CEN FAQ - Cloud Enterprise Network - Alibaba Cloud Documentation Center

This topic provides answers to some frequently asked questions about Cloud Enterprise Network (CEN).

Quick links

Category	Quick links
Basics	Does CEN support same-region, cross-account VPC-to-VPC connections? Does CEN support same-account, cross-region VPC-to-VPC connections? Can I create only one transit router in each region? What are the differences between CEN and VBR-to-VPC connections? What are the differences between CEN and VPC peering connections? How do I check the latency of cross-region access when I use CEN? How do I use CEN to establish network connectivity among VPCs that belong to three different Alibaba Cloud accounts?
Billing questions	Billing FAQ
Network instance connections	What do I do if the console displays the "Forbbiden.AttachChildInstanceAcrossBid" error? What do I do if an error is reported when I connect a transit router to a VBR instance? How do I connect to a VPC instance using an un-upgraded Enterprise Edition transit router? Can I change a VPC connection that is attached to multiple vSwitches to be attached to only one vSwitch?
Route learning	If route synchronization is disabled, does it affect communication between VPCs? After I attach multiple VBR instances to a CEN instance, why do the VBR instances fail to learn routes from each other? After I attach a VBR instance and a VPC instance to a CEN instance, why does the VBR instance fail to learn routes from the VPC instance? Why does a VPC instance fail to learn routes from a CEN instance? Why does the route table of a Basic Edition transit router contain a route whose next hop is a VPC in a different region?
Route conflicts	What do I do if a "Route Conflict" error is reported in a VPC route table or CEN? What do I do if the CIDR blocks of vSwitches in a VPC conflict?
Network connectivity	After I attach network instances from different regions to a CEN instance, why can I ping services but cannot access them? Why can't an SAG instance access an Alibaba Cloud service through an Enterprise Edition transit router? After two VPCs are attached to a CEN instance, why do the ECS instances in the VPCs fail to communicate with each other? After I use CEN to connect two VPCs, why can I ping the peer instance but cannot connect to its Telnet port? After I create an Express Connect circuit, why can't I ping the IP address of the Express Connect circuit and the IP address of the data center?
Cross-account scenarios	Why can't I attach a cross-account VPC instance to a CEN instance? After I create a CEN instance and grant cross-account permissions, why does the network connection fail? When I create a VPC firewall for a CEN instance, why is the "Creation is not allowed due to an unauthorized network instance" error reported?

Does CEN support same-region, cross-account VPC-to-VPC connections?

This feature is supported.

For more information, see the following documents. You do not need to purchase a bandwidth plan or create an inter-region connection.

Does CEN support same-account, cross-region VPC-to-VPC connections?

Yes.

For more information, see the following documents. In this scenario, you do not need to grant permissions to a cross-account VPC.

Can I create only one transit router in each region?

A CEN instance manages a single network. Within that CEN instance, you can create one transit router per region. To establish network connectivity between network instances, you must attach them to the same CEN instance.

You can create multiple CEN instances. By default, the networks of different CEN instances are isolated from each other. This lets you create a transit router in the same region for different CEN instances.

For example, you can create a transit router in the China (Hangzhou) region for CEN Instance 1 and another transit router in the China (Hangzhou) region for CEN Instance 2.

What are the differences between CEN and VBR-to-VPC connections?

Both CEN and VBR-to-VPC connections through Express Connect can establish connections between data centers and VPCs. However, they differ in terms of network connectivity, route configuration, and billing.

Item	CEN	VBR-to-VPC connection
Network connectivity	Multipoint connection After a VBR instance and a VPC instance are connected to a transit router, the data center can communicate with the VPC instance. The data center can also communicate with other VPC instances, CCN instances, VBR instances, and IPsec-VPN connections that are connected to the transit router.	Point-to-point connection VBR-to-VPC connections are not transitive. After you use a VBR-to-VPC connection, the data center can communicate only with the peer VPC instance of the VBR instance.
Route configuration	Dynamic learning Advanced configurations are available when you connect VBR and VPC instances to a transit router. After you use the advanced configurations, routes are automatically propagated and learned. You do not need to manually configure routes. Manual configuration Advanced configurations are available when you connect VBR and VPC instances to a transit router. If you do not use the advanced configurations, you can use routing features such as route learning, associated forwarding, routing policies, and prefix lists of the transit router to customize network connectivity. This provides fine-grained control over network communication.	Manual configuration You must manually add routes for the VBR and VPC instances. Route control features such as routing policies are not supported.
Billing	If the VBR and VPC instances are in the same region, you are charged connection fees and data processing fees for the Enterprise Edition transit router. If the VBR and VPC instances are in different regions, you are charged connection fees, data processing fees, and bandwidth plan instance fees or data transfer fees for the inter-region connection. For more information about billing rules, see Billing of CEN.	If the VBR and VPC instances are in the same region, no fees are charged. If the VBR and VPC instances are in different regions, you are charged for the connection. For more information about billing rules, see Billing of VBR-to-VPC connections.

