Cloud Enterprise Network:Use routing policies to allow specified VPCs to communicate with each other

Last Updated:Feb 22, 2024

This topic describes how to configure routing policies so that only specified virtual private clouds (VPCs) attached to the same Cloud Enterprise Network (CEN) instance can communicate with each other. Restricting which routes each VPC accepts limits reachability between the attached network instances and improves network security. We recommend that you use this method to manage the routes of CEN instances.

Prerequisites

Note

This feature is supported only by Basic Edition transit routers.

Background information

By default, VPCs that are attached to a CEN instance can communicate with all other network instances that are attached to the same CEN instance. These network instances are VPCs, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances. If a large number of VPCs, VBRs, and CCN instances are attached to a CEN instance, this full-mesh connectivity is difficult to manage and exposes every instance to every other one. In this case, we recommend that you configure low-priority routing policies that reject all routes to the attached network instances, and then configure high-priority routing policies that allow only specified network instances to exchange routes. A smaller priority value indicates a higher priority, and the highest-priority policy that matches a route determines whether the route is accepted. Because each VPC must learn the other VPC's route for traffic to flow in both directions, an allow policy is required in each region of a permitted pair. Routing policies control only which routes are propagated; security groups and network ACLs still filter the traffic that flows over the routes you allow.

[Figure: Communication between specified VPCs]

As shown in the preceding figure, VPC1 and VPC2 are deployed in the China (Hong Kong) region, and VPC3 is deployed in the Germany (Frankfurt) region. The VPCs are attached to the same CEN instance. By default, VPC1, VPC2, and VPC3 can communicate with each other. As your network grows, you can add a low-priority routing policy in each region that rejects all routes that the transit routers in the China (Hong Kong) and Germany (Frankfurt) regions advertise to VPC1, VPC2, and VPC3. This isolates the three VPCs from each other. Then, you can add higher-priority routing policies that allow only VPC1 and VPC3 to exchange routes.

Subnetting

The following table describes the CIDR blocks of VPC1, VPC2, and VPC3.

Network instance   CIDR block                  ECS instance IP address
VPC1               VPC1: 10.0.0.0/8            ECS1: 10.0.1.95
                   vSwitch1: 10.0.1.0/24       ECS2: 10.0.2.120
                   vSwitch2: 10.0.2.0/24
VPC2               VPC2: 172.16.0.0/12         ECS: 172.16.1.80
                   vSwitch: 172.16.1.0/24
VPC3               VPC3: 192.168.0.0/16        ECS: 192.168.1.151
                   vSwitch: 192.168.1.0/24

Step 1: Add routing policies that reject the routes that CEN transit routers advertise to the attached network instances

Perform the following steps to add routing policies that reject all routes that the transit routers in the China (Hong Kong) and Germany (Frankfurt) regions advertise to VPC1, VPC2, and VPC3.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the instance details page, click the ID of the transit router in the region in which you want to create a routing policy.

  4. On the details page of the transit router, click the Route Table tab and click Routing Policies.

  5. On the Routing Policies tab, click Add Routing Policy. Add a routing policy for the transit router in the Germany (Frankfurt) region based on the following information and click OK:

    • Routing Policy Priority: Enter a priority value for the routing policy. A smaller value indicates a higher priority. In this example, 100 is entered.

    • Description: Enter a description for the routing policy. This parameter is optional. In this example, VPCs in the Germany (Frankfurt) region reject routes from the transit router is entered.

    • Region: Select the region to which you want to apply the routing policy. In this example, Germany (Frankfurt) is selected.

    • Policy Direction: Select the direction in which you want to apply the routing policy. In this example, Egress Regional Gateway is selected.

    • Match Conditions: Configure match conditions for the routing policy. In this example, Destination Instance Type is set to VPC.

    • Action Policy: Select the action that you want to perform on routes that meet the match conditions. In this example, Reject is selected.

  6. Click Add Routing Policy again, add a routing policy for the transit router in the China (Hong Kong) region based on the following information, and click OK:

    • Routing Policy Priority: Enter a priority value for the routing policy. A smaller value indicates a higher priority. In this example, 100 is entered.

    • Description: Enter a description for the routing policy. This parameter is optional. In this example, VPCs in the China (Hong Kong) region reject routes from the transit routers is entered.

    • Region: Select the region to which you want to apply the routing policy. In this example, China (Hong Kong) is selected.

    • Policy Direction: Select the direction in which you want to apply the routing policy. In this example, Egress Regional Gateway is selected.

    • Match Conditions: Configure match conditions for the routing policy. In this example, Destination Instance Type is set to VPC.

    • Action Policy: Select the action that you want to perform on routes that meet the match conditions. In this example, Reject is selected.

    After you add the two routing policies, go to the Network Routes tab and confirm that VPC1, VPC2, and VPC3 no longer accept routes from the transit routers in the China (Hong Kong) and Germany (Frankfurt) regions. The following figure shows that VPC1 rejects routes from both transit routers. [Figure: Routes of VPC1]

Step 2: Add a routing policy that allows VPC1 to accept routes from VPC3

Perform the following steps to allow VPC1 to accept routes from VPC3:

  1. In the left-side navigation pane, click Instances.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the instance details page, click the ID of the transit router in the region in which you want to create a routing policy.

  4. On the details page of the transit router, click the Route Table tab and click Routing Policies.

  5. On the Routing Policies tab, click Add Routing Policy. Set the following parameters and click OK:

    • Routing Policy Priority: Enter a priority value for the routing policy. A smaller value indicates a higher priority. In this example, 50 is entered.

    • Description: Enter a description for the routing policy. This parameter is optional. In this example, Allow VPC1 to accept routes from VPC3 is entered.

    • Region: Select the region to which you want to apply the routing policy. In this example, China (Hong Kong) is selected.

    • Policy Direction: Select the direction in which you want to apply the routing policy. In this example, Egress Regional Gateway is selected.

    • Match Conditions: Configure match conditions for the routing policy. In this example, the following match conditions are specified:

      • Source Region: Germany (Frankfurt) is selected.

      • Source Instance ID List: The ID of VPC3 is selected.

      • Destination Instance ID List: The ID of VPC1 is selected.

    • Action Policy: Select the action that you want to perform on routes that meet the match conditions. In this example, Allow is selected.

    After you add the routing policy, go to the Network Routes tab and confirm that VPC1 now accepts routes from VPC3. [Figure: VPC1 accepts routes from VPC3]

Step 3: Add a routing policy that allows VPC3 to accept routes from VPC1

Perform the following operations to allow VPC3 to accept routes from VPC1:

  1. In the left-side navigation pane, click Instances.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the instance details page, click the ID of the transit router in the region in which you want to create a routing policy.

  4. On the details page of the transit router, click the Route Table tab and click Routing Policies.

  5. On the Routing Policies tab, click Add Routing Policy. Set the following parameters and click OK:

    • Routing Policy Priority: Enter a priority value for the routing policy. A smaller value indicates a higher priority. In this example, 50 is entered.

    • Description: Enter a description for the routing policy. This parameter is optional. In this example, Allow VPC3 to accept routes from VPC1 is entered.

    • Region: Select the region to which you want to apply the routing policy. In this example, Germany (Frankfurt) is selected.

    • Policy Direction: Select the direction in which you want to apply the routing policy. In this example, Egress Regional Gateway is selected.

    • Match Conditions: Configure match conditions for the routing policy. In this example, the following match conditions are specified:

      • Source Region: China (Hong Kong) is selected.

      • Source Instance ID List: The ID of VPC1 is selected.

      • Destination Instance ID List: The ID of VPC3 is selected.

    • Action Policy: Select the action that you want to perform on routes that meet the match conditions. In this example, Allow is selected.

    After you add the routing policy, go to the Network Routes tab and confirm that VPC3 now accepts routes from VPC1. [Figure: VPC3 accepts routes from VPC1]
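The following Python model shows how the four policies from Steps 1 to 3 combine, and why the background information above requires an allow policy in each region. It is an added illustration, not Alibaba Cloud code: the Route and Policy types and the evaluate() function are assumptions of this example that mirror the console fields (priority, region, policy direction, match conditions, action); the regions, priorities, instance types, and VPC names are the ones used in this topic. Removing the Step 3 policy leaves VPC1 with a route to VPC3 but VPC3 without a route back, so the pair still cannot communicate.

```python
"""Model of how the routing policies in this topic are applied.

Added illustration, not Alibaba Cloud code: Route, Policy and evaluate() are
assumptions of this example that mirror the console fields. Evaluation order
follows the topic: a smaller priority value is matched first, and the first
matching policy decides the route."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple

HK, FRA = "China (Hong Kong)", "Germany (Frankfurt)"
VPC_REGION = {"VPC1": HK, "VPC2": HK, "VPC3": FRA}   # from the figure
EGRESS = "Egress Regional Gateway"


@dataclass(frozen=True)
class Route:
    """A route that a transit router is about to advertise to a VPC."""
    region: str          # region of the transit router applying the policy
    direction: str
    src_region: str      # region the route was learned from
    src_instance: str    # network instance that originated the route
    dst_instance: str    # network instance the route is advertised to
    dst_type: str        # "VPC", "VBR" or "CCN"


@dataclass(frozen=True)
class Policy:
    priority: int                  # smaller value = higher priority
    region: str
    direction: str
    action: str                    # "Allow" or "Reject"
    description: str = ""
    src_region: Optional[str] = None
    src_instances: FrozenSet[str] = frozenset()
    dst_instances: FrozenSet[str] = frozenset()
    dst_type: Optional[str] = None

    def matches(self, r: Route) -> bool:
        """Every configured match condition must hold; unset ones match all."""
        return (self.region == r.region and self.direction == r.direction
                and self.src_region in (None, r.src_region)
                and (not self.src_instances or r.src_instance in self.src_instances)
                and (not self.dst_instances or r.dst_instance in self.dst_instances)
                and self.dst_type in (None, r.dst_type))


def evaluate(policies: List[Policy], route: Route) -> str:
    """Action of the highest-priority matching policy; Allow if none matches,
    which is the CEN default (all attached instances can communicate)."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.matches(route):
            return p.action
    return "Allow"


# Step 1: priority-100 Reject in both regions for any route to a VPC.
# Steps 2 and 3: priority-50 Allow for VPC3 -> VPC1 and VPC1 -> VPC3.
TOPIC_POLICIES = [
    Policy(100, FRA, EGRESS, "Reject", "VPCs in Frankfurt reject routes", dst_type="VPC"),
    Policy(100, HK, EGRESS, "Reject", "VPCs in Hong Kong reject routes", dst_type="VPC"),
    Policy(50, HK, EGRESS, "Allow", "Allow VPC1 to accept routes from VPC3",
           src_region=FRA, src_instances=frozenset({"VPC3"}), dst_instances=frozenset({"VPC1"})),
    Policy(50, FRA, EGRESS, "Allow", "Allow VPC3 to accept routes from VPC1",
           src_region=HK, src_instances=frozenset({"VPC1"}), dst_instances=frozenset({"VPC3"})),
]


def route_learned(policies: List[Policy], src_vpc: str, dst_vpc: str) -> bool:
    """Does dst_vpc end up with a route to src_vpc's CIDR block?"""
    route = Route(region=VPC_REGION[dst_vpc], direction=EGRESS,
                  src_region=VPC_REGION[src_vpc], src_instance=src_vpc,
                  dst_instance=dst_vpc, dst_type="VPC")
    return evaluate(policies, route) == "Allow"


def reachability(policies: List[Policy]) -> Dict[Tuple[str, str], bool]:
    """Two VPCs can communicate only if each has learned the other's route;
    a one-way route lets packets out but leaves the reply with no path."""
    return {(a, b): route_learned(policies, a, b) and route_learned(policies, b, a)
            for a, b in combinations(sorted(VPC_REGION), 2)}


if __name__ == "__main__":
    for pair, ok in reachability(TOPIC_POLICIES).items():
        print(f"{pair[0]} <-> {pair[1]}: {'allowed' if ok else 'blocked'}")
    without_step3 = [p for p in TOPIC_POLICIES if not p.description.startswith("Allow VPC3")]
    print("Without Step 3, VPC1 learns VPC3:", route_learned(without_step3, "VPC3", "VPC1"),
          "/ VPC3 learns VPC1:", route_learned(without_step3, "VPC1", "VPC3"))
```

Run the file directly to print the reachability of each VPC pair; with all four policies only VPC1 and VPC3 are allowed, with no policies every pair is allowed, and with the Step 3 policy removed VPC1 still learns the route to VPC3 while VPC3 does not learn the route back.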

Step 4: Test the network connectivity

Perform the following steps to test the connectivity between the VPCs:

  1. Log on to ECS1 in VPC1.

  2. Run the ping command to ping the IP address of the ECS instance in VPC3 to test the connectivity.

    The result shows that ECS1 can access the ECS instance in VPC3. This indicates that VPC1 and VPC3 can communicate with each other. [Figure: Ping from VPC1 to VPC3]

  3. Log on to the ECS instance in VPC2.

  4. Run the ping command to ping the IP address of ECS1 in VPC1 to test the connectivity.

    The result shows that the ECS instance in VPC2 cannot access ECS1 in VPC1. This indicates that VPC1 and VPC2 cannot communicate with each other. [Figure: Ping from VPC2 to VPC1]

  5. Log on to the ECS instance in VPC3.

  6. Run the ping command to ping the IP address of the ECS instance in VPC2 to test the connectivity.

    The result shows that the ECS instance in VPC3 cannot access the ECS instance in VPC2. This indicates that VPC2 and VPC3 cannot communicate with each other. [Figure: Ping from VPC3 to VPC2]
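The manual test above checks three of the six directed paths. The following script, an added example that is not part of this topic or of Alibaba Cloud's tooling, runs on an ECS instance, derives the VPC it belongs to from the subnetting table, pings every other ECS instance in the table, and reports any path whose observed reachability differs from what the routing policies are meant to enforce. It assumes a Linux ECS instance (so ping -c 1 -W 2 is available) and that VPC1 and VPC3 form the only allowed pair, as configured in Steps 1 to 3; the VPC_CIDRS, ECS_IPS, and ALLOWED_PAIRS names are this example's own.

```python
"""On-host connectivity check for the subnetting table in this topic.

Added example, not Alibaba Cloud code. Assumes a Linux ECS instance in one of
the three VPCs and that VPC1 <-> VPC3 is the only allowed pair (Steps 1 to 3).
The CIDR blocks and ECS addresses are the ones from the subnetting table."""
import ipaddress
import subprocess
import sys
from typing import Callable, List

# CIDR blocks and ECS addresses from the subnetting table in this topic.
VPC_CIDRS = {
    "VPC1": ipaddress.ip_network("10.0.0.0/8"),
    "VPC2": ipaddress.ip_network("172.16.0.0/12"),
    "VPC3": ipaddress.ip_network("192.168.0.0/16"),
}
ECS_IPS = {
    "ECS1 (VPC1)": "10.0.1.95",
    "ECS2 (VPC1)": "10.0.2.120",
    "ECS (VPC2)": "172.16.1.80",
    "ECS (VPC3)": "192.168.1.151",
}
# VPC pairs that the routing policies allow to exchange routes. Every other
# pair must stay unreachable after Step 1.
ALLOWED_PAIRS = {frozenset({"VPC1", "VPC3"})}


def vpc_of(ip: str) -> str:
    """Map an IP address to the VPC whose CIDR block contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in VPC_CIDRS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any VPC of this topic")


def expected_reachable(src_ip: str, dst_ip: str) -> bool:
    """True if src and dst are in the same VPC or in an allowed VPC pair."""
    src, dst = vpc_of(src_ip), vpc_of(dst_ip)
    return src == dst or frozenset({src, dst}) in ALLOWED_PAIRS


def icmp_probe(dst_ip: str) -> bool:
    """Send one ICMP echo request with a 2 s timeout (Linux ping syntax)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", "2", dst_ip],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def check_from(my_ip: str, probe: Callable[[str], bool] = icmp_probe) -> List[str]:
    """Probe every other ECS instance from this host and return the paths whose
    observed reachability differs from the expected one. An empty list means
    the allow list is enforced, including the negative cases."""
    mismatches = []
    for label, ip in ECS_IPS.items():
        if ip == my_ip:
            continue
        expected = expected_reachable(my_ip, ip)
        observed = probe(ip)
        if observed != expected:
            mismatches.append(
                f"{vpc_of(my_ip)} -> {label} {ip}: expected "
                f"{'reachable' if expected else 'unreachable'}, observed "
                f"{'reachable' if observed else 'unreachable'}"
            )
    return mismatches


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_cen_routes.py <this ECS instance's private IP>")
    problems = check_from(sys.argv[1])
    for line in problems:
        print("MISMATCH:", line)
    sys.exit(1 if problems else 0)
```

Run it once on an ECS instance in each VPC, passing that instance's private IP address; a non-zero exit status on any host means a route is being accepted or rejected contrary to the policies, which is worth checking on the Network Routes tab before relying on the isolation.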