This topic describes how to create a virtual private cloud (VPC) connection. You can connect a VPC to a transit router that belongs to the same region. After you connect a VPC to a transit router, the transit router automatically learns and distributes routes of the VPC. This way, the VPC can communicate with other network instances that are connected to the same Cloud Enterprise Network (CEN) instance.

Prerequisites

  • To connect a network instance that is created by a different account, you must first acquire the permissions from the account to which the network instance belongs. For more information, see Acquire permissions to attach network instances under other accounts.
  • If you use an Enterprise Edition transit router to create a VPC connection, make sure that at least two vSwitches that belong to different zones are deployed in the VPC.

Background information

Before you create a VPC connection, take note of the following items:
  • Transit routers are available in two editions, depending on the region: Basic Edition and Enterprise Edition. For more information about how to view the edition of a transit router, see View the edition of a transit router.
  • Basic Edition transit routers and Enterprise Edition transit routers have different features. Enterprise Edition is developed from Basic Edition and supports all features of Basic Edition. Enterprise Edition transit routers allow you to manage routes and network instance connections in a more flexible manner. For more information, see Transit routers.

Use Enterprise Edition transit routers to create VPC connections

When you use an Enterprise Edition transit router to create a VPC connection, you must specify a set of zones. The transit router automatically creates an elastic network interface (ENI) for each of the vSwitches in the zones that you specify. The two ENIs serve as the primary and secondary ENIs and receive the network traffic that the VPC sends to the transit router. When you configure routes in the VPC, set the next hops of the routes to the transit router. The ENIs do not affect the route configuration.

Make sure that the specified zones meet the following requirements:

  • The zones that you specify must belong to the same VPC. At least one vSwitch must be deployed in each zone.
  • Take note of the route tables and network access control lists (ACLs) that are associated with the vSwitches in the zones that you specify when you create ENIs. The route tables and network ACLs affect how network traffic from the transit router to the VPC is handled in the VPC. If the vSwitches to which the ENIs are attached use different route tables or network ACLs, the vSwitches may handle network traffic from the transit router to the VPC in different ways. For more information about network ACLs, see Overview.
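
The zone requirements above can be checked against an inventory of the VPC before the connection is created. The following Python check is an added example, not Alibaba Cloud code: the inventory and its field names are constructed, and it assumes that the primary and secondary vSwitches must be in different zones, as the prerequisites imply.

```python
# Constructed inventory; field names are hypothetical, not a CEN or VPC API schema.
VSWITCHES = {
    "vsw-a": {"vpc": "vpc-1", "zone": "zone-a", "route_table": "rtb-1", "acl": "nacl-1"},
    "vsw-b": {"vpc": "vpc-1", "zone": "zone-b", "route_table": "rtb-1", "acl": "nacl-1"},
    "vsw-c": {"vpc": "vpc-1", "zone": "zone-b", "route_table": "rtb-2", "acl": None},
    "vsw-d": {"vpc": "vpc-2", "zone": "zone-a", "route_table": "rtb-9", "acl": "nacl-1"},
}


def preflight(vpc_id, primary_id, secondary_id, inventory=VSWITCHES):
    """Return (errors, warnings) for a planned primary/secondary vSwitch pair."""
    errors, warnings, pair = [], [], []
    for role, vsw_id in (("primary", primary_id), ("secondary", secondary_id)):
        vsw = inventory.get(vsw_id)
        if vsw is None:
            errors.append(f"{role} vSwitch {vsw_id} not found")
        elif vsw["vpc"] != vpc_id:
            errors.append(f"{role} vSwitch {vsw_id} is in {vsw['vpc']}, not {vpc_id}")
        else:
            pair.append(vsw)
    if len(pair) == 2:
        primary, secondary = pair
        # Assumption: the primary and secondary zones must differ.
        if primary["zone"] == secondary["zone"]:
            errors.append(f"both vSwitches are in {primary['zone']}")
        # Different route tables or network ACLs mean traffic from the transit
        # router may be handled differently depending on which ENI receives it.
        for key, label in (("route_table", "route tables"), ("acl", "network ACLs")):
            if primary[key] != secondary[key]:
                warnings.append(f"different {label}: {primary[key]} vs {secondary[key]}")
    return errors, warnings


if __name__ == "__main__":
    for plan in (("vpc-1", "vsw-a", "vsw-b"), ("vpc-1", "vsw-a", "vsw-c"),
                 ("vpc-1", "vsw-b", "vsw-c"), ("vpc-1", "vsw-a", "vsw-d")):
        print(plan, preflight(*plan))
```
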
  1. Log on to the CEN console.
  2. On the Instances page, click the ID of the CEN instance that you want to manage.
  3. On the CEN details page, you can use one of the following methods to navigate to the Connection with Peer Network Instance page and create a network instance connection:
    • Find the section that displays the types of network instances and click the Attach the network instance icon next to the type of network instance that you want to manage. In this example, the VPC on which you have permissions is selected.
      Note: If no transit router is created for the CEN instance, you can use this method to create the first connection to the network instance.
    • On the Transit Router tab, find a transit router and click Create Connection in the Actions column.
  4. On the Connection with Peer Network Instance page, set the following parameters to create the network instance connection.
    Parameter: Description

    Network Type: Select the type of network instance that you want to connect. By default, VPC is selected.

    Region: Select the region where the network instance is created.

    Transit Router: Displays transit routers that are created in the selected region. If no transit router is found in the selected region, the system automatically creates a transit router.

    Select the primary and secondary zones for the transit router: Select the primary and secondary zones for the transit router. After you specify the zones, the system creates ENIs in the vSwitches that are deployed in the specified zones.

      Note: When you create a network instance connection, the system automatically creates the service-linked role AliyunServiceRoleForCEN. This service-linked role allows the transit router to create ENIs in the vSwitches of the VPC that you want to connect. The ENIs are used to receive network traffic from the VPC to the transit router. For more information, see AliyunServiceRoleForCEN.

    Resource Owner ID: Select the type of account to which the network instance that you want to connect belongs. CEN allows you to connect network instances that belong to the same account or different accounts.
      • If the network instance that you want to connect and the CEN instance belong to the same account, select Your Account.
      • If the network instance that you want to connect and the CEN instance belong to different accounts, select Different Account and enter the UID of the network instance owner.

    Billing Method: By default, Pay-As-You-Go is selected.

    Attachment Name: Enter a name for the connection. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    Networks: Select the ID of the VPC that you want to connect.

    VSwitch: Specify the vSwitches in the primary zone and secondary zone separately.

    Advanced Settings: When you create a VPC connection, the system automatically enables the following features in the advanced settings:
      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the system automatically associates the VPC with the default route table of the transit router. Network traffic is forwarded based on the routes in the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the routes of the VPC are propagated to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the same CEN instance.

      • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

        After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the transit router.

      To manually disable the features, clear the check boxes in the advanced settings. After the features are disabled, you can manually associate the VPC with custom route tables and configure route learning. For more information, see Create associated forwarding correlation and Create route learning correlation.

  5. At the bottom of the page, confirm the instance fee and bandwidth fee and click OK.
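
Because the third advanced setting adds 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 to every route table of the VPC, it is worth reviewing which existing custom routes overlap those ranges before you leave it enabled. The following Python check is an added example, not Alibaba Cloud code; the route tables and next-hop labels are constructed.

```python
import ipaddress

# The three destinations that the page says are added to all VPC route tables.
AUTO_ROUTES = [ipaddress.ip_network(c)
               for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed route tables; table names and next-hop labels are hypothetical.
ROUTE_TABLES = {
    "rtb-app": [("10.20.0.0/16", "vpn-gateway"), ("0.0.0.0/0", "nat-gateway")],
    "rtb-db": [("192.168.0.0/16", "peer-router")],
    "rtb-mgmt": [("100.64.0.0/10", "local")],
}


def review_auto_routes(route_tables=ROUTE_TABLES):
    """List existing routes that overlap one of the auto-added routes.

    Each finding is (table, existing CIDR, next hop, auto-added CIDR, kind):
      same-destination: the existing route has the identical destination
      more-specific:    the existing route lies inside the auto-added range
      less-specific:    the existing route contains the auto-added range
    """
    findings = []
    for table, routes in sorted(route_tables.items()):
        for cidr, next_hop in routes:
            net = ipaddress.ip_network(cidr)
            for auto in AUTO_ROUTES:
                if net == auto:
                    kind = "same-destination"
                elif net.subnet_of(auto):
                    kind = "more-specific"
                elif auto.subnet_of(net):
                    kind = "less-specific"
                else:
                    continue  # no overlap with this auto-added route
                findings.append((table, cidr, next_hop, str(auto), kind))
    return findings


if __name__ == "__main__":
    for finding in review_auto_routes():
        print(*finding, sep="  ")
```

A table with no findings, such as rtb-mgmt here, still receives the three routes; the findings only mark where an existing route and an auto-added route cover the same addresses and need a decision.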

Use Basic Edition transit routers to create VPC connections

  1. Log on to the CEN console.
  2. On the Instances page of the CEN console, click the ID of the CEN instance that you want to manage.
  3. On the CEN details page, you can use one of the following methods to navigate to the Connection with Peer Network Instance page and create a network instance connection:
    • Find the section that displays the types of network instances and click the Add a network instance icon next to the type of network instance that you want to manage. In this example, the Add a network instance icon next to VPC is selected.
      Note: If no transit router is created for the CEN instance, you can use this method to create the first connection to the network instance.
    • On the Transit Router tab, find a transit router and click Create Connection in the Actions column.
  4. On the Connection with Peer Network Instance page, set the following parameters to configure the network instance connection.
    Parameter: Description

    Network Type: Select the type of network instance that you want to connect. By default, VPC is selected.

    Region: Select the region where the network instance is created.

    Transit Router: Displays transit routers that are created in the selected region. If no transit router is found in the selected region, the system automatically creates a transit router.

    Resource Owner ID: Select the type of account to which the network instance that you want to connect belongs. CEN allows you to connect network instances that belong to the same account or different accounts.
      • If the network instance that you want to connect and the CEN instance belong to the same account, select Your Account.
      • If the network instance that you want to connect and the CEN instance belong to different accounts, select Different Account and enter the UID of the network instance owner.

    Network Instance: Select the ID of the network instance that you want to connect.
  5. Click OK.

What to do next

After you create the network instance connection, you can view information about the connection by using one of the following methods:
  • Go to the CEN details page and click the ID of the transit router that is deployed in the same region as the network instance. On the Intra-region Connections tab, you can view network instances that are connected to the transit router in the region that you specified. For more information, see View network instance connections.
  • Go to the CEN details page and click the Resource Topology tab. On the Resource Topology tab, you can view network instances that are connected to the current CEN instance. For more information, see View resource topology.