What are the differences between CEN and VPC peering connections?

Both CEN and VPC peering connections can establish private connectivity between VPCs. However, they differ in terms of network scale, connectivity, extensibility, route configuration, and billing.

Comparison point	CEN	VPC peering connection
Supported scenarios	Same-account VPC-to-VPC connection in the same region Cross-account VPC-to-VPC connection in the same region Same-account VPC-to-VPC connection across regions Cross-account VPC-to-VPC connection across regions	Same-account VPC-to-VPC connection in the same region Cross-account VPC-to-VPC connection in the same region Same-account VPC-to-VPC connection across regions Cross-account VPC-to-VPC connection across regions
Supported network scale	A transit router supports connections to 1,000 VPCs.	By default, a VPC supports connections to 10 VPCs in the same region and 20 VPCs across regions.
Network connectivity	Multipoint connection After a VPC is attached to a transit router, it can communicate with all other network instances attached to the same transit router, such as other VPCs, VBRs, and IPsec-VPN connections.	Point-to-point connection A VPC can establish a private connection only with its peer VPC. If you want to enable communication among multiple VPCs, you must create a peering connection and add a route between each pair of VPCs.
Network extensibility	Strong CEN is easy to configure. To add more VPCs, simply attach them to the transit router and configure routes or inter-region connections as needed.	Weak VPC peering connections require end-to-end manual configuration. To add a VPC, you must create a peering connection and configure routes between the new VPC and each of the VPCs that you want to connect.
Route configuration	Dynamic learning When you attach a VPC to a transit router, advanced configurations are available. If you use these configurations, routes are automatically propagated and learned. You do not need to manually configure routes. Manual configuration If you do not use the advanced configurations, you can use routing features such as route learning, associated forwarding, routing policies, and prefix lists to customize network connectivity. This provides fine-grained control over network communication.	Manual configuration After you create a VPC peering connection, you must manually configure end-to-end routes. VPC peering connections are not transitive. Assume that you have three VPCs: VPC1, VPC2, and VPC3. A VPC peering connection is established between VPC1 and VPC2, and another VPC peering connection is established between VPC2 and VPC3. VPC1 and VPC3 cannot communicate with each other through VPC2. VPC peering connections do not support route control features such as routing policies.
Billing	For same-region VPC-to-VPC connections, you are charged connection fees and data processing fees for the Enterprise Edition transit router. For cross-region VPC-to-VPC connections, you are charged connection fees, data processing fees, and bandwidth plan instance fees or data transfer fees for the inter-region connection. For more information about billing rules, see Billing of CEN.	No fees are charged for same-region VPC-to-VPC connections. For cross-region VPC-to-VPC connections, you are charged data transfer fees for outbound traffic by Cloud Data Transfer (CDT). For more information, see Billing overview of CDT.
Recommended scenarios	Private network peering among many VPCs Fine-grained control over network communication Frequent changes to network configurations	Private network peering among a small number of VPCs Simple network communication scenarios with low requirements for route control Infrequent changes to network configurations

How do I check the latency of cross-region access when I use CEN?

You can create an inter-region connection between the regions and then view the monitoring data of the connection to check the cross-region access latency. For more information, see Inter-region connection and Monitor an inter-region connection.

How do I use CEN to establish network connectivity among VPCs that belong to three different Alibaba Cloud accounts?

