All Products
Document Center

Use CSG in multiple VPCs connected through Express Connect

Last Updated: Sep 17, 2019


CSG is a storage service that integrates your on-premise applications, infrastructure, and data storage with Alibaba Cloud. You can deploy CSG with industry-standard storage protocols and connect the existing storage applications and workloads to CSG. This allows you to directly access the storage and computing services of Alibaba Cloud.

CSG is currently in beta testing. It supports automatic deployment and simplifies the operation process. CSG supports ECS instances in the same VPCs by default. In Alibaba Cloud, a large number of enterprise users connect multiple VPCs to support large-scale ECS clusters. CSG V1.0.31 and earlier versions only support connecting ECS instances that are in the same VPC. They do not support instances in interconnected VPCs. CSG V1.0.31 and later versions support multiple VPC network CIDR blocks. CSG now supports all VPC CIDR blocks that meet the following Alibaba Cloud standards:,, and The following example describes how to configure networks, Express Connect, and security groups in three interconnected VPCs so that instances in these VPCs can access CSG services.


The following example uses three VPCs that are interconnected through Express Connect to introduce how to share CSG services in all VPC CIDR blocks.

Network topology and configuration



SG stands for security group

VPC stands for virtual private cloud, followed by its CIDR block such as

2、The following sections describes how to configure a gateway for VPC-172 and establish peering connections from VPC-172 to VPC-10 and from VPC-172 to VPC-192. For more information about how to create a express connect, see Interconnect two VPCs under the same account.


Configure routes

After a peering connection is established, you need to configure routes for the interconnected VPCs, as shown in the following figure:


Click Add Route and enter the CIDR block of the VPC or other VSwitches that you want to connect with. Click OK. The CIDR blocks of the peer VPC in this step are (VPC-192) and (VPC-10).


After the route is configured and if the two connections have successfully been established, you can configure security group rules. You can use an ECS instance in VPC-172 to ping ECS instances in VPC-192 and VPC-10 to test whether peering connections are available.

Configure security group rules

After a peering connection is established between two VPCs, you need to configure security group rules to connect ECS instances across the two VPCs. You can create multiple security groups in a VPC and configure security group rules as needed. This example uses three security groups that are created in three different VPCs, which are SG-10, SG-172, and SG-192.

You need to enable three more ports. In the CSG console, select Security Group in Authorization Type, and enter security groups SG-10 and SG-192 in Authorization Objects, as shown in the following figure:


Configure security group rules for security group SG-10 and security group SG-192, as shown in the following figure:


If you need to use the LDAP and AD, add two more rules in the security group: TCP 53/636 and UDP 53/636.

Mount share service to a client

The ECS instance that you have configured is connected with CSG services.

1.You can use the following command to mount the NFS share service to a Linux client. For more information, see Access an NFS share from a client.

mount.nfs<nfs shared name> <linux local folder>

After the configuration is complete, you can use the df -ah command to view the results, as shown in the following figure:


The local directory/mnt/test is connected with OSS. OSS serves as a local folder.

2.You can also mount CIFS share service on a Windows client, as shown in the following figure. For more information, seeAccess an SMB share from a client.


3.For configuring volumes on a Windows or Linux client, see Access volumes.

Notes on upgrading CSG

CSG V1.0.32 and later versions support CIDR blocks of VPCs that are connected with each other. Due to the deployment limitations of the previous network environment, earlier versions of CSG cannot support all CIDR blocks. Supported CIDR blocks are listed in the following table.



By configuring security group rules, ECS instances in CEN can receive files transferred using the NFS, CIFS, and iSCSI protocols and store them in OSS. CSG provides services for multiple scenarios such as storage extension, sharing and distributing data across regions, and archiving and storing backup data. It is also compatible with traditional applications. For more information, see CSG Applicable Scenarios.