Cloud Enterprise Network:Use Enterprise Edition transit routers to connect VPCs across regions and accounts

Scenario

The following scenario is used as an example. A company uses Account A to deploy a VPC named VPC1 in the China (Hangzhou) region and a VPC named VPC3 in the China (Qingdao) region. The company uses Account B to deploy a VPC named VPC2 in the China (Hangzhou) region. ECS instances are deployed in the VPCs. The VPCs cannot communicate with each other. Due to business growth, the company wants to enable the VPCs to communicate with each other.

In this case, the company can use CEN to connect VPC1 and VPC2 to the Enterprise Edition transit router in the China (Hangzhou) region that belongs to Account A. Then, the company can connect VPC3 to the Enterprise Edition transit router in the China (Qingdao) region that belongs to Account A. This way, the company can use bandwidth plans to create inter-region connections between the transit routers in the China (Hangzhou) and China (Qingdao) regions to enable network communication between VPC1, VPC2, and VPC3.

Prerequisites

• A VPC is deployed in the China (Hangzhou) region and another VPC is deployed in the China (Qingdao) region by using Account A. A VPC is deployed in the China (Hangzhou) region by using Account B. ECS instances are deployed in the VPCs. For more information, see Create a VPC with an IPv4 CIDR block.

  Sufficient vSwitches are deployed for each VPC in the zones of the Enterprise Edition transit router. Each vSwitch has at least one idle IP address.

  • If the Enterprise Edition transit router supports only one zone, for example, China (Nanjing-Local Region), the VPC must have at least one vSwitch in the zone.
  • If the Enterprise Edition transit router supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.

  For more information, see How a VPC connection works.

  Click to view regions and zones that support Enterprise Edition transit routers

  Table 1. Regions and zones that support Enterprise Edition transit routers

  Area	Region	Zone
  Chinese mainland	China (Hangzhou)	Zone H, Zone I, Zone J, and Zone K
  	China (Shanghai)	Zone F, Zone G, Zone E, Zone B, Zone N, Zone M, and Zone L
  	China (Nanjing - Local Region)	Zone A
  	China (Fuzhou - Local Region)	Zone A
  	China (Shenzhen)	Zone D, Zone E, Zone F, and Zone A
  	China (Heyuan)	Zone A and Zone B
  	China (Guangzhou)	Zone A and Zone B
  	China (Qingdao)	Zone B and Zone C
  	China (Beijing)	Zone H, Zone G, Zone J, Zone K, Zone I, and Zone L
  	China (Zhangjiakou)	Zone A, Zone B, and Zone C
  	China (Hohhot)	Zone A and Zone B
  	China (Ulanqab)	Zone A, Zone B, and Zone C
  	China (Chengdu)	Zone A and Zone B
  Asia Pacific	Singapore (Singapore)	Zone A, Zone B, and Zone C
  	China (Hong Kong)	Zone B, Zone C, and Zone D
  	Malaysia (Kuala Lumpur)	Zone A and Zone B
  	India (Mumbai)	Zone A and Zone B
  	Indonesia (Jakarta)	Zone A, Zone B, and Zone C
  	Philippines (Manila)	Zone A
  	Japan (Tokyo)	Zone A, Zone B, and Zone C
  	South Korea (Seoul)	Zone A
  	Thailand (Bangkok)	Zone A
  Europe	Germany (Frankfurt)	Zone A and Zone B
  	UK (London)	Zone A and Zone B
  North America	US (Virginia)	Zone A and Zone B
  	US (Silicon Valley)	Zone A and Zone B
  Australia	Australia (Sydney)	Zone A and Zone B
  Middle East	SAU (Riyadh)	Zone A and Zone B

  The following table shows the CIDR blocks that are allocated to the VPCs. Make sure that the CIDR blocks do not overlap.

