This topic provides answers to some frequently asked questions about Virtual Private Cloud (VPC).

What is CIDR?

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and IP routing. Compared with the old system based on Class A, Class B, and Class C networks, CIDR is a more efficient method to allocate IP addresses. For example, the IP addresses from 10.203.96.0 to 10.203.127.255 translate into the following CIDR block:

10.203.0110 0000.0000 0000 to 10.203.0111 1111.1111 1111, or 10.203.96.0/19.

When you create a VPC or a vSwitch, you must specify one or more CIDR blocks for the VPC.

What are the differences between a VPC and a classic network?

Differences between a VPC and a classic network:
  • A classic network is built on the public infrastructure of Alibaba Cloud. Services in a classic network are deployed and managed by Alibaba Cloud. A classic network is suitable for users that require simplified networking.
  • A VPC is an isolated virtual network built by users on Alibaba Cloud. VPCs are logically isolated from each other. You can customize the topology of a VPC and specify the IP addresses in a VPC. VPCs are suitable for users who have high network security requirements and network management capabilities.

Do VPCs support VPN?

Yes, VPCs support VPN. For more information, see VPN gateways.

How do I specify a CIDR block for a VPC?

You can specify 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, one of their subnets, or a custom CIDR block as the private CIDR block a VPC. The subnet mask must be 8 to 24 bits in length.

For more information, see Work with VPCs.

How do I specify a CIDR block for a vSwitch?

Before you specify a CIDR block for a vSwitch, take note of the following items:
  • The CIDR block of a vSwitch must fall within the CIDR block of the VPC to which the vSwitch belongs.
  • The subnet mask of the vSwitch must be 16 to 29 bits in length.
  • The CIDR block that you specify cannot be the same as or a subset of the CIDR blocks of the existing vSwitches.
  • The CIDR block that you specify cannot be the same as the destination CIDR blocks of the route entries in the VPC.
  • The CIDR block that you specify cannot contain the destination CIDR blocks of the route entries in the VPC. However, the CIDR block that you specify can be a subset of the destination CIDR blocks of the route entries in the VPC.

For more information, see Work with vSwitches.

Can an Elastic Compute Service (ECS) instance in the primary CIDR block of a VPC communicate with an ECS instance in the secondary CIDR block of the same VPC?

If the ECS instances are added to the same security group, and the network access control list (ACL) rules allow the ECS instances to access each other, the ECS instances can communicate with each other.

Can I disable the communication between an ECS instance in the primary CIDR block of a VPC and an ECS instance in the secondary CIDR block of the same VPC?

To disable the communication, perform one of the following operations:

Does a Cloud Enterprise Network (CEN) instance automatically add a route for a secondary CIDR block after I add the secondary CIDR block to a VPC?

If the VPC is associated with a CEN instance, after you add a secondary CIDR block to the VPC and create a vSwitch that belongs to the secondary CIDR block, the CEN instance automatically adds a route that specifies the CIDR block of the vSwitch as the destination CIDR block to the route table of the CEN instance.

Can an ECS instance in a classic network communicate with an ECS instance in the secondary CIDR block of a VPC if ClassicLink is enabled for the VPC?

No, secondary CIDR blocks do not support ClassicLink.

What is a customer CIDR block?

By default, a VPC uses 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, and the CIDR block of the VPC for private network communication. An ECS instance or an elastic network interface (ENI) can access the Internet in the following scenarios: The ECS instance is assigned a public IP address, an elastic IP address (EIP) is associated with the ECS instance or ENI, or DNAT IP mapping is configured for the ECS instance or ENI. In these scenarios, when the ECS instance or ENI accesses CIDR blocks other than the preceding ones, the requests are forwarded to the Internet through the public IP address.

You must set the destination of a request to the customer CIDR block of the VPC to which the ECS instance or ENI belongs in the following scenario: You want the request to be forwarded based on the route table of a private network. The private network can be a VPC, a hybrid cloud built with VPN, Express Connect, or CEN. Then, requests that point to the customer CIDR block are forwarded based on the route table instead of the public IP address.

