Virtual Private Cloud: Create and manage a vSwitch

Last Updated: Mar 11, 2024

After you create a virtual private cloud (VPC), you create vSwitches to divide the VPC into subnets. By default, all vSwitches in a VPC can communicate with each other; the subnet boundary itself provides no isolation, so if subnets must be isolated from each other, associate them with network ACLs that restrict the traffic.

Background information

You can perform the following operations after you create a vSwitch:

  • You can create the following resources in a vSwitch: Elastic Compute Service (ECS) instances, Classic Load Balancer (CLB) instances, ApsaraDB RDS instances, elastic network interfaces (ENIs), high-availability virtual IP addresses (HAVIPs), and VPN gateways. Cloud resources cannot be deployed directly in a VPC; they must be deployed in a vSwitch that belongs to the VPC. For more information about how to create each of these resources, see the topic for that resource.

  • Manage route tables: After you create a vSwitch, you can associate a custom route table with it, replace the associated custom route table with another one, or disassociate the custom route table, after which the vSwitch falls back to the system route table of the VPC.

  • Associate a network ACL: You can create a custom network ACL and associate it with a vSwitch to control the inbound and outbound traffic of the ENIs on that vSwitch. The network ACL and the vSwitch must belong to the same VPC, and each vSwitch can be associated with only one network ACL. Network ACL rules are stateless, so a flow that you allow in one direction also needs a matching rule in the other direction for its return traffic.

  • Add a reserved CIDR block: Addresses in a reserved CIDR block are skipped when the VPC assigns private IP addresses to resources in the VPC.

    Note

    A reserved CIDR block is used only when the system assigns a CIDR block (a prefix) to an ENI.

Create a vSwitch

vSwitches within the same VPC can communicate with each other. Cloud resources must be deployed in vSwitches. You can deploy applications in vSwitches that belong to different zones to ensure service availability. vSwitches do not support multicasting or broadcasting.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. Select the region of the VPC for which you want to create a vSwitch.

  4. On the vSwitch page, click Create vSwitch.

  5. On the Create vSwitch page, configure the following parameters.

    Resource Group

    Select the resource group to which the VPC belongs.

    Tag Key

    Select or enter a tag key. You can specify up to 20 tag keys.

    A tag key can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.

    Tag Value

    Select or enter a tag value. You can specify up to 20 tag values.

    A tag value can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.

    VPC

    Select the VPC for which you want to create the vSwitch.

    IPv4 CIDR Block

    The IPv4 CIDR block of the selected VPC is displayed.

    If the VPC has a secondary IPv4 CIDR block, you can specify the primary or secondary IPv4 CIDR block as the CIDR block of the vSwitch based on your business requirements.

    IPv6 CIDR Block

    Select the IPv6 CIDR block of the VPC from the drop-down list.

    If you select Do Not Assign, IPv6 is disabled for the vSwitch.

    Note
    • Only the following regions support IPv6 CIDR blocks: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Fuzhou - Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Philippines (Manila), Singapore, Japan (Tokyo), South Korea (Seoul), Indonesia (Jakarta), Malaysia (Kuala Lumpur), Thailand (Bangkok), US (Virginia), US (Silicon Valley), Germany (Frankfurt), and SAU (Riyadh - Partner Region).

    • If IPv6 is disabled for the VPC, click Enable IPv6. After IPv6 is enabled, the system automatically creates an IPv6 gateway free of charge.

    vSwitch

    Name

    Enter a name for the vSwitch.

    Zone

    In the drop-down list, select a zone for the vSwitch. In the same VPC, vSwitches in different zones can communicate with each other.

    The drop-down list shows whether Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, internal-facing Classic Load Balancer (CLB) instances, and internal-facing Application Load Balancer (ALB) instances are supported in each zone. Which cloud resources a zone supports varies by zone and over time, so treat the list in this topic as a reference only; the resources offered on the buy page are authoritative.

    IPv4 CIDR Block

    Enter an IPv4 CIDR block for the vSwitch. When you specify a CIDR block for the vSwitch, take note of the following limits:

    • The CIDR block of a vSwitch must be a subset of the CIDR block of the VPC to which the vSwitch belongs.

      For example, if the CIDR block of a VPC is 192.168.0.0/16, the CIDR block of a vSwitch in the VPC can range from 192.168.0.0/17 to 192.168.0.0/29.

    • 100.64.0.0/10 is reserved by Alibaba Cloud. Therefore, 100.64.0.0/10 and its subnets cannot be used as the IPv4 CIDR block of the vSwitch.

    • The first IP address and the last three IP addresses of a vSwitch CIDR block are reserved.

      For example, if a vSwitch CIDR block is 192.168.1.0/24, the IP addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved.

    • If a vSwitch is required to communicate with vSwitches in other VPCs or with data centers, make sure that the CIDR block of the vSwitch does not overlap with the destination CIDR blocks.

    Note

    After the vSwitch is created, you cannot modify its CIDR block. Size the block up front, leaving room for any reserved CIDR blocks you plan to add and avoiding the CIDR blocks of VPCs or data centers that you may later connect to.

    IPv6 CIDR Block

    Enable IPv6 and configure an IPv6 CIDR block for the vSwitch.

    Note
    • If your VPC is assigned an IPv6 CIDR block, you must configure the IPv6 CIDR block of the vSwitch.

    • If your VPC is not assigned an IPv6 CIDR block, you do not need to configure the IPv6 CIDR block of the vSwitch.

    • By default, the subnet mask of the IPv6 CIDR block for the vSwitch is /64. You can enter a decimal number from 0 to 255 to define the last 8 bits of the IPv6 CIDR block.

      For example, if the IPv6 CIDR block of the VPC is 2408:XXXX:XXXX:6e00::/56, you can enter 255 (ff in hexadecimal format) for the IPv6 CIDR block of the vSwitch. In this case, the IPv6 CIDR block of the vSwitch is 2408:XXXX:XXXX:6eff::/64.

    • The first IPv6 address and the last nine IPv6 addresses of the block are reserved by the system.

      For example, if the IPv6 CIDR block of a vSwitch is 2408:XXXX:XXXX:6eff::/64, the system reserves the first address 2408:XXXX:XXXX:6eff:: and the last nine addresses, 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:fff7 through 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:ffff.

  6. Optional:To create multiple vSwitches, click Add in the lower part of the vSwitch section and specify the information.

    You can create at most 10 vSwitches in a VPC.

  7. Click OK.
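The IPv4 and IPv6 rules in the parameter descriptions above are easy to get wrong by hand, and the CIDR block cannot be changed once the vSwitch exists. The following Python script is an added example, not Alibaba Cloud's code or API, that encodes those rules with the standard ipaddress module: it checks a planned vSwitch IPv4 CIDR block against its VPC, against the 100.64.0.0/10 reservation and against peer CIDR blocks that must not overlap; lists the system-reserved addresses of an IPv4 or IPv6 block; and derives the /64 IPv6 block from the 0 to 255 value that you enter in the console. The VPC and peer CIDR blocks in the usage section at the bottom are constructed sample values, and the documentation prefix 2001:db8:0:6e00::/56 stands in for the masked 2408:XXXX:XXXX:6e00::/56 on this page.

```python
"""vSwitch CIDR planning checks (added example; not Alibaba Cloud's code).

Encodes the vSwitch CIDR rules from this page with the standard ipaddress
module so that a subnet plan can be validated before the vSwitch is created.
"""
from ipaddress import IPv4Network, IPv6Network, ip_network

# Reserved by Alibaba Cloud: neither this block nor any subnet of it may be a vSwitch CIDR block.
ALIBABA_RESERVED_V4 = IPv4Network("100.64.0.0/10")
MAX_V4_PREFIX = 29  # page example: a /16 VPC allows vSwitches from /17 down to /29


def reserved_ipv4_addresses(vswitch: str) -> list:
    """The first address and the last three addresses of a vSwitch IPv4 CIDR block."""
    net = IPv4Network(vswitch)
    last = net.broadcast_address
    return [net.network_address, last - 2, last - 1, last]


def reserved_ipv6_addresses(vswitch: str) -> list:
    """The first address and the last nine addresses of a vSwitch IPv6 CIDR block."""
    net = IPv6Network(vswitch)
    last = net.broadcast_address  # highest address of the block
    return [net.network_address] + [last - i for i in range(8, -1, -1)]


def usable_ipv4_count(vswitch: str) -> int:
    """Addresses the VPC can actually hand out from this vSwitch."""
    return IPv4Network(vswitch).num_addresses - len(reserved_ipv4_addresses(vswitch))


def check_vswitch_ipv4(vpc: str, vswitch: str, peers=()) -> list:
    """Return the list of violated rules; an empty list means the block is acceptable.

    peers: CIDR blocks of other VPCs or data centers that this vSwitch must reach.
    """
    vpc_net = IPv4Network(vpc)
    sw = IPv4Network(vswitch)
    problems = []
    if not sw.subnet_of(vpc_net):
        problems.append(f"{sw} is not a subset of VPC CIDR block {vpc_net}")
    elif sw.prefixlen == vpc_net.prefixlen:
        # Follows the page's example (/17 to /29 for a /16 VPC): the vSwitch is smaller than the VPC.
        problems.append(f"{sw} must be smaller than the VPC CIDR block {vpc_net}")
    if sw.prefixlen > MAX_V4_PREFIX:
        problems.append(f"{sw} mask is longer than /{MAX_V4_PREFIX}")
    if sw.subnet_of(ALIBABA_RESERVED_V4):
        problems.append(f"{sw} lies inside {ALIBABA_RESERVED_V4}, which Alibaba Cloud reserves")
    for peer in peers:
        peer_net = ip_network(peer)
        if peer_net.version == 4 and sw.overlaps(peer_net):
            problems.append(f"{sw} overlaps peer CIDR block {peer_net}")
    return problems


def vswitch_ipv6_block(vpc_ipv6: str, last_8_bits: int) -> IPv6Network:
    """Derive the /64 vSwitch block from a /56 VPC block and the 0..255 value typed into the console."""
    vpc_net = IPv6Network(vpc_ipv6)
    if vpc_net.prefixlen != 56:
        raise ValueError("this helper assumes a /56 VPC IPv6 CIDR block, as in the page's example")
    if not 0 <= last_8_bits <= 255:
        raise ValueError("the value must be a decimal number from 0 to 255")
    # Bits 56..63 of the address select one of the 256 /64 subnets inside the /56.
    return IPv6Network((int(vpc_net.network_address) | (last_8_bits << 64), 64))


if __name__ == "__main__":
    # Constructed sample plan: a /16 VPC and an on-premises network reachable through a VPN gateway.
    vpc, peers = "192.168.0.0/16", ["10.10.0.0/16"]
    for candidate in ("192.168.1.0/24", "192.168.0.0/16", "192.168.2.0/30", "10.10.5.0/24"):
        verdict = check_vswitch_ipv4(vpc, candidate, peers) or ["ok"]
        print(candidate, "->", "; ".join(verdict))
    print("reserved in 192.168.1.0/24:", [str(a) for a in reserved_ipv4_addresses("192.168.1.0/24")])
    print("usable addresses:", usable_ipv4_count("192.168.1.0/24"))
    v6 = vswitch_ipv6_block("2001:db8:0:6e00::/56", 255)
    print("IPv6 vSwitch block:", v6, "reserved:", [str(a) for a in reserved_ipv6_addresses(str(v6))])
```

Run the script as-is to see the verdicts for the sample plan, or import `check_vswitch_ipv4` into your own provisioning checks. The peer check is the one most often skipped in practice: an overlap with a data center or another VPC does not stop the vSwitch from being created, it only shows up later as unreachable routes.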

Modify the basic information about a vSwitch

After you create a vSwitch, you can modify its name and description.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. Select the region of the vSwitch that you want to manage.

  4. On the vSwitch page, find the vSwitch that you want to manage and click its ID.

  5. In the vSwitch Basic Information section, click Edit next to Name. In the dialog box that appears, enter a new name and click OK.

  6. Click Edit next to Description. In the dialog box that appears, enter a new description and click OK.

Create cloud resources

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. In the top navigation bar, select the region of the VPC to which the vSwitch belongs.

  4. On the vSwitch page, click the ID of the vSwitch.

  5. On the details page, click the Resource tab. You can create basic cloud resources and network cloud resources as needed.

  6. On the page that appears, create a cloud resource.

Associate a vSwitch with a custom route table

After you create a custom route table, you can perform the following operations in a vSwitch. For more information about how to create a custom route table, see Create a custom route table.

  • Associate a custom route table: If a vSwitch is associated with the system route table, you can associate the vSwitch with a custom route table to manage routes of the vSwitch. Each vSwitch can be associated with only one custom route table or one system route table. After a vSwitch is associated with a custom route table, the system route table is automatically disassociated from the vSwitch.

  • Replace a custom route table: You can replace the custom route table associated with a vSwitch with another one as needed.

  • Disassociate a custom route table: You can disassociate a custom route table from a vSwitch. After the custom route table is disassociated, the vSwitch is automatically associated with the system route table.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. In the top navigation bar, select the region of the VPC to which the vSwitch belongs.

    For more information about the regions that support custom route tables, see Route tables overview.

  4. On the vSwitch page, find the vSwitch that you want to manage and click its ID.

  5. In the vSwitch Basic Information section, click the Route tab. On this tab, you can associate, replace, or disassociate a custom route table.

    • Replace the system route table with a custom route table

      1. In the Associated with Route Table section, click Bind next to the system route table.

      2. In the Associate Route Table dialog box, select a custom route table from the Route Table drop-down list, and then click OK.

    • Replace a custom route table with another one

      1. In the Associated with Route Table section, click Replace Associated Route Table next to the custom route table.

      2. In the Associate Route Table dialog box, select a custom route table from the Replace Custom Route Table drop-down list, and then click OK.

    • Disassociate a vSwitch from a custom route table

      1. In the Associated with Route Table section, click Replace Associated Route Table next to the custom route table.

      2. In the Associate Route Table dialog box, select Disassociate Route Table and click OK.

      3. In the Disassociate Route Table message, click OK.

Add a reserved CIDR Block

Note

Only the following regions support reserved CIDR blocks: China (Qingdao), China (Beijing), China (Hangzhou), China (Shenzhen), China (Shanghai), China (Hohhot), China (Hong Kong), Australia (Sydney), Singapore, US (Silicon Valley), and US (Virginia).

Before you add a reserved CIDR block for a vSwitch, take note of the following limits:

  • When the VPC in which the vSwitch resides allocates private IP addresses to resources, addresses in the reserved CIDR block are skipped.

    Note

    A reserved CIDR block is used only when the system assigns a CIDR block (a prefix) to an ENI.

  • The reserved CIDR block cannot contain the IP address of the subnet gateway of the VPC.

  • When you add a reserved IPv6 CIDR block, make sure that the following requirements are met:

    • IPv6 CIDR blocks are enabled for the vSwitch. For more information, see Create a vSwitch.

    • The first IP address and the last nine IP addresses of the vSwitch IPv6 CIDR block are reserved by the system. These 10 IP addresses are never allocated, and the reserved CIDR block cannot contain them.

  • When you add a reserved IPv4 CIDR block, the first IP address and last three IP addresses are reserved. The four IP addresses are not allocated.

    For example, if the CIDR block of a vSwitch is 192.168.1.0/24, the system reserves the following IP addresses: 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255. The reserved CIDR block cannot contain these four IP addresses.

  • You can create at most 10 reserved IPv4 CIDR blocks and 10 reserved IPv6 CIDR blocks for each vSwitch in a VPC.

  • When the system automatically allocates a CIDR block to an ENI, it is allocated from the reserved CIDR block. If the reserved CIDR block is exhausted, the system returns an error.

  • When a CIDR block is allocated from a reserved IPv4 CIDR block to an ENI, the default network prefix is 28. If the CIDR block is allocated from a reserved IPv6 CIDR block, the default network prefix is 80.
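The limits above combine a placement rule (where a reserved block may sit inside the vSwitch), a count limit, and an allocation behaviour (fixed-length prefixes handed to ENIs until the block runs out). The following Python script is an added example, not Alibaba Cloud's code or API, that models all three with the standard ipaddress module. The `ReservedBlock` class and its `allocate`/`release`/`can_delete` methods are this example's own abstraction of the behaviour described on the page; the vSwitch, reserved block and ENI identifiers in the usage section are constructed sample values.

```python
"""Reserved CIDR block checks and a model of ENI prefix allocation.

Added example (not Alibaba Cloud's code or API) that encodes the limits listed
on this page: a reserved block must be a proper subset of the vSwitch CIDR block
with a mask longer than the vSwitch's and at most /28 (IPv4) or /80 (IPv6); it
must not contain the system-reserved addresses (first plus last three for IPv4,
first plus last nine for IPv6); at most 10 reserved blocks per address family per
vSwitch; and an ENI receives a /28 or /80 carved from the reserved block until
the block is exhausted, after which allocation fails.
"""
from ipaddress import ip_network

MAX_RESERVED_PER_FAMILY = 10
MAX_PREFIX = {4: 28, 6: 80}   # longest mask a reserved block may have
ENI_PREFIX = {4: 28, 6: 80}   # default prefix length allocated to an ENI
RESERVED_TAIL = {4: 3, 6: 9}  # last N addresses of a vSwitch block are system-reserved


def system_reserved(vswitch: str) -> list:
    """First address plus the last three (IPv4) or nine (IPv6) addresses of a vSwitch block."""
    net = ip_network(vswitch)
    last = net.broadcast_address  # highest address of the block
    return [net.network_address] + [last - i for i in range(RESERVED_TAIL[net.version] - 1, -1, -1)]


def validate_reserved_block(vswitch: str, reserved: str, existing=()) -> list:
    """Return the violated limits for adding `reserved` to `vswitch`; an empty list means acceptable.

    existing: reserved blocks of the same family already on the vSwitch (only the count matters here).
    """
    sw, rb = ip_network(vswitch), ip_network(reserved)
    if rb.version != sw.version:
        return [f"{rb} and {sw} are different address families"]
    problems = []
    if not rb.subnet_of(sw) or rb == sw:
        problems.append(f"{rb} is not a proper subset of vSwitch block {sw}")
    if rb.prefixlen > MAX_PREFIX[sw.version]:
        problems.append(f"{rb} mask is longer than /{MAX_PREFIX[sw.version]}")
    for addr in system_reserved(vswitch):
        if addr in rb:
            problems.append(f"{rb} contains system-reserved address {addr}")
    if len(existing) >= MAX_RESERVED_PER_FAMILY:
        problems.append(f"vSwitch already has {MAX_RESERVED_PER_FAMILY} reserved IPv{sw.version} blocks")
    return problems


class ReservedBlock:
    """Hands out ENI prefixes from one reserved block the way the page describes:
    a fixed-length prefix per ENI, an error once the block is exhausted, and
    deletion of the block only after every allocated prefix has been released."""

    def __init__(self, cidr: str):
        self.net = ip_network(cidr)
        self.free = list(self.net.subnets(new_prefix=ENI_PREFIX[self.net.version]))
        self.used = {}  # eni_id -> allocated prefix

    def allocate(self, eni_id: str):
        if not self.free:
            raise RuntimeError(f"reserved CIDR block {self.net} is exhausted")
        prefix = self.free.pop(0)
        self.used[eni_id] = prefix
        return prefix

    def release(self, eni_id: str) -> None:
        """Unassign the ENI's prefix (the page's 'release the CIDR block allocated to the ENI first')."""
        self.free.append(self.used.pop(eni_id))

    def can_delete(self) -> bool:
        return not self.used


if __name__ == "__main__":
    # Constructed sample: a /24 vSwitch and a /26 reserved block, which yields four /28 ENI prefixes.
    vswitch = "192.168.1.0/24"
    for candidate in ("192.168.1.64/26", "192.168.1.0/28", "192.168.1.240/28", "192.168.1.32/29"):
        print(candidate, "->", "; ".join(validate_reserved_block(vswitch, candidate) or ["ok"]))
    pool = ReservedBlock("192.168.1.64/26")
    for i in range(5):
        try:
            print(f"eni-{i}", "gets", pool.allocate(f"eni-{i}"))
        except RuntimeError as err:
            print(f"eni-{i}", "->", err)
    print("can delete reserved block:", pool.can_delete())
```

The two rejected candidates in the sample, 192.168.1.0/28 and 192.168.1.240/28, are the ones that swallow the system-reserved first and last addresses of the /24; the /29 is rejected because an ENI prefix is /28 and the reserved block must be able to hold at least one. Sizing follows directly from the model: a reserved IPv4 block of prefix length p holds 2^(28 - p) ENI prefixes, so plan the block for the number of ENIs that will need one.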

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. In the top navigation bar, select the region of the VPC to which the vSwitch belongs.

  4. On the vSwitch page, find the vSwitch that you want to manage and click its ID.

  5. In the vSwitch Basic Information section, click the Reserved CIDR Block tab to add a reserved IPv4 or IPv6 CIDR block.

    • Add a reserved IPv4 CIDR block

      1. On the IPv4 tab, click Add Reserved CIDR Block.

      2. In the Add Reserved CIDR Block dialog box, set the following parameters and click OK.


        Name

        Enter a name.

        Method

        Select a method to add the reserved CIDR block. You can use one of the following methods:

        • Specify CIDR Block

        • Specify Mask Length

        Note
        • The reserved IPv4 CIDR block must be a proper subset of the IPv4 CIDR block of the vSwitch.

        • The subnet mask length of the reserved CIDR block must be greater than the IPv4 subnet mask length of the vSwitch and cannot be greater than 28.

        CIDR Block

        Enter a reserved IPv4 CIDR block.

        Note
        • If you set Method to Specify CIDR Block, this parameter is required.

        • When you add a reserved CIDR block, make sure that it does not contain the system-reserved IP addresses of the vSwitch.

        Mask Length

        Enter the mask length of the reserved CIDR block.

        Note
        • If you set Method to Specify Mask Length, this parameter is required.

        • When you add a reserved CIDR block, make sure that the reserved CIDR block does not contain the system-reserved IP addresses of the VPC.

    • Add a reserved IPv6 CIDR block

      1. Click the IPv6 tab and click Add Reserved CIDR Block.

      2. In the Add Reserved CIDR Block dialog box, set the following parameters and click OK.


        Name

        Enter a name.

        Method

        Select a method to add the reserved CIDR block. You can use one of the following methods:

        • Specify CIDR Block

        • Specify Mask Length

        Note
        • The reserved IPv6 CIDR block must be a proper subset of the IPv6 CIDR block of the vSwitch.

        • The subnet mask length of the reserved CIDR block must be greater than the IPv6 subnet mask length of the vSwitch and cannot be greater than 80.

        CIDR Block

        Enter the reserved IPv6 CIDR block.

        Note
        • If you set Method to Specify CIDR Block, this parameter is required.

        • When you add a reserved CIDR block, make sure that it does not contain the system-reserved IP addresses of the vSwitch.

        Mask Length

        Enter the mask length of the reserved CIDR block.

        Note
        • If you set Method to Specify Mask Length, this parameter is required.

        • When you add a reserved CIDR block, make sure that the reserved CIDR block does not contain the system-reserved IP addresses of the VPC.

View an allocated CIDR block and delete a reserved CIDR block

Note

This feature is supported in the following regions: China (Qingdao), China (Beijing), China (Hangzhou), China (Shenzhen), China (Shanghai), China (Hohhot), China (Hong Kong), Australia (Sydney), Singapore, US (Silicon Valley), and US (Virginia).

Before you delete a reserved CIDR block, make sure that no CIDR block is allocated to an ENI from the reserved CIDR block. Otherwise, release the CIDR block allocated to the ENI first. For more information, see Unassign secondary private IP addresses.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. In the top navigation bar, select the region of the VPC to which the vSwitch belongs.

  4. On the vSwitch page, find the vSwitch that you want to manage and click its ID.

  5. In the vSwitch Basic Information section, click the Reserved CIDR Block tab. You can view the allocated IP addresses or delete the reserved CIDR block.

    • View allocated IP addresses


      View an allocated IPv4 CIDR block

      1. On the IPv4 tab, find the reserved IPv4 CIDR block and click View Used IP in the Actions column.

      2. In the Used CIDR Blocks dialog box, you can view the IPv4 CIDR block allocated to an ENI from the reserved CIDR block.

      View an allocated IPv6 CIDR block

      1. Click the IPv6 tab, find the reserved IPv6 CIDR block, and then click View Used IP in the Actions column.

      2. In the Used CIDR Blocks dialog box, you can view the IPv6 CIDR block allocated to an ENI from the reserved CIDR block.

    • Delete a reserved CIDR block


      Delete a reserved IPv4 CIDR block

      1. On the IPv4 tab, find the reserved IPv4 CIDR block that you want to delete and click Delete in the Actions column.

      2. In the Delete Reserved CIDR Block message, click OK.

      Delete a reserved IPv6 CIDR block

      1. Click the IPv6 tab, find the reserved IPv6 CIDR block that you want to delete, and then click Delete in the Actions column.

      2. In the Delete Reserved CIDR Block message, click OK.

Associate a vSwitch with a network ACL

After you create a network ACL, you can perform the following operations on a vSwitch. For more information about how to create a network ACL, see Create and manage a network ACL.

  • Associate with a network ACL: You can associate the vSwitch with a network ACL to control the traffic of the ENIs, and therefore of the ECS instances, in the vSwitch.

  • Replace the associated network ACL: You can replace the network ACL that is associated with the vSwitch with another network ACL. The new network ACL takes effect immediately and controls the traffic of the ENIs in the vSwitch, so compare the two rule sets before you replace one ACL with another.

  • Disassociate from a network ACL: You can disassociate the vSwitch from a network ACL. After that, the network ACL no longer controls the traffic of the ENIs in the vSwitch.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. In the top navigation bar, select the region of the VPC to which the vSwitch belongs.

  4. On the vSwitch page, find the vSwitch that you want to manage and click its ID.

  5. In the vSwitch Basic Information section, you can perform the following operations:

    • Associate with a network ACL

      1. Click Bind next to Network ACL.

      2. In the Bind Network ACL panel, select the network ACL that you want to associate and click OK.

    • Replace the associated network ACL

      1. Click Replace next to Network ACL.

      2. In the Bind Network ACL dialog box, select the network ACL that you want to associate and click OK.

    • Disassociate from a network ACL

      1. Click Unbind next to Network ACL.

      2. In the Unbind Network ACL message, click OK.

Delete a vSwitch

You can delete a vSwitch that you no longer use. After you delete a vSwitch, you cannot deploy cloud resources in it.

Before you delete a vSwitch, make sure that the following requirements are met:

  • The following types of resources are deleted from the vSwitch: ECS, CLB, ApsaraDB RDS, ApsaraDB for MongoDB, PolarDB, Elasticsearch, Time Series Database (TSDB), ApsaraDB for HBase, ApsaraDB for ClickHouse, Tablestore, Container Registry, Elastic High Performance Computing (E-HPC), Data Lake Analytics (DLA), Database Backup (DBS), and Apsara File Storage NAS (NAS).

  • If the vSwitch that you want to delete is associated with SNAT entries, high-availability virtual IP addresses (HAVIPs), custom route tables, or network ACLs, disassociate the vSwitch from them.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. Select the region where the vSwitch that you want to delete is deployed.

  4. On the vSwitch page, find the vSwitch that you want to delete and click Delete in the Actions column.

  5. In the Delete vSwitch message, click OK.

Note

If the SMS Verification dialog box appears, click Get Verification Code, enter the verification code that you receive, and then click OK.
