Multiple cloud enterprise networks using shared services - Cloud Enterprise Network

Networks of different Cloud Enterprise Networks (CEN) are isolated from each other by default. You can enable cross-CEN resource sharing by connecting a single virtual private cloud (VPC) to multiple CENs.

Scenario

To designate VPC3 as the shared service VPC for two CENs, connect VPC3 to transit routers 1 and 2 and configure routes of each VPC. After configuration, you can enable communication between VPC1 and VPC3, and communication between VPC2 and VPC3, while VPC1 and VPC2 remain isolated from each other.

Preparations

Before you begin, ensure that you have completed the following steps:

Set up two CEN instances named CEN1 and CEN2. Create one transit router in each CEN, named TR1 and TR2, in the China (Hangzhou) region.
Create three VPCs that are not connected to the transit router.
Create three ECS instances, each deployed under a different VPC, respectively named ECS1, ECS2, and ECS3.

The details of the three VPCs are as follows:

Parameter	VPC1	VPC2	VPC3
Region	China (Hangzhou)	China (Hangzhou)	China (Hangzhou)
IPv4 CIDR block	10.0.0.0/8	172.16.0.0/12	192.168.0.0/16
vSwitch 1	Zone J. CIDR block 10.0.0.0/24	Zone J. CIDR block 172.16.0.0/24	Zone J. CIDR block 192.168.0.0/24
vSwitch 2	Zone K. CIDR block 10.0.1.0/24	Zone K. CIDR block 172.16.1.0/24	Zone K. CIDR block 192.168.1.0/24
ECS (all in vSwitch 1)	IP address of ECS1: 10.0.0.1	IP address of ECS2: 172.16.0.1	IP address of ECS3: 192.168.0.1

Note

When planning resources, ensure:
1. The CIDR blocks of the three VPCs do not overlap.
2. In regions where Enterprise Edition transit routers support multiple zones, you must create vSwitches in at least two zones for disaster recovery.
For more information on creating each resource, see Create a CEN instance, Create a transit router, Create a VPC and a vSwitch, and Create an ECS instance.

Procedure

This section shows how to connect the VPCs to the transit routers, configure the route tables for each VPC, and finally verify the results.

Step 1: Connect VPCs to transit routers

Four VPC connections are created in the step. Below are the general instructions on how to create a VPC connection. For specific parameters, see the table provided after the steps.

Log on to the CEN console. On the Instances page, click the CEN instance ID.
On the Basic Information > Transit Router tab, find the transit router and click Actions in the Create Connection column.
On the Connection with Peer Network Instance page, configure the parameters based on the following table, and then click OK.

The table below lists the parameters for each step:

Parameter		VPC1 connects to TR1	VPC2 connects to TR2	VPC3 connects to TR1	VPC3 connects to TR2
CEN		`CEN1`	`CEN2`	`CEN1`	`CEN2`
Transit router		`TR1`	`TR2`	`TR1`	`TR2`
Connect Network Instance	Instance Type	VPC
	Region	China (Hangzhou)
	Resource Owner ID	Same Account
	Billing Method	Pay-as-you-go
	Attachment Name	`Attach1`	`Attach2`	`Attach3-1`	`Attach3-2`
	Network Instance	VPC1	VPC2	VPC3	VPC3
	vSwitch	The system automatically selects the vSwitch created under each VPC. Zone J: vSwitch 1 Zone K: vSwitch 2
	Advanced Settings	Select the first 2 options: Associate with Default Route Table of Transit Router Propagate System Routes to Default Route Table of Transit Router Keep the third option unchecked: Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC Note Here, we choose to not select the third option, which means the system will not automatically configure the VPC route tables. We will manually configure them in the later steps. Click to view the description of advanced settings Associate with Default Route Table of Transit Router When enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards traffic based on the default route table. Propagate System Routes to Default Route Table of Transit Router After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. The VPC can then communicate with other network instances that are connected to the transit router. Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of the routes point to the VPC. The routes are used to forward IPv4 traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs. Important If the route table of the VPC already contains routes with destination CIDR blocks 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, the system cannot automatically advertise these routes. You must manually add routes pointing to the VPC connection to enable communication between the VPC and the transit router. You can click Initiate Route Check to check whether the above routes exist in the network instance. If the VPC instance requires IPv6 communication, after creating the VPC connection, you must enable the route synchronization feature for the VPC connection or manually add IPv6 route entries pointing to the VPC connection in the VPC. Only then can the IPv6 traffic enter the transit router.

Step 2: Configure route tables

Add custom route entries to the route tables of the three VPCs.

Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top menu bar, select the China (Hangzhou) region.
On the Route Tables page, click the ID of the route table corresponding to VPC1.
On the details page, click the Route Entry List tab, and then click the Custom Route Entry tab.
Click Add Route Entry, enter the destination CIDR block 192.168.0.0/16 in the Add Route Entry panel that appears, choose Next Hop Type as Transit Router, select the transit router Attach1, and then click OK.
Return to the Route Tables page, repeat the same steps for the route tables of VPC2 and VPC3, and add custom route entries.
The table below displays the Custom Route required for each VPC.
VPC
Destination CIDR Block
Next Hop
Route Type
VPC1
192.168.0.0/16
Attach1
Custom
VPC2
192.168.0.0/16
Attach2
Custom
VPC3
10.0.0.0/8
Attach3-1
Custom
172.16.0.0/12
Attach3-2
Custom

Step 3: Verify results

Note

Before proceeding, ensure that the security group rules for the three ECS instances allow the ICMP protocol. For details, see Query security group rules and Add security group rules.

Log on to the ECS1 instance and run the ping command to access ECS3:

ping 192.168.0.1

As shown in the figure, if the ping is successful, it indicates that VPC1 and VPC3 are connected.

Use the same method to verify communication and isolation:

Log on to the ECS2 instance and run the ping command to access ECS3. A successful ping indicates that VPC2 and VPC3 are connected.
Log on to the ECS1 instance and run the ping command to access ECS2. A failed ping indicates that VPC1 and VPC2 are isolated from each other.

FAQs

How many CEN instances can be created in an Alibaba Cloud account?

The default limit is five, but you can request an increase. For more information, see Quota.

How many transit routers can a VPC connect to?

The default limit is five, but you can request an increase. For more information, see Quota.

What do I do if the network fails?

Check the routes, security groups, and the firewall settings of the ECS operating system.

Use the routes in this topic as an example. For ECS1 to access ECS3, verify the route tables of VPC1, the transit router, and VPC3 to ensure that there are appropriate round-trip route entries. For more information, see FAQs.

VPC	Destination CIDR Block	Next Hop	Route Type
VPC1	192.168.0.0/16	`Attach1`	Custom
VPC2	192.168.0.0/16	`Attach2`	Custom
VPC3	10.0.0.0/8	`Attach3-1`	Custom
VPC3	172.16.0.0/12	`Attach3-2`	Custom