This tutorial describes how to use Express Connect to connect two VPCs under different accounts.

Note: If this is the first time you are using Express Connect to interconnect two VPCs, we recommend that you use CEN. For more information, see Tutorial overview.

Example

In cross-account VPC interconnection, you need to create an initiator and an acceptor separately, establish a peering connection, and then configure routes. This tutorial uses the following two VPCs as an example. VPC1 under account A acts as the initiator and VPC2 under account B acts as the acceptor.



Prerequisites

  • You have obtained the Alibaba Cloud account ID of the peer VPC and the VRouter ID of the VPC.
  • The Classless Inter-Domain Routing (CIDR) blocks of the VPCs or VSwitches that you want to interconnect do not conflict.

Step 1: Create an initiator

Perform the following steps to create an initiator:
  1. Log on to the Express Connect console using the credentials of account A.
  2. In the left-side navigation pane, click VPC Peering Connections > VPC-to-VPC.
  3. Click Create Peering Connection.
  4. Configure the peering connection.

    Use the following configurations:

    • Account: Select Different from Peer's.

    • Connection Type: Select VPC-to-VPC.

    • Routers to Create: Select Create Initiator.

      Only the initiator can initiate the connection to the acceptor.

    • Local Region: Select the region of the VPC. In this example, select China (Qingdao).

    • Local VPC ID: Select the VPC for which the initiator instance is created. In this example, select VPC1.

    • Peer Region: Select the region where the VPC to be connected is located. In this example, select China (Beijing).

    • Specification: Select a bandwidth for the interconnection. In this example, select 2 Mb.

  5. Click Buy Now and complete the payment.
  6. Go back to the VPC Peering Connections page to check the created initiator instance.

Step 2: Create an acceptor

Perform the following steps to create an acceptor:
  1. Log on to the Express Connect console using the credentials of account B.
  2. In the left-side navigation pane, click VPC Peering Connections > VPC-to-VPC.
  3. Click Create Peering Connection.
  4. Configure the peering connection.

    Use the following configurations:

    • Account: Select Different from Peer's.

    • Connection Type: Select VPC-to-VPC.

    • Routers to Create: Select Acceptor Only.

    • Local Region: Select the region of the VPC. In this example, select China (Beijing).

    • Local VPC ID: Select the VPC for which the acceptor instance is created. In this example, select VPC2.

    • Peer Region: Select the region where the VPC to be connected is located. In this example, select China (Qingdao).

    • Specification: The acceptor bandwidth depends on the initiator bandwidth. In this example, select Default.

  5. Click Buy Now and complete the payment.
  6. On the VPC Peering Connections page, check the created acceptor instance and note down its ID. In this example, the acceptor instance ID is ri-2zeix2q86uoyisagyz0pn.

Step 3: Add the initiator

After creating the initiator and the acceptor, you must add the initiator to the acceptor.

Perform the following steps to add the initiator for the acceptor:
  1. Log on to the Express Connect console using the credentials of account B.
  2. In the left-side navigation pane, click VPC Peering Connections > VPC-to-VPC.
  3. Select the region of the acceptor.

    In this example, select China (Beijing).

  4. Find the created acceptor instance and click Add Initiator.

  5. On the Add Instance page, select Another Account and enter the ID of the initiator router interface. In this example, enter ri-m5e33r3n78zyi5573kf85. Click OK.

Step 4: Add the acceptor and establish a peering connection

After you add the initiator and the acceptor, the initiator can actively initiate and establish a peering connection between the two VPCs.

In this example, the connection initiator is VPC1 under account A. Perform the following steps to establish a peering connection:
  1. Log on to the Express Connect console using the credentials of account A.
  2. In the left-side navigation pane, click VPC Peering Connections > VPC-to-VPC.
  3. Select the region of the initiator instance.

    In this example, select China (Qingdao).

  4. Click Add Acceptor.

  5. On the Add Instance page, select Another Account and enter the ID of the acceptor router interface. In this example, enter ri-2zeix2q86uoyisagyz0pn. Click OK.
  6. Click > Initiate Connection.

    When the connection is established, the initiator and the acceptor enter the activated state.

Step 5: Configure routes

After establishing a peering connection, you need to add a route for each of the two VPCs.

Perform the following steps to configure the routes:

  1. Log on to the Express Connect console using the credentials of account A.
  2. On the VPC Peering Connections page, find the created peering connection.
  3. Find the initiator instance and click Route Settings.

  4. Click Add Route Entry, enter the CIDR block of the VPC or VSwitch to be connected, and click Confirm.

    In this example, enter the CIDR block of the peer VPC: 172.16.0.0/16.

  5. Log on to the Express Connect console using the credentials of account B.
  6. Find the acceptor instance and click Route Settings.

  7. Click Add Route Entry, enter the CIDR block of the VPC or VSwitch to be connected, and click Confirm.

    In this example, enter the CIDR block of the peer VPC: 192.168.0.0/16.

Step 6: Configure security groups

After establishing a peering connection between two VPCs, you need to configure security groups to enable the intercommunication of ECS instances in these two VPCs.

This tutorial uses the ECS instances and security groups in the following table as an example.

| Configuration | Account A | Account B |
| --- | --- | --- |
| Account ID | AccountID_A | AccountID_B |
| ECS instance ID | InstanceID_A | InstanceID_B |
| Security group ID | SecurityGroupID_A | SecurityGroupID_B |

You can view the account ID in the Account Center.

Perform the following steps to configure the security group rule:
  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Networks and Security > Security Groups.
  3. Select the region of the instance.
  4. Find the target security group and then click Add Rules.
  5. On the Security Group Rules page, click Add Security Group Rule.
  6. Configure the security group rule, select the protocol type, and enter the port range. Then select the authorization type according to the following information.

    | Scenario | Authorization type | Description |
    | --- | --- | --- |
    | Cross-region VPC interconnection | CIDR block | The CIDR block of the peer VPC. |
    | Same-region VPC interconnection | Security group | The ID of the security group associated with the peer ECS instance. |

    Note: If the VPCs to be interconnected belong to different accounts, select Allow Other Accounts and in the Account ID field, enter the peer account ID.

    Notice:
    • If the VPCs to be interconnected are in different regions, select the CIDR block authorization type and enter the CIDR block of the peer VPC. In this example, select the CIDR block authorization type.
    • If the VPCs to be interconnected are in the same region, select the security group authorization type. In cross-account interconnection, select Allow Other Accounts and in the Account ID field, enter the peer account ID.
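
The CIDR prerequisite, the route entries from Step 5, and the authorization-type table from Step 6 can be checked together before anything is changed in the console. The following Python sketch is an added example, not Alibaba Cloud tooling; the dictionary shapes, field names, and function names are assumptions made for illustration, and the inputs are constructed from this tutorial's placeholder IDs and CIDR blocks.

```python
import ipaddress

def plan_peering(local, peer):
    """Return the route entry (Step 5) and security group source (Step 6)
    that the `local` side needs in order to reach `peer`."""
    local_net = ipaddress.ip_network(local["cidr"])
    peer_net = ipaddress.ip_network(peer["cidr"])
    # Prerequisite: the CIDR blocks to interconnect must not conflict.
    if local_net.overlaps(peer_net):
        raise ValueError(f"CIDR conflict: {local_net} overlaps {peer_net}")
    if local["region"] != peer["region"]:
        # Cross-region: authorize the peer VPC's CIDR block.
        source = {"type": "cidr", "value": str(peer_net)}
    else:
        # Same region: authorize the peer ECS instance's security group.
        source = {"type": "security_group", "value": peer["security_group"]}
        if local["account"] != peer["account"]:
            # Cross-account: "Allow Other Accounts" plus the peer account ID.
            source["peer_account_id"] = peer["account"]
    return {"route_destination": str(peer_net), "sg_source": source}

def audit_cidr_rule(rule, peer_cidr):
    """Flag a CIDR-authorized rule that admits more than the peering needs."""
    findings = []
    src = ipaddress.ip_network(rule["source_cidr"], strict=False)
    if not src.subnet_of(ipaddress.ip_network(peer_cidr)):
        findings.append(f"source {src} is not contained in peer VPC {peer_cidr}")
    if rule["protocol"] == "all" or rule["port_range"] == "1/65535":
        findings.append("rule opens every port to the source")
    return findings

# Constructed inputs: the tutorial's placeholder names and example CIDR blocks.
VPC1 = {"account": "AccountID_A", "region": "China (Qingdao)",
        "cidr": "192.168.0.0/16", "security_group": "SecurityGroupID_A"}
VPC2 = {"account": "AccountID_B", "region": "China (Beijing)",
        "cidr": "172.16.0.0/16", "security_group": "SecurityGroupID_B"}

if __name__ == "__main__":
    print(plan_peering(VPC1, VPC2))   # what account A configures
    print(plan_peering(VPC2, VPC1))   # what account B configures
    wide = {"protocol": "all", "port_range": "-1/-1", "source_cidr": "0.0.0.0/0"}
    print(audit_cidr_rule(wide, VPC2["cidr"]))
```

Running the audit against each proposed rule keeps the peering from exposing more of a VPC to the other account than the interconnection requires.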

Step 7: Test the connection

After establishing the peering connection and adding routes, you can log on to an ECS instance of either VPC and ping the IP address of an ECS instance in the other VPC. If the ping succeeds, the two VPCs are connected.