
Virtual Private Cloud:Plan networks

Last Updated:Feb 06, 2024

Before you create virtual private clouds (VPCs) and vSwitches, you must plan the number of VPCs and vSwitches, and CIDR blocks of VPCs and vSwitches.

How many VPCs do I need?

  • One VPC

    If you do not need to deploy your applications across regions or isolate service systems, we recommend that you create only one VPC.

    One VPC

  • Multiple VPCs

    We recommend that you create multiple VPCs if you have one of the following requirements:

    • Cross-region deployment

      A VPC cannot be deployed across regions. Therefore, if you want to deploy your application systems in different regions, you must create multiple VPCs. You can use VPC peering connections, Cloud Enterprise Network (CEN), and VPN gateways to connect VPCs that are deployed in different regions.

      Connect VPCs across regions

    • Service isolation

      If you want to isolate your service systems in the same region by using VPCs, you must create multiple VPCs. For example, you can use multiple VPCs to isolate the test environment from the production environment. You can also use VPC peering connections, CEN, and VPN gateways to connect VPCs deployed in the same region.

      Multiple services

How many vSwitches do I need?

You can determine the number of vSwitches based on the following suggestions:

  • When you use a VPC, we recommend that you deploy at least two vSwitches in different zones. This way, when one vSwitch is down, the other vSwitch in another zone can take over, which implements cross-zone disaster recovery.

    The network latency between different zones in a region is low. However, you still need to verify the network latency in your actual business system, because a complex network topology can increase it. We recommend that you optimize and adapt the system to meet your requirements for high availability and low latency.

  • The scale and layout of your service system also affect how many vSwitches you need. If you want the frontend system to communicate with the Internet, we recommend that you deploy different frontend systems in different vSwitches and deploy backend systems in other vSwitches. This improves service availability.

How do I specify CIDR blocks?

When you create VPCs and vSwitches, you must specify their private IP address ranges in CIDR notation.

  • Specify VPC CIDR blocks

    You can specify 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, or one of their subnets as the CIDR block of a VPC. You can also specify a custom CIDR block. 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8 are the standard private CIDR blocks defined in RFC 1918 of the Request For Comments (RFC) series. When you specify CIDR blocks for VPCs, take note of the following rules:

    • If you have only one VPC and the VPC does not need to communicate with a data center, you can specify one of the RFC CIDR blocks or their subsets as the VPC CIDR block.

    • If you have multiple VPCs or want to set up a hybrid cloud environment between a VPC and your data center, we recommend that you specify the subsets of the RFC CIDR blocks for your VPCs. In this case, we recommend that you set the subnet mask length to 16 bits or less. Make sure that the CIDR blocks of the VPCs and your data center do not overlap.

    • You cannot specify 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, 169.254.0.0/16, or one of their subnets as the VPC CIDR block.

    • You must check whether a classic network is used before you specify a CIDR block for your VPC. If a classic network is used and you want to connect Elastic Compute Service (ECS) instances in the classic network to a VPC, we recommend that you do not specify 10.0.0.0/8 as the VPC CIDR block, because the CIDR block of the classic network is 10.0.0.0/8.

  • Plan vSwitch CIDR blocks

    The CIDR block of a vSwitch must be a subset of the CIDR block of the VPC to which the vSwitch belongs. For example, if the CIDR block of a VPC is 192.168.0.0/16, the CIDR block of a vSwitch that belongs to the VPC can range from 192.168.0.0/17 to 192.168.0.0/29.

    When you specify CIDR blocks for vSwitches, take note of the following limits:

    • The subnet mask of a vSwitch must be 16 to 29 bits in length, which provides 8 to 65,536 IP addresses.

    • The first IP address and last three IP addresses of each vSwitch CIDR block are reserved. For example, if the CIDR block of a vSwitch is 192.168.1.0/24, the IP addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved.

    • The ClassicLink feature allows ECS instances in a classic network to communicate with ECS instances in a VPC whose CIDR block is 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. If the CIDR block of the VPC to communicate with the classic network is 10.0.0.0/8, the CIDR block of the vSwitch that belongs to the VPC must be 10.111.0.0/16. For more information, see Overview.

    • Consider the number of ECS instances that you want to deploy in a vSwitch before you specify a CIDR block for the vSwitch.
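The VPC and vSwitch rules above (forbidden blocks, vSwitch inside the VPC, 16 to 29-bit masks, four reserved addresses, capacity versus planned ECS instances) as a small plan validator. This is an added example, not Alibaba Cloud code; the rule that vSwitches in one VPC must not overlap each other is an assumption, not stated on the page.

```python
import ipaddress

# Blocks the page says a VPC CIDR may not be, nor be a subnet of.
FORBIDDEN = [ipaddress.ip_network(c) for c in
             ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]
# Standard private blocks (RFC 1918) the page recommends drawing from.
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED_PER_VSWITCH = 4  # first address plus the last three


def reserved_addresses(vswitch):
    """The first and the last three addresses of a vSwitch CIDR block."""
    net = ipaddress.ip_network(str(vswitch))
    return [net[0], net[-3], net[-2], net[-1]]


def usable_addresses(vswitch):
    """Addresses left for ECS instances after the reserved ones."""
    return ipaddress.ip_network(str(vswitch)).num_addresses - RESERVED_PER_VSWITCH


def check_plan(vpc_cidr, vswitches, classic_network=False):
    """Validate one VPC. vswitches maps vSwitch CIDR -> planned ECS instance count.
    Returns (errors, warnings); errors violate a rule on the page, warnings are advice."""
    errors, warnings = [], []
    vpc = ipaddress.ip_network(vpc_cidr)
    if any(vpc.subnet_of(f) for f in FORBIDDEN):
        errors.append(f"VPC {vpc} lies inside a forbidden block")
    if not any(vpc.subnet_of(p) for p in RFC1918):
        warnings.append(f"VPC {vpc} is a custom block outside RFC 1918 space")
    if classic_network and vpc == ipaddress.ip_network("10.0.0.0/8"):
        warnings.append("VPC uses 10.0.0.0/8, which collides with the classic network")
    seen = []
    for cidr, instances in vswitches.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            errors.append(f"vSwitch {net} is not inside VPC {vpc}")
        if not 16 <= net.prefixlen <= 29:
            errors.append(f"vSwitch {net} mask must be 16 to 29 bits, got /{net.prefixlen}")
        elif instances > usable_addresses(net):
            errors.append(f"vSwitch {net} offers {usable_addresses(net)} usable addresses, "
                          f"{instances} instances planned")
        for other in seen:  # assumed: vSwitches of one VPC must not overlap
            if net.overlaps(other):
                errors.append(f"vSwitch {net} overlaps vSwitch {other}")
        seen.append(net)
    if len(seen) < 2:
        warnings.append("fewer than two vSwitches: no cross-zone redundancy")
    return errors, warnings
```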

How do I specify CIDR blocks if I want to connect a VPC to another VPC or a data center?

If you want to connect a VPC to another VPC or a data center, make sure that the CIDR blocks do not overlap with each other. Take note of the following rules:

  • We recommend that you specify subsets of the RFC CIDR blocks as VPC CIDR blocks to increase the number of VPC subnets. In addition, we recommend that you specify different CIDR blocks for different VPCs.

  • If you cannot specify different CIDR blocks for different VPCs, try to specify different CIDR blocks for vSwitches that belong to different VPCs.

  • If neither of the preceding requirements is met, make sure that the CIDR blocks of vSwitches that need to communicate with each other are different.

The following figure describes a scenario where VPC 1, VPC 2, and VPC 3 are deployed in the China (Hangzhou), China (Beijing), and China (Shenzhen) regions. VPC 1 and VPC 2 communicate with each other through VPC peering connections. Currently, VPC 3 does not need to communicate with other VPCs. However, VPC 3 may need to communicate with VPC 2 in the future. In addition, you have a data center in Shanghai, and you want to connect VPC 1 in the China (Hangzhou) region to the data center through Express Connect circuits.

In this example, VPC 1 and VPC 2 use different CIDR blocks. Currently, VPC 3 does not need to communicate with other VPCs. Therefore, the CIDR block of VPC 3 can be the same as that of VPC 2. However, VPC 3 may need to communicate with VPC 2 in the future. Therefore, the CIDR blocks of vSwitches in VPC 2 are different from the CIDR blocks of vSwitches in VPC 3. When a VPC communicates with another one, their CIDR blocks can be the same. However, the CIDR blocks of the vSwitches that need to communicate with each other must be different.
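The overlap rules for connected VPCs and data centers, checked against a constructed plan modelled on the scenario above: VPC 2 and VPC 3 share a VPC CIDR block (allowed, but flagged as lost flexibility), their vSwitches differ, and the data center must not overlap the VPC it connects to. This is an added example, not Alibaba Cloud code, and every CIDR value and site name is an assumption.

```python
import ipaddress


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def check_links(sites, links, data_centers=()):
    """sites: name -> (site CIDR, [subnet CIDRs]); a data center is just another site.
    links: (a, b) pairs that must communicate now or in the future.
    Returns (conflicts, warnings). Conflicts break the plan: overlapping subnets on a
    link, or a VPC overlapping a data center. A shared VPC CIDR between two VPCs is
    only a warning, because the page allows it as long as the vSwitch CIDRs differ."""
    conflicts, warnings = [], []
    for a, b in links:
        cidr_a, subs_a = ipaddress.ip_network(sites[a][0]), _nets(sites[a][1])
        cidr_b, subs_b = ipaddress.ip_network(sites[b][0]), _nets(sites[b][1])
        if cidr_a.overlaps(cidr_b):
            if a in data_centers or b in data_centers:
                conflicts.append(f"{a} ({cidr_a}) overlaps data center link peer {b} ({cidr_b})")
            else:
                warnings.append(f"{a} ({cidr_a}) and {b} ({cidr_b}) share address space")
        for sa in subs_a:
            for sb in subs_b:
                if sa.overlaps(sb):
                    conflicts.append(f"{a} subnet {sa} overlaps {b} subnet {sb}")
    return conflicts, warnings


# Constructed plan following the three-VPC figure: VPC 3 reuses VPC 2's CIDR block
# but its vSwitches are carved from a different part of it.
PLAN = {
    "VPC1-Hangzhou": ("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]),
    "VPC2-Beijing":  ("10.1.0.0/16", ["10.1.1.0/24", "10.1.2.0/24"]),
    "VPC3-Shenzhen": ("10.1.0.0/16", ["10.1.3.0/24", "10.1.4.0/24"]),
    "DC-Shanghai":   ("192.168.0.0/16", ["192.168.10.0/24"]),
}
LINKS = [("VPC1-Hangzhou", "VPC2-Beijing"),   # VPC peering today
         ("VPC1-Hangzhou", "DC-Shanghai"),    # Express Connect today
         ("VPC2-Beijing", "VPC3-Shenzhen")]   # possible future peering

if __name__ == "__main__":
    conflicts, warnings = check_links(PLAN, LINKS, data_centers={"DC-Shanghai"})
    print("conflicts:", conflicts)
    print("warnings:", warnings)
```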