  Item	VPC1	VPC2	VPC3
  Network instance owner account	Account A	Account B	Account A
  Network instance region	China (Hangzhou)	China (Hangzhou)	China (Qingdao)
  Network instance CIDR block	VPC CIDR block: 192.168.0.0/16 vSwitch 1 CIDR block: 192.168.20.0/24 vSwitch 2 CIDR block: 192.168.21.0/24	VPC CIDR block: 10.0.0.0/16 vSwitch 1 CIDR block: 10.0.0.0/24 vSwitch 2 CIDR block: 10.0.1.0/24	VPC CIDR block: 172.16.0.0/16 vSwitch 1 CIDR block: 172.16.0.0/24 vSwitch 2 CIDR block: 172.16.1.0/24
  vSwitch zone	vSwitch 1 in Zone H vSwitch 2 in Zone I	vSwitch 1 in Zone H vSwitch 2 in Zone I	vSwitch 1 in Zone B vSwitch 2 in Zone C
  ECS instance IP address	192.168.20.161	10.0.0.33	172.16.0.89

• You must be aware of the security group rules that apply to the ECS instances in the VPCs. Make sure that the security group rules allow the VPCs to communicate with each other. For more information, see View security group rules and Add a security group rule.

Procedure

Step 1: Create a CEN instance

In this example, VPC2 within Account B is connected to the CEN instance within Account A to enable network communication among VPC1, VPC2, and VPC3. You must first use Account A to create a CEN instance.

1. Log on to the CEN console with Account A.

2. On the Instances page, click Create CEN Instance.
3. In the Create CEN Instance dialog box, set the following parameters and click OK.
   • Name: Enter a name for the CEN instance.
   • Description: Enter a description for the CEN instance.

Step 2: Create a transit router

Before you can create network instance connections, you need to create a transit router in the region where the network instance is deployed.

1. Log on to the CEN console with Account A.

2. On the Instances page, click the ID of the CEN instance created in Step 1.

3. Navigate to the Basic Settings > Transit Router tab and click Create Transit Router.

4. In the Create Transit Router dialog box, set the parameters and click OK.

   The following table describes the parameters that are used to create a transit router in China (Hangzhou) and another one in China (Qingdao).

   Parameter	Description	China (Hangzhou)	China (Qingdao)
   Region	Select the region where you want to create the transit router.	In this example, China (Hangzhou) is selected.	In this example, China (Qingdao) is selected.
   Edition	The edition of the transit router.	The transit router edition that is supported in the selected region is automatically displayed.	The transit router edition that is supported in the selected region is automatically displayed.
   Activate Multicast	Specify whether to enable multicast.	In this example, the default setting is used. Multicast is disabled.	In this example, the default setting is used. Multicast is disabled.
   Name	Enter a name for the transit router.	In this example, a custom name is specified for the transit router.	In this example, a custom name is specified for the transit router.
   Description	Enter a description for the transit router.	In this example, a custom description is specified for the transit router.	In this example, a custom description is specified for the transit router.
   Transit Router CIDR	Enter a CIDR block for the transit router. For more information, see Transit router CIDR blocks.	In this example, no CIDR block is specified for the transit router.	In this example, no CIDR block is specified for the transit router.

Step 3: Grant permissions to Account A

Before you can connect VPC2 that belongs to Account B to the transit router that belongs to Account A, you must grant the required permissions to Account A. Otherwise, the transit router that belongs to Account A cannot connect to VPC2.

1. Log on to the VPC console with Account B.

2. In the top navigation bar, select the region where VPC2 is deployed.

   In this example, China (Hangzhou) is selected.

3. On the VPCs page, click the ID of VPC2.

4. Click the Authorize Cross Account Attach CEN tab. Then, click Authorize Cross Account Attach CEN.

5. In the Attach to CEN dialog box, set the following parameters and click OK.

   Parameter	Description
   Peer Account UID	Enter the UID of the Alibaba Cloud account to which the transit router belongs. In this example, the UID of Account A is used.
   Peer Account CEN ID	Enter the ID of the CEN instance to which the transit router belongs. In this example, the ID of the CEN instance created in Step 1 is used.
   Payer	Select the account that pays the bills. CEN Instance Owner: The account to which the transit router belongs pays the connection fee and data transfer fee. This is the default value. VPC Owner: The account to which the VPC belongs pays the connection fee and data transfer fee. The default value is used in this example. Important Proceed with caution. Your services may be disrupted if you change the payer account. For more information, see Change the account that pays the bills.

