
Cloud Enterprise Network:FAQ about CEN

Last Updated:Apr 22, 2024

This topic provides answers to some frequently asked questions about Cloud Enterprise Network (CEN).

Table of contents

  • Basics

  • Billing (see FAQ about billing)

  • Network instance attachment

  • Route learning

  • Route conflicts

  • Network connectivity

  • Cross-account operations

Does CEN support network communication between VPCs that are in the same region but different Alibaba Cloud accounts?

Yes, CEN supports network communication between VPCs that are in the same region but different Alibaba Cloud accounts.

For more information about how to establish network communication without using bandwidth plans or inter-region connections, see the following topics:

Does CEN support network communication between VPCs that are in the same Alibaba Cloud account but different regions?

Yes, CEN supports network communication between VPCs that are in the same Alibaba Cloud account but different regions.

For more information about how to establish network communication without granting permissions to VPCs in the peer Alibaba Cloud account, see the following topics:

Can I create only one transit router in each region?

A CEN instance builds one network. For each CEN instance, you can create only one transit router in each region. To establish network communication among networks, you must attach the networks to the same CEN instance.

You can create multiple CEN instances. CEN instances are isolated from each other by default. You can create a transit router in each region for each CEN instance.

For example, you can create a transit router for each of CEN Instance 1 and CEN Instance 2 in the China (Hangzhou) region.

What are the differences between CEN and virtual border routers (VBRs)?

Both CEN and VBRs of Express Connect can be used to establish connections between VPCs and data centers. However, CEN and VBRs differ in network connection, route management, and billing.

Network connection

  • CEN: Point-to-multipoint connection. After the VBR and VPC are connected to the transit router, the VPC can communicate with the data center. The data center can also communicate with other VPCs, VBRs, Cloud Connect Network (CCN) instances, and IPsec-VPN connections that are connected to the same transit router.

  • VBR: Point-to-point connection. After the VBR is connected to the acceptor VPC, the data center can communicate only with the acceptor VPC.

Route management

  • CEN: Automatic learning. Transit routers support automatic route learning and advertising. After you connect a VBR and a VPC to a transit router, routes are automatically advertised and learned, so you do not need to configure routes manually. Manual configuration is also available: you can use route learning, associated forwarding, routing policies, and prefix lists to customize the networking topology.

  • VBR: Manual configuration. You must add routes that point to the VBR and to the VPC. Routing policies are not supported.

Billing

  • CEN: If the VBR and VPC are in the same region, the Enterprise Edition transit router charges a connection fee and a data transfer fee. If the VBR and VPC are in different regions, it additionally charges an inter-region bandwidth or data transfer fee. For more information, see Billing rules.

  • VBR: No fees are charged if the VBR and VPC are in the same region. Fees are charged if the VBR and VPC are in different regions. For more information, see Peering connections.

What are the differences between CEN and virtual private cloud (VPC) peering connections?

Both CEN and VPC peering connections can establish communication between VPCs. However, CEN and VPC peering connections differ in network scales, networking topology, network scalability, route management, and billing.

Supported connection scenarios

  • CEN: VPC-to-VPC communication within the same region and Alibaba Cloud account; within the same region but between different Alibaba Cloud accounts; within the same Alibaba Cloud account but across regions; and across regions and Alibaba Cloud accounts.

  • VPC peering connection: The same four scenarios: within the same region and Alibaba Cloud account; within the same region but between different Alibaba Cloud accounts; within the same Alibaba Cloud account but across regions; and across regions and Alibaba Cloud accounts.

Network scales

  • CEN: Each transit router supports up to 1,000 VPCs.

  • VPC peering connection: Each VPC supports 10 peering connections by default.

Network connections

  • CEN: Point-to-multipoint connection. After a VPC is connected to a transit router, the VPC can communicate with other VPCs, CCN instances, VBRs, and IPsec-VPN connections that are connected to the same transit router.

  • VPC peering connection: Point-to-point connection. After a VPC is connected to a peer VPC, the VPC can communicate only with that peer VPC. To establish communication among multiple VPCs, you must create a peering connection between every pair of VPCs.

Network scalability

  • CEN: Strong. CEN supports a large number of VPCs after simple configuration. To scale out your network, add more VPCs to transit routers and create inter-region connections as needed.

  • VPC peering connection: Weak. Each VPC peering connection is a point-to-point connection. Every time you add a peer VPC, you must create a peering connection and configure routes.

Route management

  • CEN: Automatic learning. Transit routers support automatic route learning and advertising. After you connect a VPC to a transit router, routes are automatically advertised and learned, so you do not need to configure routes manually. Manual configuration is also available: you can use route learning, associated forwarding, routing policies, and prefix lists to customize the networking topology.

  • VPC peering connection: Manual configuration. After you create a VPC peering connection, you must configure routes between the VPCs. Each peering connection is point-to-point: if VPC1 peers with VPC2 and VPC2 peers with VPC3, VPC1 cannot reach VPC3 through VPC2. Routing policies are not supported.

Billing

  • CEN: Intra-region VPC-to-VPC connections are charged a connection fee and a data transfer fee by the Enterprise Edition transit router. Inter-region VPC-to-VPC connections are additionally charged an inter-region bandwidth or data transfer fee. For more information, see Billing rules.

  • VPC peering connection: No fees are charged if the VPCs are in the same region. If the VPCs are in different regions, you are charged an outbound data transfer fee, which is managed by Cloud Data Transfer (CDT). For more information, see What is CDT? and, for billing and pricing, Billing overview.

Recommended use scenarios

  • CEN: Communication among a large number of VPCs; finer-grained networking; frequent networking adjustments.

  • VPC peering connection: Communication among a small number of VPCs; a simple network topology with relatively low requirements for route management; infrequent networking adjustments.

How do I check the latency of inter-region communication when CEN is used?

Establish an inter-region connection between two regions, and view the monitoring data of the inter-region connection. The monitoring data includes the latency information. For more information, see Manage inter-region connections and Monitor inter-region connections.

How do I use CEN to establish network communication among VPCs that belongs to three different Alibaba Cloud accounts?

For example, VPC1 belongs to Account A, VPC2 belongs to Account B, and VPC3 belongs to Account C. To establish network communication among the VPCs, use Account B and Account C to grant permissions to Account A, and then use Account A to attach VPC2 and VPC3 to its CEN instance. For more information, see Use Enterprise Edition transit routers to connect VPCs in different regions and accounts and Use CEN and Basic Edition transit routers to connect VPCs in different regions and Alibaba Cloud accounts.


How do I handle the Forbbiden.AttachChildInstanceAcrossBid error message that indicates VPCs in a different bid account cannot be attached to the CEN instance?

When you attach a VPC that belongs to another Alibaba Cloud account to your transit router, both Alibaba Cloud accounts must be of the same type.

For example, both accounts must be created on the Alibaba Cloud China site, or both on the Alibaba Cloud International site.

For more information, see Overview of connecting a VPC to an external network.

What can I do if the system prompts an error when I connect a transit router to a VBR?

If the DEVICE_MODEL_FORBIDDEN error message is returned, the underlying access device does not allow VBRs to be connected to transit routers. Submit a ticket to request that Alibaba Cloud connect your VBR to your transit router.

How do I use an unoptimized Enterprise Edition transit router to create a VPC connection?

To use an unoptimized Enterprise Edition transit router to create a VPC connection, you must specify a primary zone and a secondary zone when you connect the VPC to the transit router. The VPC must have at least one vSwitch in each of the specified zones, and each of those vSwitches must have at least one free IP address. When the VPC is connected to the Enterprise Edition transit router, an elastic network interface (ENI) is automatically created on the selected vSwitch in each zone. Each ENI occupies one IP address of its vSwitch, and the ENIs forward traffic between the VPC and the Enterprise Edition transit router.

Data transfer from the connected VPC is preferentially forwarded by the ENI in the primary zone to the Enterprise Edition transit router. If the ENI in the primary zone fails, the ENI in the secondary zone takes over.

Make sure that the specified zones meet the following requirements:

  • The VPC must have at least one vSwitch in each of the primary and secondary zones.

  • Pay attention to the route tables and network access control lists (ACLs) associated with the vSwitches in which the ENIs are created. They determine how traffic from the Enterprise Edition transit router to the VPC is processed in the VPC. If the two vSwitches use different route tables or network ACLs, traffic from the transit router is routed or filtered differently depending on which ENI is active, so a failover from the primary zone to the secondary zone can change the effective policy. For more information, see Overview of network ACLs.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. Navigate to the Basic Settings > Transit Router tab and click the ID of the transit router that you want to manage.

  4. On the Connection with Peer Network Instance page, configure the parameters and click OK.

    The following table describes only the parameters that are relevant to this question. For more information about other parameters, see Connect VPCs.

    Parameter

    Description

    Network Type

    Select VPC.

    Region

    Select the region where the VPC that you want to connect to the transit router is deployed.

    Transit Router

    The transit router in the selected region is displayed.

    Select the primary and secondary zones for the transit router

    Select the primary and secondary zones of the transit router.

    After you specify the primary and secondary zones, the system creates ENIs in the vSwitches that are deployed in the specified zones.

    Network Instance

    Select the ID of the VPC that you want to connect to the transit router.

    VSwitch

    Select a vSwitch in each of the primary and secondary zones.
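The following Python script, added here as an example and not part of the CEN console or the VPC API, performs the zone check described above before you click OK. The VSwitch model and the sample VPC in it are constructed; the zone and vSwitch IDs are placeholders, and available_ip_count stands in for the free-address count the console shows for each vSwitch. It blocks selections where a chosen vSwitch has no free address for the ENI and warns when the two vSwitches use different route tables or network ACLs, because that is the case in which a zone failover silently changes how traffic from the transit router is handled.

```python
"""Pre-flight check before attaching a VPC to an unoptimized Enterprise Edition
transit router: each of the primary and secondary zones needs a vSwitch of the
VPC with at least one free IP address (the ENI consumes one), and the two
vSwitches should share a route table and network ACL so traffic from the
transit router is processed the same way whichever ENI is active.
The VSwitch model and SAMPLE_VSWITCHES are constructed for this example; the
field names are simplified and are not the VPC API's own."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VSwitch:
    vsw_id: str
    zone_id: str
    available_ip_count: int        # free addresses, as the console reports them
    route_table_id: str
    network_acl_id: Optional[str]  # None when no network ACL is associated


def candidate_vswitches(vswitches, zone_id):
    """vSwitches in the zone that can still host an ENI."""
    return [v for v in vswitches
            if v.zone_id == zone_id and v.available_ip_count >= 1]


def check_zone_selection(vswitches, primary_zone, secondary_zone,
                         primary_vsw_id, secondary_vsw_id):
    """Return (ok, problems, warnings). Problems block the attachment; warnings
    flag selections whose vSwitches route or filter traffic differently."""
    problems, warnings = [], []
    if primary_zone == secondary_zone:
        problems.append("primary and secondary zones must differ")
    by_id = {v.vsw_id: v for v in vswitches}
    chosen = []
    for role, zone, vsw_id in (("primary", primary_zone, primary_vsw_id),
                               ("secondary", secondary_zone, secondary_vsw_id)):
        if not candidate_vswitches(vswitches, zone):
            problems.append(f"{role} zone {zone} has no vSwitch with a free IP address")
        v = by_id.get(vsw_id)
        if v is None:
            problems.append(f"{role} vSwitch {vsw_id} is not in this VPC")
            continue
        if v.zone_id != zone:
            problems.append(f"{role} vSwitch {vsw_id} is in {v.zone_id}, not {zone}")
        if v.available_ip_count < 1:
            problems.append(f"{role} vSwitch {vsw_id} has no free IP address for the ENI")
        chosen.append(v)
    if len(chosen) == 2:
        p, s = chosen
        if p.route_table_id != s.route_table_id:
            warnings.append(f"route tables differ ({p.route_table_id} vs {s.route_table_id}): "
                            "traffic from the transit router is routed differently after failover")
        if p.network_acl_id != s.network_acl_id:
            warnings.append(f"network ACLs differ ({p.network_acl_id} vs {s.network_acl_id}): "
                            "traffic from the transit router is filtered differently after failover")
    return (not problems, problems, warnings)


# Constructed sample VPC: three vSwitches across two zones (placeholder IDs).
SAMPLE_VSWITCHES = [
    VSwitch("vsw-a", "cn-hangzhou-h", 120, "vtb-main", "nacl-1"),
    VSwitch("vsw-b", "cn-hangzhou-i", 0, "vtb-main", "nacl-1"),    # no free address
    VSwitch("vsw-c", "cn-hangzhou-i", 5, "vtb-custom", None),      # different policy
]

if __name__ == "__main__":
    for selection in (("vsw-a", "vsw-b"), ("vsw-a", "vsw-c")):
        ok, problems, warnings = check_zone_selection(
            SAMPLE_VSWITCHES, "cn-hangzhou-h", "cn-hangzhou-i", *selection)
        print(selection, "OK" if ok else "BLOCKED", problems, warnings)
```

Run the check against the real vSwitch list of the VPC (for example the output of DescribeVSwitches) before creating the connection; a warning is not fatal, but it tells you that the primary and secondary paths are not policy-equivalent.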

If route synchronization is disabled, can VPCs communicate with each other?

Route synchronization allows Enterprise Edition transit routers to advertise routes to network instances that are attached to the Enterprise Edition transit routers. If route synchronization is disabled for a VPC, the Enterprise Edition transit router to which the VPC is attached does not advertise routes to the VPC, including routes to the peer VPC. Make sure that the route table of the VPC contains a route that points to the peer VPC.

In addition to route synchronization, you can also use the following methods to add routes to the VPC route table. Make sure that the routes allow network traffic from the VPC to the transit router, which then forwards the network traffic to the peer VPC.

  • When you create a VPC connection, select Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. For more information, see Create a VPC connection.

    The system automatically adds routes whose destination CIDR blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 to all route tables of the VPC. The next hop of the routes is the VPC connection.

    Important

    If a VPC route table already contains a route whose destination CIDR block is exactly 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, the system cannot add that route automatically. In this case, manually add routes that point to the CIDR blocks of the peer VPC.

    To check whether the preceding routes exist, click Check Route when you create the VPC connection.

  • Manually add routes that point to the peer VPC to the VPC route table, and set the next hop to the transit router. For more information, see Subnet routing.
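The following Python script is an added example, not code from the CEN console or the VPC API. It applies the rule above to a constructed VPC route table: an aggregate route can be created automatically only when no route with exactly that destination exists, and it also reports existing more-specific routes, which coexist with the aggregate but still win longest-prefix match, so traffic to those prefixes never reaches the transit router. The manual_routes_needed helper then tells you, for each peer VPC CIDR block, whether an aggregate already covers it, whether you must add a manual route with the VPC connection as the next hop, or whether an overlapping existing route has to be resolved first. The route entries and the attachment ID are sample data; the field names are simplified and are not the API's own.

```python
"""Check a VPC route table against the three aggregate routes that CEN adds
when "Automatically Creates Route That Points to Transit Router and Adds to
All Route Tables of Current VPC" is selected. SAMPLE_ROUTE_TABLE is constructed
sample data shaped loosely like route entries, not real ones."""
from ipaddress import ip_network

AUTO_ROUTES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def plan_auto_routes(route_entries):
    """Classify each aggregate as creatable ("auto") or blocked by an exact
    duplicate ("conflict"), and list existing routes inside it that keep
    winning longest-prefix match ("shadowed")."""
    existing = {ip_network(e["destination"]): e for e in route_entries}
    plan = {"auto": [], "conflict": [], "shadowed": {}}
    for cidr in AUTO_ROUTES:
        agg = ip_network(cidr)
        plan["conflict" if agg in existing else "auto"].append(cidr)
        inside = sorted(str(n) for n in existing
                        if n != agg and n.version == agg.version and n.subnet_of(agg))
        if inside:
            plan["shadowed"][cidr] = inside
    return plan


def manual_routes_needed(route_entries, peer_cidrs, attachment_id):
    """For each peer VPC CIDR block, say whether an aggregate already carries it
    to the transit router, a manual route via the VPC connection is required,
    or an overlapping existing route has to be resolved first."""
    plan = plan_auto_routes(route_entries)
    auto = [ip_network(a) for a in plan["auto"]]
    existing = [(ip_network(e["destination"]), e) for e in route_entries]
    actions = {}
    for peer in peer_cidrs:
        net = ip_network(peer)
        exact = next((e for n, e in existing if n == net), None)
        if exact is not None and exact["next_hop_id"] == attachment_id:
            actions[peer] = "present"
            continue
        # Routes at least as specific as the peer prefix beat both the aggregate
        # and any manual route you add, so they have to be changed first.
        clashes = [str(n) for n, _ in existing
                   if n.version == net.version and n.prefixlen >= net.prefixlen
                   and n.overlaps(net)]
        covering = next((str(a) for a in auto if net.subnet_of(a)), None)
        if clashes:
            actions[peer] = "resolve overlap with " + ", ".join(clashes)
        elif covering:
            actions[peer] = f"covered by {covering}"
        else:
            actions[peer] = f"add route via {attachment_id}"
    return actions


# Constructed sample route table of the local VPC (placeholder next-hop IDs).
SAMPLE_ROUTE_TABLE = [
    {"destination": "10.0.0.0/16",    "next_hop_type": "local",      "next_hop_id": ""},
    {"destination": "10.20.0.0/16",   "next_hop_type": "Instance",   "next_hop_id": "i-nat-sample"},
    {"destination": "192.168.0.0/16", "next_hop_type": "VpnGateway", "next_hop_id": "vpn-sample"},
    {"destination": "0.0.0.0/0",      "next_hop_type": "NatGateway", "next_hop_id": "ngw-sample"},
    {"destination": "172.31.5.0/24",  "next_hop_type": "Attachment", "next_hop_id": "tr-attach-sample"},
]
SAMPLE_PEERS = ["172.20.0.0/16", "192.168.50.0/24", "10.20.0.0/16", "172.31.5.0/24"]

if __name__ == "__main__":
    print(plan_auto_routes(SAMPLE_ROUTE_TABLE))
    for peer, action in manual_routes_needed(SAMPLE_ROUTE_TABLE, SAMPLE_PEERS,
                                             "tr-attach-sample").items():
        print(f"{peer:18} {action}")
```

In the sample, 192.168.0.0/16 already points to a VPN gateway, so the aggregate for it cannot be created and a peer VPC at 192.168.50.0/24 needs an explicit /24 route to the VPC connection, which then wins over the /16. The existing 10.20.0.0/16 route to a NAT instance is flagged rather than silently bypassed, because neither the aggregate nor a manual route of the same length would change where that traffic goes.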

After I connect multiple VBRs to the same CEN instance, why do the VBRs fail to learn routes from each other?

Possible causes

After a VBR is connected to a CEN instance, the system automatically adds a routing policy whose direction is Egress Regional Gateway, priority is 5000, and action is Reject to the route table of the transit router that is associated with the VBR connection. By default, this routing policy does not allow the VBR to communicate with other VBRs that are also connected to the transit router. Be aware that a Basic Edition transit router has only one route table. For more information, see Default routing policy.

Solutions

The routing policy that the system creates cannot be modified. Its priority value is greater than 1000, and a smaller priority value takes precedence. If you do not want the default routing policy to take effect, add a custom routing policy with a smaller priority value, which the transit router evaluates before the default policy. For example, a custom policy that permits routes from one VBR to other VBRs overrides the default Reject policy. For more information, see Work with routing policies.
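The following Python model is an added example, not part of CEN. It shows why the default policy blocks VBR-to-VBR route learning and how a custom policy with a smaller priority value overrides it, while a custom policy with a larger value than the default never gets a chance to. Its evaluation rules are assumptions made for the example rather than statements from the product documentation: policies are tried in ascending order of priority value, the first policy whose conditions all match decides, and a route that matches no policy is permitted. The policy fields are simplified, and the VBR IDs and prefixes are constructed.

```python
"""Simplified model of routing-policy evaluation on a transit router route
table. The default policy modelled here is the one the FAQ describes: direction
Egress Regional Gateway, priority 5000, action Reject, applied to routes that a
VBR advertises towards other VBRs. Evaluation order (ascending priority value,
first match decides, no match permits) is an assumption of this example."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    source_type: str   # instance that advertised the route: "VBR", "VPC", "CCN", "VPN"
    source_id: str


@dataclass
class Policy:
    name: str
    priority: int                          # smaller value is evaluated first
    direction: str                         # "egress" (Egress Regional Gateway) or "ingress"
    action: str                            # "Permit" or "Reject"
    source_types: Tuple[str, ...] = ()     # empty means any
    dest_types: Tuple[str, ...] = ()       # instance type the route is advertised to
    prefixes: Tuple[str, ...] = ()         # empty means any; route must fall inside one

    def matches(self, route, direction, dest_type):
        if self.direction != direction:
            return False
        if self.source_types and route.source_type not in self.source_types:
            return False
        if self.dest_types and dest_type not in self.dest_types:
            return False
        if self.prefixes:
            net = ip_network(route.prefix)
            if not any(net.subnet_of(ip_network(p)) for p in self.prefixes):
                return False
        return True


DEFAULT_VBR_POLICY = Policy("system-default", 5000, "egress", "Reject",
                            source_types=("VBR",), dest_types=("VBR",))


def evaluate(policies, route, direction, dest_type):
    """Return (permitted, name of the deciding policy or None)."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(route, direction, dest_type):
            return policy.action == "Permit", policy.name
    return True, None   # no policy matched: the route passes


def learned_routes(policies, routes, dest_type, direction="egress"):
    """Prefixes that an attachment of dest_type would learn."""
    return [r.prefix for r in routes
            if evaluate(policies, r, direction, dest_type)[0]]


# Constructed sample: two data centers (VBRs) attached to one transit router.
VBR_ROUTES = [
    Route("10.1.0.0/16", "VBR", "vbr-dc1"),
    Route("10.2.0.0/16", "VBR", "vbr-dc2"),
    Route("172.16.8.0/24", "VBR", "vbr-dc1"),
]

# Custom policy: let the data centers exchange only their 10.0.0.0/8 prefixes.
ALLOW_DC_TO_DC = Policy("allow-dc-to-dc", 10, "egress", "Permit",
                        source_types=("VBR",), dest_types=("VBR",),
                        prefixes=("10.0.0.0/8",))

if __name__ == "__main__":
    print("default only, advertised to a VBR:", learned_routes([DEFAULT_VBR_POLICY], VBR_ROUTES, "VBR"))
    print("default only, advertised to a VPC:", learned_routes([DEFAULT_VBR_POLICY], VBR_ROUTES, "VPC"))
    print("with custom policy, to a VBR:     ", learned_routes([DEFAULT_VBR_POLICY, ALLOW_DC_TO_DC], VBR_ROUTES, "VBR"))
```

Note that the custom policy is deliberately narrower than a blanket Permit: it opens only the prefixes the two data centers are meant to exchange, and everything else from a VBR still hits the default Reject, which keeps the least-privilege property of the default.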

After I connect a VBR and a VPC to a CEN instance, why does the VBR fail to learn routes from the VPC?

Troubleshoot the errors based on the edition of the transit router to which the VBR and VPC are connected.

Enterprise Edition transit router

If the VBR and VPC are connected to an Enterprise Edition transit router, perform the following operations to troubleshoot errors:

  1. Use the reachability analyzer and the instance diagnostics feature of transit routers to troubleshoot the error. For more information, see Work with the reachability analyzer and Diagnose a transit router.

  2. If the VBR and VPC are in different regions, make sure that an inter-region connection is created between the transit routers in the regions. For more information, see Use an Enterprise Edition transit router to create an inter-region connection.

  3. Make sure that the route table of the transit router to which the VBR is connected contains a route that points to the VPC.

  4. Check the routing policies used by the route table of the transit router to which the VBR is connected. Make sure that the routing policy allows the VBR to learn routes from the VPC. For more information, see Routing policy overview.

Basic Edition transit router

If the VBR and VPC are connected to a Basic Edition transit router, perform the following operations to troubleshoot errors:

  1. If the VBR and VPC are in different regions, make sure that an inter-region connection is created between the transit routers in the regions. For more information, see Use a Basic Edition transit router to create an inter-region connection.

  2. Make sure that the route table of the transit router to which the VBR is connected contains a route that points to the VPC.

    By default, Basic Edition transit routers automatically learn routes from VBRs and system routes from VPCs. If you want a Basic Edition transit router to learn other routes from VPCs, advertise the routes to the transit router. For more information, see Advertise routes to a transit router.

  3. Check the routing policy used by the route table of the transit router to which the VBR is connected. Make sure that the routing policy allows the VBR to learn routes from the VPC. For more information, see Routing policy overview.

Why does a VPC fail to learn routes from the CEN instance?

Troubleshoot errors based on the edition of the transit router to which the VPC is connected.

Enterprise Edition transit router

  1. By default, VPCs connected to an Enterprise Edition transit router do not learn routes from the transit router. Associate the VPC connection with a route table of the transit router and enable route synchronization for the VPC. The VPC then automatically learns routes from the route table with which its connection is associated. Make sure that this route table contains at least one route learned from a network instance.

    For more information about how to associate a VPC connection with a route table of an Enterprise Edition transit router and how to enable route synchronization for a VPC, see Associated forwarding and Route synchronization.

  2. Check whether a route in the route tables of the Enterprise Edition transit router overlaps with a route in the route table of the VPC.

  3. Check whether a routing policy is used by the route tables of the Enterprise Edition transit router. If yes, make sure that the routing policy allows the VPC to learn routes from the route tables of the Enterprise Edition transit router. For more information, see Routing policy overview.

Basic Edition transit router

By default, VPCs connected to a Basic Edition transit router automatically learn routes from the transit router. Perform the following operations to troubleshoot errors:

  1. Make sure that the route table of the Basic Edition transit router contains at least one route learned from a network instance.

  2. Check whether a route in the route table of the Basic Edition transit router overlaps with a route in the route table of the VPC.

  3. Check whether a routing policy is used by the route table of the Basic Edition transit router. If yes, make sure that the routing policy allows the VPC to learn routes from the route table of the Basic Edition transit router. For more information, see Routing policy overview.

Why does my VPC or CEN instance prompt the Route Conflict error?

For more information, see Why does a VPC route table or CEN prompt the Route Conflict error message?

What do I do if the CIDR blocks of the vSwitches in a VPC overlap with each other?

For more information, see What can I do if the CIDR blocks of the vSwitches in a VPC overlap with each other?

After I attach network instances that are in different regions to the same CEN instance, why do requests fail to reach the services but ping packets can?

After a Smart Access Gateway (SAG) instance is attached to an Enterprise Edition transit router, why do requests from the SAG instance fail to access another cloud service?

  1. Make sure that the region in which the cloud service is deployed has at least one VPC attached to the Enterprise Edition transit router. For more information, see Use an Enterprise Edition transit router to connect VPCs.

  2. Make sure that an inter-region connection is established between the Enterprise Edition transit router to which the VPC is connected and the transit router to which the CCN instance is attached. For more information, see Use an Enterprise Edition transit router to create an inter-region connection.

  3. Make sure that a route that points to the cloud service is added to the route table of the Enterprise Edition transit router. In addition, you must set the next hop of the route to the VPC connection. For more information, see Enable access to a cloud service from an Enterprise Edition transit router.

  4. Make sure that the route table of the transit router to which the CCN instance is connected contains a route for the CIDR block of the SAG instance.

  5. Check whether a routing policy is used by the route table of the transit router to which the CCN instance is connected and the route tables of the Enterprise Edition transit router. If yes, make sure that the routing policy allows the CIDR block of the SAG to communicate with the CIDR block of the cloud service. For more information, see Routing policy overview.

  6. Check whether the route table of the VPC contains a route that points to the SAG instance. If not, add one and set the next hop to the VPC connection on the transit router. For more information, see Add and delete routes.

  7. Check whether the routes in the route table of the transit router to which the CCN instance is connected, the routes in the route tables of the Enterprise Edition transit router, and the routes in the route table of the VPC overlap with each other.

  8. Check the ACL.

    • Check whether an ACL is configured for the SAG instance. If yes, make sure that the ACL allows the SAG instance to access the cloud service. For more information, see ACL overview.

    • Check whether an ACL is configured for the VPC. If yes, make sure that the ACL allows the SAG instance to access the cloud service. For more information about ACLs, see Overview of network ACLs.

  9. Check whether the services and cloud resources associated with the SAG instance are running as expected.

After I attach two VPCs to a CEN instance, why do the Elastic Compute Service (ECS) instances in the VPCs fail to communicate with each other?

Troubleshoot errors based on the edition of the transit routers to which the VPCs are connected.

Enterprise Edition transit router

If at least one of the VPCs is attached to an Enterprise Edition transit router, perform the following operations to troubleshoot errors:

  1. Check whether the VPCs are attached to the same CEN instance.

    The VPCs in which the ECS instances are deployed must be attached to the same CEN instance. For more information, see Connect VPCs.

  2. Use the reachability analyzer and the instance diagnostics feature of transit routers to identify errors. For more information, see Work with the reachability analyzer and Diagnose a transit router.

  3. If two VPCs are in different regions, make sure that an inter-region connection is established between the transit routers to which the VPCs are connected. For more information, see Use an Enterprise Edition transit router to create an inter-region connection.

  4. Check whether ACLs are configured for the VPCs. If yes, make sure that the ACLs allow the ECS instances to communicate with each other. For more information about ACLs, see Overview of network ACLs.

  5. Check the security group rules applied to the VPCs. Make sure that the security group rules allow the ECS instances to communicate with each other. For more information, see View security group rules and Add a security group rule.

  6. Check whether the CIDR blocks of the VPCs that need to communicate with each other are advertised to the transit routers. For more information, see Advertise routes to a transit router.

  7. Check whether routing policies are used by the route tables of the transit routers to which the VPCs are connected. If yes, make sure that the routing policies allow the CIDR blocks to communicate with each other.

  8. Check whether routes in the route tables of the transit routers to which the VPCs are connected conflict with the routes in the route tables of the VPCs.

  9. If the problem persists, send ping packets from an ECS instance in a VPC to test whether the packets can reach the destination ECS instance in the other VPC.

Basic Edition transit router

If both of the VPCs are connected to Basic Edition transit routers, perform the following operations to troubleshoot:

  1. Check whether the VPCs are attached to the same CEN instance.

    The VPCs in which the ECS instances are deployed must be attached to the same CEN instance. For more information, see Connect VPCs.

  2. If the VPCs are in different regions, make sure that an inter-region connection is established between the transit routers to which the VPCs are connected. For more information, see Use a Basic Edition transit router to create an inter-region connection.

  3. Check whether ACLs are configured for the VPCs. If yes, make sure that the ACLs allow the ECS instances to communicate with each other. For more information about ACLs, see Overview of network ACLs.

  4. Check the security group rules applied to the VPCs. Make sure that the security group rules allow the ECS instances to communicate with each other. For more information, see View security group rules and Add a security group rule.

  5. Check whether the CIDR blocks of the VPCs that need to communicate with each other are advertised to the transit routers.

    By default, Basic Edition transit routers automatically learn system routes from VPCs. If you want a Basic Edition transit router to learn other routes from VPCs, advertise the routes to the transit router. For more information, see Advertise routes to a transit router.

  6. Check whether routing policies are used by the route tables of the transit routers to which the VPCs are connected. If yes, make sure that the routing policies allow the CIDR blocks to communicate with each other.

  7. Check whether routes in the route tables of the transit routers to which the VPCs are connected conflict with the routes in the route tables of the VPCs.

  8. If the problem persists, send ping packets from an ECS instance in a VPC to test whether the packets can reach the destination ECS instance in the other VPC.

After I attach two VPCs to the same CEN instance, why can ping packets reach the VPCs but the Telnet ports of the VPCs are inaccessible?

For more information, see After I attach two VPCs to the same CEN instance, why can ping packets reach the VPCs but the Telnet ports of the VPCs are inaccessible?

After I deploy an Express Connect circuit, why are the IP address of the Express Connect circuit and the IP address of the data center inaccessible?

For more information, see After I deploy an Express Connect circuit, why are the IP address of the Express Connect circuit and the IP address of the data center inaccessible?

After I create a CEN instance and grant permissions on cross-account networking, why do networks fail to communicate with each other?

For more information, see After I grant permissions on cross-account networking, why do networks fail to communicate with each other?

When I create a VPC firewall for my CEN instance, why does the system prompt the following error: It is not allowed to be created because of the existing unauthorized network instance?

For more information, see When I create a VPC firewall for my CEN instance, why does the system prompt the following error: It is not allowed to be created because of the existing unauthorized network instance?

Why do I fail to attach a VPC that belongs to another Alibaba Cloud account to my CEN instance?

Perform the following operations to troubleshoot errors:

  1. Check whether the accounts to which the VPC and CEN instance belong are of the same type.

    If the VPC belongs to an Alibaba Cloud account on the China site but the CEN instance belongs to an Alibaba Cloud account on the International site, the VPC cannot be attached to the CEN instance. A CEN instance owned by a China site account accepts only VPCs owned by China site accounts, and a CEN instance owned by an International site account accepts only VPCs owned by International site accounts.

  2. Check whether the required permissions on the VPC are granted to the CEN instance. For more information, see Grant Account B permissions on the VPC.