For example, VPC1 belongs to Account A, VPC2 belongs to Account B, and VPC3 belongs to Account C. To enable communication among these VPCs, grant the CEN instance of Account A permissions to access VPC2 and VPC3. Then, attach both VPC2 and VPC3 to the CEN instance of Account A. For more information, see Cross-account VPC-to-VPC connection and Use CEN to establish a cross-region and cross-account VPC-to-VPC connection (Basic Edition).

What do I do if the console displays the Forbbiden.AttachChildInstanceAcrossBid error?

When you attach a cross-account VPC to a transit router, the VPC must belong to an account of the same type as the account that owns the transit router.

For example, a transit router that belongs to an account on the Alibaba Cloud China Website (www.aliyun.com) can be attached only to VPCs that belong to accounts on the Alibaba Cloud China Website. A transit router that belongs to an account on the Alibaba Cloud International Website (www.alibabacloud.com) can be attached only to VPCs that belong to accounts on the Alibaba Cloud International Website.

For more information about other VPC connection solutions, see Network connectivity.

What do I do if an error is reported when I connect a transit router to a VBR instance?

When you attach a VBR instance, if the error shown in the following figure is reported, it indicates that the underlying access device associated with the VBR instance does not support attaching the VBR instance to the transit router. To request assistance, submit a ticket. Alibaba Cloud will help you attach the VBR instance to the transit router. 连接VBR报错

How do I connect to a VPC instance using an un-upgraded Enterprise Edition transit router?

When you use an un-upgraded Enterprise Edition transit router to create a VPC connection, specify a primary and a secondary zone for the Enterprise Edition transit router. The VPC must have one vSwitch in the primary zone and one vSwitch in the secondary zone. Each vSwitch must have at least one idle IP address. When you attach the VPC, the Enterprise Edition transit router creates an elastic network interface (ENI) in each of the vSwitches in the primary and secondary zones. The ENI uses an IP address from the vSwitch and serves as an interface for traffic between the VPC and the Enterprise Edition transit router.

Traffic from the VPC is routed by preference through the ENI in the primary zone. If the ENI in the primary zone is unavailable, traffic is routed through the ENI in the secondary zone.

Note the following when you specify the zones:

The primary and secondary zones that you specify must belong to the same VPC. Each zone must contain at least one vSwitch.
The route table and network ACL associated with the vSwitch where the ENI is created affect how the transit router forwards traffic to the VPC. If the ENIs are in vSwitches that are associated with different route tables and network ACLs, traffic may be processed differently. For more information about network ACLs, see Network ACL.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.

On the Connection with Peer Network Instance page, configure the connection and click OK.

The following table describes only the configuration items that are relevant to this topic. For more information about other configuration items, see Create a VPC connection.

Configuration item	Description
Instance Type	Select VPC.
Region	Select the region where the VPC instance that you want to connect is deployed.
Transit Router	The system automatically displays the transit router instance that is created in the current region.
Set Primary/Secondary Zone for Transit Router	Select the primary and secondary zones for the transit router. After you select the zones, the system creates ENIs on the vSwitches in the specified zones.
Network Instance	Select the ID of the VPC instance that you want to connect.
vSwitch	Select a vSwitch in the primary zone and a vSwitch in the secondary zone.

If route synchronization is disabled, does it affect communication between VPCs?

The route synchronization feature allows an Enterprise Edition transit router to advertise routes from the route table associated with a network instance connection to the network instance. If you disable route synchronization for a VPC, the Enterprise Edition transit router does not advertise any routes to the VPC by default, including routes to the peer network instance. You must ensure that the route table of the VPC contains a route that points to the peer network instance for communication to be successful.

In addition to enabling route synchronization, you can also use the following methods to add routes to the route table of the VPC. This allows traffic from the VPC to be routed to the transit router, which then forwards the traffic to the peer network instance:

When you create a VPC connection, select Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC in the advanced configuration section. For more information, see Create a VPC connection.
The system automatically adds three routes whose destination CIDR blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 to all route tables of the VPC. The next hop of these routes is the VPC connection.
Important
If a route table of the VPC already contains a route whose destination CIDR block is 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, the system cannot automatically add the route. You must manually add a route that points to the VPC connection to the VPC route table.
When you create the VPC connection, you can click Initiate Route Check to check whether the preceding routes exist in the network instance.
Manually add a route that points to the peer network instance to the route table of the VPC. Set the next hop type to Transit Router. For more information, see Use a custom route table to manage network traffic.

