This tutorial shows how to use Express Connect to connect two VPCs that belong to different accounts.

Note: If you are using Express Connect to connect two VPCs for the first time, we recommend that you use CEN. For more information, see Tutorial overview.

Example

To connect VPCs under different accounts, you must create the initiator and the acceptor separately, establish a peering connection, and configure the routes. This tutorial uses the following two VPCs as an example: VPC1 under account A acts as the initiator and VPC2 under account B acts as the acceptor.



Prerequisites

  • You have obtained the Alibaba Cloud account ID of the peer end and the VRouter ID of the VPC to connect.
  • Make sure that the CIDR blocks of the VPCs or VSwitches to be interconnected do not conflict with each other.

Step 1 Create the initiator

To create the initiator, complete these steps:
  1. Use account A to log on to the Express Connect console.
  2. In the left-side navigation pane, click VPC Peering Connections > VPC-to-VPC.
  3. Click Create Peering Connection.
  4. Configure the peering connection.

    The following are the configurations used in this tutorial.

    • Account: Select Different Account.

    • Connection Type: Select VPC-to-VPC.

    • Router Creation: Select Create Initiator Only.

      Only the initiator can actively initiate the connection.

    • Local Region: Select the region of the VPC. In this tutorial, select China (Qingdao).

    • VPC ID: Select the VPC for which the initiator instance is created. In this tutorial, select VPC1.

    • Peer Region: Select the region where the VPC to connect is located. In this tutorial, select China (Beijing).

    • Bandwidth: Select the bandwidth of the interconnection. In this tutorial, select 2Mb.

  5. Click Buy Now to complete the payment.
  6. Go back to the VPC Peering Connections page to view the created initiator instance.

Step 2 Create the acceptor

To create the acceptor, complete these steps:
  1. Use account B to log on to the Express Connect console.
  2. In the left-side navigation pane, click VPC Peering Connections > VPC-to-VPC.
  3. Click Create Peering Connection.
  4. Configure the peering connection.

    The following are the configurations used in this tutorial.

    • Account: Select Different Account.

    • Connection Type: Select VPC-to-VPC.

    • Router Creation: Select Create Acceptor Only.

    • Local Region: Select the region where the VPC is located. In this tutorial, select China (Beijing).

    • VPC ID: Select the VPC for which the acceptor instance is created. In this tutorial, select VPC2.

    • Peer Region: Select the region where the VPC to connect is located. In this tutorial, select China (Qingdao).

    • Bandwidth: The bandwidth of the acceptor is decided by the initiator. In this tutorial, select Default.

  5. Click Buy Now and complete the payment.
  6. On the VPC Peering Connections page, view the created acceptor instance, and record the ID of the created acceptor instance (the instance ID in this tutorial is ri-2zeix2q86uoyisagyz0pn).

Step 3 Add the initiator

After creating the initiator and the acceptor, you must add the initiator for the acceptor.

To add the initiator for the acceptor, complete these steps:
  1. Use account B to log on to the Express Connect console.
  2. In the left-side navigation pane, click VPC Peering Connections > VPC-to-VPC.
  3. Select the region of the acceptor.

    In this tutorial, select China (Beijing).

  4. Find the created acceptor instance and click Add Initiator.

  5. On the Add Instance page, select No, and enter the initiator router interface ID (in this tutorial, the interface ID is ri-m5e33r3n78zyi5573kf85). Click OK.

Step 4 Add the acceptor and establish a peering connection

After adding the initiator and acceptor, the initiator can actively initiate the connection to establish a peering connection between the two VPCs.

In this tutorial, the initiator is the VPC under account A. To establish the peering connection, complete these steps:
  1. Use account A to log on to the Express Connect console.
  2. In the left-side navigation pane, click VPC Peering Connections > VPC-to-VPC.
  3. Select the region of the initiator instance.

    In this tutorial, select China (Hangzhou).

  4. Click Add Acceptor.

  5. On the Add Instance page, select No, and enter the acceptor router interface ID (in this tutorial, the interface ID is ri-2zeix2q86uoyisagyz0pn). Click OK.
  6. Click > Initiate Connection.

    After the connection is successfully established, the status of the initiator and acceptor becomes activated.

Step 5 Configure the routes

After establishing the peering connection, you must add routes for the interconnected VPCs.

To configure the routes, complete these steps:

  1. Use account A to log on to the Express Connect console.
  2. On the VPC Peering Connections page, find the created peering connection.
  3. Find the initiator instance and click Route Settings.

  4. Click Add Route Entry, enter the CIDR block of the VPC or VSwitch to connect, and click Confirm.

    In this tutorial, enter the CIDR block of the peer VPC, that is, 172.16.0.0/16.

  5. Use account B to log on to the Express Connect console.
  6. Find the acceptor instance and click Route Settings.

  7. Click Add Route Entry, enter the CIDR block of the VPC or VSwitch to connect, and click Confirm.

    In this tutorial, enter the CIDR block of the peer VPC, that is, 192.168.0.0/16.

Step 6 Configure security groups 

After establishing the peering connection between the two VPCs, you also need to configure security group rules so that ECS instances in the two VPCs can communicate with each other.

This tutorial uses ECS instances and security group configurations in the following table as an example.

| Configurations | Account A | Account B |
|---|---|---|
| Account ID | AccountID_A | AccountID_B |
| ECS instance ID | InstanceID_A | InstanceID_B |
| Security group ID | SecurityGroupID_A | SecurityGroupID_B |

You can view the account ID in the Account Center.

To configure security groups, complete these steps:
  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Networks and Security > Security Groups.
  3. Select the region of the target instance.
  4. Find the target security group and then click Add Rules.
  5. On the Security Group Rules page, click Add Security Group Rule.
  6. Configure the security group rule, select the protocol type and enter the port range. Then select the authorization type according to the following information.

    | Scenario | Authorization type | Configuration |
    |---|---|---|
    | Cross-region VPC interconnection | CIDR block | The CIDR block of the peer VPC. |
    | Same-region VPC interconnection | Security group | The ID of the security group associated with the peer ECS instance. |

    Note: If the VPCs to be interconnected belong to different accounts, select Allow Other Accounts. In the Account ID field, select the peer account ID.

    Notice:
    • If the VPCs to be interconnected are in different regions, select the CIDR block authorization type and enter the CIDR block of the peer VPC. In this tutorial, select the CIDR block authorization type.
    • If the VPCs to be interconnected are in the same region, select the security group authorization type. In cross-account interconnection, select Allow Other Accounts. In the Account ID field, select the peer account ID.

Step 7 Test the connection

After establishing the peering connection and adding routes, you can log on to an ECS instance in one VPC and ping the private IP of an ECS instance in the peer VPC. If you can successfully ping the private IP, the two VPCs have been successfully connected.
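
A pre-flight check for the CIDR prerequisite, the route entries in Step 5, and the security group rules in Step 6, given here as an added example that is not part of the original tutorial or of any Alibaba Cloud tooling. It confirms that the two VPC CIDR blocks do not conflict, that each route entry stays inside the peer VPC, and that no security group source is wider than the peer CIDR. The VPC1 and VPC2 CIDR blocks are inferred from the route entries in Step 5; the rule dictionaries, their field names, and the 0.0.0.0/0 rule are constructed sample data, not the ECS API schema.

```python
import ipaddress

# CIDR blocks inferred from the route entries in Step 5 of this tutorial.
VPC1_CIDR = "192.168.0.0/16"   # account A, initiator
VPC2_CIDR = "172.16.0.0/16"    # account B, acceptor

# Constructed sample ingress rules for VPC2's security group (hypothetical
# field names, not the ECS API schema).
SAMPLE_RULES = [
    {"source_cidr": "192.168.0.0/16", "protocol": "icmp"},
    {"source_cidr": "192.168.1.0/24", "protocol": "tcp", "ports": "443/443"},
    {"source_cidr": "0.0.0.0/0", "protocol": "tcp", "ports": "22/22"},
]

def cidr_conflicts(local_cidrs, peer_cidrs):
    """Return every (local, peer) pair of CIDR blocks that overlap."""
    local = [ipaddress.ip_network(c) for c in local_cidrs]
    peer = [ipaddress.ip_network(c) for c in peer_cidrs]
    return [(str(a), str(b)) for a in local for b in peer if a.overlaps(b)]

def route_problems(destination, local_vpc_cidr, peer_vpc_cidr):
    """Check a route entry: it must stay inside the peer VPC and must not
    capture any address of the local VPC."""
    dest = ipaddress.ip_network(destination)
    problems = []
    if dest.overlaps(ipaddress.ip_network(local_vpc_cidr)):
        problems.append("overlaps local VPC")
    if not dest.subnet_of(ipaddress.ip_network(peer_vpc_cidr)):
        problems.append("not inside peer VPC")
    return problems

def overly_broad_rules(rules, peer_vpc_cidr):
    """Return rules whose source is wider than, or outside, the peer VPC."""
    peer = ipaddress.ip_network(peer_vpc_cidr)
    return [r for r in rules
            if not ipaddress.ip_network(r["source_cidr"]).subnet_of(peer)]

if __name__ == "__main__":
    print("CIDR conflicts:", cidr_conflicts([VPC1_CIDR], [VPC2_CIDR]))
    print("Route on account A:", route_problems(VPC2_CIDR, VPC1_CIDR, VPC2_CIDR))
    print("Route on account B:", route_problems(VPC1_CIDR, VPC2_CIDR, VPC1_CIDR))
    print("Broad rules on VPC2:", overly_broad_rules(SAMPLE_RULES, VPC1_CIDR))
```

Narrowing a rule's source from the whole peer VPC CIDR to the VSwitch that actually needs access passes the same check and reduces what the peer account can reach.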