Cloud Enterprise Network (CEN) supports communication, isolation, and redirect policies within regions. This topic describes how to use CEN to allow isolated virtual private clouds (VPCs) to access a shared VPC.

Background information

The following scenario is used as an example in this topic. An enterprise has deployed three VPCs in the US (Silicon Valley) region. VPC 3 serves as the shared VPC. The enterprise wants to enable VPC 1 and VPC 2 to access VPC 3 while VPC 1 cannot communicate with VPC 2.

Architecture

Prerequisites

Before you start, make sure that the following requirements are met:

Procedure

Step 1: Plan networks

To allow VPC 1 and VPC 2 to access VPC 3, perform the following operations based on the features provided by CEN, such as custom route tables, associated forwarding, and route learning.
  • Add a default route entry whose destination CIDR block is 0.0.0.0/0 and next hop is the transit router to the route tables of VPC 1, VPC 2, and VPC 3.
  • Associate VPC 3 with the default route table of the transit router and enable the features that automatically associate the VPC with the default route table of the transit router and automatically advertise system routes to the default route table of the transit router.

    Then, the default route table of the transit router can automatically learn the system routes of VPC 3, and VPC 3 can forward traffic by querying the default route table.

  • Associate VPC 1 and VPC 2 with the custom route table of the transit router, and enable the feature that automatically advertises system routes to the default route table of the transit router. Then, add a custom route entry that points to VPC 3 to the custom route tables of VPC 1 and VPC 2.

    This way, the default route table of the transit router can learn the system routes of VPC 1 and VPC 2. VPC 1 and VPC 2 can forward traffic to VPC 3 by querying the custom route tables. In this case, VPC 1 cannot communicate with VPC 2.

  • In this example, three VPCs are created in the US (Silicon Valley) region and vSwitches are created in specified zones. The following table describes the network plans of the VPCs.
    Note Make sure that the CIDR blocks of the VPCs do not overlap when you plan networks.

    VPC in the US (Silicon Valley) region       vSwitch    Zone    CIDR block       ECS IP address
    VPC 1 (primary CIDR block 192.168.0.0/16)   vSwitch 1  Zone A  192.168.0.0/24   192.168.1.224
                                                vSwitch 2  Zone B  192.168.1.0/24
    VPC 2 (primary CIDR block 172.16.0.0/16)    vSwitch 3  Zone A  172.16.0.0/24    172.16.0.222
                                                vSwitch 4  Zone B  172.16.1.0/24
    VPC 3 (primary CIDR block 10.0.0.0/16)      vSwitch 5  Zone A  10.0.0.0/24      10.0.0.112
                                                vSwitch 6  Zone B  10.0.1.0/24

Step 2: Create a CEN instance

Before you can connect network instances, you must create a CEN instance. CEN allows you to manage network instances in the same system. You can use a CEN instance to establish and manage a network.

  1. Log on to the CEN console.
  2. On the Instances page, click Create CEN Instance.
  3. In the Create CEN Instance dialog box, set the following parameters and click OK.
    • Name: Enter a name for the CEN instance.

      The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter or Chinese character.

    • Description: Enter a description for the CEN instance.

      The description must be 2 to 256 characters in length and cannot start with http:// or https://. You can leave this parameter empty.

Step 3: Attach VPCs to the CEN instance

  1. On the Instances page, find the CEN instance and click its ID.
  2. In the CEN details page, click Attach a network instance below VPC.
  3. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    • Network Type: Select VPC.
    • Region: Select the region to which the VPC belongs. US (Silicon Valley) is selected in this example.
    • Transit Router: The system automatically creates a transit router in the current region.
    • Select the primary and secondary zones for the transit router: Select a primary zone and a secondary zone in which the transit router is deployed.
      Note When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN. The service-linked role allows the transit router to create elastic network interfaces (ENIs) in the vSwitches of the VPC. ENIs are used to direct network traffic from the VPC to the transit router. For more information, see AliyunServiceRoleForCEN.
    • Resource Owner ID: Select the Alibaba Cloud account to which the VPC belongs. Your Account is used in this example.
    • Billing Method: The default value Pay-As-You-Go is used in this example.
    • Connection Name: Enter a name for the connection.

      The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    • Networks: Select the ID of the VPC. VPC 3 is selected in this example.
    • vSwitch: Select one vSwitch in the primary zone and one vSwitch in the secondary zone.
    • Advanced Settings: By default, the system automatically enables the following advanced features. In this example, only Associate with Default Route Table of Transit Router and Propagate System Routes to Default Route Table of Transit Router are selected for VPC 3.
      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the system automatically associates the VPC with the default route table of the transit router. Network traffic is forwarded based on the routes in the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the routes of the VPC are propagated to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the same CEN instance.

      • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

        After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the transit router.

  4. After you attach VPC 3 to the CEN instance, click Create More Connections.
    Repeat Step 3 to attach VPC 1 and VPC 2 to the CEN instance. When you attach VPC 1 and VPC 2 to the CEN instance, select only Propagate System Routes to Default Route Table of Transit Router.
  5. After you attach VPC 1, VPC 2, and VPC 3 to the CEN instance, click Return to the List to return to the details page of the CEN instance.

Step 4: Associate VPC 1 and VPC 2 with the custom route table

  1. On the details page of the CEN instance, find the transit router and click its ID.
  2. On the details page of the transit router, click the Route Table tab.
  3. In the left-side area, click Create Route Table.
  4. In the Create Route Table dialog box, set the following parameters and click OK.
    • Transit Router: The system automatically selects the transit router that belongs to the current region.
    • Name: Enter a name for the route table.

      The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    • Description: Enter a description for the route table.

      The description must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

  5. Click View Route Table Details to return to the Route Table tab.
  6. On the Route Table tab, select the custom route table that you created, click the Route Table Association tab, and then click Add Association.
  7. In the Add Association dialog box, select the network instances that you want to associate with the custom route table and click OK.
    In this topic, VPC 1 and VPC 2 are associated with the custom route table. Then, VPC 1 and VPC 2 can forward traffic by querying the custom route table.
  8. On the details page of the custom route table, click the Route Entry tab, and then click Add Route Entry.
  9. In the Add Route Entry dialog box, set the following parameters and click OK.
    • Route Table: The system selects the current custom route table by default.
    • Transit Router: By default, the system selects the transit router of the current region.
    • Name: Enter a name for the route entry.

      The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    • Destination CIDR: Enter a destination CIDR block for the route entry. 10.0.0.0/16 is used in this example.
    • Blackhole Route: If you select Yes, traffic that is forwarded by this route is dropped. No is selected in this example.
    • Next Hop: Select a next hop for the route entry. VPC 3 is selected in this example.
    • Description: Enter a description for the route entry.

      The description must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

Step 5: Add a default route entry to the VPCs

You must add a default route entry whose destination CIDR block is 0.0.0.0/0 and next hop is the transit router to VPC 1, VPC 2, and VPC 3 in the VPC console.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. On the Route Tables page, find the route table and click its ID.
    The route table of VPC 3 is selected in this example.
  5. On the details page of the route table, click Custom on the Route Entry List tab, and then click Add Route Entry.
  6. In the Add Route Entry panel, set the following parameters and click OK.
    • Name: Enter a name for the route entry.

      The name must be 2 to 128 characters, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    • Destination CIDR Block: Enter the destination CIDR block of the route entry. 0.0.0.0/0 is used in this example.
    • Next Hop Type: Select the next hop type. Transit Router is selected in this example.
    • Transit Router: Select the transit router. The transit router of VPC 3 is selected in this example.

    For more information, see Add a custom route entry.

  7. Repeat Step 4 to Step 6 to add a default route entry to VPC 1 and VPC 2. You must specify 0.0.0.0/0 as the destination CIDR block of the default route entry and the transit router as the next hop.
    Then, you can view the route tables of VPC 1, VPC 2, VPC 3, and the transit router on the details page of the transit router in the CEN console.
    1. On the details page of the transit router, click Routing Information. Then, click the ID of VPC 1, VPC 2, or VPC 3 next to Networks to view the routes of that VPC.
      Figure 1. Routes of VPC 1
      Figure 2. Routes of VPC 2
      Figure 3. Routes of VPC 3
    2. On the details page of the transit router, click the Route Table tab and view the route entries of each route table. The default route table contains the routes learned from VPC 1, VPC 2, and VPC 3; the custom route table contains only the route entry that points to VPC 3.
      Figure 4. Default route table
      Figure 5. Custom route tables

Step 6: Test the connectivity

After you complete the preceding steps, you can perform the following operations to test the connectivity between VPC 1, VPC 2, and VPC 3.
Note Before you start, make sure that the security group rules of VPC 1, VPC 2, and VPC 3 allow the ECS instances to communicate with each other. For more information, see Query security group rules.
  1. Log on to the ECS instance that is deployed in VPC 1. For more information, see Guidelines on instance connection.
  2. To test the connectivity between VPC 1 and VPC 3, run the ping command to ping the IP address of the ECS instance deployed in VPC 3.
    The result shows that VPC 1 can communicate with VPC 3.
  3. Log on to the ECS instance that is deployed in VPC 2. To test the connectivity between VPC 2 and VPC 3, run the ping command to ping the IP address of the ECS instance deployed in VPC 3.
    The result shows that VPC 2 can communicate with VPC 3.
  4. Log on to the ECS instance that is deployed in VPC 1. To test the connectivity between VPC 1 and VPC 2, run the ping command to ping the IP address of the ECS instance deployed in VPC 2.
    The result shows that VPC 1 cannot communicate with VPC 2.
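The connectivity results above follow directly from the route table associations planned in Step 1: VPC 1 and VPC 2 look up destinations in the custom route table, which only knows VPC 3, while VPC 3 uses the default route table, which has learned all three VPC CIDR blocks. The following added example (not Alibaba Cloud code; the route tables, association map and ECS addresses are constructed from the table in Step 1) models that longest-prefix lookup for both the request and the reply path, so you can check that isolation holds, and see what happens if an attachment is accidentally associated with the default route table.

```python
import ipaddress

# Constructed model of the topology planned in Step 1; these are not Alibaba
# Cloud's data structures, only the CIDR blocks and ECS IPs from the plan table.
VPCS = {"VPC1": "192.168.0.0/16", "VPC2": "172.16.0.0/16", "VPC3": "10.0.0.0/16"}
ECS = {"VPC1": "192.168.1.224", "VPC2": "172.16.0.222", "VPC3": "10.0.0.112"}

# Transit router route tables as lists of (destination CIDR, next-hop VPC).
# Every attachment propagates its system routes, so the default table learns
# all three VPC CIDRs; the custom table holds only the manual route to VPC 3.
DEFAULT_RT = [(cidr, vpc) for vpc, cidr in VPCS.items()]
CUSTOM_RT = [("10.0.0.0/16", "VPC3")]

# Route table association per attachment, as configured in Step 3 and Step 4.
ASSOCIATION = {"VPC1": CUSTOM_RT, "VPC2": CUSTOM_RT, "VPC3": DEFAULT_RT}


def lookup(table, dst_ip):
    """Longest-prefix match of dst_ip in a transit router route table."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, next_hop in table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def next_hop(src_vpc, dst_ip, association=ASSOCIATION):
    """Forwarding decision for a packet leaving src_vpc. The VPC's 0.0.0.0/0
    route (Step 5) hands it to the transit router, which looks it up in the
    table associated with the source attachment; None means the packet drops."""
    return lookup(association[src_vpc], dst_ip)


def reachable(src_vpc, dst_vpc, association=ASSOCIATION):
    """ping-style check: the request must reach dst_vpc and the reply must get
    back to src_vpc, each decided by the table of the VPC that sends it."""
    forward = next_hop(src_vpc, ECS[dst_vpc], association) == dst_vpc
    back = next_hop(dst_vpc, ECS[src_vpc], association) == src_vpc
    return forward and back


def connectivity_matrix(association=ASSOCIATION):
    """Reachability for every ordered pair of distinct VPCs."""
    return {(s, d): reachable(s, d, association)
            for s in VPCS for d in VPCS if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(connectivity_matrix().items()):
        print(f"{s} -> {d}: {'reachable' if ok else 'isolated'}")
```

Note that isolation survives as long as at least one of VPC 1 and VPC 2 stays on the custom route table: if only one is moved to the default table, its requests reach the other VPC, but the replies are dropped because the other side still has no route back.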