Before you set up your network, you must decide the numbers of virtual private clouds (VPCs) and vSwitches that you need to create, and plan the CIDR blocks of the VPCs and vSwitches.
- How many VPCs do I need?
- How many vSwitches do I need?
- How do I specify CIDR blocks?
- How do I specify CIDR blocks if I want to connect a VPC to another VPC or a data center?
How many VPCs do I need?
If you do not need to deploy your applications across regions or isolate the applications, we recommend that you create only one VPC.
Multiple VPCs
We recommend that you create multiple VPCs if you have one of the following requirements:
- Cross-region deployment
VPCs cannot be deployed across regions. Therefore, if you want to deploy your applications across regions, you must create multiple VPCs. You can use Express Connect, VPN Gateway, or CEN to connect VPCs that are deployed in different regions.
- Business system isolation
If you want to isolate your business systems, you must create multiple VPCs. The following figure shows the scenario where the test environment is isolated from the production environment.
How many vSwitches do I need?
- We recommend that you create at least two vSwitches for each VPC and deploy the vSwitches in different zones to implement zone-disaster recovery.
Network latency between different zones in the same region is typically low. However, you must check the actual network latency after you deploy your services. The network latency may increase due to complex network architectures. We recommend that you optimize and adapt the system to meet your requirements for high availability and low latency.
- In addition, the scale and planning of your business system must also be taken into consideration when you decide the number of vSwitches to be created. If you want the frontend system to communicate with the Internet, we recommend that you deploy different frontend systems in different vSwitches and deploy backend systems in other vSwitches. This improves service availability.
How do I specify CIDR blocks?
- Specify VPC CIDR blocks
You can use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or their subsets as the CIDR blocks of your VPCs. When you specify CIDR blocks for VPCs, take note of the following rules:
- If you have only one VPC and the VPC does not need to communicate with a data center, you can use one of the preceding CIDR blocks or one of their subsets as the CIDR block of the VPC.
- If you have multiple VPCs, or you want to build a hybrid cloud with VPCs and data centers, we recommend that you use the subsets of the preceding CIDR blocks for your VPCs. In this case, we recommend that the subnet mask be 16 bits or less in length.
- You must check whether a classic network is used before you specify a CIDR block for your VPC. If a classic network is used and you want to connect Elastic Compute Service (ECS) instances in the classic network to a VPC, we recommend that you do not specify 10.0.0.0/8 as the VPC CIDR block. This is because the CIDR block of the classic network is 10.0.0.0/8.
- Plan vSwitch CIDR blocks
The CIDR block of a vSwitch must be a subset of the CIDR block of the VPC to which the vSwitch belongs. For example, if the CIDR block of a VPC is 192.168.0.0/16, the CIDR block of a vSwitch that belongs to the VPC can range from 192.168.0.0/17 to 192.168.0.0/29.
When you specify CIDR blocks for vSwitches, take note of the following limits:
- The subnet mask of a vSwitch must be 16 to 29 bits in length, which provides 8 to 65,536 IP addresses.
- The first IP address and the last three IP addresses of each vSwitch CIDR block are reserved. For example, if the CIDR block of a vSwitch is 192.168.1.0/24, the IP addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved.
- The ClassicLink feature allows ECS instances in a classic network to communicate with ECS instances in a VPC whose CIDR block is 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. If you want a VPC to communicate with a classic network and the CIDR block of the VPC is 10.0.0.0/8, the CIDR block of the vSwitch that belongs to the VPC must be 10.116.0.0/16. For more information, see Overview.
- You must consider the number of ECS instances that you want to deploy in a vSwitch before you specify a CIDR block for the vSwitch.
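As an added example (not code from the Alibaba Cloud documentation), the following Python script encodes the VPC and vSwitch rules above with the standard ipaddress module: a VPC CIDR block must lie within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16; a vSwitch CIDR block must be a subnet of its VPC with a 16 to 29 bit mask; the first address and the last three addresses of each vSwitch are reserved; and a ClassicLink-enabled 10.0.0.0/8 VPC must use the vSwitch block 10.116.0.0/16. The function names, the `classic_network_used` and `classic_link` flags, and the sizing helper are my own constructions for this example.

```python
import ipaddress

# The three CIDR blocks the page permits for VPCs (the RFC 1918 private ranges).
ALLOWED_VPC_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
CLASSIC_NETWORK = ipaddress.ip_network("10.0.0.0/8")         # CIDR block of the classic network
CLASSICLINK_VSWITCH = ipaddress.ip_network("10.116.0.0/16")  # required vSwitch block when the VPC is 10.0.0.0/8
RESERVED_PER_VSWITCH = 4  # first address plus the last three addresses


def check_vpc_cidr(vpc_cidr, classic_network_used=False):
    """Return the rule violations for a proposed VPC CIDR block (an empty list means OK)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)  # strict: reject host bits such as 10.0.0.1/8
    problems = []
    if not any(vpc.subnet_of(allowed) for allowed in ALLOWED_VPC_RANGES):
        problems.append(f"{vpc}: not within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")
    if classic_network_used and vpc == CLASSIC_NETWORK:
        problems.append(f"{vpc}: collides with the classic network CIDR block 10.0.0.0/8")
    return problems


def check_vswitch_cidr(vpc_cidr, vswitch_cidr, classic_link=False):
    """Return the rule violations for a vSwitch CIDR block inside the given VPC."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    sw = ipaddress.ip_network(vswitch_cidr, strict=True)
    problems = []
    if not sw.subnet_of(vpc):
        problems.append(f"{sw}: not a subset of the VPC CIDR block {vpc}")
    if not 16 <= sw.prefixlen <= 29:
        problems.append(f"{sw}: subnet mask must be 16 to 29 bits long, got {sw.prefixlen}")
    if classic_link and vpc == CLASSIC_NETWORK and sw != CLASSICLINK_VSWITCH:
        problems.append(f"{sw}: ClassicLink with a 10.0.0.0/8 VPC requires the vSwitch block 10.116.0.0/16")
    return problems


def reserved_addresses(vswitch_cidr):
    """The first address and the last three addresses of a vSwitch CIDR block are reserved."""
    sw = ipaddress.ip_network(vswitch_cidr, strict=True)
    last = sw.broadcast_address
    return [str(sw.network_address), str(last - 2), str(last - 1), str(last)]


def usable_address_count(vswitch_cidr):
    """Addresses left for ECS instances once the four reserved addresses are removed."""
    sw = ipaddress.ip_network(vswitch_cidr, strict=True)
    return sw.num_addresses - RESERVED_PER_VSWITCH


def smallest_vswitch_prefix(instance_count):
    """Longest prefix (smallest vSwitch) within the /16 to /29 limit that still fits
    instance_count ECS instances plus the reserved addresses; None if even a /16 is too small."""
    for prefixlen in range(29, 15, -1):  # /29 (8 addresses) up to /16 (65,536 addresses)
        if 2 ** (32 - prefixlen) - RESERVED_PER_VSWITCH >= instance_count:
            return prefixlen
    return None


if __name__ == "__main__":
    print(check_vpc_cidr("192.168.0.0/16"))                        # []
    print(check_vswitch_cidr("192.168.0.0/16", "192.168.1.0/24"))  # []
    print(reserved_addresses("192.168.1.0/24"))                    # the four reserved addresses
    print(usable_address_count("192.168.1.0/24"))                  # 252
    print(smallest_vswitch_prefix(500))                            # 23
```

Run the checks against every vSwitch in a plan before creating anything; a /24 leaves 252 usable addresses, so a vSwitch meant for 500 instances needs at least a /23.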
How do I specify CIDR blocks if I want to connect a VPC to another VPC or a data center?
- Try to specify different CIDR blocks for different VPCs. Different VPCs can use subsets of standard CIDR blocks to increase the number of available CIDR blocks.
- If you cannot specify different CIDR blocks for different VPCs, try to specify different CIDR blocks for vSwitches that belong to different VPCs.
- If neither of the preceding requirements is met, make sure that the CIDR blocks of vSwitches that need to communicate with each other are different.
In this example, VPC 1 and VPC 2 use different CIDR blocks. Currently, VPC 3 does not need to communicate with other VPCs. Therefore, the CIDR block of VPC 3 can be the same as that of VPC 2. However, VPC 3 may need to communicate with VPC 2 in the future. Therefore, the CIDR blocks of vSwitches in VPC 2 are different from those in VPC 3. When a VPC communicates with another VPC, their CIDR blocks can be the same. However, the CIDR blocks of the vSwitches that need to communicate with each other must be different.