Before you create virtual private clouds (VPCs) and VSwitches, you need to plan the quantity and Classless Inter-domain Routing (CIDR) blocks of VPCs and VSwitches.
- How many VPCs are required?
- How many VSwitches are required?
- How do I specify CIDR blocks?
- How do I specify CIDR blocks if I want to connect a VPC to other VPCs or on-premises data centers?
How many VPCs are required?
We recommend that you create one VPC if you do not need to deploy systems in multiple regions or separate VPCs.
Multiple VPCsWe recommend that you create multiple VPCs if you need to:
- Deploy application systems across regions.
A VPC cannot be deployed across regions. If you want to deploy your application systems in different regions, you must create multiple VPCs. You can use Cloud Enterprise Network (CEN), Express Connect and VPN Gateway to connect VPCs.
Separate IT systems
To separate IT systems, you must create multiple VPCs. The following figure shows an example of isolating a production environment from a test environment by deploying them in separate VPCs.
- Deploy application systems across regions.
How many VSwitches are required?
We recommend that you create at least two VSwitches for each VPC and deploy these VSwitches in different zones to achieve zone-disaster recovery.
After you deploy your applications in different zones within a region, you must measure the network latency between these applications. This is because the cross-zone network latency may be higher than expected due to complex data processing or cross-zone calls. An ideal approach is to optimize and adjust your systems to strike a balance between availability and latency.
In addition, the sizes and designs of your IT systems must also be taken into consideration when you create VSwitches. If you allow traffic from the Internet to be routed to and from the frontend systems, you can deploy the front-end systems in different VSwitches and the backend systems in other VSwitches to create a robust disaster recovery strategy.
How do I specify CIDR blocks?
- VPC CIDR blocks
You can use 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, or their subsets as the CIDR blocks of your VPCs. To specify CIDR blocks for VPCs, follow these rules:
- If you have only one VPC and this VPC does not need to communicate with any on-premises data center, you can use one of the preceding CIDR blocks or one of their subsets as the CIDR block of the VPC.
- If you have multiple VPCs, or you need to build a hybrid cloud to integrate VPCs and on-premises data centers, we recommend that you use the subsets of the preceding CIDR blocks for your VPCs. In this case, the mask cannot be longer than 16 bits.
- You must check whether a classic network is used before you specify the CIDR block for your VPC. If you plan to connect Elastic Compute Service (ECS) instances in a classic network to your VPC, we recommend that you do not use 10.0.0.0/8 as the CIDR block for your VPC, since 10.0.0.0/8 is the IP range of classic networks.
- VSwitch CIDR blocks
The CIDR block of a VSwitch must be a subset of the CIDR block of the VPC this VSwitch resides in. For example, if the CIDR block of a VPC is 192.168.0.0/16, the CIDR block of a VSwitch in the VPC must be a segment from 192.168.0.0/17 to 192.168.0.0/29.
To specify CIDR blocks for VSwitches, follow these rules:
- The CIDR block size for a VSwitch is between a 16-bit mask and a 29-bit mask. It means that 8 to 65,536 IP addresses can be provided. This range is set because a 16-bit host address space provides addressing for 65,534 ECS instances, which can meet your needs in most cases, while a mask smaller than 29 bits can only allow very few usable host addresses.
- The first and the last three IP addresses in each VSwitch CIDR block are reserved by the system. For example, if the CIDR block of a VSwitch is 192.168.1.0/24, the IP addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved.
- The ECS instances in classic networks can communicate with the ECS instances in VPCs by using ClassicLink. However, the CIDR block of each VPC must be 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0/12. For example, if you want to connect an ECS instance in a VSwitch of a VPC to an ECS instance in a classic network, and the IP address range of the VPC is 10.0.0.0/8, the IP address range of the VSwitch must be 10.111.0.0/16. For more information, see Overview.
- You must check the number of ECS instances in the VSwitch before you specify the CIDR block of a VSwitch.
How do I specify CIDR blocks if I want to connect a VPC to other VPCs or on-premises data centers?
Before you connect your VPC to another VPC or an on-premises data center, you must make sure that the CIDR block of your VPC does not conflict with that of the peer network.
In this example, the CIDR block of VPC2 is different from the CIDR block of VPC1, but is the same with the CIDR block of VPC3. However, considering that VPC2 and VPC3 may need to communicate with each other later in the private network, the VSwitches in these VPCs are assigned with different CIDR blocks. This example demonstrates that VPCs communicating with each other can have identical CIDR blocks, but their VSwitches must have different CIDR blocks.
When you specify CIDR blocks for multiple VPCs that need to communicate with each other, follow these rules:
- The preferred practice is to specify different CIDR blocks for different VPCs. You can use the subsets of the standard CIDR blocks to increase the number of available CIDR blocks.
- If you cannot assign different CIDR blocks for VPCs, try to specify different CIDR blocks for the VSwitches in these VPCs.
- If you cannot assign different CIDR blocks for all VSwitches in these VPCs, make sure that different CIDR blocks are configured for the VSwitches communicating with each other.