After I attach multiple VBR instances to a CEN instance, why do the VBR instances fail to learn routes from each other?

Cause

After a VBR instance is attached to a CEN instance, the system adds a routing policy to the route table of the transit router that is associated with the VBR connection. The direction of the routing policy is Outgoing Regional Gateway, the policy priority is 5000, and the policy behavior is Reject. By default, this routing policy prevents the VBR instance from communicating with other VBR instances that are attached to the transit router. A Basic Edition transit router has only one route table. For more information, see Default routing policies.

Solution

The default routing policy created by the system (with a policy priority greater than 1000) cannot be modified. To override the default routing policy, you can add a custom routing policy that has a higher priority than the default routing policy to customize network communication. For more information, see Use routing policies.

After I attach a VBR instance and a VPC instance to a CEN instance, why does the VBR instance fail to learn routes from the VPC instance?

Troubleshoot the issue based on the edition of the transit router to which the VBR and VPC instances are attached:

Enterprise Edition transit router

If the VBR and VPC instances are attached to an Enterprise Edition transit router, perform the following steps to troubleshoot the issue:

Use the path analysis and instance diagnosis features of the transit router to troubleshoot the issue. For more information, see Use path analysis and Diagnose a transit router instance.
If the VBR and VPC instances are in different regions, ensure that an inter-region connection is created between the two transit routers. For more information, see Create an inter-region connection using an Enterprise Edition transit router.
Ensure that the route table of the transit router to which the VBR instance is attached contains a route to the VPC instance.
Check the routing policies applied to the route table of the transit router to which the VBR instance is attached. Ensure that the routing policies allow the VBR instance to learn routes from the VPC instance. For more information, see Routing policy.

Basic Edition transit router

If both the VBR and VPC instances are attached to a Basic Edition transit router, perform the following steps to troubleshoot the issue:

If the VBR and VPC instances are in different regions, ensure that an inter-region connection is created between the two transit routers. For more information, see Create an inter-region connection using a Basic Edition transit router.
Ensure that the route table of the Basic Edition transit router to which the VBR instance is attached contains a route to the VPC instance.
By default, a Basic Edition transit router automatically learns routes from the route table of the VBR instance and system routes from the VPC instance. If you want the Basic Edition transit router to learn other routes from the VPC instance, you must publish the routes to the transit router. For more information, see Publish a route to a transit router.
Check the routing policies applied to the route table of the Basic Edition transit router to which the VBR instance is attached. Ensure that the routing policies allow the VBR instance to learn routes from the VPC instance. For more information, see Routing policy.

Why does a VPC instance fail to learn routes from a CEN instance?

Troubleshoot the issue based on the edition of the transit router to which the VPC instance is attached:

Enterprise Edition transit router

After a VPC is attached to an Enterprise Edition transit router, it does not learn routes from the transit router by default. You can associate the VPC connection with a route table of the Enterprise Edition transit router and enable route synchronization for the VPC. After you enable route synchronization, the VPC automatically learns the routes in the route table of the Enterprise Edition transit router that is associated with the VPC connection. Ensure that the route table of the Enterprise Edition transit router associated with the VPC connection contains the required routes.
For more information about how to associate a VPC connection with a route table of an Enterprise Edition transit router and how to enable route synchronization for a VPC, see Create an associated forwarding correlation and Enable route synchronization.
Check whether route conflicts exist between the route table of the Enterprise Edition transit router and the route table of the VPC.
Check whether a routing policy is configured for the route table of the Enterprise Edition transit router. Ensure that the routing policy allows the VPC to learn routes from the route table of the Enterprise Edition transit router. For more information, see Routing policy.

Basic Edition transit router

After a VPC is attached to a Basic Edition transit router, it learns the routes in the route table of the Basic Edition transit router by default. Perform the following steps to troubleshoot the issue:

Ensure that the route table of the Basic Edition transit router contains the required routes.
Check whether route conflicts exist between the route table of the Basic Edition transit router and the route table of the VPC.
Check whether a routing policy is configured for the route table of the Basic Edition transit router. Ensure that the routing policy allows the VPC to learn routes from the Basic Edition transit router. For more information, see Routing policy.

