This topic describes how to allow virtual private clouds (VPCs) with overlapping CIDR blocks to access each other by using VPC NAT gateways.

Background information

Due to early network planning or business consolidation, you may need two VPCs that have overlapping CIDR blocks to communicate with each other. Because a private IP address such as 192.168.0.20 is ambiguous between the two VPCs, neither VPC can simply route to the other's CIDR block. Instead, you create a VPC NAT gateway in each VPC and assign each gateway a NAT IP address. The two NAT IP addresses must not conflict with each other or with any vSwitch in the peer VPC, which is why each gateway is deployed in a transit vSwitch of its own. One VPC uses SNAT to translate the source IP addresses of its instances to the NAT IP address of its gateway, which allows the VPC to access the other VPC. The other VPC exposes its services on the NAT IP address configured in a DNAT entry. This way, the two VPCs can access each other: every cross-VPC packet is addressed to a NAT IP address rather than to an overlapping private IP address, and only the ports listed in DNAT entries are reachable from the peer.

Scenarios

The following scenario is used as an example. A company has created two VPCs, VPC1 and VPC2, in the China (Qingdao) region, and both VPCs use the CIDR block 192.168.0.0/16. VPC1 contains a service vSwitch named VSW1 (192.168.0.0/24) with an ECS instance named ECS1. VPC2 contains a service vSwitch named VSW3 (192.168.0.0/24) with an ECS instance named ECS2. Due to business development requirements, VPC1 needs to access VPC2. Because VPC1 and VPC2 have the same CIDR block, they cannot access each other directly by using a Cloud Enterprise Network (CEN) instance: a route to 192.168.0.0/16 in either VPC would conflict with its own address space. To work around this, create a transit vSwitch named VSW2 (192.168.100.0/24) in VPC1 and a transit vSwitch named VSW4 (192.168.200.0/24) in VPC2, and create a VPC NAT gateway in each transit vSwitch. The transit CIDR blocks overlap neither each other nor the service vSwitches, so the NAT IP addresses drawn from them are unambiguous in both VPCs. VPC1 and VPC2 can then access each other by using the SNAT and DNAT features of the VPC NAT gateways.

Procedure

Prerequisites

  • An Alibaba Cloud account is created. For more information, see Create an Alibaba Cloud account.
  • VPCs and vSwitches are created as described in the following table. For more information, see Create an IPv4 VPC.
    VPC name  Region           VPC CIDR block  vSwitch name            Zone            vSwitch CIDR block
    VPC1      China (Qingdao)  192.168.0.0/16  Service vSwitch: VSW1   Qingdao Zone B  VSW1: 192.168.0.0/24
                                               Transit vSwitch: VSW2                   VSW2: 192.168.100.0/24
    VPC2      China (Qingdao)  192.168.0.0/16  Service vSwitch: VSW3   Qingdao Zone B  VSW3: 192.168.0.0/24
                                               Transit vSwitch: VSW4                   VSW4: 192.168.200.0/24
  • An ECS instance named ECS1 is created in VSW1. An ECS instance named ECS2 is created in VSW3. For more information, see Create an instance by using the wizard.
  • A CEN instance is created. For more information, see Create a CEN instance.

Step 1: Create two VPC NAT gateways

Perform the following steps to create a VPC NAT gateway named VPC NATGW1 in VSW2 and a VPC NAT gateway named VPC NATGW2 in VSW4.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. On the VPC NAT Gateway page, click Create VPC NAT Gateway.
  4. On the VPC NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
    The following table lists the parameters of NATGW1 and NATGW2.
    Parameter Description Value
    Region Select the region where you want to create the VPC NAT gateway. Select China (Qingdao) for both VPC NAT gateways.
    VPC ID Select the VPC to which the VPC NAT gateway belongs. After you create a VPC NAT gateway, you cannot change the VPC to which it belongs.
    • VPC NATGW1: VPC1.
    • VPC NATGW2: VPC2.
    Zones Select the zone to which the VPC NAT gateway belongs.
    • VPC NATGW1: the zone of VSW2.
    • VPC NATGW2: the zone of VSW4.
    vSwitch ID Select the vSwitch to which the VPC NAT gateway belongs. We recommend that you select an independent vSwitch.
    • VPC NATGW1: VSW2.
    • VPC NATGW2: VSW4.
    Name Enter a name for the VPC NAT gateway.

    The name must be 1 to 128 characters in length.

    • Enter VPC NATGW1.
    • Enter VPC NATGW2.
    Service-linked Role Displays whether a service-linked role is created for VPC NAT Gateway.

    If this is your first time using a NAT gateway, including an Internet NAT gateway and a VPC NAT gateway, you must click Create Service-linked Role to create a service-linked role.

  5. On the Confirm Order page, confirm the information, select the Terms of Service check box, and then click Activate Now.
    When the message Order complete. appears, the purchase is completed.

Step 2: Create custom route tables

Perform the following steps to create a custom route table for VSW1 and another for VSW3.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. On the Route Tables page, click Create Route Table.
  5. On the Create Route Table page, set the following parameters and click OK.
    The following table lists the parameters for the custom route tables of VSW1 and VSW3.
    Parameter Description Value
    Resource Group Select the resource group to which the route table belongs. Select All for both route tables.
    VPC Select the VPC to which the route table belongs.
    • Route table of VSW1: Select VPC1.
    • Route table of VSW3: Select VPC2.
    Name Enter a name for the route table.
    • Route table of VSW1: Enter VSW1VTB.
    • Route table of VSW3: Enter VSW3VTB.
    Description Enter a description for the route table.
    • Route table of VSW1: Enter VSW1 custom route table.
    • Route table of VSW3: Enter VSW3 custom route table.
  6. Click the Associated vSwitch tab and click Associate vSwitch.
  7. In the Associate vSwitch dialog box, select the vSwitch that you want to associate and click OK.
    • When you create a route table for VSW1, select VSW1.
    • When you create a route table for VSW3, select VSW3.

Step 3: Add route entries to the custom route tables

Perform the following steps to add route entries to VSW1VTB and VSW3VTB.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. On the Route Tables page, find the custom route table that you want to manage and click its ID.
  5. Choose Route Entry List > Custom, and click Add Route Entry.
  6. In the Add Route Entry panel, set the following parameters and click OK.
    The following table lists the parameters for the route entries added to VSW1VTB and VSW3VTB.
    Parameter Description Value
    Name Enter a name for the route entry.
    • VSW1VTB: VPCNATGW1ENTRY.
    • VSW3VTB: VPCNATGW2ENTRY.
    Destination CIDR Block Enter the CIDR block to which you want to forward traffic. Set this parameter to the CIDR block of the peer transit vSwitch, which is where the peer's NAT IP address lives. Do not enter the peer's service vSwitch or VPC CIDR block: it is identical to the local one and the entry would conflict with the local system route.
    • VSW1VTB: 192.168.200.0/24 (VSW4 in VPC2).
    • VSW3VTB: 192.168.100.0/24 (VSW2 in VPC1).
    Next Hop Type Select the next hop type. Select NAT Gateway.
    NAT Gateway Select a NAT gateway.
    • VSW1VTB: Select VPC NATGW1.
    • VSW3VTB: Select VPC NATGW2.

Step 4: Attach the VPCs to a CEN instance

Perform the following operations in the old version of the CEN console.

  1. Log on to the CEN console.
  2. In the upper-right corner of the CEN Instance page, click Previous Version.
  3. On the Instances page, find the CEN instance that you created and click its ID.
  4. Click the Networks tab and click Attach Network.
    Attach VPC1 and VPC2 to the CEN instance. For more information, see Attach a network instance.
  5. Click the Route Maps tab and click Add Route Map.
  6. In the Add Route Map panel, set the following parameters and click OK.
    Repeat Step 5 and Step 6 to configure four routing policies.
    Parameter Description Value
    Routing Policy Priority Set a priority for the routing policy. A lower value indicates a higher priority.
    • Routing Policy 1: 1.
    • Routing Policy 2: 2.
    • Routing Policy 3: 3.
    • Routing Policy 4: 4.
    Description Enter a description for the routing policy.
    • Routing Policy 1: systemVTB1.
    • Routing Policy 2: systemVTB2.
    • Routing Policy 3: VSW1VTB.
    • Routing Policy 4: VSW3VTB.
    Region Select the region where the routing policy applies. Select China (Qingdao) for all four routing policies.
    Direction Select the direction in which the routing policy applies. Select Export from Regional Gateway for all four routing policies.
    Match Conditions Select a match condition for the routing policy.
    • Routing Policy 1: Select Destination Route Table and enter the ID of the system route table of VPC1.
    • Routing Policy 2: Select Destination Route Table and enter the ID of the system route table of VPC2.
    • Routing Policy 3: Select Destination Route Table and enter the ID of the custom route table of VSW1.
    • Routing Policy 4: Select Destination Route Table and enter the ID of the custom route table of VSW3.
    Routing Policy Action Select an action for the routing policy.
    • Routing Policy 1: Select Permit.
    • Routing Policy 2: Select Permit.
    • Routing Policy 3: Select Deny.
    • Routing Policy 4: Select Deny.
    After the routing policies are configured, only the system route tables of VPC1 and VPC2 learn dynamic routes that point to the peer VPC. The custom route tables VSW1VTB and VSW3VTB are denied these routes, so traffic from the service vSwitches reaches the peer VPC only through the NAT gateway entries added in Step 3.
  7. Return to the VPC console.
  8. In the left-side navigation pane, click Route Tables.
  9. On the Route Tables page, find the system route table of VPC1 and click its ID.
  10. On the Route Entry List > System tab, find the route entry whose CIDR block conflicts with the peer VPC, and click Withdraw in the Route Status in CEN column so that the route is no longer advertised to the peer VPC. In this example, the route of the service vSwitch (192.168.0.0/24 for VSW1) conflicts with VSW3 in VPC2 and must be withdrawn. Leave the route of the transit vSwitch (192.168.100.0/24 for VSW2) advertised, because the peer VPC must reach the NAT IP address of VPC NATGW1 through it.
    Repeat Step 9 and Step 10 for the system route table of VPC2: withdraw the route of VSW3 (192.168.0.0/24) and keep the route of VSW4 (192.168.200.0/24) advertised.

Step 5: Configure an SNAT entry on VPC NATGW1

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is deployed.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click SNAT Management in the Actions column.
  5. On the SNAT Management tab, click Create SNAT Entry.
  6. On the Create SNAT Entry page, set the following parameters and click OK.
    Parameter Description
    SNAT Entry Specify whether the SNAT entry applies to a VPC, a vSwitch, an ECS instance, or a custom CIDR block. Specify VPC is selected in this example, so every ECS instance in VPC1 whose traffic is routed to VPC NATGW1 has its source IP address translated to the NAT IP address before the traffic enters VPC2. This is the broadest scope: if only VSW1 or only ECS1 needs to reach VPC2, select the vSwitch or the ECS instance instead, so that other instances in VPC1 cannot use the gateway.
    Select NAT IP Address Select the NAT IP address that is used to access external networks. The default NAT IP address is selected in this example.
    Entry Name Enter a name for the SNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

Step 6: Configure a DNAT entry on VPC NATGW2

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is deployed.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click DNAT Management in the Actions column.
  5. On the DNAT Management tab, click Create DNAT Entry.
  6. On the Create DNAT Entry page, set the following parameters and click OK.
    Parameter Description
    Select NAT IP Address Select the NAT IP address that is used to receive requests from external networks. The default NAT IP address is selected in this example.
    Select Private IP Address Specify the private IP address of the ECS instance that uses the DNAT entry to communicate with external networks. Select Select by ECS or ENI and then select the private IP address of ECS2.
    Port Settings Select a DNAT mapping method. Port mapping is used in this example: select Specific Port, enter 22 for both Frontend Port and Backend Port, and select TCP for Protocol Type. Only the protocol and port listed in the DNAT entry are reachable from VPC1; all other ports of ECS2 remain unreachable through the NAT IP address. Forwarded traffic arrives at ECS2 with the NAT IP address of VPC NATGW1 as its source, so the security group of ECS2 must allow TCP port 22 from that address (or from the CIDR block of VSW2) for the connection to succeed.
    Entry Name Enter a name for the DNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
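    The complete path that Steps 2 through 6 build, as an added example that is not part of this page or of Alibaba Cloud's tooling: a Python model that checks the addressing plan and traces a new connection through the custom route table, the SNAT entry on VPC NATGW1, CEN, and the DNAT entry on VPC NATGW2. The CIDR blocks are the page's; the private IP addresses of ECS1 and ECS2, the default NAT IP addresses, and the names Packet, validate_plan, lookup and trace are assumptions made for the example.

```python
"""Added model of the design on this page: check the addressing plan, then trace
a new TCP connection through the custom route table, VPC NATGW1 (SNAT), CEN and
VPC NATGW2 (DNAT). It reproduces the page's rules only; it is not Alibaba Cloud code."""
import ipaddress as ipa
from dataclasses import dataclass

# CIDRs are the page's. Private IPs and default NAT IPs are assumed values for
# illustration; the console assigns the real ones (NAT IPs come from the transit vSwitch).
VPCS = {
    "VPC1": {"cidr": "192.168.0.0/16", "service": "192.168.0.0/24", "transit": "192.168.100.0/24"},
    "VPC2": {"cidr": "192.168.0.0/16", "service": "192.168.0.0/24", "transit": "192.168.200.0/24"},
}
ECS1, ECS2 = "192.168.0.10", "192.168.0.20"                 # assumed: ECS1 in VSW1, ECS2 in VSW3
NATGW1_IP, NATGW2_IP = "192.168.100.10", "192.168.200.10"   # assumed default NAT IPs
N, A = ipa.ip_network, ipa.ip_address


def validate_plan(vpcs=VPCS):
    """Return the plan's errors; an empty list means the addresses can coexist."""
    errors = []
    for name, v in vpcs.items():
        for kind in ("service", "transit"):
            if not N(v[kind]).subnet_of(N(v["cidr"])):
                errors.append(f"{name}: {kind} vSwitch {v[kind]} lies outside {v['cidr']}")
        if N(v["service"]).overlaps(N(v["transit"])):
            errors.append(f"{name}: service and transit vSwitches overlap")
    (_, v1), (_, v2) = vpcs.items()
    # NAT IPs are drawn from the transit vSwitches and each side routes the peer's
    # transit CIDR through its gateway, so a peer transit CIDR must not overlap any
    # local vSwitch (the local transit vSwitch included, or the NAT IPs collide).
    for local, peer in ((v1, v2), (v2, v1)):
        for kind in ("service", "transit"):
            if N(peer["transit"]).overlaps(N(local[kind])):
                errors.append(f"peer transit {peer['transit']} overlaps local {kind} vSwitch {local[kind]}")
    return errors


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "TCP"


# Route tables of the service vSwitches: the VPC's own system route plus the Step 3
# custom entry that sends traffic for the peer transit vSwitch to the local gateway.
ROUTES = {
    "VSW1": [("192.168.200.0/24", "NATGW1"), ("192.168.0.0/16", "local")],
    "VSW3": [("192.168.100.0/24", "NATGW2"), ("192.168.0.0/16", "local")],
}
# Step 5: SNAT on NATGW1 for the whole VPC; Step 6: DNAT on NATGW2 for TCP/22 to ECS2.
GATEWAYS = {
    "NATGW1": {"ip": NATGW1_IP, "snat": [("192.168.0.0/16", NATGW1_IP)], "dnat": {}},
    "NATGW2": {"ip": NATGW2_IP, "snat": [], "dnat": {(NATGW2_IP, "TCP", 22): (ECS2, 22)}},
}
VSWITCH_OF = {ECS1: "VSW1", ECS2: "VSW3"}   # constructed placement of the two instances


def lookup(table, dst):
    """Longest-prefix match, as a route table does; None if nothing matches."""
    matches = [(N(c).prefixlen, nh) for c, nh in table if A(dst) in N(c)]
    return max(matches)[1] if matches else None


def trace(pkt, routes=ROUTES, gws=GATEWAYS):
    """Trace a new connection: delivery status, what the target sees, and the hops."""
    hops = [f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} enters the route table of {VSWITCH_OF[pkt.src]}"]

    def drop(reason):
        return {"delivered": False, "reason": reason, "seen": None, "hops": hops + [reason]}

    nh = lookup(routes[VSWITCH_OF[pkt.src]], pkt.dst)
    if nh is None:
        return drop(f"no route to {pkt.dst}")
    if nh == "local":
        # The overlapping address matches the VPC's own system route, so the packet
        # never leaves the sender's VPC: this is why the peer is addressed by NAT IP.
        return drop(f"{pkt.dst} is delivered inside the sender's own VPC, not to the peer")
    gw = gws[nh]
    src = next((ip for cidr, ip in gw["snat"] if A(pkt.src) in N(cidr)), None)
    if src is None:
        return drop(f"{nh} has no SNAT entry for {pkt.src}")
    hops.append(f"{nh} SNAT: src {pkt.src} -> {src}; CEN forwards toward {pkt.dst}")
    peer = next((g for g in gws.values() if g["ip"] == pkt.dst), None)
    target = peer["dnat"].get((pkt.dst, pkt.proto, pkt.dport)) if peer else None
    if target is None:
        return drop(f"no DNAT entry answers {pkt.dst}:{pkt.dport}/{pkt.proto}")
    hops.append(f"peer DNAT: dst {pkt.dst}:{pkt.dport} -> {target[0]}:{target[1]}")
    hops.append(f"{target[0]} sees src {src}, dst {target[0]}:{target[1]} (allow this in its security group)")
    return {"delivered": True, "reason": None, "seen": (src, target[0], target[1]), "hops": hops}


if __name__ == "__main__":
    print("plan errors:", validate_plan() or "none")
    for p in (Packet(ECS1, NATGW2_IP, 22), Packet(ECS1, NATGW2_IP, 80),
              Packet(ECS1, ECS2, 22), Packet(ECS2, NATGW1_IP, 22)):
        print("\n".join(trace(p)["hops"]), end="\n\n")
```

    Running the script prints four traces: the SSH connection that succeeds, a port-80 attempt dropped because no DNAT entry covers it, a packet sent to ECS2's private IP address that stays inside VPC1, and a connection initiated by ECS2 that VPC NATGW2 drops because it has no SNAT entry. The last case is exactly what the reverse direction described in the background needs: an SNAT entry on VPC NATGW2 and a DNAT entry on VPC NATGW1. The final hop of the successful trace is the source address that the security group of ECS2 must allow.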

Step 7: Test the connectivity

  1. Log on to ECS1 in VSW1. For more information, see Connection methods.
  2. Run the ping command against the default NAT IP address of VPC NATGW2.
    A reply shows that traffic from ECS1 reaches the NAT IP address of VPC NATGW2 by way of VSW1VTB, VPC NATGW1 and CEN. Because the DNAT entry forwards only TCP port 22, this step does not by itself prove that ECS2 is reachable; the next step does.
  3. Run the ssh root@<NAT IP address> command, where <NAT IP address> is the default NAT IP address of VPC NATGW2. Then, enter the password of ECS2 to test whether ECS1 can remotely connect to ECS2.
    If the message Welcome to Alibaba Cloud Elastic Compute Service! appears, you are connected to ECS2.

    The test result shows that ECS1 can access ECS2 by using the DNAT feature of VPC NATGW2. On ECS2, the connection appears to come from the NAT IP address of VPC NATGW1, not from the private IP address of ECS1.