All Products
Search
Document Center

Virtual Private Cloud:VPC FAQ

Last Updated:Feb 23, 2024

This topic provides answers to some frequently asked questions about Virtual Private Cloud (VPC).

What is CIDR?

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and IP routing. Compared with the old system based on classes (Class A, Class B, Class C, ...), CIDR is a more efficient method to allocate IP addresses. For example, the IP addresses from 10.203.96.0 to 10.203.127.255 translate into the following CIDR block:

00001010.11001011.01100000.00000000 to 00001010.11001011.01111111.11111111, or 10.203.96.0/19.

When you create a VPC or a vSwitch, you must specify one or more CIDR blocks for the VPC.

What are the differences between a VPC and a classic network?

Differences between a VPC and a classic network:

  • A classic network is built on the public infrastructure of Alibaba Cloud. Services in a classic network are deployed and managed by Alibaba Cloud. A classic network is suitable for users that require simplified networking.

  • A VPC is an isolated virtual network that is built by users on Alibaba Cloud. VPCs are logically isolated from each other. You can customize the topology of a VPC and specify IP addresses in a VPC. VPCs are suitable for users who have high network security requirements and network management capabilities.

Do VPCs support VPN?

Yes, VPCs support VPN. For more information, see What is VPN Gateway?.

How do I specify a CIDR block for a VPC?

You can specify 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, or their subnets as the private CIDR block of the VPC. You can also specify a custom CIDR block. The subnet mask must be 8 to 28 bits in length.

For more information, see Create and manage a VPC.

How do I specify a CIDR block for a vSwitch?

Before you specify a CIDR block for a vSwitch, take note of the following limits:

  • The CIDR block of the vSwitch must fall within the CIDR block of the VPC to which the vSwitch belongs.

  • The subnet mask of the vSwitch must be 16 to 29 bits in length.

  • The CIDR block that you specify cannot be the same as or a subset of the CIDR block of an existing vSwitch.

  • The CIDR block that you specify cannot be the same as the destination CIDR block of a route in the VPC route table.

  • The CIDR block that you specify cannot contain the destination CIDR block of a route in the VPC route table. However, the CIDR block that you specify can be a subset of the destination CIDR block of a route in the VPC route table.

For more information, see Create and manage a vSwitch.

Can an ECS instance in the primary CIDR block of a VPC communicate with an ECS instance in the secondary CIDR block of the same VPC?

If the ECS instances are added to the same security group, and the network access control list (ACL) rules allow the ECS instances to access each other, the ECS instances can communicate with each other.

Can I disable the communication between an ECS instance in the primary CIDR block of a VPC and an ECS instance in the secondary CIDR block of same the VPC?

Yes, you can use one of the following methods to disable the communication between the ECS instances:

Does a CEN instance automatically add a route for the secondary CIDR block after I add a secondary CIDR block to a VPC?

If the VPC is attached to a CEN instance, after you add a secondary CIDR block to the VPC and create a vSwitch that belongs to the secondary CIDR block, the CEN instance automatically adds a route that specifies the CIDR block of the vSwitch as the destination CIDR block to the route table of the CEN instance.

Can an ECS instance in a classic network communicate with an ECS instance in the secondary CIDR block of a VPC if ClassicLink is enabled for the VPC?

No, secondary CIDR blocks do not support ClassicLink.

What is a user CIDR block?

By default, VPCs use 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 to forward private traffic. A user CIDR block refers to a custom CIDR block specified when you create a VPC other than the following CIDR blocks: 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, 169.254.0.0/16, and their subnets. An ECS instance or elastic network interface (ENI) can access the Internet in the following scenarios: The ECS instance is assigned a static public IP address, the ECS instance or ENI is associated with an elastic IP address (EIP), or DNAT IP mapping is configured for the ECS instance or ENI. In the preceding cases, if the ECS instance or ENI accesses CIDR blocks other than the preceding ones, the requests are forwarded to the Internet based on the public IP address.

