You can use Cloud Enterprise Network (CEN) to establish private network connections among virtual private clouds (VPCs) across regions, and between VPCs and data centers. This way, network instances deployed in the same region or different regions can communicate with each other. This topic describes how to use CEN to connect network instances that are deployed in the same region.

Background information

The following scenario is used as an example in this topic. An enterprise has deployed two VPCs in the China (Hangzhou) region. The data center of the enterprise is connected to Alibaba Cloud through an Express Connect circuit and a virtual border router (VBR). The enterprise wants to enable VPC 1, VPC 2, and the data center to communicate with each other.

Figure: Quick start for transit routers - architecture

Prerequisites

Before you start, make sure that the following requirements are met:

Procedure

Figure: Quick start for transit routers - procedure

Step 1: Plan networks

To connect the network instances that are deployed in the same region, you can connect VPC 1, VPC 2, and the VBR to the transit router in the China (Hangzhou) region. The transit router uses the default route table to route network traffic to the network instances in the China (Hangzhou) region at Layer 3. This way, the network instances are able to communicate with each other.

In this example, the enterprise has created two VPCs in the China (Hangzhou) region and connected the data center to Alibaba Cloud through an Express Connect circuit and a VBR. The following table describes the network planning of the enterprise.
Note Before you plan the subnets, make sure that the CIDR blocks of the VPCs do not overlap with the CIDR blocks of the data center. Otherwise, the overlapping CIDR blocks cannot communicate with each other, and other IP addresses may be unable to reach the overlapping CIDR blocks.
China (Hangzhou)                   vSwitch     Zone     Subnetting         Server address
VPC 1 (CIDR block: 192.168.0.0/16)  vSwitch 1   Zone A   192.168.20.0/24    192.168.20.161
                                   vSwitch 2   Zone B   192.168.21.0/24
VPC 2 (CIDR block: 10.0.0.0/16)     vSwitch 3   Zone A   10.0.1.0/24        10.0.1.155
                                   vSwitch 4   Zone B   10.0.2.0/24
VBR (CIDR block: 172.16.0.0/16)     vSwitch 5   N/A      172.16.1.0/24      172.16.1.188

Step 2: Create a CEN instance

Before you can connect network instances, you must create a CEN instance. CEN allows you to manage network instances in the same system. You can use a CEN instance to establish and manage a network.

  1. Log on to the CEN console.
  2. On the Instances page, click Create CEN Instance.
  3. In the Create CEN Instance dialog box, set the following parameters and click OK.
    • Name: Enter a name for the CEN instance.

      The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter or Chinese character.

    • Description: Enter a description for the CEN instance.

      The description must be 2 to 256 characters in length and cannot start with http:// or https://. You can leave this parameter empty.

Step 3: Create VPC connections

  1. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  2. On the details page of the CEN instance, click the Add icon next to VPC.
  3. On the Connection with Peer Network Instance page, set the parameters and click OK.
    • Network Type: VPC is selected by default.
    • Region: Select the region where the network instances are deployed. In this example, China (Hangzhou) is selected.
    • Transit Router: The system automatically creates a transit router in the selected region.
    • Select the primary and secondary zones for the transit router: Select the primary and secondary zones for the transit router.
      Note When you create a network instance connection, the system automatically creates the service-linked role named AliyunServiceRoleForCEN. The service-linked role allows the transit router to create elastic network interfaces (ENIs) in the vSwitches of the VPCs that you want to connect. The ENIs are used to receive network traffic from the VPCs to the transit router. For more information, see AliyunServiceRoleForCEN.
    • Resource Owner ID: Select the account to which the network instance belongs. Your Account is selected in this example.
    • Billing Method: Pay-As-You-Go is selected in this example.
    • Connection Name: Enter a name for the connection.

      The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    • Networks: Select the ID of the VPC that you want to connect. In this example, VPC 1 is selected.
    • VSwitch: Select a vSwitch from the primary and the secondary zones separately.
    • Advanced Configuration: The system automatically selects the following features in the advanced setting. In this example, default settings are selected for VPC 1.
      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the system automatically associates the VPC with the default route table of the transit router. Network traffic is forwarded based on the routes in the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the routes of the VPC are propagated to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the same CEN instance.

      • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

        After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the transit router.

  4. After you create the connection to VPC 1, click Create More Connections. Then, repeat Step 3 to create the connection to VPC 2.
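
Before you continue with the VBR connection, you can check the network plan from Step 1 against the three routes listed above. The following Python script is an added example and is not part of this topic or of CEN itself: it takes the CIDR blocks from the planning table and uses the standard ipaddress module to confirm that no two blocks overlap (the precondition in Step 1) and that every planned block falls within the routes that the VPC connection adds to the VPC route tables, so that traffic to the other network instances is actually forwarded to the transit router.

```python
import ipaddress

# Network plan from Step 1 (values taken from the planning table on this page).
PLAN = {
    "VPC 1": "192.168.0.0/16",
    "VPC 2": "10.0.0.0/16",
    "Data center (VBR)": "172.16.0.0/16",
}

# The three routes that "Automatically Creates Route That Points to Transit
# Router ..." adds to every route table of a connected VPC (Step 3).
TRANSIT_ROUTER_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def find_overlaps(plan):
    """Return pairs of network instances whose CIDR blocks overlap.

    Overlapping blocks cannot reach each other through the transit router,
    so an empty result is what Step 1 requires.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def uncovered_destinations(plan, routes=TRANSIT_ROUTER_ROUTES):
    """Return network instances whose CIDR block none of the routes covers.

    Traffic from a VPC to such a block is not sent to the transit router
    unless a route is added to the VPC route table manually.
    """
    summaries = [ipaddress.ip_network(r) for r in routes]
    return [
        name
        for name, cidr in plan.items()
        if not any(ipaddress.ip_network(cidr).subnet_of(s) for s in summaries)
    ]


if __name__ == "__main__":
    print("overlaps:", find_overlaps(PLAN))             # []
    print("uncovered:", uncovered_destinations(PLAN))  # []
    # Constructed bad plan: a third VPC reusing part of VPC 1's range.
    bad = {**PLAN, "VPC 3 (constructed)": "192.168.20.0/24"}
    print("overlaps:", find_overlaps(bad))             # [('VPC 1', 'VPC 3 (constructed)')]
```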

Step 4: Create a VBR connection

  1. After you create the VPC connections, you can click Create More Connections to create a VBR connection.
  2. On the Connection with Peer Network Instance page, set the parameters and click OK.
    • Network Type: Virtual Border Router (VBR) is selected.
    • Region: Select the region where the network instance is deployed. In this example, China (Hangzhou) is selected.
    • Transit Router: The system automatically creates a transit router in the selected region.
    • Resource Owner ID: Select the account to which the network instance belongs. Your Account is selected in this example.
    • Connection Name: Enter a name for the connection.

      The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    • Networks: Select the ID of the VBR that you want to connect.
    • Advanced Configuration: The system automatically selects the following features in the advanced setting. The default settings are used in this example.
      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the system automatically associates the VBR with the default route table of the transit router. Network traffic is forwarded based on the routes in the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the routes of the VBR are propagated to the default route table of the transit router.

      • Propagate Routes to VBR

        After this feature is enabled, the system automatically advertises the routes in the route table that is associated with the VBR to the VBR.

  3. After the VBR connection is created, click Return to the List to return to the details page of the CEN instance.

Step 5: Verify the network connectivity

After the network instance connections are created, you can view the default route table of the transit router, check the routes to VPC 1, VPC 2, and the VBR, and verify the network connectivity.

  1. View routes.
    1. On the details page of the CEN instance, click the ID of the transit router.
    2. On the details page of the transit router, click Route Table to view the routing information of the route table.
      Figure: Quick Start for transit routers - default route table
    3. On the details page of the transit router, click Routing Information to view the routing information of VPC 1, VPC 2 and the VBR.
      Figure 1. Routing information of VPC 1
      Figure 2. Routing information of VPC 2
      Figure 3. Routing information of the VBR
  2. Verify the network connectivity.
    You can perform the following steps to verify the connectivity among VPC 1, VPC 2, and the data center.
    Note Before you perform the following steps, you must check the security group rules that are configured for the Elastic Compute Service (ECS) instances in VPC 1 and VPC 2. Make sure that the security group rules allow communication among ECS instances, and between ECS instances and the data center. For more information, see Query security group rules.
    1. Log on to the ECS instance in VPC 1. For more information, see Overview and Guidelines on instance connection.
    2. Run the ping command to ping the IP address of the ECS instance in VPC 2 to verify the connectivity between VPC 1 and VPC 2.
      The result indicates that VPC 1 can communicate with VPC 2.
      Figure: Quick Start for transit routers - VPC 1 and VPC 2
    3. Run the ping command to ping the IP address of the on-premises server to verify the connectivity between VPC 1 and the data center.
      The result indicates that VPC 1 can communicate with the data center.
      Figure: Quick Start for transit routers - VPC 1 and the VBR
    4. Log on to the ECS instance in VPC 2. Run the ping command to ping the IP address of a server in the data center to verify the connectivity between VPC 2 and the data center.
      The result indicates that VPC 2 can communicate with the data center.
      Figure: Quick Start for transit routers - VPC 2 and the VBR