Step 4: Connect the VPCs to the transit router

After Account A acquires the required permissions, you must connect VPC1, VPC2, and VPC3 to the transit router that belongs to Account A. This enables network communication among the VPCs.

1. Log on to the CEN console with Account A.

2. On the Instances page, click the ID of the CEN instance created in Step 1.

3. Navigate to the Basic Settings > Transit Router tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.

4. On the Connection with Peer Network Instance page, set the following parameters and click OK.

   The following table describes the settings of each VPC. Connect VPC1, VPC2, and VPC3 to the transit router that belongs to Account A.

   Parameter	Description	VPC1	VPC2	VPC3
   Network Type	Select the type of the network instance that you want to connect.	Virtual Private Cloud (VPC)	Virtual Private Cloud (VPC)	Virtual Private Cloud (VPC)
   Region	Select the region where the network instance is deployed.	China (Hangzhou)	China (Hangzhou)	China (Qingdao)
   Transit Router	The ID of the transit router in the selected region is automatically displayed.
   Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs.	Your Account	Different Account If you select Different Account, you need to specify the ID of Account B.	Your Account
   Billing Method	Default value: Pay-As-You-Go.
   Attachment Name	Enter a name for the network connection.	VPC1-test	VPC2-test	VPC3-test
   Network Instance	Select the ID of the network instance.	VPC1	VPC2	VPC3
   VSwitch	Select a vSwitch in a zone of the transit router. If your transit router is deployed in a region that supports multiple zones and vSwitches are deployed in each of the zones, you can select multiple zones and a vSwitch in each zone to enable zone-disaster recovery.	Hangzhou Zone H: vSwitch 1 Hangzhou Zone I: vSwitch 2	Hangzhou Zone H: vSwitch 1 Hangzhou Zone I: vSwitch 2	Qingdao Zone B: vSwitch 1 Qingdao Zone C: vSwitch 2
   Advanced Settings	The following advanced features are selected by default. You can clear or select the advanced features based on business requirements. Keep the default settings for VPC1, VPC2, and VPC3. All advanced features are enabled for the VPCs. Associate with Default Route Table of Transit Router After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table. Propagate System Routes to Default Route Table of Transit Router After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router. Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of the routes point to the VPC. The routes are used to forward traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs.

   After the VPCs are connected to the transit router, VPC1 and VPC2 can communicate with each other because they are in the same region. VPC3 cannot communicate with VPC1 or VPC2 because they are in different regions. To enable network communication between VPC1 and VPC3, and between VPC2 and VPC3, you must purchase a bandwidth plan that supports inter-region connections.

Step 5: Purchase a bandwidth plan

1. Log on to the CEN console with Account A.

2. On the Instances page, click the ID of the CEN instance created in Step 1.

3. On the details page of the CEN instance, choose Basic Settings > Bandwidth Plans, and click Purchase Bandwidth Plan(Subscription).

4. On the buy page, set the following parameters, click Buy Now, and then complete the payment.

   Parameter	Description
   CEN ID	Select the CEN instance for which you want to purchase a bandwidth plan. After you complete the payment, the bandwidth plan is automatically associated with the CEN instance. In this example, the CEN instance created in Step 1 is used.
   Area A	Select one of the areas where you want to enable inter-region communication. In this example, Mainland China is selected. Note You cannot change the areas after the bandwidth plan is purchased. For more information, see Work with a bandwidth plan.
   Area B	Select the other area where you want to enable inter-region communication. In this example, Mainland China is selected.
   Metering Method	Displays the billing method of the bandwidth plan. Default value: Pay- By-Bandwidth. For more information, see Billable item.
   Bandwidth	Select a bandwidth value based on your business requirements. Unit: Mbit/s.
   Bandwidth Plan Nam	Enter a name for the bandwidth plan.
   Subscription Duration	Select a subscription duration for the bandwidth plan. You can select Auto-renewal to enable auto-renewal for the bandwidth plan.
   Resource Group	Select the resource group to which the bandwidth plan belongs.

