Before you create virtual private clouds (VPCs) and vSwitches, you must plan the number of VPCs and vSwitches, and CIDR blocks of VPCs and vSwitches.

How many VPCs do I use?

  • One VPC

    If your services do not need to be deployed in multiple regions and different systems do not need to be separated, we recommend that you use one VPC.

    One VPC
  • Multiple VPCs

    We recommend that you create multiple VPCs if you have one of the following requirements:
    • Cross-region deployment

      A VPC cannot be deployed across regions. Therefore, if you want to deploy your application systems in different regions, you must create multiple VPCs. You can use Cloud Enterprise Network (CEN), Express Connect, or VPN Gateway to connect VPCs that are deployed in different regions.

      Connect VPCs across regions
    • Service isolation

      If you want to isolate your service systems in the same region by using VPCs, you must create multiple VPCs. For example, you can use multiple VPCs to isolate the test environment from the production environment. You can use CEN, Express Connect, or VPN Gateway to connect VPCs that are deployed in the same region.

      Isolate services

How many vSwitches do I use?

You can determine the number of vSwitches based on the following suggestions:
  • We recommend that you create at least two vSwitches for each VPC and deploy these vSwitches in different zones to implement cross-zone disaster recovery.

    Network latency between different zones in the same region is typically low. However, you must check the actual network latency after you deploy your services. The network latency may be increased due to the complex network architecture. We recommend that you optimize and adapt the system to meet your requirements for high availability and low latency.

  • In addition, the scale and planning of your service system must also be taken into consideration when you determine the number of vSwitches to be created. If you want the frontend system to communicate with the Internet, we recommend that you deploy different frontend systems in different vSwitches and deploy backend systems in other vSwitches. This improves service availability.

How do I specify CIDR blocks?

When you create VPCs and vSwitches, you must specify their private IP address ranges in CIDR notation.
  • Specify VPC CIDR blocks

    You can specify 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, or one of their subnets as the CIDR block of a VPC. You can also specify a custom CIDR block. 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8 are standard private CIDR blocks defined by the Request For Comments (RFC) series. When you specify CIDR blocks for VPCs, take note of the following rules:

    • If you have only one VPC and this VPC does not need to communicate with a data center, you can use one of the preceding CIDR blocks or one of their subsets as the CIDR block of the VPC.
    • If you have multiple VPCs, or you want to build a hybrid cloud with VPCs and data centers, we recommend that you use the subsets of the preceding CIDR blocks for your VPCs. In this case, we recommend that the subnet mask be 16 bits or less in length.
    • You cannot specify 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, 169.254.0.0/16, or one of their subnets as the custom CIDR block.
    • You must check whether a classic network is used before you specify a CIDR block for your VPC. If a classic network is used and you want to connect Elastic Compute Service (ECS) instances in the classic network to a VPC, we do not recommend that you specify 10.0.0.0/8 as the VPC CIDR block. This is because the CIDR block of the classic network is 10.0.0.0/8.
  • Plan vSwitch CIDR blocks

    The CIDR block of a vSwitch must be a subset of the CIDR block of the VPC to which the vSwitch belongs. For example, if a VPC CIDR block is 192.168.0.0/16, the CDIR block of a vSwitch that belongs to the VPC can range from 192.168.0.0/17 to 192.168.0.0/29.

    When you specify CIDR blocks for vSwitches, take note of the following limits:

    • The subnet mask of a vSwitch must be 16 to 29 bits in length, which provides 8 to 65,536 IP addresses.
    • The first IP address and last three IP addresses of each vSwitch CIDR block are reserved. For example, if the CIDR block of a vSwitch is 192.168.1.0/24, the IP addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved.
    • The ClassicLink feature allows ECS instances in a classic network to communicate with ECS instances in a VPC whose CIDR block is 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. If the CIDR block of the VPC to communicate with the classic network is 10.0.0.0/8, the CIDR block of the vSwitch that belongs to the VPC must be 10.116.0.0/16. For more information, see Overview.
    • Consider the number of ECS instances that you want to deploy in a vSwitch before you specify a CIDR block for the vSwitch.

How do I specify CIDR blocks if I want to connect a VPC to another VPC or a data center?

If you want to connect a VPC to another VPC or a data center, make sure that the CIDR blocks do not overlap with each other. Take note of the following rules:
  • Try to specify different CIDR blocks for different VPCs. Different VPCs can use subsets of standard CIDR blocks to increase the number of available CIDR blocks.
  • If you cannot specify different CIDR blocks for different VPCs, try to specify different CIDR blocks for vSwitches that belong to different VPCs.
  • If neither of the preceding requirements is met, make sure that the CIDR blocks of vSwitches that need to communicate with each other are different.
The following figure describes a scenario where VPC 1, VPC 2, and VPC 3 are deployed in the China (Hangzhou), China (Beijing), and China (Shenzhen) regions. VPC 1 and VPC 2 communicate with each other through Express Connect. Currently, VPC 3 does not need to communicate with other VPCs. However, VPC 3 may need to communicate with VPC 2 in the future. In addition, you have a data center in Shanghai, and you want to connect VPC 1 in the China (Hangzhou) region to the data center through Express Connect circuits. VPC communication

In this example, VPC 1 and VPC 2 use different CIDR blocks. Currently, VPC 3 does not need to communicate with other VPCs. Therefore, the CIDR block of VPC 3 can be the same as that of VPC 2. However, VPC 3 may need to communicate with VPC 2 in the future. Therefore, the CIDR blocks of vSwitches in VPC 2 are different from the CIDR blocks of vSwitches in VPC 3. When a VPC communicates with another one, their CIDR blocks can be the same. However, the CIDR blocks of the vSwitches that need to communicate with each other must be different.