Cloud Enterprise Network: CreateTransitRouterCidr

Last Updated: Jul 19, 2024

Creates a custom CIDR block for a transit router. Custom CIDR blocks of a transit router are similar to the CIDR blocks of the loopback interface of a router.

Operation description

You can specify a CIDR block for a transit router. The CIDR block works similarly to the CIDR block of the loopback interface on a router. IP addresses within the CIDR block can be assigned to IPsec-VPN connections. For more information, see Transit router CIDR blocks.

The CreateTransitRouterCidr operation can be used to create a CIDR block only after you create a transit router.

The CIDR block must meet the following requirements:

  • Only Enterprise Edition transit routers support custom CIDR blocks.

  • For more information, see Limits in transit router CIDR blocks.

  • Each transit router supports at most five CIDR blocks. The subnet mask of a CIDR block must be 16 bits to 24 bits in length.

  • The following CIDR blocks and their subnets are not supported:,,, and

  • The CIDR block cannot overlap with the CIDR blocks of the network instances that communicate with each other by using the CEN instance.

  • On the same CEN instance, each transit router CIDR block must be unique.

  • When you create the first VPN connection after you add a CIDR block for a transit router, three CIDR blocks within the CIDR block are reserved. An IP address is allocated from the remaining CIDR blocks to the IPsec-VPN connection.

    You can call the ListTransitRouterCidrAllocation operation to query reserved CIDR blocks and IP addresses allocated to network connections.
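
The requirements above can be checked locally before the API is called. The following pre-flight check is an added example, not code from this documentation or its SDK; the function name, its arguments and the sample CIDRs are assumptions, and the unsupported ranges must be supplied by the caller because they are not listed on this page.

```python
import ipaddress

MAX_CIDRS_PER_TRANSIT_ROUTER = 5   # "at most five CIDR blocks"
MIN_PREFIX, MAX_PREFIX = 16, 24    # mask must be 16 to 24 bits


def check_transit_router_cidr(candidate, router_cidrs, cen_cidrs,
                              instance_cidrs, unsupported=()):
    """Return a list of rule violations; an empty list means the CIDR passes.

    router_cidrs   - blocks already configured on this transit router
    cen_cidrs      - transit router blocks already used on the same CEN instance
    instance_cidrs - CIDRs of network instances that communicate through the CEN
    unsupported    - caller-supplied ranges (not listed on this page)
    """
    try:
        # strict=True rejects host bits, e.g. 10.1.2.3/24
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"mask /{net.prefixlen} outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    if len(router_cidrs) >= MAX_CIDRS_PER_TRANSIT_ROUTER:
        problems.append("transit router already has five CIDR blocks")
    # Any overlap is flagged. For unsupported ranges this is slightly stricter
    # than "the blocks and their subnets", which errs on the safe side.
    for label, blocks in (("unsupported range", unsupported),
                          ("network instance CIDR", instance_cidrs)):
        for block in blocks:
            other = ipaddress.ip_network(block)
            if net.version == other.version and net.overlaps(other):
                problems.append(f"overlaps {label} {block}")
    # Uniqueness across the CEN instance: an identical block is a duplicate.
    for block in cen_cidrs:
        if ipaddress.ip_network(block) == net:
            problems.append(f"duplicate of existing transit router CIDR {block}")
    return problems


if __name__ == "__main__":
    # Constructed sample data: one attached network already uses 10.1.2.0/24.
    for cidr in ("192.168.100.0/24", "10.1.0.0/16", "192.168.100.0/28"):
        print(cidr, check_transit_router_cidr(cidr, [], [], ["10.1.2.0/24"]))
```
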


OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters


The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters.

Note If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.

The ID of the transit router.


The ID of the region to which the transit router belongs.

You can call the DescribeChildInstanceRegions operation to query the most recent region list.


The name of the transit router CIDR block.

The name must be 1 to 128 characters in length, and cannot start with http:// or https://. You can also leave this parameter empty.


The description of the transit router CIDR block.

The description must be 1 to 256 characters in length, and cannot start with http:// or https://. You can also leave this parameter empty.


Specifies whether to perform a dry run. Valid values:

  • true: performs a dry run. The system checks the required parameters, request syntax, and limits. If the request fails the dry run, an error message is returned. If the request passes the dry run, the DryRunOperation error code is returned.
  • false (default): performs a dry run and sends the request.

The CIDR block of the transit router.

Specifies whether to allow the system to automatically add a route that points to the CIDR block to the route table of the transit router.

  • true (default)

    If you set the value to true, after you create a VPN attachment on a private VPN gateway and enable route learning for the VPN attachment, the system automatically adds the following route to the route table of the transit router that is in route learning relationship with the VPN attachment:

    A blackhole route whose destination CIDR block is the transit router CIDR block, which refers to the CIDR block from which gateway IP addresses are allocated to the IPsec-VPN connection. The blackhole route is advertised only to the route tables of virtual border routers (VBRs) connected to the transit router.

  • false


Response parameters


The response.


The ID of the CIDR block.


The ID of the request.



Sample success responses


{
  "TransitRouterCidrId": "cidr-0zv0q9crqpntzz****",
  "RequestId": "0876E54E-3E36-5C31-89F0-9EE8A9266F9A"
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | OverLappingExist.Cidr | The cidr overlapping exist. | The error message returned because CIDR overlapping is already enabled. |
| 400 | OperationUnsupported.TransitRouterCidr | Transit region does not support the operation. | The error message returned because this operation is not supported in the specified region. |
| 400 | IllegalParam.Cidr | The specified cidr is invalid. | The error message returned because the specified CIDR block is invalid. |
| 400 | IllegalParam.RegionId | The specified RegionId is illegal. | The error message returned because the specified region is invalid. |
| 400 | InstanceNotExist | The instance is not exist. | The error message returned because the specified instance does not exist. |
| 400 | InvalidParameter | Invalid parameter. | The error message returned because the parameter is set to an invalid value. |
| 400 | Unauthorized | The AccessKeyId is unauthorized. | The error message returned because you do not have the permissions to perform this operation. |

For a list of error codes, visit the Service error codes.

Change history

| Change time | Summary of changes | Operation |
| --- | --- | --- |
| 2024-01-18 | The Error code has changed | View Change Details |
| 2023-03-09 | The Error code has changed | View Change Details |