
Cloud Enterprise Network:Allow isolated VPCs to access a shared VPC

Last Updated:Feb 22, 2024

Cloud Enterprise Network (CEN) supports communication, isolation, and redirect policies for virtual private clouds (VPCs) within the same region. This topic describes how to use CEN to allow isolated VPCs to access a shared VPC.

Background information

The following scenario is used as an example in this topic. An enterprise has deployed three VPCs in the US (Silicon Valley) region. VPC 3 serves as the shared VPC. The enterprise wants to enable VPC 1 and VPC 2 to access VPC 3 while VPC 1 and VPC 2 remain isolated.

Networking

To allow VPC 1 and VPC 2 to access VPC 3 while keeping them isolated from each other, perform the following operations to configure the features provided by CEN: custom route tables, route table association, and route propagation:

  • When you attach VPC 3 to the transit router, enable the Associate with Default Route Table of Transit Router and Propagate System Routes to Default Route Table of Transit Router advanced features.

    After these features are enabled, the default route table of the transit router automatically learns the system routes of VPC 3, and the transit router forwards traffic that arrives from VPC 3 by querying the default route table.

  • When you attach VPC 1 and VPC 2 to the transit router, enable only the Propagate System Routes to Default Route Table of Transit Router advanced feature. Then, add a route that points to VPC 3 to a custom route table of the transit router, and associate VPC 1 and VPC 2 with the custom route table.

    This way, the default route table of the transit router still learns the system routes of VPC 1 and VPC 2, which is what allows VPC 3 to send return traffic to them. Traffic that arrives from VPC 1 or VPC 2 is forwarded by querying the custom route table, whose only route points to VPC 3. Because the custom route table contains no route to VPC 1 or VPC 2, VPC 1 cannot communicate with VPC 2.

  • Add a route whose destination CIDR block is 0.0.0.0/0 and whose next hop is the transit router to the route table of each of VPC 1, VPC 2, and VPC 3. This route sends all traffic that does not match a more specific route to the transit router; the route tables of the transit router then decide which VPCs can actually be reached. If a VPC route table already contains a 0.0.0.0/0 route, for example one that points to a NAT gateway for Internet access, do not replace it. Add routes for the specific peer CIDR blocks instead (10.0.0.0/16 in VPC 1 and VPC 2; 192.168.0.0/16 and 172.16.0.0/16 in VPC 3).

  • In this example, three VPCs are created in the US (Silicon Valley) region and vSwitches are created in specified zones of the region. The following table describes the CIDR blocks of the VPCs and vSwitches and the IP address of the Elastic Compute Service (ECS) instance that is used for the connectivity test in each VPC.

    Important

    Make sure that the CIDR blocks of the VPCs do not overlap. Overlapping CIDR blocks produce conflicting routes on the transit router.

    | VPC in US (Silicon Valley) | Primary CIDR block | vSwitch   | vSwitch zone | vSwitch CIDR block | ECS IP address |
    |----------------------------|--------------------|-----------|--------------|--------------------|----------------|
    | VPC1                       | 192.168.0.0/16     | vSwitch 1 | Zone A       | 192.168.0.0/24     |                |
    | VPC1                       | 192.168.0.0/16     | vSwitch 2 | Zone B       | 192.168.1.0/24     | 192.168.1.224  |
    | VPC2                       | 172.16.0.0/16      | vSwitch 3 | Zone A       | 172.16.0.0/24      | 172.16.0.222   |
    | VPC2                       | 172.16.0.0/16      | vSwitch 4 | Zone B       | 172.16.1.0/24      |                |
    | VPC3                       | 10.0.0.0/16        | vSwitch 5 | Zone A       | 10.0.0.0/24        | 10.0.0.112     |
    | VPC3                       | 10.0.0.0/16        | vSwitch 6 | Zone B       | 10.0.1.0/24        |                |
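To make the routing design above concrete, the following Python script is an added example; it is not Alibaba Cloud's code and not part of the original topic. It models the two behaviours the design relies on, route table association (which table the transit router consults for traffic arriving from a given VPC) and route propagation (which VPC system routes land in which table), using the CIDR blocks and ECS addresses from the table. The VPC and table names (vpc1, custom, and so on), the TransitRouter class and the helper functions are assumptions made for illustration. It checks the intended reachability matrix and also shows what goes wrong if VPC 1 is left on the console default and associated with the default route table: the ping test still fails, but traffic from VPC 1 is nevertheless delivered into VPC 2.

```python
import ipaddress

# Constructed topology for this example; CIDR blocks and ECS addresses follow the table above.
VPC_CIDRS = {"vpc1": "192.168.0.0/16", "vpc2": "172.16.0.0/16", "vpc3": "10.0.0.0/16"}
ECS_IPS = {"vpc1": "192.168.1.224", "vpc2": "172.16.0.222", "vpc3": "10.0.0.112"}
ISOLATED_PAIRS = [("vpc1", "vpc2")]  # VPC pairs that must not communicate


class TransitRouter:
    """Minimal model of a CEN transit router (illustrative names, not an Alibaba Cloud API).

    Each VPC attachment is associated with exactly one route table, and traffic entering
    from that VPC is looked up in that table only. Propagation copies a VPC's system
    route (its primary CIDR block) into a table.
    """

    def __init__(self):
        self.tables = {"default": []}  # table name -> list of (network, next-hop attachment)
        self.association = {}          # vpc attachment -> table it is associated with

    def attach_vpc(self, vpc, cidr, associate_default=True, propagate_default=True):
        # The two "Advanced Settings" check boxes used when attaching a VPC.
        if associate_default:
            self.association[vpc] = "default"
        if propagate_default:
            self.add_route("default", cidr, vpc)

    def create_table(self, name):
        self.tables[name] = []

    def associate(self, vpc, table):
        self.association[vpc] = table

    def add_route(self, table, cidr, next_hop):
        # next_hop None models a blackhole route: matched traffic is dropped.
        self.tables[table].append((ipaddress.ip_network(cidr), next_hop))

    def lookup(self, table, dst_ip):
        """Longest-prefix match in one table; None means no route (or blackhole)."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, next_hop in self.tables[table]:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]

    def forward(self, src_vpc, dst_ip):
        """Next-hop attachment for traffic arriving from src_vpc, or None if it is dropped."""
        table = self.association.get(src_vpc)
        if table is None:
            return None  # not associated with any route table: nothing is forwarded
        return self.lookup(table, dst_ip)


def vpc_next_hop(vpc, dst_ip):
    """VPC route table: local system route, otherwise the 0.0.0.0/0 route to the transit router."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(VPC_CIDRS[vpc]):
        return "local"
    return "transit_router"


def delivered(tr, src_vpc, dst_vpc):
    """True if a packet from the ECS instance in src_vpc reaches the one in dst_vpc (one way)."""
    dst_ip = ECS_IPS[dst_vpc]
    if vpc_next_hop(src_vpc, dst_ip) == "local":
        return src_vpc == dst_vpc
    return tr.forward(src_vpc, dst_ip) == dst_vpc


def reachable(tr, a, b):
    """A ping succeeds only if both the request and the reply have a path."""
    return delivered(tr, a, b) and delivered(tr, b, a)


def reachability_matrix(tr):
    return {(a, b): reachable(tr, a, b) for a in VPC_CIDRS for b in VPC_CIDRS if a != b}


def check_isolation(tr, isolated=ISOLATED_PAIRS):
    """One-way leaks between VPC pairs that must stay isolated.

    Each direction is checked on its own: if only the reply path is missing, a ping fails,
    yet the request still arrives in the other VPC, which a ping test cannot distinguish
    from correct isolation.
    """
    return [(s, d) for a, b in isolated for s, d in ((a, b), (b, a)) if delivered(tr, s, d)]


def build_shared_vpc_topology():
    """The configuration this topic describes."""
    tr = TransitRouter()
    tr.attach_vpc("vpc3", VPC_CIDRS["vpc3"], associate_default=True, propagate_default=True)
    # VPC 1 and VPC 2 are propagated only, so VPC 3 has return routes to them.
    tr.attach_vpc("vpc1", VPC_CIDRS["vpc1"], associate_default=False, propagate_default=True)
    tr.attach_vpc("vpc2", VPC_CIDRS["vpc2"], associate_default=False, propagate_default=True)
    tr.create_table("custom")
    tr.associate("vpc1", "custom")
    tr.associate("vpc2", "custom")
    tr.add_route("custom", "10.0.0.0/16", "vpc3")  # the only route VPC 1 and VPC 2 can use
    return tr


def build_misconfigured_topology():
    """Same, but VPC 1 was left on the console default and is associated with the default table."""
    tr = build_shared_vpc_topology()
    tr.associate("vpc1", "default")
    return tr


if __name__ == "__main__":
    for name, tr in (("intended", build_shared_vpc_topology()),
                     ("misconfigured", build_misconfigured_topology())):
        print(name, "reachable:", sorted(k for k, v in reachability_matrix(tr).items() if v))
        print(name, "one-way leaks:", check_isolation(tr))
```

The check_isolation function is the part worth keeping in mind when you verify a deployment: test each direction separately, because the ping test in the last step of this topic only proves that a round trip fails, not that no packets cross the boundary.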

Prerequisites

Procedure

Step 1: Create a CEN instance

To connect network instances, you must create a CEN instance.

  1. Log on to the CEN console.

  2. On the Instances page, click Create CEN Instance.

  3. In the Create CEN Instance dialog box, set the following parameters and click OK:

    • Name: Enter a name for the CEN instance.

    • Description: Enter a description for the CEN instance.

Step 2: Attach the VPCs to the CEN instance

  1. On the Instances page, click the ID of the CEN instance that you want to manage.

  2. On the Basic Settings tab of the CEN instance, click the Add Network Instance icon on the right side of VPC.

  3. On the Connection with Peer Network Instance page, set the following parameters and click OK:

    • Network Type: By default, VPC is selected.

    • Region: Select the region in which the VPC to be attached is deployed. US (Silicon Valley) is selected in this example.

    • Transit Router: The system automatically creates a transit router in the selected region.

    • Resource Owner ID: Select the Alibaba Cloud account to which the VPC belongs. Current Account is used in this example.

    • Billing Method: The default value Pay-As-You-Go is used in this example.

    • Attachment Name: Enter a name for the connection.

    • Network Instance: Select the ID of the VPC to be attached to the CEN instance. VPC 3 is selected in this example.

    • VSwitch: Select a vSwitch in a zone that is supported by the transit router.

      • If the Enterprise Edition transit router supports only one zone, select a vSwitch in the zone.

      • If the Enterprise Edition transit router supports multiple zones, select at least two vSwitches. The two vSwitches must be in different zones. The two vSwitches support zone-disaster recovery to ensure uninterrupted data transmission between the VPC and the transit router.

        We recommend that you select a vSwitch in each zone to reduce network latency and improve network performance because data can be transmitted over a shorter distance.

    • Advanced Settings: By default, the system automatically selects the following advanced features. In this example, only Associate with Default Route Table of Transit Router and Propagate System Routes to Default Route Table of Transit Router are selected for VPC 3.

      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.

      • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

        After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of the routes point to the transit router. The routes are used to forward traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs. This feature is not selected in this example; the routes that point to the transit router are added manually in Step 4.

  4. After you attach VPC 3 to the CEN instance, click Create More Connections.

    Repeat Step 3 to attach VPC 1 and VPC 2 to the CEN instance. When you attach VPC 1 and VPC 2 to the CEN instance, select only Propagate System Routes to Default Route Table of Transit Router.

  5. After you attach VPC 1, VPC 2, and VPC 3 to the CEN instance, click Return to the List to return to the details page of the CEN instance.

Step 3: Associate VPC 1 and VPC 2 with a custom route table of the transit router

  1. On the details page of the CEN instance, click the ID of the transit router that you want to manage.

  2. On the details page of the transit router, click the Route Table tab.

  3. In the left-side section, click Create Route Table.

  4. In the Create Route Table dialog box, set the following parameters and click OK.

    • Transit Router: The transit router in the current region is automatically selected.

    • Route Table Name: Enter a name for the route table.

    • Route Table Description: Enter a description for the route table.

    • Multi-region ECMP Routing: The default value is used in this example.

  5. Click View Route Table Details to return to the Route Table tab.

  6. On the Route Table tab, click the route table created in the previous step and click the Route Table Association tab. On this tab, click Create Association.

  7. In the Add Association dialog box, select the network instance connection that you want to associate with the route table and click OK.

    In this topic, VPC 1 and VPC 2 are associated with the custom route table. Then, VPC 1 and VPC 2 can forward traffic by querying the custom route table.

  8. On the details page of the custom route table, click the Route Entry tab, and then click Add Route Entry.

  9. In the Add Route Entry dialog box, set the following parameters and click OK.

    • Route Table: The system selects the current custom route table by default.

    • Transit Router: By default, the system selects the transit router of the current region.

    • Name: Enter a name for the route entry.

    • Destination CIDR: Enter a destination CIDR block for the route entry. 10.0.0.0/16, the primary CIDR block of VPC 3, is used in this example. Do not add routes for the CIDR blocks of VPC 1 or VPC 2 to this route table; any such route would allow VPC 1 and VPC 2 to communicate with each other.

    • Blackhole Route: If you select Yes, traffic that is destined for this route is dropped. In this example, No is selected.

    • Next Hop: Select a next hop for the route entry. VPC 3 is selected in this example.

    • Description: Enter a description for the route entry.

Step 4: Add a default route to the VPCs

Add a route whose destination CIDR block is 0.0.0.0/0 and whose next hop is the transit router to the route table of each of VPC 1, VPC 2, and VPC 3.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click Route Tables.

  3. In the top navigation bar, select the region to which the route table belongs.

  4. On the Route Tables page, click the ID of the route table that you want to manage.

    The route table of VPC 3 is selected in this example.

  5. On the route table details page, click Custom Route on the Route Entry List tab, and click Add Route Entry.

  6. In the Add Route Entry panel, set the following parameters and click OK.

    • Name: Enter a name for the route entry.

    • Destination CIDR Block: Enter the destination CIDR block of the route entry. 0.0.0.0/0 is used in this example.

    • Next Hop Type: Select a next hop type. Transit Router is selected in this example.

    • Transit Router: Select the transit router connection of the VPC whose route table you are editing. The connection of VPC 3 is selected in this example.

    For more information, see Subnet routing.

  7. Repeat Step 4 to Step 6 to add a route whose destination CIDR block is 0.0.0.0/0 and next hop is the transit router to VPC 1 and VPC 2.

    Then, you can view the route tables of VPC 1, VPC 2, VPC 3, and the transit router on the details page of the transit router in the CEN console.

    1. View the routes of VPC 1, VPC 2, and VPC 3:

      1. On the details page of the transit router, click Network Routes.

      2. Select the ID of VPC 1, VPC 2, or VPC 3 from the Network Instance drop-down list.

        Figure 1: Routes of VPC 1

        Figure 2: Routes of VPC 2

        Figure 3: Routes of VPC 3

    2. View the routes in the default route table and the custom route table of the transit router:

      1. On the details page of the transit router, click the Route Table tab.

      2. On the Route Table tab, select a route table and view its route entries. The default route table contains the system routes propagated from VPC 1, VPC 2, and VPC 3. The custom route table contains only the route to 10.0.0.0/16 that points to VPC 3. If the custom route table contains any other route, or if VPC 1 or VPC 2 is associated with the default route table instead of the custom route table, VPC 1 and VPC 2 are not isolated from each other.

        Figure 4: The default route table

        Figure 5: The custom route table

Step 5: Test network connectivity

After you complete the preceding steps, you can perform the following operations to test the connectivity among VPC 1, VPC 2, and VPC 3.

Note

Before you start, make sure that the security group rules of the ECS instances in VPC 1, VPC 2, and VPC 3 allow the required traffic between the VPCs, in this example ICMP. Scope the rules to the peer CIDR blocks (for example, allow inbound traffic from 192.168.0.0/16 and 172.16.0.0/16 in VPC 3) rather than to 0.0.0.0/0, so that a later change to the route tables of the transit router cannot silently expose the instances. For more information, see View security group rules.

  1. Log on to an ECS instance in VPC 1. For more information, see Connection method overview.

  2. Run the ping command to ping the IP address of an ECS instance deployed in VPC 3. This tests the network connectivity between VPC 1 and VPC 3.

    The result shows that VPC 1 can communicate with VPC 3.

  3. Log on to an ECS instance in VPC 2 and run the ping command to ping the IP address of an ECS instance in VPC 3. This tests the network connectivity between VPC 2 and VPC 3.

    The result shows that VPC 2 can communicate with VPC 3.

  4. Log on to an ECS instance in VPC 1 and run the ping command to ping the IP address of an ECS instance in VPC 2. This tests the network connectivity between VPC 1 and VPC 2.

    The result shows that VPC 1 cannot communicate with VPC 2. Note that a failed ping only proves that no round trip exists; to confirm that no traffic crosses the boundary in either direction, also check from VPC 2 that VPC 1 cannot be pinged, and verify in the CEN console that neither VPC 1 nor VPC 2 is associated with the default route table of the transit router.