You must set the destination of a request to the user CIDR block of the VPC to which the ECS instance or ENI belongs in the following scenario: You want the request whose destination is not one of the preceding default CIDR blocks to be forwarded based on the route table of a private network. The private network can be a VPC or a hybrid cloud built with VPN, Express Connect, or CEN. Then, requests that point to the user CIDR block are forwarded based on the route table instead of the public IP address.

For example, ECS 1 is assigned a static public IP address. When ECS 1 accesses the Alibaba Cloud International site (106.11.XX.XX), requests are forwarded based on the public IP address. If you want a request to be forwarded to ECS 2 based on a route table before the request is forwarded to the Internet based on the public IP address of ECS 2, you can specify 106.11.XX.XX/24 as the user CIDR block of the VPC to which ECS 1 belongs.

How do I configure a user CIDR block?

To configure a user CIDR block when you create a VPC, perform the following steps:

  • Call the CreateVpc operation to configure a user CIDR block for a VPC when you create the VPC. For more information, see CreateVpc.

  • Configure the user CIDR block for an existing VPC in the console. Make sure that the VPC uses a custom CIDR block as the IPv4 CIDR block. For more information about how to create a VPC with a custom IPv4 CIDR block, see Create a VPC and a vSwitch.

    After you configure a user CIDR block for the VPC, the user CIDR block is displayed on the details page of the VPC.用户网段

Can a VPC contain multiple vRouters?

No, each VPC can contain only one vRouter. Each vRouter can be associated with multiple route tables.

How many routes can I create in a route table?

By default, you can create up to 200 routes in a route table.

You can go to the Quota Management page to request a quota increase. For more information, see Manage service quotas.

How many vSwitches can I create in a VPC?

By default, you can create up to 150 vSwitches in a VPC.

You can go to the Quota Management page to request a quota increase. For more information, see Manage service quotas.

How many private IP addresses can be used by cloud services in each VPC?

Each VPC supports at most 300,000 private IP addresses. You cannot increase the quota.

If an ECS instance is assigned only one private IP address, the ECS instance uses one IP address. If multiple ENIs are attached to an ECS instance or an ENI that is associated with multiple IP addresses is attached to the ECS instance, the ECS instance can use multiple IP addresses. The number of IP addresses used by the ECS instance equals the sum of IP addresses that are associated with the ENIs.

Can ECS instances that belong to different vSwitches in the same VPC communicate with each other?

In the same VPC, ECS instances can communicate with each other if security group rules and network ACL rules allow them, regardless of whether the ECS instances belong to the same vSwitch.

Can different VPCs communicate with each other through private connections?

Yes. VPCs are logically isolated from each other. You can use Express Connect, VPN Gateway, or CEN to connect different VPCs. For more information, see Connect VPCs.

Do VPCs support Express Connect circuits?

You can connect a VPC to a data center through an Express Connect circuit. For more information, see Create and manage a dedicated connection over an Express Connect circuit.

Can a VPC access Internet services?

Yes, a VPC can access Internet services. You can use one of the following methods to enable the access:

  • Assign public IP addresses to the cloud resources in the VPC.

  • Associate EIPs with the cloud resources in the VPC.

  • Configure an Internet NAT gateway.

For more information, see Select a product to gain access to the Internet.

Can I access cloud resources in a VPC over the Internet?

Yes, you can access cloud resources in a VPC over the Internet by using one of the following methods:

  • Assign public IP addresses to the cloud resources in the VPC.

  • Associate EIPs with the cloud resources in the VPC.

  • Configure an Internet NAT gateway.

  • Configure Internet-facing Server Load Balancer (SLB) instances.

For more information, see Select a product to gain access to the Internet.

Can a VPC communicate with the classic network?

Yes, you can connect a VPC to the classic network by using one of the following methods:

  • Assign public IP addresses to ECS instances in the VPC. This allows the ECS instances to communicate with the cloud resources in the classic network over the Internet. For more information, see Select a product to gain access to the Internet.

  • Use the ClassicLink feature to establish low-latency and high-speed connections between ECS instances in a VPC and ECS instances in the classic network. For more information, see Overview of ClassicLink.