This topic provides answers to some frequently asked questions about Virtual Private Cloud (VPC).

What is CIDR?

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing IP packets. Compared with the older class-based system (Class A, Class B, Class C, ...), CIDR allocates IP addresses more efficiently because a network prefix can be any number of bits rather than a multiple of 8. For example, the IP addresses from 10.203.96.0 to 10.203.127.255 translate into the following CIDR block:

10.203.0110 0000.0000 0000 to 10.203.0111 1111.1111 1111 in binary. The first 19 bits are identical in every address of the range and the remaining 13 bits run from all zeros to all ones, so the range is exactly 10.203.96.0/19.
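The conversion above, as an added example that is not part of the original FAQ: the shared-prefix count is computed directly from the bits, and the standard library's summarize_address_range produces the CIDR block (or several blocks, when a range is not aligned to a single prefix, which the FAQ does not cover). The second range below is constructed for that case.

```python
import ipaddress
from typing import List


def to_binary(addr: str) -> str:
    """Dotted binary form of an IPv4 address, one 8-bit group per octet."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def common_prefix_length(first: str, last: str) -> int:
    """Number of leading bits shared by first and last.

    XOR clears every shared leading bit, so the bit length of the result
    is the number of bits that differ; the rest is the shared prefix.
    """
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    return 32 - (a ^ b).bit_length()


def cidr_from_range(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks that cover exactly first..last.

    A single /n block suffices only if the low 32-n bits of first are all
    zeros and those of last are all ones; otherwise several blocks are needed.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("last address precedes first address")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


if __name__ == "__main__":
    first, last = "10.203.96.0", "10.203.127.255"  # the range used in the FAQ
    print(to_binary(first), "->", to_binary(last))
    print("shared prefix bits:", common_prefix_length(first, last))
    print("CIDR blocks:", cidr_from_range(first, last))
    # Constructed range that is not aligned to one prefix: needs three blocks.
    print("CIDR blocks:", cidr_from_range("10.203.96.0", "10.203.130.255"))
```

For the FAQ's range the two methods agree: 19 shared bits and a single block, 10.203.96.0/19. The constructed range 10.203.96.0 to 10.203.130.255 shares only 16 bits, so a single covering prefix (10.203.0.0/16) would over-allocate; the minimal exact cover is /19 + /23 + /24.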

When you create a VPC or a vSwitch, you must specify a CIDR block for it.

What are the differences between a VPC and a classic network?

Differences between a VPC and a classic network:
  • A classic network is built on the public infrastructure of Alibaba Cloud. Services in a classic network are deployed and managed by Alibaba Cloud. A classic network is suitable for users that require simplified networking.
  • A VPC is an isolated virtual network built by users on Alibaba Cloud. VPCs are logically isolated from each other. You can customize the topology of a VPC and specify IP addresses in a VPC. VPCs are suitable for users who have high network security requirements and network management capabilities.

Do VPCs support VPN?

Yes. VPCs support VPN. For more information, see VPN gateways.

How do I specify a CIDR block for a VPC?

You can specify 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, or a subnet of one of them as the private CIDR block of the VPC. The subnet mask must be 8 to 24 bits in length.

For more information, see Work with VPCs.

How do I specify a CIDR block for a vSwitch?

Before you specify a CIDR block for a vSwitch, take note of the following rules:
  • The CIDR block of the vSwitch must fall within the CIDR block of the VPC to which the vSwitch belongs.
  • The subnet mask of the vSwitch must be 16 to 29 bits in length.
  • The CIDR block that you specify cannot be the same as, or a subset of, the CIDR block of any existing vSwitch in the VPC.
  • The CIDR block that you specify cannot be the same as the destination CIDR block of any route in the VPC.
  • The CIDR block that you specify cannot contain the destination CIDR block of a route in the VPC. However, it can be a subset of a route's destination CIDR block.

For more information, see Create a vSwitch.
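The VPC rules (private range, /8 to /24) and the vSwitch rules listed above, turned into a pre-flight validator. This is an added example, not Alibaba Cloud code; the VPC, existing vSwitch and route destinations in the usage are constructed. For the existing-vSwitch rule the check uses overlap, which covers the FAQ's "same as or subset of" cases and additionally rejects a superset, since two vSwitches in one VPC cannot share addresses.

```python
import ipaddress
from typing import Iterable, List

# Private ranges a VPC CIDR block must fall within (from the FAQ).
VPC_ROOTS = [ipaddress.ip_network(c)
             for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr: str) -> List[str]:
    """Return the VPC rules a proposed CIDR block violates (empty list = acceptable).

    ip_network(strict=True) raises ValueError when host bits are set,
    e.g. 10.203.96.1/19, which is not a valid block either.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not any(net.subnet_of(root) for root in VPC_ROOTS):
        problems.append(f"{net} is not within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")
    if not 8 <= net.prefixlen <= 24:
        problems.append(f"/{net.prefixlen} is outside the allowed /8 to /24 range")
    return problems


def check_vswitch_cidr(cidr: str, vpc_cidr: str,
                       existing_vswitches: Iterable[str],
                       route_destinations: Iterable[str]) -> List[str]:
    """Return the vSwitch rules a proposed CIDR block violates (empty list = acceptable)."""
    net = ipaddress.ip_network(cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if not net.subnet_of(vpc):
        problems.append(f"{net} is not within the VPC CIDR block {vpc}")
    if not 16 <= net.prefixlen <= 29:
        problems.append(f"/{net.prefixlen} is outside the allowed /16 to /29 range")
    for existing in map(ipaddress.ip_network, existing_vswitches):
        # overlaps() rejects same-as, subset-of and superset-of in one test.
        if net.overlaps(existing):
            problems.append(f"{net} overlaps existing vSwitch {existing}")
    for dest in map(ipaddress.ip_network, route_destinations):
        if net == dest:
            problems.append(f"{net} equals route destination {dest}")
        elif dest.subnet_of(net):
            problems.append(f"{net} contains route destination {dest}")
        # net being a subset of dest is allowed, so no further check.
    return problems


if __name__ == "__main__":
    # Constructed VPC: 10.203.96.0/19 with one vSwitch and two custom routes.
    vpc = "10.203.96.0/19"
    vswitches = ["10.203.96.0/24"]
    routes = ["10.203.100.0/24", "192.168.0.0/16"]
    for candidate in ("10.203.97.0/24", "10.203.96.0/25", "10.203.100.0/23", "10.203.100.0/25"):
        print(candidate, check_vswitch_cidr(candidate, vpc, vswitches, routes) or "ok")
```

Of the four candidates in the usage, 10.203.97.0/24 passes, 10.203.96.0/25 fails because it sits inside the existing vSwitch, 10.203.100.0/23 fails because it contains the route destination 10.203.100.0/24, and 10.203.100.0/25 passes because a vSwitch may be a subset of a route destination.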

Can an Elastic Compute Service (ECS) instance in the primary CIDR block of a VPC communicate with an ECS instance in the secondary CIDR block of the VPC?

Yes. If the ECS instances belong to the same security group, or the security group rules between their groups allow the traffic, the ECS instances can communicate with each other. For more information about how to add an ECS instance to a security group, see Add an ECS instance to a security group.

Can I disable the communication between an ECS instance in the primary CIDR block of a VPC and an ECS instance in the secondary CIDR block of the VPC?

To disable the communication, perform one of the following operations:

Does a Cloud Enterprise Network (CEN) instance automatically add a route for the secondary CIDR block after I add a secondary CIDR block to a VPC?

If the VPC is attached to a CEN instance, the CEN instance automatically adds a route that points to the secondary CIDR block to the CEN route table.

Can an ECS instance in a classic network communicate with an ECS instance in the secondary CIDR block of a VPC if ClassicLink is enabled for the VPC?

No. Secondary CIDR blocks do not support ClassicLink.

What is a customer CIDR block?

By default, a VPC treats 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, and its own CIDR block as private address space. An ECS instance or Elastic Network Interface (ENI) can access the Internet in the following scenarios: the ECS instance is assigned a public IP address, an elastic IP address (EIP) is associated with the ECS instance or ENI, or DNAT rules are configured for the ECS instance or ENI. In these scenarios, when the ECS instance or ENI sends requests to a destination outside the preceding CIDR blocks, the requests are forwarded to the Internet through the public IP address rather than looked up in the VPC route table.

If you want requests to such a destination to be forwarded based on the route table of a private network instead (the private network can be a VPC, or a hybrid cloud built with VPN, Express Connect, or CEN), set the destination as a customer CIDR block of the VPC to which the ECS instance or ENI belongs. Requests to the customer CIDR block are then forwarded based on the route table instead of through the public IP address.

For example, ECS 1 is assigned a public IP address. When ECS 1 accesses the Alibaba Cloud International site (106.11.62.xx), the requests are sent straight to the Internet through that public IP address. If you want the requests to be forwarded to ECS 2 first and only then to the Internet, specify 106.11.62.0/24 as a customer CIDR block of the VPC to which ECS 1 belongs; the VPC route table must then contain a route whose destination is 106.11.62.0/24 and whose next hop is ECS 2. The public IP address of ECS 2 is then used to access the Internet.
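A model of the forwarding decision just described, added here as an example rather than taken from the FAQ. It is deliberately simplified: it only decides whether a packet from an ECS instance that has a public IP address leaves directly through that address or is looked up in the VPC route table, and it ignores EIPs, NAT gateways, security groups and network ACLs. The VPC CIDR block, the public IP 203.0.113.10 (a documentation address), the route table and the next-hop label "ecs-2" are constructed; treating a private destination with no matching route as dropped is an assumption consistent with the text.

```python
import ipaddress
from typing import List, Optional, Tuple

# Address space a VPC treats as private by default (from the FAQ).
DEFAULT_PRIVATE = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

Route = Tuple[str, str]  # (destination CIDR block, next-hop label)


def is_private_destination(dst: str, vpc_cidr: str, customer_cidrs: List[str]) -> bool:
    """True when the VPC forwards dst by its route table rather than via the public IP.

    Customer CIDR blocks extend the default private scope, which is exactly
    what makes a public destination such as 106.11.62.0/24 route-table bound.
    """
    ip = ipaddress.ip_address(dst)
    scopes = DEFAULT_PRIVATE + [ipaddress.ip_network(vpc_cidr)]
    scopes += [ipaddress.ip_network(c) for c in customer_cidrs]
    return any(ip in scope for scope in scopes)


def longest_prefix_match(dst: str, route_table: List[Route]) -> Optional[Route]:
    """Most specific route whose destination contains dst, or None if no route matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def egress(dst: str, vpc_cidr: str, customer_cidrs: List[str],
           route_table: List[Route], own_public_ip: str) -> Tuple[str, Optional[str]]:
    """Where a packet from an ECS instance with a public IP address leaves the VPC.

    Returns ("internet", public IP) when dst is outside every private scope,
    ("route-table", next hop) when a route matches, or ("dropped", None)
    when dst is private but no route covers it (assumption, see lead-in).
    """
    if not is_private_destination(dst, vpc_cidr, customer_cidrs):
        return ("internet", own_public_ip)
    match = longest_prefix_match(dst, route_table)
    if match is None:
        return ("dropped", None)
    return ("route-table", match[1])


# Constructed scenario: ECS 1 in VPC 10.203.96.0/19 with public IP 203.0.113.10;
# a custom route sends 106.11.62.0/24 to ECS 2 (labelled "ecs-2").
VPC_CIDR = "10.203.96.0/19"
ECS1_PUBLIC_IP = "203.0.113.10"
ROUTE_TABLE: List[Route] = [(VPC_CIDR, "local"), ("106.11.62.0/24", "ecs-2")]

if __name__ == "__main__":
    target = "106.11.62.10"
    print("no customer CIDR:  ", egress(target, VPC_CIDR, [], ROUTE_TABLE, ECS1_PUBLIC_IP))
    print("with customer CIDR:", egress(target, VPC_CIDR, ["106.11.62.0/24"], ROUTE_TABLE, ECS1_PUBLIC_IP))
```

The point the model makes is that the custom route alone is not enough: without the customer CIDR block, traffic to 106.11.62.10 never consults the route table and leaves through ECS 1's own public IP; with it, the same route table entry sends the traffic to ECS 2.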

How do I configure a customer CIDR block?

You can configure the customer CIDR block when you create a VPC or add it to an existing VPC. Perform the operation that matches your scenario:

  • Configure the customer CIDR block when you create a VPC

    When you create a VPC, you can configure the customer CIDR block only by calling the CreateVpc API operation. For more information, see CreateVpc.

  • Configure the customer CIDR block for an existing VPC

    To configure the customer CIDR block for an existing VPC, submit a ticket.

On the details page of the VPC, you can view the customer CIDR block that you configured. The customer CIDR block

Can a VPC have multiple vRouters?

No. Each VPC can have only one vRouter. However, each vRouter can be associated with multiple route tables.

How many custom routes can I create in a route table?

By default, you can create up to 48 custom routes in a route table.

You can go to the Quota Management page to request a quota increase. For more information, see Manage service quotas.

How many vSwitches can I create in a VPC?

By default, you can create at most 24 vSwitches in a VPC.

You can go to the Quota Management page to request a quota increase. For more information, see Manage service quotas.

How many private IP addresses can be used by cloud services in each VPC?

In each VPC, cloud services can use a maximum of 60,000 private IP addresses. You cannot increase the quota.

If an ECS instance is assigned only one private IP address, it consumes one address from this quota. If multiple NICs are attached to the ECS instance, or a NIC that is assigned multiple IP addresses is attached to it, the ECS instance consumes multiple addresses: the number equals the total number of IP addresses assigned to all of its NICs.

Can ECS instances that belong to the same VPC but different vSwitches communicate with each other?

Yes. ECS instances in the same VPC can communicate with each other regardless of whether they belong to the same vSwitch or to different vSwitches, provided that the security group rules and network ACLs allow the traffic.

Can different VPCs communicate with each other through private connections?

Yes. Although VPCs are logically isolated from each other, you can connect them over private connections by using Express Connect, VPN Gateway, or CEN. For more information, see Connect VPCs.

Do VPCs support Express Connect circuits?

Yes. You can connect a VPC to a data center through Express Connect circuits. For more information, see Create a dedicated connection over an Express Connect circuit.

Can VPCs access Internet services?

Yes. You can allow a VPC to access Internet services by using one of the following methods:

  • Assign public IP addresses to the cloud resources in the VPC
  • Associate EIPs with the cloud resources in the VPC
  • Configure a NAT gateway

For more information, see Select a service to access the Internet.

Can I access cloud resources in a VPC over the Internet?

Yes. You can access cloud resources in a VPC over the Internet by using one of the following methods:

  • Assign public IP addresses to the cloud resources in the VPC
  • Associate EIPs with the cloud resources in the VPC
  • Configure a NAT gateway
  • Configure Internet-facing Server Load Balancer (SLB) instances

For more information, see Select a service to access the Internet.

Can a VPC communicate with a classic network?

Yes. You can establish the communication by using one of the following methods:
  • Assign a public IP address to an ECS instance in the VPC. This allows the ECS instance to communicate with the cloud resources in the classic network over the Internet. For more information, see Select a service to access the Internet.
  • Use the ClassicLink feature to establish low-latency and high-speed connections between ECS instances in a VPC and ECS instances in a classic network. For more information, see Overview.