For example, ECS 1 is assigned a public IP address. When ECS 1 accesses the Alibaba Cloud International site (106.11.XX.XX), requests are automatically forwarded through the public IP address. If you want a request to be forwarded to ECS 2 before the request is forwarded to the Internet, perform the following operation: Specify 106.11.XX.XX/24 as the customer CIDR block of the VPC to which ECS 1 belongs.This way, the public IP address of ECS 2 is used to access the Internet.

How do I configure a customer CIDR block?

You can configure a customer CIDR block when you create a VPC or for an existing VPC. You can perform the following operations based on one of these two scenarios:

  • Call the CreateVpc operation to configure a customer CIDR block for a new VPC. For more information, see CreateVpc.
  • Configure the customer CIDR block of an existing VPC by using the console. Make sure that the VPC uses a custom CIDR block as the IPv4 CIDR block.
    After you configure a customer CIDR block for the VPC, the customer CIDR block is displayed on the details page of the VPC. The customer CIDR block

Can a VPC have multiple vRouters?

No, each VPC can have only one vRouter. However, each vRouter can be associated with multiple route tables.

How many route entries can I create in a route table?

By default, you can create at most 200 route entries in a route table.

You can go to the Quota Management page to request a quota increase. For more information, see Manage resource quotas.

How many vSwitches can I create in a VPC?

By default, you can create at most 150 vSwitches in a VPC.

You can go to the Quota Management page to request a quota increase. For more information, see Manage resource quotas.

How many private IP addresses can be used by cloud services in each VPC?

In each VPC, cloud services can use a maximum of 60,000 private IP addresses. You cannot increase the quota.

For example, if an ECS instance is assigned only one private IP address, the ECS instance uses one IP address. If multiple ENIs are attached to an ECS instance or an ENI that is associated with multiple IP addresses is attached to the ECS instance, the ECS instance can use multiple IP addresses. The number of IP addresses used by the ECS instance equals the sum of IP addresses that are associated with the ENIs.

Can ECS instances that belong to the same VPC but different vSwitches communicate with each other?

In the same VPC, ECS instances can communicate with each other if security group rules and network ACL rules allow them to do so, regardless of whether the ECS instances belong to the same vSwitch.

Can different VPCs communicate with each other through private connections?

Yes, you can use Express Connect, VPN Gateway, or CEN to connect VPCs. VPCs are logically isolated from each other. For more information, see Connect VPCs.

Do VPCs support Express Connect circuits?

Yes, you can connect a VPC to a data center through Express Connect circuits. For more information, see Create a dedicated connection over an Express Connect circuit.

Can VPCs access Internet services?

Yes, you can allow a VPC to access Internet services by using one of the following methods:

  • Assign public IP addresses to the cloud resources in the VPC
  • Associate EIPs with the cloud resources in the VPC
  • Configure an Internet NAT gateway

For more information, see Select a product to gain access to the Internet.

Can I access cloud resources in a VPC over the Internet?

Yes, you can access cloud resources in a VPC over the Internet by using one of the following methods:

  • Assign public IP addresses to the cloud resources in the VPC
  • Associate EIPs with the cloud resources in the VPC
  • Configure an Internet NAT gateway
  • Configure Internet-facing Server Load Balancer (SLB) instances

For more information, see Select a product to gain access to the Internet.

Can a VPC communicate with a classic network?

Yes, you can establish the communication by using one of the following methods:
  • Assign a public IP address to an ECS instance in the VPC. This allows the ECS instance to communicate with the cloud resources in the classic network over the Internet. For more information, see Select a product to gain access to the Internet.
  • Use the ClassicLink feature to establish low-latency and high-speed connections between ECS instances in a VPC and ECS instances in a classic network. For more information, see Overview.