This topic describes how to use route maps to disable intercommunication among virtual private clouds (VPCs) that are attached to a Cloud Enterprise Network (CEN) instance.

Prerequisites

A CEN instance is created. VPCs that you want to connect are attached to the CEN instance. For more information, see Create a CEN instance and Attach network instances to a CEN instance.

Background information

By default, a VPC attached to a CEN instance can communicate with another VPC, virtual border router (VBR), and cloud connect network (CCN) instance attached to the same CEN instance. However, you may want to disable the communication in some scenarios.

[Figure: Use route maps to disable intercommunication among VPCs]

As shown in the preceding figure, VPC 1, VPC 2, and VPC 3 are attached to the CEN instance. By default, VPC 1, VPC 2, and VPC 3 can communicate with each other. If you do not want VPC 1 and VPC 2 to communicate with each other, you can use route maps to disable the communication between them. After you add the route maps, VPC 1 and VPC 2 can still communicate with VPC 3.

Step 1: Configure a route map that sets VPC 2 to block requests from VPC 1

Perform the following operations to configure a route map that sets VPC 2 to block requests from VPC 1:

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the ID of the CEN instance.
  3. On the instance details page, find the region to which you want to add a route map and click the ID of the transit router deployed in the region.
  4. On the details page of the transit router, click the Route Table tab, and then click Route Maps.
  5. On the Route Maps page, click Add Route Map. Set the following parameters and click OK:
    • Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 20 is entered.
    • Region: Select the region to which the route map is applied. In this example, China (Hangzhou) is selected.
    • Transmit Direction: Select the direction of the route map. In this example, Export from Regional Gateway is selected.
    • Match Conditions: Set the match conditions of the route map. In this example, the source instance ID is set to the ID of VPC 2 and the destination instance ID is set to the ID of VPC 1.
    • Action Policy: Select the action that you want to perform on a route if the route meets all match conditions. In this example, Deny is selected.
    After you add the route map, go to the Routing Information tab and select a network instance in VPC 1. The route that forwards traffic from VPC 1 to VPC 2 is denied.

Step 2: Configure a route map that sets VPC 1 to block requests from VPC 2

Perform the following operations to configure a route map that sets VPC 1 to block requests from VPC 2:

  1. In the left-side navigation pane, click Instances.
  2. On the Instances page, find the CEN instance that you want to manage and click the ID of the CEN instance.
  3. On the instance details page, find the region to which you want to add a route map and click the ID of the transit router deployed in the region.
  4. On the details page of the transit router, click the Route Table tab, and then click Route Maps.
  5. On the Route Maps page, click Add Route Map. Set the following parameters and click OK:
    • Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 50 is entered.
    • Region: Select the region to which the route map is applied. In this example, China (Hangzhou) is selected.
    • Transmit Direction: Select the direction of the route map. In this example, Export from Regional Gateway is selected.
    • Match Conditions: Set the match conditions of the route map. In this example, the source instance ID is set to the ID of VPC 1 and the destination instance ID is set to the ID of VPC 2.
    • Action Policy: Select the action that you want to perform on a route if the route meets all match conditions. In this example, Deny is selected.
    After you add the route map, go to the Routing Information tab and select a network instance in VPC 2. The route that forwards traffic from VPC 2 to VPC 1 is denied.

Step 3: Test the connectivity

Perform the following operations to test the connectivity between VPC 1 and VPC 2:

  1. Log on to ECS 1 in VPC 1.
  2. Run the ping command to ping the IP address of ECS 2 in VPC 2 to test the connectivity.
    The result indicates that ECS 1 cannot access ECS 2.
  3. Log on to ECS 2 in VPC 2.
  4. Run the ping command to ping the IP address of ECS 1 in VPC 1 to test the connectivity.
    The result indicates that ECS 2 cannot access ECS 1.

Perform the following operations to test the connectivity between VPC 1 and VPC 3:

  1. Log on to ECS 1 in VPC 1.
  2. Run the ping command to ping the IP address of ECS 3 in VPC 3 to test the connectivity.
    The result indicates that ECS 1 can access ECS 3.
  3. Log on to ECS 3 in VPC 3.
  4. Run the ping command to ping the IP address of ECS 1 in VPC 1 to test the connectivity.
    The result indicates that ECS 3 can access ECS 1.

Perform the following operations to test the connectivity between VPC 2 and VPC 3:

  1. Log on to ECS 2 in VPC 2.
  2. Run the ping command to ping the IP address of ECS 3 in VPC 3 to test the connectivity.
    The result indicates that ECS 2 can access ECS 3.
  3. Log on to ECS 3 in VPC 3.
  4. Run the ping command to ping the IP address of ECS 2 in VPC 2 to test the connectivity.
    The result indicates that ECS 3 can access ECS 2.
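
The following added example (not part of the original topic and not Alibaba Cloud code) is a simplified model of Steps 1 to 3: it evaluates the two Deny route maps in priority order, derives each VPC's route table, and computes the ping results that Step 3 should produce. The instance IDs vpc-1, vpc-2, and vpc-3 are constructed placeholders, and the model assumes that a route matching no route map is permitted.

```python
from dataclasses import dataclass

# Constructed placeholder IDs; substitute the real instance IDs of VPC 1-3.
VPCS = ["vpc-1", "vpc-2", "vpc-3"]

@dataclass(frozen=True)
class RouteMap:
    priority: int      # lower value = higher priority
    source: str        # instance the route originates from
    destination: str   # instance the route is exported to
    action: str        # "Deny" or "Permit"

# The two route maps from Step 1 and Step 2 (Export from Regional Gateway).
STEP_1 = RouteMap(20, source="vpc-2", destination="vpc-1", action="Deny")
STEP_2 = RouteMap(50, source="vpc-1", destination="vpc-2", action="Deny")

def route_advertised(route_maps, source, destination):
    """First matching route map in priority order decides.
    Assumption: a route that matches no route map is permitted."""
    for rm in sorted(route_maps, key=lambda r: r.priority):
        if rm.source == source and rm.destination == destination:
            return rm.action == "Permit"
    return True

def route_tables(route_maps):
    """Map each VPC to the set of peer VPCs it has a route to."""
    return {dst: {src for src in VPCS
                  if src != dst and route_advertised(route_maps, src, dst)}
            for dst in VPCS}

def ping_matrix(route_maps):
    """A ping succeeds only if the request and the reply both have a route."""
    t = route_tables(route_maps)
    return {(a, b): b in t[a] and a in t[b]
            for a in VPCS for b in VPCS if a != b}

def one_way_routes(route_maps):
    """Pairs (a, b) where a has a route to b but b has none back to a."""
    t = route_tables(route_maps)
    return sorted((a, b) for a in VPCS for b in VPCS
                  if a != b and b in t[a] and a not in t[b])

if __name__ == "__main__":
    for label, maps in (("Step 1 only", [STEP_1]), ("Steps 1 and 2", [STEP_1, STEP_2])):
        blocked = sorted(pair for pair, ok in ping_matrix(maps).items() if not ok)
        print(f"{label}: ping blocked {blocked}, one-way routes {one_way_routes(maps)}")
```

In this model, the Step 1 route map alone already makes ping fail in both directions while VPC 2 still holds a route to VPC 1, so check the Routing Information tab for both VPCs rather than relying on the ping result alone.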