Use route maps to allow specified VPCs to communicate with each other - Cloud Enterprise Network

This topic describes how to configure route maps to allow specified virtual private clouds (VPCs) that are attached to a Cloud Enterprise Network (CEN) instance to communicate with each other. This improves the network security. We recommend that you use this method to manage routes in CEN instances.

Prerequisites

Before you configure route maps, make sure that the following conditions are met:

A CEN instance is created. For more information, see Create a CEN instance.
Network instances that need to communicate with each other are attached to the same CEN instance. For more information, see Attach networks.
A bandwidth plan is purchased and the bandwidth for cross-region connections is allocated. For more information, see Purchase a bandwidth package and Configure a cross-region connection bandwidth.

Background information

By default, VPCs that are attached to a CEN instance can communicate with other network instances that are attached to the same CEN instance. These network instances are VPCs, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances. If you have a large number of VPCs, VBRs, and CCN instances attached to a CEN instance, it is difficult to manage the connections. In this case, we recommend that you configure low-priority route maps to forbid all the attached network instances to communicate with each other. Then, configure high-priority route maps to allow only specified network instances to communicate with each other. Architecture diagram 1.1

The VPCs in the preceding figure are attached to a CEN instance. VPC 1 and VPC 2 are deployed in the China (Hong Kong) region, and VPC 3 is deployed in the Germany (Frankfurt) region. By default, VPC 1, VPC 2, and VPC 3 can communicate with each other. To facilitate network management and maintenance in case you want to expand the network, you can use route maps to allow specified VPCs to communicate with each other. To perform this task, you can configure low-priority route maps to block routes from the China (Hong Kong) regional gateways and the Germany (Frankfurt) regional gateway. This forbids VPC 1, VPC 2, and VPC 3 to communicate with each other. Then, configure high-priority route maps to allow VPC 1 and VPC 3 to communicate with each other.

CIDR blocks

The following table describes the CIDR blocks of VPC 1, VPC 2, and VPC 3.


Network instance	CIDR block	ECS instance IP address
VPC1	VPC 1: 10.0.0.0/8 VSwitch 1: 10.0.1.0/24 VSwitch 2: 10.0.2.0/24	ECS 1: 10.0.1.95 ECS 2: 10.0.2.120
VPC2	VPC 2: 172.16.0.0/12 VSwitch: 172.16.1.0/24	ECS: 172.16.1.80
VPC3	VPC 3: 192.168.0.0/16 VSwitch: 192.168.1.0/24	ECS: 192.168.1.151

Step 1: Configure route maps to block routes from the regional gateways to all network instances

Perform the following operations to configure route maps to block routes from the regional gateways deployed in the China (Hong Kong) and Germany (Frankfurt) regions to VPC 1, VPC 2, and VPC 3:

Log on to the CEN console.
In the left-side navigation pane, click Instances.
On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
On the CEN page, click the Route Maps tab and then click Add Route Map.
In the Add Route Map panel, set the following parameters and click OK to add a route map for the regional gateway deployed in the Germany (Frankfurt) region:
- Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 100 is entered.
- Description: Enter a description for the route map. This parameter is optional. In this example, All VPCs in the Germany (Frankfurt) region deny routes from the regional gateway is entered.
- Region: Select the region to which the route map is applied. In this example, Germany (Frankfurt) is selected.
- Transmit Direction: Select the direction of the route map. In this example, Import to Regional Gateway is selected.
- Match Conditions: Set the match conditions of routes. In this example, VPC is specified as Destination Instance Type.
- Action Policy: Select the action that you want to perform to a route if the route meets all match conditions. In this example, Deny is selected.
On the Add Route Map page, set the following parameters and click OK to add a route map for the regional gateway in the China (Hong Kong) region:
- Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 100 is entered.
- Description: Enter a description for the route map. This parameter is optional. In this example, All VPCs in the China (Hong Kong) region deny routes from the regional gateway is entered.
- Region: Select the region to which the route map is applied. In this example, China (Hong Kong) is selected.
- Transmit Direction: Select the direction of the route map. In this example, Import to Regional Gateway is selected.
- Match Conditions: Set the match conditions of routes. In this example, VPC is specified as Destination Instance Type.
- Action Policy: Select the action that you want to perform to a route if the route meets all match conditions. In this example, Deny is selected.
After you add the route maps, navigate to the Routes tab. You can find that VPC 1, VPC 2, and VPC 3 have denied routes from the regional gateways. The following figure shows that VPC 1 has denied routes from the regional gateways.

Step 2: Configure a route map that allows VPC 1 to permit routes from VPC 3

Perform the following operations to allow VPC 1 to permit routes from VPC 3:

In the left-side navigation pane, click Instances.
On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
On the CEN page, click the Route Maps tab, and then click Add Route Map.
In the Add Route Map panel, set the following parameters and click OK to create a route map:
- Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 50 is entered.
- Description: Enter a description for the route map. This parameter is optional. In this example, Allow VPC 1 to permit routes from VPC 3 is entered.
- Region: Select the region to which the route map is applied. In this example, China (Hong Kong) is selected.
- Transmit Direction: Select the direction of the route map. In this example, Import to Regional Gateway is selected.
- Match Condition: Set the match conditions of routes. In this example, the following match conditions are set:
  - Source Region: Germany (Frankfurt) is selected.
  - Source Instance IDs: The ID of VPC 3 is selected.
  - Target Instance IDs: The ID of VPC 1 is selected.
- Action Policy: Select the action that you want to perform to a route if the route meets all match conditions. In this example, Permit is selected.
After you add the route map, navigate to the Routes tab. You can check whether VPC 1 has permitted routes from VPC 3.

Step 3: Configure a route map that allows VPC 3 to permit routes from VPC 1

Perform the following operations to allow VPC 3 to permit routes from VPC 1:

In the left-side navigation pane, click Instances.
On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
On the CEN page, click the Route Maps tab and then click Add Route Map.
On the Add Route Map page, set the following parameters and click OK to create a route map:
- Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 50 is entered.
- Description: Enter a description for the route map. This parameter is optional. In this example, Allow VPC 3 to permit routes from VPC 1 is entered.
- Region: Select the region to which the route map is applied. In this example, Germany (Frankfurt) is selected.
- Transmit Direction: Select the direction of the route map. In this example, Import to Regional Gateway is selected.
- Match Conditions: Set the match conditions of routes.
  - Source Region: China (Hong Kong) is selected.
  - Source Instance IDs: The ID of VPC 1 is selected.
  - Target Instance IDs: The ID of VPC 3 is selected.
- Action Policy: Select the action that you want to perform to a route if the route meets all match conditions. In this example, Permit is selected.
After you add the route map, navigate to the Routes tab. You can check whether VPC 3 has permitted routes from VPC 1.

Step 4: Test the connectivity

Perform the following operations to test the connectivity between the VPCs:

Log on to ECS 1 in VPC 1.
Run the ping command to ping the IP address of the ECS instance in VPC 3 to test the connectivity.
The result shows that VPC 1 can access the ECS instance in VPC 3. This indicates that VPC 1 and VPC 3 can communicate with each other.
Log on to the ECS instance in VPC 2.
Run the ping command to ping the IP address of ECS 1 in VPC 1 to test the connectivity.
The result shows that VPC 2 fails to access VPC 1. This indicates that VPC 1 and VPC 2 cannot communicate with each other.
Log on to the ECS instance in VPC 3.
Run the ping command to ping the IP address of the ECS instance in VPC 2 to test the connectivity.
The result shows that VPC 3 fails to access VPC 2. This indicates that VPC 2 and VPC 3 cannot communicate with each other.