All Products
Search
Document Center

Cloud Enterprise Network:Disable communication among VPCs

Last Updated:Feb 22, 2024

This topic describes how to use routing policies to disable communication among virtual private clouds (VPCs) that are attached to the same Cloud Enterprise Network (CEN) instance.

Prerequisites

Note

This feature is supported only by Basic Edition transit routers.

Background information

By default, VPCs attached to a CEN instance can communicate with other VPCs, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances that are also attached to the CEN instance. In some scenarios, you may need to disable communication between VPCs, between a VPC and a VBR, or between a VPC and a CCN instance.限制VPC间互通

As shown in the preceding figure, VPC1, VPC2, and VPC3 are attached to the CEN instance. By default, VPC1, VPC2, and VPC3 can communicate with each other. If you do not want VPC1 and VPC2 to communicate with each other, you can use a routing policy to disable communication between them. After you add the routing policy, VPC1 and VPC2 can still communicate with VPC3.

Step 1: Add a routing policy that sets VPC2 to reject requests from VPC1

Perform the following steps to configure a routing policy that sets VPC2 to reject requests from VPC1:

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the instance details page, find the region where you want to add a routing policy and click the ID of the transit router in the region.

  4. On the details page of the transit router, click the Route Table tab and click Routing Policies.

  5. On the Routing Policies tab, click Add Routing Policy. Set the following parameters and click OK:

    • Routing Policy Priority: Enter a priority value for the routing policy. A smaller value indicates a higher priority. In this example, 20 is entered.

    • Region: Select the region to which you want to apply the routing policy. In this example, China (Hangzhou) is entered.

    • Policy Direction: Select the direction in which you want to apply the routing policy. In this example, Egress Regional Gateway is selected.

    • Match Conditions: Configure match conditions for the routing policy. In this example, the source instance ID is set to the ID of VPC2 and the destination instance ID is set to the ID of VPC1.

    • Action Policy: Select the action that you want to perform on routes that meet the match conditions. In this example, Reject is selected.

    After you add the routing policy, you can go to the Network Routes tab to check whether VPC2 rejects routes from VPC1.限制VPC间互通-策略1

Step 2: Add a routing policy that sets VPC1 to reject requests from VPC2

Perform the following steps to add a routing policy that sets VPC1 to reject requests from VPC2:

  1. In the left-side navigation pane, click Instances.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the instance details page, find the region where you want to add a routing policy and click the ID of the transit router in the region.

  4. On the details page of the transit router, click the Route Table tab and click Routing Policies.

  5. On the Routing Policies tab, click Add Routing Policy. Set the following parameters and click OK:

    • Routing Policy Priority: Enter a priority value for the routing policy. A smaller value indicates a higher priority. In this example, 50 is entered.

    • Region: Select the region to which you want to apply the routing policy. In this example, China (Hangzhou) is entered.

    • Policy Direction: Select the direction in which you want to apply the routing policy. In this example, Egress Regional Gateway is selected.

    • Match Conditions: Configure match conditions for the routing policy. In this example, the source instance ID is set to the ID of VPC1 and the destination instance ID is set to the ID of VPC2.

    • Action Policy: Select the action that you want to perform on routes that meet the match conditions. In this example, Reject is selected.

    After you add the routing policy, you can go to the Network Routes tab to check whether VPC1 rejects routes from VPC2.限制VPC间互通-策略2

Step 3: Test network connectivity

Perform the following steps to test the network connectivity between VPC1 and VPC2:

  1. Log on to ECS1 in VPC1.

  2. Run the ping command to ping the IP address of ECS2 in VPC2.

    The result shows that ECS1 cannot access ECS2.ECS1 to ECS2

  3. Log on to ECS2 in VPC2.

  4. Run the ping command to ping the IP address of ECS1 in VPC1.

    The result shows that ECS2 cannot access ECS1.ECS2 to ECS1

Perform the following steps to test the network connectivity between VPC1 and VPC3:

  1. Log on to ECS1 in VPC1.

  2. Run the ping command to ping the IP address of ECS3 instance in VPC3.

    The result shows that ECS1 can access ECS3.ECS2 to ECS3

  3. Log on to ECS3 in VPC3.

  4. Run the ping command to ping the IP address of ECS1 in VPC1.

    The result shows that ECS3 can access ECS1.ECS3实例可以正常访问ECS1实例

Perform the following steps to test the network connectivity between VPC2 and VPC3:

  1. Log on to ECS2 in VPC2.

  2. Run the ping command to ping the IP address of ECS3 instance in VPC3.

    The result shows that ECS2 can access ECS3.ECS2 to ECS3

  3. Log on to ECS3 in VPC3.

  4. Run the ping command to ping the IP address of ECS2 in VPC2.

    The result shows that ECS3 can access ECS2.ECS3实例可以正常访问ECS2实例