Step 6: Create inter-region connections

1. Log on to the CEN console with Account A.

2. On the Instances page, click the ID of the CEN instance created in Step 1.

3. Navigate to the Basic Settings > Bandwidth Plans tab and click Set Region Connection.

4. On the Connection with Peer Network Instance page, set the following parameters and click OK.

   Parameter	Description
   Network Type	Select Inter-region Connection.
   Region	Select one of the regions to be connected. In this example, China (Hangzhou) is selected.
   Transit Router	The ID of the transit router in the selected region is automatically displayed.
   Attachment Name	Enter a name for the inter-region connection. In this example, Cross-Region-test is used.
   Peer Region	Select the other region to be connected. In this example, China (Qingdao) is selected.
   Transit Router	The ID of the transit router in the selected region is automatically displayed.
   Bandwidth Allocation Mode	The following modes are supported: Allocate from Bandwidth Plan: Bandwidth resources are allocated from a purchased bandwidth plan. Pay-By-Data-Transfer: You are charged for data transfer over the inter-region connection. In this example, Allocate from Bandwidth Plan is selected.
   Bandwidth Plan	Select the bandwidth plan that is associated with the CEN instance.
   Bandwidth	Specify a maximum bandwidth value for the inter-region connection. Unit: Mbit/s.
   Advanced Settings	By default, all advanced features are selected. In this example, the default settings are used. Associate with Default Route Table of Transit Router After this feature is enabled, the inter-region connection is automatically associated with the default route table of the transit router. The transit router uses the default route table to forward network traffic across regions. Propagate System Routes to Default Route Table of Transit Router After this feature is enabled, the inter-region connection advertises system routes to the default route table of the transit router. Automatically Advertise Routes to Peer Region After this feature is enabled, the routes of the transit router deployed in the current region are automatically advertised to the route table of the peer transit router. The routes are used for cross-region communication between network instances.

Step 7: Test network connectivity

After you complete the preceding steps, VPC1, VPC2, and VPC3 can communicate with each other. This section describes how to test the network connectivity between the VPCs.

1. Test the network connectivity between VPC1 and VPC2.

   1. Log on to an ECS instance that is deployed in VPC 1. For more information, see Connection methods.

   2. On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC2.

      ping <The IP address of the ECS instance in VPC2>

      The following echo reply packet indicates that VPC1 is connected to VPC2.

      

2. Test the network connectivity between VPC1 and VPC3.

   1. Log on to an ECS instance in VPC 3.

   2. On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC1.

      ping <The IP address of the ECS instance in VPC1>

      The following echo reply packet indicates that VPC1 is connected to VPC3.

3. Test the network connectivity between VPC2 and VPC3.

   1. Log on to an ECS instance in VPC 3.

   2. On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC2.

      ping <The IP address of the ECS instance in VPC2>

      The following echo reply packet indicates that VPC2 is connected to VPC3.

Route descriptions

In this topic, the CEN instance automatically learns and advertises routes for the VPCs when you connect the VPCs or create inter-region connections.

• The transit routers in the China (Hangzhou) and China (Qingdao) regions automatically learn routes from VPC1, VPC2, and VPC3.

• The CEN instance automatically adds the following route entries to the route tables of VPC1, VPC2, and VPC3: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops are the network instance connections.

  Network traffic from VPC1, VPC2, and VPC3 is routed to the transit routers. The transit routers enable the VPCs to communicate with each other.