ping VPC1]
  3. Test the network connectivity between VPC2 and VPC3.
    1. Log on to the ECS instance in VPC3.
    2. On the ECS instance, run the ping command to test whether you can access the ECS instance in VPC2.
      # Set the ping packet size to 2,000 bytes to test the connectivity between VPC2 and VPC3 and confirm that the inter-region connection between them is established.
      ping <The IP address of the ECS instance in VPC2> -s 2000

      The following echo reply packet indicates that VPC2 and VPC3 are connected.

      [Figure: VPC3 ping VPC2]

Step 7: Mount the file system

After you complete the preceding configurations, mount the file system on an ECS instance across accounts and regions.