This topic provides answers to the commonly asked questions about Virtual Private Cloud (VPC).

What is CIDR?

Classless Inter-Domain Routing is a method for allocating IP addresses and for IP routing. Compared with the previous classful network addressing architecture, CIDR is more efficient in allocating IP addresses. For example, the IP addresses that range from 125.203.96.0 to 125.203.127.255 can be written in the CIDR format:

In binary, the last two octets of this range run from 0110 0000.0000 0000 (96.0) to 0111 1111.1111 1111 (127.255). The first 19 bits of every address in the range are identical, so the range is written as 125.203.96.0/19.

When you create a VPC or VSwitch, you must specify its IP address range in the CIDR format.
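As an added example (not part of the original FAQ), the following Python code works through the 125.203.96.0 to 125.203.127.255 case: it renders addresses in binary, derives the prefix length from the bits the first and last address share, and checks that the range is aligned to a single block. It also generalizes to ranges that are not aligned, where the standard library splits the range into several CIDR blocks. All function names are this example's own.

```python
import ipaddress

def to_binary(ip):
    """Render an IPv4 address as four 8-bit binary groups."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(ip).packed)

def common_prefix_length(first, last):
    """Count the leading bits shared by two addresses.

    The XOR of the two addresses is zero in every shared leading bit, so the
    position of its highest set bit tells us where the addresses diverge.
    """
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    return 32 - (a ^ b).bit_length()

def range_to_cidr(first, last):
    """Express an aligned address range as one CIDR block.

    A range is a single block only when `first` has all host bits clear and
    `last` has all host bits set; otherwise a ValueError is raised.
    """
    plen = common_prefix_length(first, last)
    net = ipaddress.ip_network(f"{first}/{plen}", strict=False)
    if (net.network_address != ipaddress.IPv4Address(first)
            or net.broadcast_address != ipaddress.IPv4Address(last)):
        raise ValueError(f"{first}-{last} is not a single CIDR block")
    return str(net)

def summarize_range(first, last):
    """Split any range into the minimal list of CIDR blocks (works for unaligned ranges)."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]

if __name__ == "__main__":
    # The FAQ's own example range
    first, last = "125.203.96.0", "125.203.127.255"
    print(to_binary(first))            # 01111101.11001011.01100000.00000000
    print(to_binary(last))             # 01111101.11001011.01111111.11111111
    print(range_to_cidr(first, last))  # 125.203.96.0/19
    # A constructed unaligned range needs more than one block
    print(summarize_range("125.203.96.0", "125.203.128.0"))
```

The binary output makes the shared 19-bit prefix visible directly: the third octet goes from 01100000 to 01111111, so only the low 13 bits vary.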

What is the difference between a VPC and a classic network?

The differences between a VPC and a classic network are:
  • Services that use the classic network are deployed in the public network infrastructure of Alibaba Cloud, and planned and managed by Alibaba Cloud. Classic networks are suitable for users who require networks that are easy to use.
  • VPCs are private networks deployed on Alibaba Cloud. VPCs are logically isolated from each other. You can specify a custom topology and IP addresses for a VPC. VPCs are suitable for users who have high network security requirements and network management capabilities.

Does VPC support VPN?

Yes. For more information, see What is VPN Gateway?.

How do I specify the CIDR block for a VPC?

You can specify 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, and their subnets as the private CIDR block of the VPC. The subnet mask must be 8 to 24 bits in length.

For more information, see Create a VPC.

How do I specify the CIDR block for a VSwitch?

When you specify the CIDR block for a VSwitch, note that:
  • The CIDR block of the VSwitch must fall within the range of the CIDR block of the VPC to which the VSwitch belongs.
  • The subnet mask of the VSwitch must be 16 to 29 bits in length.
  • The CIDR block of the VSwitch cannot be the same as or a subset of the CIDR block of an existing VSwitch.
  • The CIDR block of the VSwitch cannot be the same as the destination CIDR block of any route entry in the VPC.
  • The CIDR block of the VSwitch cannot contain the destination CIDR block of any route entry in the VPC, but can be a subnet of a destination CIDR block.

For more information, see Create a VSwitch.
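The VPC and VSwitch rules above can be checked before a CIDR block is submitted. The following Python validator is an added example, not Alibaba Cloud code, and implements exactly the rules the two answers state (allowed private parents and an 8 to 24 bit mask for a VPC; containment in the VPC, a 16 to 29 bit mask, no overlap with an existing VSwitch, and the route-entry rules for a VSwitch). The function names and the sample route table are this example's own.

```python
import ipaddress

# Private ranges from which a VPC CIDR block may be taken
VPC_ALLOWED_PARENTS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
]

def _parse(cidr):
    """Parse a CIDR string; a block with host bits set (e.g. 10.0.0.5/24) is rejected."""
    return ipaddress.ip_network(cidr, strict=True)

def validate_vpc_cidr(cidr):
    """Return the list of rule violations for a VPC CIDR block (empty list means valid)."""
    try:
        net = _parse(cidr)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not any(net.subnet_of(parent) for parent in VPC_ALLOWED_PARENTS):
        problems.append(f"{net} is not within 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8")
    if not 8 <= net.prefixlen <= 24:
        problems.append(f"subnet mask /{net.prefixlen} is not 8 to 24 bits long")
    return problems

def validate_vswitch_cidr(cidr, vpc_cidr, existing_vswitches=(), route_destinations=()):
    """Return the list of rule violations for a VSwitch CIDR block inside the given VPC."""
    try:
        net = _parse(cidr)
    except ValueError as exc:
        return [str(exc)]
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if not net.subnet_of(vpc):
        problems.append(f"{net} is not within the VPC CIDR block {vpc}")
    if not 16 <= net.prefixlen <= 29:
        problems.append(f"subnet mask /{net.prefixlen} is not 16 to 29 bits long")
    for other in map(ipaddress.ip_network, existing_vswitches):
        # subnet_of() is also true for an identical block, covering "same as or a subset of"
        if net.subnet_of(other):
            problems.append(f"{net} is the same as or a subset of existing VSwitch {other}")
    for dst in map(ipaddress.ip_network, route_destinations):
        if net == dst:
            problems.append(f"{net} is the same as route destination {dst}")
        elif dst.subnet_of(net):
            problems.append(f"{net} contains route destination {dst}")
        # A VSwitch that is itself a subnet of a route destination is allowed
    return problems

if __name__ == "__main__":
    # Constructed sample VPC with one existing VSwitch and one custom route entry
    vpc = "192.168.0.0/16"
    existing = ["192.168.1.0/24"]
    routes = ["192.168.2.0/25"]
    print(validate_vpc_cidr(vpc))                                # []
    print(validate_vswitch_cidr("192.168.2.0/24", vpc, existing, routes))  # contains route destination
    print(validate_vswitch_cidr("192.168.2.0/26", vpc, existing, routes))  # []
```

The route-entry checks mirror the asymmetry in the rules: a VSwitch block may sit inside a route destination (the route then covers traffic beyond the VSwitch), but it may not equal or enclose one.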

In the same VPC, can an ECS instance deployed in the primary CIDR block communicate with an ECS instance deployed in the secondary CIDR block?

Communication can be established if both ECS instances are added to the same security group. For more information about how to add an ECS instance to a security group, see Add an ECS instance to a security group.

In the same VPC, can I disable the communication between an ECS instance deployed in the primary CIDR block and an ECS instance deployed in the secondary CIDR block?

You can disable the communication by using one of the following methods:

After I add a secondary CIDR block to a VPC, does the Cloud Enterprise Network (CEN) instance automatically add a route?

If the VPC is associated with a CEN instance, after you add a secondary CIDR block to the VPC, the CEN instance automatically adds a route that specifies the secondary CIDR block as the destination CIDR block to the route table of the CEN instance.

If a VPC has the ClassicLink feature enabled, can an ECS instance deployed in a classic network communicate with an ECS instance deployed in the secondary CIDR block?

No, because the secondary CIDR block does not support the ClassicLink feature.

What is a customer CIDR block?

By default, a VPC uses 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, and the CIDR block of the VPC for private network communication. An ECS instance or elastic network interface (ENI) can access the Internet in the following scenarios: The ECS instance is assigned a public IP address, the ECS instance or ENI is assigned an elastic IP address (EIP), or DNAT rules are applied to the ECS instance or ENI. In the preceding cases, when the ECS instance or ENI accesses CIDR blocks other than the preceding ones, the requests are forwarded to the Internet through the public IP address.

If you want the requests to be forwarded based on the route table of a private network (for example, a VPC or a hybrid cloud built with VPN, Express Connect, or CEN), you must set the destination as the customer CIDR block of the VPC to which the ECS instance or ENI belongs. After you set a customer CIDR block for the VPC, the requests that target the customer CIDR block are forwarded based on the route table instead of the public IP address.

For example, ECS 1 is assigned a public IP address. Therefore, when ECS 1 accesses the Alibaba Cloud International site (106.11.62.xx), requests are forwarded through the public IP address. If you want the requests to be forwarded to ECS 2 first and then to the Internet through the IP address of ECS 2, you can set 106.11.62.0/24 as the customer CIDR block of the VPC to which ECS 1 belongs.
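The forwarding decision described in the two paragraphs above can be modelled in a few lines. The following Python code is an added example, not Alibaba Cloud code: it decides whether a destination is handled by the VPC route table (default private ranges, the VPC's own block, or a customer CIDR block) or by the public IP address, and then performs a longest-prefix-match lookup in a constructed route table to show the ECS 1 / ECS 2 case. It assumes the instance has Internet access through a public IP, an EIP or DNAT, as the FAQ describes; the function names, route table and next-hop labels are this example's own.

```python
import ipaddress

# Ranges the FAQ says a VPC uses by default for private-network communication
DEFAULT_PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

def forwarding_path(destination, vpc_cidr, customer_cidrs=()):
    """Return 'route-table' if traffic to `destination` is forwarded by the VPC route
    table, or 'public-ip' if it leaves directly through the instance's public IP."""
    dst = ipaddress.ip_address(destination)
    private = (DEFAULT_PRIVATE_RANGES
               + [ipaddress.ip_network(vpc_cidr)]
               + [ipaddress.ip_network(c) for c in customer_cidrs])
    return "route-table" if any(dst in net for net in private) else "public-ip"

def lookup_route(destination, route_table):
    """Longest-prefix match over {cidr: next_hop}; returns the next hop or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, next_hop in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def next_hop_for(destination, vpc_cidr, route_table, customer_cidrs=()):
    """Combine both steps: public IP, or the route-table next hop (assumed
    'local' for the VPC's own block when no explicit entry matches)."""
    if forwarding_path(destination, vpc_cidr, customer_cidrs) == "public-ip":
        return "public-ip"
    return lookup_route(destination, route_table) or "local"

if __name__ == "__main__":
    # Constructed scenario from the FAQ: ECS 1 in a VPC, ECS 2 as the next hop
    vpc = "192.168.0.0/16"
    routes = {"192.168.0.0/16": "local", "106.11.62.0/24": "ECS-2"}
    print(next_hop_for("106.11.62.10", vpc, routes))                    # public-ip
    print(next_hop_for("106.11.62.10", vpc, routes, ["106.11.62.0/24"]))  # ECS-2
    print(next_hop_for("192.168.5.9", vpc, routes))                     # local
```

Without the customer CIDR block the 106.11.62.0/24 route entry is never consulted, because the destination is not private by default; adding the customer CIDR block is what makes the route table authoritative for that destination.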

How do I configure a customer CIDR block?

You can configure the customer CIDR block when you create a VPC or for an existing VPC. However, the operations are different:

  • Configure the customer CIDR block when you create a VPC

    You can only call the CreateVpc operation to configure the customer CIDR block. For more information, see CreateVpc.

  • Configure the customer CIDR block for an existing VPC

    To configure the customer CIDR block for an existing VPC, submit a ticket.

After you configure the CIDR block, you can view it on the details page of the VPC.

Can a VPC have multiple VRouters?

No. Each VPC can have only one VRouter. However, each VRouter can have multiple route tables.

How many custom route entries can I create in a route table?

By default, you can create up to 48 custom route entries in a route table.

You can go to the Quota Management page and request a quota increase. For more information, see Quota management.

How many VSwitches can I create in a VPC?

By default, you can create at most 24 VSwitches in a VPC.

You can go to the Quota Management page and request a quota increase. For more information, see Quota management.

How many private IP addresses can be used for cloud services in each VPC?

Each VPC can use at most 60,000 private IP addresses for cloud services. The quota cannot be increased.

For example, if an ECS instance is assigned only one private IP address, the ECS instance uses one IP address. If an ECS instance is associated with multiple NICs or the NICs are assigned multiple IP addresses, the number of IP addresses used by the ECS instance is the sum of the IP addresses assigned to the NICs that are associated with the ECS instance.

In the same VPC, can ECS instances that belong to different VSwitches communicate with each other?

Yes. In the same VPC, regardless of whether the ECS instances belong to the same VSwitch, the ECS instances can communicate with each other if allowed by security group rules and network ACLs.

Can different VPCs communicate with each other over the private network?

Yes. Different VPCs are logically isolated from each other. However, different VPCs can communicate with each other through Express Connect, VPN Gateway, and CEN. For more information, see Connect VPCs.

Do VPCs support leased lines?

You can connect a VPC to an on-premises data center through leased lines. For more information, see Create a dedicated physical connection.

Can VPCs access Internet services?

Yes. You can allow VPCs to access Internet services by using one of the following methods:

  • Assign public IP addresses to the cloud resources in the VPC
  • Associate EIPs with the cloud resources in the VPC
  • Configure NAT gateways

For more information, see Select a product to gain access to the Internet.

Can the Internet access the cloud resources in a VPC?

Yes. You can allow the Internet to access the cloud resources in the VPC by using one of the following methods:

  • Assign public IP addresses to the cloud resources in the VPC
  • Associate EIPs with the cloud resources in the VPC
  • Configure NAT gateways
  • Configure Server Load Balancer (SLB) instances

For more information, see Select a product to gain access to the Internet.

Can a VPC communicate with a classic network?

Yes. You can establish the communication by using one of the following methods:
  • Assign a public IP address to an ECS instance in the VPC. This allows the ECS instance to communicate with the cloud resources in the classic network over the Internet. For more information, see Select a product to gain access to the Internet.
  • Use the ClassicLink feature to establish low-latency and high-speed connections between ECS instances in a VPC and a classic network. For more information, see Overview.