This topic answers some of the most frequently asked questions regarding Classless Inter-Domain Routing (CIDR) blocks.

What is CIDR?

CIDR is a new method for allocating IP addresses. Compared with the traditional method, which divides IP addresses into classes A, B, and C, CIDR allocates IP addresses more efficiently. For example, the IP address range from 125.203.96.0 to 125.203.127.255 can be written in CIDR format as follows:

125.203.0110 0000.0000 0000 to 125.203.0111 1111.1111 1111, or 125.203.96.0/19.

When you create a Virtual Private Cloud (VPC) instance or a VSwitch, you must specify its IP address range in the form of a CIDR block.

What is a user CIDR block?

By default, a VPC uses 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, and the VPC CIDR block for private network communication. If Elastic Compute Service (ECS) instances or their Elastic Network Interfaces (ENIs) already have access to the public network (the ECS instances are assigned public IP addresses, the ECS instances or their ENIs are associated with public IP addresses, or the ECS instances or their ENIs are configured with DNAT entries), and these resources need to access IP addresses outside the preceding CIDR blocks, the requests are forwarded to the Internet through the public IP addresses.

If you want the requests to be forwarded over a private network (for example, a VPC or a hybrid cloud network built with VPN, Express Connect, or CEN) according to a route table, you must set the destination CIDR blocks of the requests as the user CIDR block of the VPC to which the corresponding ECS instance or ENI belongs. With this configuration, the requests initiated from that VPC will be forwarded according to the route table, not through public IP addresses.

For example, an ECS instance named ECS 1 is assigned a public IP address. When the ECS instance accesses the Alibaba Cloud official website (106.11.62.xx), requests are forwarded through the public IP address by default. If you want to forward the request to another ECS instance (named ECS 2) through a route table and then redirect the request to the public network using the public IP address of ECS 2, you can configure 106.11.62.0/24 as the user CIDR block for the VPC to which ECS 1 belongs.

How do I configure a user CIDR block?

The procedure depends on whether you configure the user CIDR block while creating a new VPC or for an existing VPC:

  • Configure a user CIDR block when creating a VPC

    You can call the CreateVpc action to configure a user CIDR block when creating a VPC. For more information, see CreateVpc.

  • Configure a user CIDR block for an existing VPC

    You can open a ticket to configure a user CIDR block for an existing VPC.

After the configuration is completed, the user CIDR block is displayed on the details page of the console.

How do I specify the CIDR block of a VPC?

You can select a CIDR block from 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, and their subnets as the CIDR block of a VPC. The CIDR block mask must be 8 to 24 bits in length.

For more information, see Create a VPC.

How do I specify the CIDR block of a VSwitch?

The limits of a CIDR block of a VSwitch are as follows:
  • The CIDR block of a VSwitch must be a subset of the CIDR block of the VPC to which the VSwitch belongs.
  • The netmask of a VSwitch must be 16 to 29 bits in length.
  • The CIDR block of a VSwitch cannot be identical to or fall within the CIDR block of any existing VSwitch.
  • The CIDR block of a VSwitch cannot be identical to the destination CIDR block of any route entry in the VPC.
  • The CIDR block of the VSwitch cannot contain the destination CIDR block of any route entry in the VPC, but can be a subnet of a destination CIDR block.

For more information, see Create a VSwitch.
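
The VPC and VSwitch CIDR limits listed above can be checked before a block is submitted. The following is an added example, not code from this documentation or from Alibaba Cloud; the function names and sample blocks are assumptions made for illustration.

```python
from ipaddress import IPv4Network

# VPC blocks must sit inside one of these ranges (rule from the page).
VPC_PARENTS = [IPv4Network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def check_vpc_cidr(cidr):
    """Return the list of page rules a proposed VPC CIDR block violates."""
    try:
        net = IPv4Network(cidr)  # strict parsing: rejects host bits, e.g. 10.0.0.1/8
    except ValueError as exc:
        return [f"invalid CIDR block: {exc}"]
    errors = []
    if not 8 <= net.prefixlen <= 24:
        errors.append("mask must be 8 to 24 bits")
    if not any(net.subnet_of(p) for p in VPC_PARENTS):
        errors.append("not within 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8")
    return errors


def check_vswitch_cidr(cidr, vpc_cidr, vswitches=(), route_dests=()):
    """Return the list of page rules a proposed VSwitch CIDR block violates."""
    try:
        net, vpc = IPv4Network(cidr), IPv4Network(vpc_cidr)
    except ValueError as exc:
        return [f"invalid CIDR block: {exc}"]
    errors = []
    if not net.subnet_of(vpc):
        errors.append(f"not a subset of VPC block {vpc}")
    if not 16 <= net.prefixlen <= 29:
        errors.append("netmask must be 16 to 29 bits")
    for other in map(IPv4Network, vswitches):
        if net.subnet_of(other):  # identical to, or inside, an existing VSwitch
            errors.append(f"identical to or within existing VSwitch {other}")
    for dest in map(IPv4Network, route_dests):
        if dest.subnet_of(net):  # identical to, or contained by, the VSwitch block
            errors.append(f"identical to or contains route destination {dest}")
    return errors


if __name__ == "__main__":
    # Constructed sample values, not taken from a real VPC.
    print(check_vswitch_cidr("192.168.1.0/24", "192.168.0.0/16",
                             vswitches=["192.168.0.0/24"],
                             route_dests=["0.0.0.0/0", "192.168.1.128/25"]))
```

A VSwitch block that is a subnet of a route destination, such as 0.0.0.0/0, passes the check, as the last limit allows.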