What do I do if a "Route Conflict" error is reported in a VPC route table or CEN?

For more information, see Solutions to the "Route Conflict" error reported in a VPC route table or CEN.

What do I do if the CIDR blocks of vSwitches in a VPC conflict?

For more information, see Solutions to CIDR block conflicts among vSwitches in a VPC in CEN.

After I attach network instances from different regions to a CEN instance, why can I ping services but cannot access them?

If both cross-region network instances are attached to Basic Edition transit routers, create an inter-region connection between the transit routers. For more information, see Create an inter-region connection using a Basic Edition transit router.
By default, a Basic Edition transit router provides a cross-region bandwidth of 1 Kbps, which is for connectivity tests only and does not support production traffic.
If one of the cross-region network instances is attached to an Enterprise Edition transit router, create an inter-region connection between the transit routers. For more information, see Create an inter-region connection using an Enterprise Edition transit router.

Why can't an SAG instance access an Alibaba Cloud service through an Enterprise Edition transit router?

Ensure that a VPC in the region where the Alibaba Cloud service is deployed has been attached to the Enterprise Edition transit router. For more information, see Create a VPC connection using an Enterprise Edition transit router.
Ensure that an inter-region connection is created between the transit router to which the CCN instance is attached and the Enterprise Edition transit router to which the VPC is attached. For more information, see Create an inter-region connection using an Enterprise Edition transit router.
Ensure that you have added a route to the Alibaba Cloud service in the route table of the Enterprise Edition transit router. The next hop of the route must be the VPC connection. For more information, see Configure access to Alibaba Cloud services.
Ensure that the route table of the transit router to which the CCN instance is attached contains a route to the CIDR block of the SAG instance.
Check the routing policies applied to the route table of the transit router to which the CCN instance is attached and the route table of the Enterprise Edition transit router. Ensure that the routing policies allow the CIDR blocks of the SAG instance and the Alibaba Cloud service to be advertised. For more information, see Routing policy.
Check whether the route table of the VPC contains a route to the CIDR block of the SAG instance. If not, manually add a route. The next hop of the route must be the VPC connection on the transit router. For more information, see Create and manage a route table.
Check whether route conflicts exist among the route table of the transit router to which the CCN instance is attached, the route table of the Enterprise Edition transit router, and the route table of the VPC.
Check the access control policies.
- Check whether an access control policy is configured for the SAG instance. Ensure that the access control policy allows the SAG instance to access the Alibaba Cloud service. For more information, see Access control overview.
- Check whether a network ACL is configured for the VPC. Ensure that the network ACL allows the SAG instance to access the Alibaba Cloud service. For more information about network ACLs, see Network ACL.
Check whether the services associated with the SAG instance and the Alibaba Cloud service are running as expected.

After two VPCs are attached to a CEN instance, why do the ECS instances in the VPCs fail to communicate with each other?

Troubleshoot the issue based on the edition of the transit router to which the VPCs are attached:

Enterprise Edition transit router

If at least one of the two VPCs is attached to an Enterprise Edition transit router, perform the following steps to troubleshoot the issue:

Ensure that the VPCs to which the ECS instances belong are attached to the same CEN instance.
The VPCs to which the communicating ECS instances belong must be attached to the same CEN instance. For more information, see Create a VPC connection.
Use the path analysis and instance diagnosis features of the transit router to troubleshoot the issue. For more information, see Use path analysis and Diagnose a transit router instance.
If the two VPCs are in different regions, ensure that an inter-region connection is created between the two transit routers. For more information, see Create an inter-region connection using an Enterprise Edition transit router.
Check whether network ACLs are configured for the two VPCs. Ensure that the network ACLs allow communication between the ECS instances. For more information about network ACLs, see Network ACL.
Check the security group rules applied to the two VPCs. Ensure that the security group rules allow communication between the ECS instances. For more information, see Query security group rules and Add a security group rule.
Ensure that the CIDR blocks of the two VPCs have been published to the transit router. For more information, see Publish a route to a transit router.
Check whether routing policies exist in the route tables of the transit routers to which the two VPCs are attached. Ensure that the routing policies allow communication between the CIDR blocks.
Check whether route conflicts exist between the route tables of the transit routers to which the two VPCs are attached and the route tables of the VPCs.
Resolve the route conflicts. For more information, see What do I do if a "Route Conflict" error is reported in a VPC route table or CEN? and What do I do if the CIDR blocks of vSwitches in a VPC conflict?.
If the issue persists, capture packets on the ECS instances to check whether data packets are received.

