
Virtual Private Cloud: Create and manage a VPC peering connection

Last Updated: Jan 26, 2024

A Virtual Private Cloud (VPC) peering connection is a private network connection between two VPCs. After you create a VPC peering connection between two VPCs, the VPCs can communicate with each other over the connection. This topic describes how to create and manage a VPC peering connection.

Prerequisites

The two VPCs that you want to connect by using a VPC peering connection are created. If the VPCs belong to different Alibaba Cloud accounts, make sure that both the requester and accepter accounts have a VPC. For more information, see Create and manage a VPC.

Create a VPC peering connection

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click VPC Peering Connection.
  3. If this is the first time you create a VPC peering connection, click Activate CDT on the VpcPeer page, and click Activate in the message that appears.

    If the VPCs belong to different Alibaba Cloud accounts, make sure that both the requester and accepter accounts have the Cloud Data Transfer (CDT) service activated.

  4. On the VpcPeer page, click Create VPC Peering Connection.

  5. On the Create VPC Peering Connection page, set the following parameters and click OK.

    You can create VPC peering connections of the following types: same-account and intra-region, same-account and inter-region, cross-account and intra-region, and cross-account and inter-region.

    The following table describes the parameters that are required when you create different types of VPC peering connections.

    Parameter: Description

    Peering Connection Name: Enter a name for the VPC peering connection.

    Resource Group: Select a resource group for the peering connection.

    Requester VPC: You can select a VPC as the requester by using one of the following methods:

    • Enter a VPC name or ID in the drop-down list to perform fuzzy search.

    • Select a VPC from the drop-down list.

    Accepter Account Type: Select whether the requester VPC and accepter VPC belong to the same Alibaba Cloud account. Valid values:

    • Same-Account: The requester VPC and accepter VPC belong to the same Alibaba Cloud account.

      After you initiate a connection request from the requester VPC, the VPC peering connection is automatically established. You do not need to accept the request on the accepter VPC.

    • Cross-Account: The requester VPC and accepter VPC belong to different Alibaba Cloud accounts, for example, different accounts on the Alibaba Cloud China site, or an Alibaba Cloud China site account and an Alibaba Cloud International site account.

      After you initiate a connection request from the requester VPC, you can accept or reject the request on the accepter VPC to establish or deny the VPC peering connection.

      If you select Cross-Account, enter the ID of the Alibaba Cloud account to which the accepter VPC belongs in the UID of the receiver field.

    Accepter Region Type: Select whether the requester VPC and accepter VPC belong to the same region. Valid values:

    • Intra-Region: The requester VPC and accepter VPC belong to the same region.

    • Inter-Region: The requester VPC and accepter VPC belong to different regions.

      If you select Inter-Region, select the region where the accepter VPC is deployed from the Accepter Region drop-down list.

    Accepter VPC: You can select a VPC as the accepter by using one of the following methods:

    • Enter a VPC name or ID in the drop-down list to perform fuzzy search.

    • Select a VPC from the drop-down list.

  6. If the VPCs belong to different Alibaba Cloud accounts, the accepter VPC can accept or reject the request. The following procedure shows how to accept or reject a request:

    1. Log on to the VPC console with the account of the accepter VPC.

    2. In the left-side navigation pane, click VPC Peering Connection.

    3. On the VpcPeer page, find the VPC peering connection and perform the following operations:

      The status of the peering connection is Peer Accepting.

      • To accept the request, click Accept in the Actions column.

        Then, the status of the peering connection changes from Peer Accepting to Updating. After the peering connection is activated, it enters the Activated state and is ready for use.

      • To reject the request, click Reject in the Actions column.

        Then, the status of the peering connection changes from Peer Accepting to Rejected.

        A VPC peering connection in the Rejected state is unavailable. You can delete the VPC peering connection on the requester VPC or accepter VPC.

      Note

      If you do not accept or reject the request within seven days, the VPC peering connection enters the Expired state.

  7. On the VpcPeer page, check the status of the peering connection.

    • An activated VPC peering connection is in the Activated state and is ready for use.

    • You can view the following information about the requester VPC and accepter VPC: the VPC ID, region, CIDR block, and owner Alibaba Cloud account.

Configure routes

After you create a VPC peering connection, you must add a route that points to the peer VPC for both the accepter VPC and requester VPC.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click VPC Peering Connection.
  3. On the VpcPeer page, find the peering connection that you want to manage and perform the following steps to add routes:

    • Configure a route for the requester VPC

      1. Click Configure Route in the Requester VPC column.

      2. In the Configure Route dialog box, set the following parameters and click OK.

        Parameter: Description

        VPC: The requester VPC is automatically displayed.

        Route Table: Select a route table associated with the VPC from the drop-down list.

        Name: Enter a name for the route.

        Destination CIDR Block:

        • To add an IPv4 route:

          Select IPv4 and enter the IPv4 CIDR block of the accepter VPC.

        • To add an IPv6 route:

          Select IPv6 and enter the IPv6 CIDR block of the accepter VPC.

        Next Hop: The next hop is automatically displayed.

    • Configure a route for the accepter VPC that belongs to the same Alibaba Cloud account

      1. Click Configure Route in the Accepter column.

      2. In the Configure Route dialog box, set the following parameters and click OK.

        Parameter: Description

        VPC: The system automatically displays the accepter VPC.

        Route Table: Select a route table associated with the VPC from the drop-down list.

        Name: Enter a name for the route.

        Destination CIDR Block:

        • To add an IPv4 route:

          Select IPv4 and enter the IPv4 CIDR block of the requester VPC.

        • To add an IPv6 route:

          Select IPv6 and enter the IPv6 CIDR block of the requester VPC.

        Next Hop: The next hop is automatically displayed.

    • Configure a route for the accepter VPC that belongs to a different Alibaba Cloud account

      1. Log on to the VPC console with the account of the accepter VPC.

      2. In the left-side navigation pane, click VPC Peering Connection.

      3. On the VpcPeer page, find the VPC peering connection that you want to manage and click Configure Route in the Accepter column.

      4. The subsequent operations are the same as the operations that you perform to configure a route for the accepter VPC that belongs to the same Alibaba Cloud account.

    After you configure the routes, you can click the ID of the VPC peering connection on the VpcPeer page to view the information about the routes in the Route Entry List section.
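
The route requirement in this section (each VPC needs its own route to the other VPC's CIDR block, with the peering connection as the next hop) can be checked offline against exported route entries. The following Python code is an added example, not Alibaba Cloud code; it goes one step beyond the procedure by also flagging routes whose destination is not contained in the peer VPC's CIDR blocks. The function names, the (destination CIDR, next hop ID) input shape, and the IDs and CIDR blocks are constructed assumptions.

```python
import ipaddress

def audit_side(side, routes, peer_cidrs, pcc_id):
    """Audit one VPC's routes that use the peering connection as next hop.

    routes: (destination CIDR, next hop ID) pairs from that VPC's route table.
    peer_cidrs: IPv4/IPv6 CIDR blocks of the VPC on the other side.
    Returns a list of finding strings (empty when nothing is flagged).
    """
    peers = [ipaddress.ip_network(c) for c in peer_cidrs]
    via_pcc = [ipaddress.ip_network(dst) for dst, hop in routes if hop == pcc_id]
    findings = []
    for peer in peers:
        # Without a route toward this block, traffic to it has no path over the peering.
        if not any(r.version == peer.version and r.overlaps(peer) for r in via_pcc):
            findings.append(f"{side}: missing route to {peer}")
    for r in via_pcc:
        # A destination outside the peer's blocks sends unrelated traffic to the peer.
        if not any(p.version == r.version and r.subnet_of(p) for p in peers):
            findings.append(f"{side}: route {r} is not contained in the peer VPC's CIDR blocks")
    return findings

def audit_peering(requester, accepter, pcc_id):
    """Check both directions, since each VPC needs its own route to the other."""
    return (audit_side("requester", requester["routes"], accepter["cidrs"], pcc_id)
            + audit_side("accepter", accepter["routes"], requester["cidrs"], pcc_id))

# Constructed sample data; the IDs and CIDR blocks are placeholders (assumptions).
PCC = "pcc-example"
REQUESTER = {
    "cidrs": ["10.0.0.0/16"],
    # IPv4 route to the accepter exists, the IPv6 route was forgotten.
    "routes": [("172.16.0.0/16", PCC), ("0.0.0.0/0", "ngw-example")],
}
ACCEPTER = {
    "cidrs": ["172.16.0.0/16", "2001:db8:1::/56"],
    # Destination typed as /8 instead of the requester's /16.
    "routes": [("10.0.0.0/8", PCC)],
}

if __name__ == "__main__":
    for finding in audit_peering(REQUESTER, ACCEPTER, PCC):
        print(finding)
```

A missing route on either side is the usual reason the ping test succeeds in one direction only.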

Test network connectivity

Before you begin, make sure that Elastic Compute Service (ECS) instances are deployed in the requester and accepter VPCs, and that the security group rules of the ECS instances allow access between the VPCs. For more information, see Create a security group. Perform the following operations to test network connectivity between the requester and accepter VPCs:

  1. Log on to an ECS instance in the requester VPC. For more information, see Connection methods.

  2. Run the ping command to ping the private IP address of an ECS instance in the accepter VPC.

    If you can receive echo reply packets, it indicates that the requester VPC can access the accepter VPC.

  3. Log on to an ECS instance in the accepter VPC.

  4. Run the ping command to ping the private IP address of an ECS instance in the requester VPC.

    If you can receive echo reply packets, it indicates that the accepter VPC can access the requester VPC.

    After you verify the connectivity, you can deploy your services in the VPCs.

    Note

    If the communication fails, refer to ECS FAQ and Security FAQ to troubleshoot the issue.

Delete a VPC peering connection

You can delete a VPC peering connection in one of the following ways:

  • Unforceful deletion: Before you delete the VPC peering connection, you must first delete the route that points to the VPC peering connection from the route table. For more information about how to delete custom routes, see Create and manage a route table.

  • Forceful deletion: You do not need to delete the routes that point to the VPC peering connection from the route table. After you delete the VPC peering connection, the system automatically deletes the routes.

Warning

After you delete a VPC peering connection, it cannot be restored, and access to the VPC is disabled. Proceed with caution.

  1. Log on to the VPC console.
  2. On the VpcPeer page, find the peering connection that you want to delete and click Delete in the Actions column.

  3. In the dialog box that appears, click OK.

    To forcefully delete a VPC peering connection, select I confirm that my services will not be affected and want to delete all the preceding VPC peering connections and routes in the dialog box.

What to do next

Modify the bandwidth of an inter-region VPC peering connection

  1. On the VpcPeer page, click the ID of the VPC peering connection that you want to modify.

  2. On the details page of the peering connection, find the Information section and click Edit on the right side of Bandwidth (Mbit/s).

  3. In the dialog box that appears, enter a new bandwidth value and click OK.

    The bandwidth value must be an integer greater than 0. The maximum bandwidth value is 1024.

Modify the name or description of a VPC peering connection

  1. On the VpcPeer page, click the ID of the VPC peering connection that you want to manage.

  2. On the details page of the peering connection, find the Information section and click Edit on the right side of VPC Peering Connection Name.

  3. In the dialog box that appears, enter a new name and click OK.

  4. On the details page of the peering connection, find the Information section and click Edit on the right side of Description.

  5. In the dialog box that appears, enter a new description and click OK.