Basic Edition transit router

If both of the two VPCs are attached to Basic Edition transit routers, perform the following steps to troubleshoot the issue:

Check whether the VPCs that contain the ECS instances are attached to the same CEN instance.
The VPCs that contain the communicating ECS instances must be attached to the same CEN instance. For more information, see Create a VPC connection.
If the two VPCs are in different regions, ensure that you have created an inter-region connection between the two transit routers. For more information, see Create an inter-region connection using a Basic Edition transit router.
Verify that network ACLs are configured for the instances in the two VPCs. Ensure that the network ACLs allow the ECS instances to communicate with each other. For more information about network ACLs, see Network ACL.
Check the security group rules for the two ECS instances. Ensure that the rules allow the instances to communicate with each other. For more information, see Query security group rules and Add a security group rule.
Check whether the CIDR blocks of the two VPC instances that need to communicate with each other have been published to the transit router.
By default, a Basic Edition transit router automatically learns system routes from VPC instances. If you want the Basic Edition transit router to learn other routes from a VPC instance, publish those routes to the transit router. For more information, see Publish a route to a transit router.
Check whether routing policies exist in the route tables of the transit routers to which the two VPC instances are connected, and ensure that these policies allow communication between the CIDR blocks.
You can check for route conflicts between the route tables of the transit routers connected to the two VPC instances and the route tables of the VPC instances.
Resolve the route conflicts. For more information, see What do I do if a "Route Conflict" error is reported in a VPC route table or CEN? and What do I do if the CIDR blocks of vSwitches in a VPC conflict?.
If the issue persists, capture packets on the ECS instances to check for incoming data packets.

After I use CEN to connect two VPCs, why can I ping the peer instance but cannot connect to its Telnet port?

For more information, see After connecting two VPCs with CEN, why can I ping the peer instance but not connect to its Telnet port?.

After I create an Express Connect circuit, why can't I ping the IP address of the Express Connect circuit and the IP address of the data center?

For more information, see After creating an Express Connect circuit, why can't I ping the Alibaba Cloud-side or customer-side IP address of the Express Connect circuit?.

After I create a CEN instance and grant cross-account permissions, why does the network connection fail?

For more information, see Why does the network connection fail after a cross-account VPC instance is authorized to use a CEN instance?.

When I create a VPC firewall for a CEN instance, why is the "Creation is not allowed due to an unauthorized network instance" error reported?

For more information, see Why do I receive the "Creation is not allowed due to an unauthorized network instance" error when I create a VPC firewall for a CEN instance?.

What can I do if Cloud Enterprise Network fails to load cross-account VPC-connected instances?

Perform the following steps to troubleshoot the issue:

Check whether the VPC instance and the CEN instance belong to accounts of the same type.
For example, if a VPC instance belongs to an account on the Alibaba Cloud China website and the CEN instance belongs to an account on the Alibaba Cloud International website, you cannot attach the VPC instance to the CEN instance. A CEN instance can connect only to VPC instances that belong to accounts on the same Alibaba Cloud platform.
Check whether the CEN instance is authorized to attach the cross-account VPC instance. For more information, see Authorize a VPC instance.

Can I change a VPC connection that is attached to multiple vSwitches to be attached to only one vSwitch?

Yes, you can. However, high availability (HA) is lost after the modification, and service traffic may be interrupted. Take preventive measures in advance to avoid service disruption.

To do this, call the UpdateTransitRouterVpcAttachmentZones operation and specify the RemoveZoneMappings parameter.

Why does the route table of a Basic Edition transit router contain a route whose next hop is a VPC in a different region?

This occurs because Basic Edition transit routers within the same CEN instance propagate routes to each other. This is the default routing logic for Basic Edition transit routers.

By default, a test bandwidth of 1 Kbps is available between Basic Edition transit routers. This bandwidth is for network connectivity tests only. To carry cross-region service traffic, you must purchase a bandwidth plan and configure an inter-region connection.

To control route propagation, you can upgrade to the Enterprise Edition.