
Cloud Enterprise Network:Enable secure network communication using Enterprise Edition transit routers

Last Updated:Jan 06, 2025

Enterprise Edition transit routers offer flexible route management features that allow you to route network traffic through an access control server for scrubbing. This ensures that only trusted traffic is permitted, thus enhancing network security. This topic explains how to use an Enterprise Edition transit router to enable and secure network communication.

Note

You can run the sample code in this example with one click.

Scenario

The following example shows how to use an Enterprise Edition transit router to establish secure intra-region communication. A company has deployed three VPCs that are isolated from one another in the China (Hong Kong) region. Security services are deployed in VPC1. To accommodate business growth and security requirements, the company wants to establish network communication between VPC2 and VPC3, and route network traffic to VPC1 for scrubbing.

In this case, the company can connect VPC2 and VPC3 to an Enterprise Edition transit router and then add custom routing policies to the transit router to establish communication between VPC2 and VPC3.


Prerequisites

  • Ensure that the region where the security VPC is deployed supports Enterprise Edition transit routers. For more information about the supported regions and zones, see Regions and zones that support Enterprise Edition transit routers.

  • Three VPCs have been created in the China (Hangzhou) region, with each VPC hosting ECS instances. For more information, see Create a VPC with an IPv4 CIDR block.

    Sufficient vSwitches are deployed in each VPC in the zones of the Enterprise Edition transit router. Each vSwitch has at least one idle IP address.

    • If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.

    • If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.

    For example, if you create a VPC in the China (Hangzhou) region, it must have at least one vSwitch in both Zone B and Zone C, with each vSwitch having at least one idle IP address.

    Note

    The Enterprise Edition transit router associates an elastic network interface (ENI) with each vSwitch in a zone. The ENIs function as ingresses that forward network traffic from VPCs to the transit router. Each ENI occupies one IP address.

    In this example, VPC1 has three vSwitches. vSwitch 1 hosts the access control service, whereas vSwitch 2 and vSwitch 3 are connected to the Enterprise Edition transit router. The following table describes the CIDR blocks allocated to the VPCs. Make sure that the CIDR blocks do not overlap and that the three ECS instances use the Alibaba Cloud Linux image.

    VPC                | vSwitch   | vSwitch Zone | CIDR Block  | ECS Address
    -------------------|-----------|--------------|-------------|---------------
    VPC1 (10.0.0.0/16) | vSwitch 1 | Zone I       | 10.0.0.0/24 | ECS1: 10.0.0.1
    VPC1 (10.0.0.0/16) | vSwitch 2 | Zone J       | 10.0.1.0/24 |
    VPC1 (10.0.0.0/16) | vSwitch 3 | Zone K       | 10.0.2.0/24 |
    VPC2 (10.1.0.0/16) | vSwitch 4 | Zone I       | 10.1.0.0/24 | ECS2: 10.1.0.1
    VPC2 (10.1.0.0/16) | vSwitch 5 | Zone J       | 10.1.1.0/24 |
    VPC2 (10.1.0.0/16) | vSwitch 6 | Zone K       | 10.1.2.0/24 |
    VPC3 (10.2.0.0/16) | vSwitch 7 | Zone I       | 10.2.0.0/24 | ECS3: 10.2.0.1
    VPC3 (10.2.0.0/16) | vSwitch 8 | Zone J       | 10.2.1.0/24 |
    VPC3 (10.2.0.0/16) | vSwitch 9 | Zone K       | 10.2.2.0/24 |

  • Make sure that the security group rules of the ECS instances in VPC1, VPC2, and VPC3 allow the instances to communicate with each other. For more information, see Query security group rules and Add security group rules.

Start configuration

This topic provides two configuration methods: console and Terraform. Choose the method that best suits your needs.

Console

Step 1: Create a Cloud Enterprise Network (CEN) instance

A CEN instance is the foundational resource for creating and managing an integrated network. Before connecting network instances to an Enterprise Edition transit router, you must first create a CEN instance.

  1. Log on to the CEN console.

  2. On the Instances page, click Create CEN Instance.

  3. In the Create CEN Instance dialog box, configure the following parameters and click OK:

    • Name: Enter a name for the CEN instance.

    • Description: Enter a description for the CEN instance.

    • Resource Group: Select a resource group for the CEN instance.

      In this example, no resource group is selected. The CEN instance is added to the default resource group.

    • Tag: Add tags to the CEN instance. In this example, no tag is added to the network instance connection.

Step 2: Create a transit router instance

Before connecting network instances, you must create a transit router in the region where the network instance is deployed within the CEN instance.

  1. Log on to the CEN console.

  2. On the Instances page, select the CEN instance created in Step 1, and click the CEN instance ID.

  3. On the Basic Information > Transit Router tab, click Create Transit Router.

  4. In the Create Transit Router dialog box, configure the transit router instance information, and then click OK.

    • Region: Select the region where you want to create the transit router. In this example, China (Hangzhou) is selected.

    • Edition: The edition of the transit router instance. The edition supported in the selected region is displayed automatically.

    • Enable Multicast: Specify whether to enable multicast. In this example, the default value is kept and multicast is not enabled.

    • Name: Enter the name of the transit router instance. In this example, a custom name is specified.

    • Description: Enter a description for the transit router instance. In this example, a custom description is specified.

    • Tag: Add tags to the transit router. In this example, no tag is added.

    • Transit Router CIDR: Enter a CIDR block for the transit router. For more information, see Transit router CIDR block. In this example, no CIDR block is specified.

Step 3: Connect VPCs to the transit router

Attach the network instances that you want to connect to the Enterprise Edition transit router in the region where each network instance is deployed.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. Go to the Basic Information > Transit Router tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.

  4. On the Connection with Peer Network Instance page, configure the following information, and then click OK:

    Connect VPC1, VPC2, and VPC3 to the Enterprise Edition transit router with the following settings:

    • Instance Type: Select the type of network instance to connect. VPC1, VPC2, VPC3: Virtual Private Cloud (VPC).

    • Region: Select the region where the network instance is deployed. VPC1, VPC2, VPC3: China (Hangzhou).

    • Transit Router: The ID of the transit router in the selected region is displayed.

    • Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs. VPC1, VPC2, VPC3: Current Account.

    • Billing Method: The default value is Pay-As-You-Go.

    • Attachment Name: Enter a name for the network connection. VPC1: VPC1 Connection; VPC2: VPC2 Connection; VPC3: VPC3 Connection.

    • Tag: Add tags to the network instance connection. In this example, no tag is added to any of the three connections.

    • Network Instance: Select the network instance to connect. VPC1: VPC1; VPC2: VPC2; VPC3: VPC3.

    • VSwitch: Select a vSwitch in a zone of the transit router. If each zone of the transit router has a vSwitch, you can select multiple zones and select a vSwitch in each of the zones to enable zone-disaster recovery.

      • VPC1: China (Hangzhou) Zone J: vSwitch 2; China (Hangzhou) Zone K: vSwitch 3

      • VPC2: China (Hangzhou) Zone J: vSwitch 2; China (Hangzhou) Zone K: vSwitch 3

      • VPC3: China (Hangzhou) Zone I: vSwitch 4; China (Hangzhou) Zone J: vSwitch 8

    • Advanced Settings: The following advanced features are disabled for VPC1, VPC2, and VPC3:

      • Associate with Default Route Table of Transit Router

      • Propagate System Routes to Default Route Table of Transit Router

      • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

    Note

    If the advanced features are enabled, VPC1, 2, and 3 can automatically learn routes from one another, but the traffic is not scrubbed. In this example, the advanced features are disabled. In the following steps, custom route tables and route entries are used to define how network traffic is routed so that the network traffic can be scrubbed.

Step 4: Add route entries to VPC instances

Add route entries to VPC1, VPC2, and VPC3 to direct their traffic to the Enterprise Edition transit router, which then distributes the traffic for scrubbing.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region to which the route table belongs.

  3. Add custom route entries to VPC2 and VPC3.

    Add a route entry to the system route tables of VPC2 and VPC3. Set the destination CIDR block to 0.0.0.0/0 and the next hop to the transit router. This ensures that all traffic leaving VPC2 and VPC3 is forwarded to the Enterprise Edition transit router.

    1. In the left-side navigation pane, click Route Tables.

    2. On the Route Tables page, click the ID of the route table that you want to manage.

      In this example, the system route table of VPC2 is used.

    3. On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.

    4. In the Add Route Entry panel, configure the following information, and then click OK:

      • Name: Enter a name for the custom route entry.

      • Destination CIDR Block: In this example, enter 0.0.0.0/0.

      • Next Hop Type: In this example, select Transit Router.

      • Transit Router: In this example, select the transit router instance associated with VPC2.

    5. Repeat the previous step and configure the following parameters to add a route entry to the system route table of VPC3:

      • Destination CIDR Block: In this example, enter 0.0.0.0/0.

      • Next Hop Type: In this example, Transit Router is selected.

      • Transit Router: In this example, the transit router associated with VPC3 is selected.

  4. Create three custom route tables named routetable1, routetable2, and routetable3 for VPC1. For more information, see Create a custom route table.

  5. Associate the vSwitches with the custom route tables. For more information, see Associate vSwitches with route tables.

    In this example, associate vSwitch 1 of VPC1 with routetable1, vSwitch 2 with routetable2, and vSwitch 3 with routetable3.

  6. Add route entries to the custom route tables of VPC1.

    1. On the Route Tables page, click the ID of a route table that you created.

      In this example, select routetable1, which is associated with vSwitch 1.

    2. On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.

    3. In the Add Route Entry panel, configure the following parameters, and then click OK:

      • Name: Enter a name for the custom route entry.

      • Resource Group: In this example, All is selected.

      • Destination CIDR Block: In this example, enter 0.0.0.0/0.

      • Next Hop Type: In this example, ECS Instance is selected.

      • ECS Instance: In this example, the ECS instance that provides security services in vSwitch 3 of VPC1 is selected.

    4. Repeat the previous steps and add the same route entry to the custom route table routetable2 of vSwitch 2.

    5. Repeat the previous steps and add a route entry to routetable3 of vSwitch 3. Configure the following parameters for the route entry:

      • Destination CIDR Block: In this example, enter 0.0.0.0/0.

      • Next Hop Type: In this example, select Transit Router.

      • Transit Router: In this example, the transit router associated with VPC1 is selected.

    The following table describes the route entries that are added in each VPC.

    Network instance | Route table        | vSwitch                         | Route entry | Next hop
    -----------------|--------------------|---------------------------------|-------------|------------------------------------
    VPC1             | routetable1        | vSwitch 1                       | 0.0.0.0/0   | Transit router associated with VPC1
    VPC1             | routetable2        | vSwitch 2                       | 0.0.0.0/0   | An ECS instance in vSwitch 3
    VPC1             | routetable3        | vSwitch 3                       | 0.0.0.0/0   | ECS instance in vSwitch 1
    VPC2             | System route table | vSwitch 1, vSwitch 2, vSwitch 3 | 0.0.0.0/0   | Transit router associated with VPC2
    VPC3             | System route table | vSwitch 1, vSwitch 2, vSwitch 3 | 0.0.0.0/0   | Transit router associated with VPC3

Step 5: Configure routes in the transit router

After the VPC traffic enters the Enterprise Edition transit router, customize connectivity by creating route tables and adding route entries. This directs traffic from VPC2 and VPC3 into VPC1 and routes the filtered traffic from VPC1 to the destination.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance.

  3. Go to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.

  4. Under the Route Table tab, create two custom route tables for the Enterprise Edition transit router, named TR_routetable1 and TR_routetable2. For more information, see custom route tables.

  5. Associate the VPC2 and VPC3 connections with the custom route table of the Enterprise Edition transit router and configure route entries for them.

    1. On the Route Table tab, select TR_routetable1. Click the Route Table Association tab, and then click Create Associate Forwarding.

    2. In the Add Association dialog box, select the network instance connection to associate with this custom route table, and then click OK.

      In this example, associate the VPC2 and VPC3 connections with TR_routetable1.

    3. On the details page of the custom route table, click the Route Entry tab, and then click Create Route Entry.

    4. In the Add Route Entry dialog box, configure the following parameters, and click OK:

      • Destination CIDR: In this example, 0.0.0.0/0 is used.

      • Blackhole Route: If you select Yes, the traffic that is destined for this route is dropped. In this example, No is selected.

      • Next Hop Connection: In this example, the VPC1 connection is selected.

      For more information, see custom route entries for transit routers.

    After you complete these steps, network traffic from VPC2 and VPC3 will be forwarded to VPC1.

  6. Associate a custom route table with VPC1 and configure route entries.

    1. Under the Route Table tab, select TR_routetable2. Click the Route Table Association tab, and then click Create Associate Forwarding.

    2. In the Add Association dialog box, select the network instance connection that you want to associate with the route table, and click OK.

      In this example, VPC1 is associated with TR_routetable2.

    3. On the details page of the custom route table, click the Route Propagation tab, and then click Enable Route Propagation.

    4. In the Enable Route Propagation dialog box, select the network instance for which you want to enable route propagation, and click OK.

      In this example, TR_routetable2 is propagated to VPC2 and VPC3. After route propagation is enabled, this route table will be able to learn the routes of VPC2 and VPC3. VPC1 communicates with VPC2 and VPC3 by querying this route table.

    After the creation is complete, the route entries of the Enterprise Edition transit router are as follows:

    Route table    | Destination CIDR block | Next hop
    ---------------|------------------------|----------------
    TR_routetable1 | 0.0.0.0/0              | VPC1 Connection
    TR_routetable2 | 10.1.0.0/16            | VPC2 Connection
    TR_routetable2 | 10.2.0.0/16            | VPC3 Connection

Step 6: Test network connectivity

After completing the above steps, VPC1, VPC2, and VPC3 can securely communicate with each other. To test the network connectivity, perform the following steps:

  1. Log on to ECS1 and run the following command to enable data forwarding. For more information about how to log on to an ECS instance, see Connection method overview.

    Note

    If data forwarding is not enabled, connectivity is established between VPC1 and VPC2 and between VPC1 and VPC3. However, VPC2 and VPC3 cannot communicate with each other.

    echo 1 > /proc/sys/net/ipv4/ip_forward   # Enable forwarding. This command takes effect temporarily and will be lost after a restart.
  2. Log on to ECS2 and install mtr, a diagnostic tool that combines the capabilities of ping and traceroute to analyze network latency and packet loss in real time. In this example, it is used to observe the path that traffic takes.

    yum install -y mtr
  3. To test the connectivity between ECS2 and ECS3, run the mtr command on ECS2:

    mtr 10.2.0.1 -i 5

    -i 5 specifies that a ping request is sent every 5 seconds.


    The results show that messages from ECS2 to ECS3 are being routed through ECS1 (10.0.0.1), which indicates that traffic between VPC2 and VPC3 is now rerouted through ECS1, the security ECS.
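To make the forwarding path of Steps 4 to 6 concrete, the following added Python script (not part of this topic or of Alibaba Cloud tooling) models the VPC and transit router route tables with longest-prefix matching and traces a packet from ECS2 to ECS3, once with ip_forward enabled on ECS1 and once without. It takes the VPC1 route table mapping from the Terraform main.tf later on this page (routetable1 on vSwitch 1 points to the transit router, routetable2 and routetable3 point to ECS1) and assumes the transit router injects traffic into VPC1 through the vSwitch 2 ENI.

```python
import ipaddress

# Address plan from the topic: ECS1 in vSwitch 1 of VPC1, ECS2 in vSwitch 4 of
# VPC2, ECS3 in vSwitch 7 of VPC3 (host IP -> (VPC, vSwitch)).
HOSTS = {"10.0.0.1": ("VPC1", "vSwitch 1"), "10.1.0.1": ("VPC2", "vSwitch 4"),
         "10.2.0.1": ("VPC3", "vSwitch 7")}

# VPC route tables of Step 4; the VPC1 mapping follows the Terraform main.tf on
# this page. Next hops: "local" = deliver inside this VPC, "tr:<attachment>" =
# hand to the transit router, "ecs:<ip>" = send to an ECS. System routes are
# collapsed to the VPC /16 (a simplification).
VPC_ROUTE_TABLES = {
    "routetable1": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "tr:VPC1 Connection")],
    "routetable2": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "ecs:10.0.0.1")],
    "routetable3": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "ecs:10.0.0.1")],
    "VPC2 system": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "tr:VPC2 Connection")],
    "VPC3 system": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "tr:VPC3 Connection")],
}
# Route table consulted for traffic leaving each vSwitch.
VSWITCH_TABLE = {"vSwitch 1": "routetable1", "vSwitch 2": "routetable2",
                 "vSwitch 3": "routetable3"}
VSWITCH_TABLE.update({f"vSwitch {n}": "VPC2 system" for n in (4, 5, 6)})
VSWITCH_TABLE.update({f"vSwitch {n}": "VPC3 system" for n in (7, 8, 9)})

# Transit router of Step 5: attachment -> associated route table, and entries.
TR_ASSOCIATION = {"VPC2 Connection": "TR_routetable1",
                  "VPC3 Connection": "TR_routetable1",
                  "VPC1 Connection": "TR_routetable2"}
TR_ROUTE_TABLES = {
    "TR_routetable1": [("0.0.0.0/0", "VPC1 Connection")],
    "TR_routetable2": [("10.1.0.0/16", "VPC2 Connection"),
                       ("10.2.0.0/16", "VPC3 Connection")],
}
# Assumed ingress vSwitch (transit router ENI) for traffic sent into each VPC.
ATTACHMENT_INGRESS = {"VPC1 Connection": "vSwitch 2", "VPC2 Connection": "vSwitch 4",
                      "VPC3 Connection": "vSwitch 7"}


def lookup(entries, dst):
    """Longest-prefix match over (cidr, next_hop) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop in entries:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(src, dst, ip_forward=frozenset({"10.0.0.1"}), max_hops=12):
    """Follow a packet src -> dst; ip_forward = ECS addresses with ip_forward=1."""
    vpc, vswitch = HOSTS[src]
    hops = [f"{src} ({vpc}, {vswitch})"]
    for _ in range(max_hops):
        table = VSWITCH_TABLE[vswitch]
        next_hop = lookup(VPC_ROUTE_TABLES[table], dst)
        hops.append(f"{table}: {next_hop}")
        if next_hop in (None, "local"):
            delivered = next_hop == "local" and HOSTS.get(dst, ("",))[0] == vpc
            hops.append(f"delivered to {dst}" if delivered else f"dropped in {vpc}: no host or route")
            return delivered, hops
        kind, target = next_hop.split(":", 1)
        if kind == "ecs":
            # The security ECS relays traffic only when the kernel forwards packets.
            if target not in ip_forward:
                hops.append(f"dropped at {target}: ip_forward disabled")
                return False, hops
            vpc, vswitch = HOSTS[target]
            hops.append(f"{target} forwards (ip_forward=1)")
            continue
        # Transit router: consult the table associated with the ingress attachment.
        tr_table = TR_ASSOCIATION[target]
        attachment = lookup(TR_ROUTE_TABLES[tr_table], dst)
        hops.append(f"{tr_table}: {attachment}")
        if attachment is None:
            hops.append(f"dropped at transit router: {tr_table} has no route")
            return False, hops
        vpc, vswitch = attachment.split()[0], ATTACHMENT_INGRESS[attachment]
    hops.append("dropped: hop limit reached (routing loop?)")
    return False, hops


def passes_security_ecs(hops):
    """True when the traced path was relayed by the security ECS (10.0.0.1)."""
    return any(h.startswith("10.0.0.1 forwards") for h in hops)


if __name__ == "__main__":
    for fwd in (frozenset({"10.0.0.1"}), frozenset()):
        ok, path = trace("10.1.0.1", "10.2.0.1", ip_forward=fwd)
        print(f"ip_forward {'on' if fwd else 'off'}: delivered={ok}\n  " + "\n  ".join(path))
```

Run it to print the hop list; with ip_forward disabled the trace stops at 10.0.0.1, which matches the Note in Step 6.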

Terraform

You can use Terraform to set up the environment for this example. For details on installing and configuring Terraform, see Install Terraform.

The following section uses Terraform v1.9.8 on a Linux host as an example. Ensure you have completed Authentication before proceeding.

Note

Fees may apply for certain resources in this example. Release or unsubscribe from the resources when they are no longer required.

Step 1: Create resources

  1. Create a directory for the scenario and navigate to it.

    mkdir tf-CenSec && cd tf-CenSec
  2. Create a main.tf file to define the required resources.

    touch main.tf
  3. Open the main.tf file, paste the following code into the file, and save the changes. This file includes all the necessary resources and configurations.

    variable "pname" {
      description = "The prefix name for the resources"
      type        = string
      default     = "tf-CenSec"
    }
    
    variable "default_region" {
      description = "Default region"
      type        = string
      default     = "cn-hangzhou"
    }
    
    variable "az" {
      description = "List of availability zones to use"
      type        = list(string)
      default     = ["cn-hangzhou-i", "cn-hangzhou-j", "cn-hangzhou-k"]
    }
    
    variable "vpc_count" {
      description = "Number of VPCs to create"
      type        = number
      default     = 3
    }
    
    provider "alicloud" {
      region = var.default_region
    }
    
    # vpc
    resource "alicloud_vpc" "main" {
      count      = var.vpc_count
      vpc_name   = "${var.pname}-vpc${count.index + 1}"
      cidr_block = "10.${count.index}.0.0/16"
    }
    
    # vsw
    resource "alicloud_vswitch" "main" {
      count        = var.vpc_count * length(var.az)
      vpc_id       = alicloud_vpc.main[floor(count.index / length(var.az))].id
      cidr_block   = "10.${floor(count.index / length(var.az))}.${count.index % length(var.az)}.0/24"
      zone_id      = var.az[count.index % length(var.az)]
      vswitch_name = "${var.pname}-vsw${count.index + 1}"
    }
    
    # ecs
    resource "alicloud_instance" "main" {
      count                = var.vpc_count
      instance_name        = "${var.pname}-ecs${count.index + 1}"
      instance_type        = "ecs.e-c1m1.large"
      security_groups      = [alicloud_security_group.main[count.index].id]
      vswitch_id           = alicloud_vswitch.main[count.index * length(var.az)].id
      image_id             = "aliyun_3_x64_20G_qboot_alibase_20230727.vhd"
      system_disk_category = "cloud_essd"
      private_ip           = "10.${count.index}.0.1"
      instance_charge_type = "PostPaid"
      user_data = base64encode(<<-EOT
        #!/bin/bash
        ${count.index == 0 ? "echo 1 > /proc/sys/net/ipv4/ip_forward" : ""} 
        yum install -y traceroute
        yum install -y mtr
      EOT
      ) # ecs1 enable ip_forward
    }
    
    # sg
    resource "alicloud_security_group" "main" {
      count  = var.vpc_count
      name   = "${var.pname}-${count.index + 1}"
      vpc_id = alicloud_vpc.main[count.index].id
    }
    
    resource "alicloud_security_group_rule" "allow_inbound_ssh" {
      count             = var.vpc_count
      type              = "ingress"
      ip_protocol       = "tcp"
      nic_type          = "intranet"
      policy            = "accept"
      port_range        = "22/22"
      priority          = 1
      security_group_id = alicloud_security_group.main[count.index].id
      cidr_ip           = "0.0.0.0/0"
    }
    
    resource "alicloud_security_group_rule" "allow_inbound_icmp" {
      count             = var.vpc_count
      type              = "ingress"
      ip_protocol       = "icmp"
      nic_type          = "intranet"
      policy            = "accept"
      port_range        = "-1/-1"
      priority          = 1
      security_group_id = alicloud_security_group.main[count.index].id
      cidr_ip           = "0.0.0.0/0"
    }
    
    resource "alicloud_security_group_rule" "allow_all_outbound" {
      count             = var.vpc_count
      type              = "egress"
      ip_protocol       = "tcp"
      nic_type          = "intranet"
      policy            = "accept"
      port_range        = "1/65535"
      priority          = 1
      security_group_id = alicloud_security_group.main[count.index].id
      cidr_ip           = "0.0.0.0/0"
    }
    
    # cen
    resource "alicloud_cen_instance" "cen1" {
      cen_instance_name = var.pname
    }
    
    # tr
    resource "alicloud_cen_transit_router" "tr1" {
      transit_router_name = var.pname
      cen_id              = alicloud_cen_instance.cen1.id
    }
    
    # attach1  to vsw2 vsw3 in vpc1
    resource "alicloud_cen_transit_router_vpc_attachment" "attach1" {
      cen_id            = alicloud_cen_instance.cen1.id
      transit_router_id = alicloud_cen_transit_router.tr1.transit_router_id
      vpc_id            = alicloud_vpc.main[0].id
      zone_mappings {
        zone_id    = var.az[1]
        vswitch_id = alicloud_vswitch.main[1].id # vsw2, vpc1-2
      }
      zone_mappings {
        zone_id    = var.az[2]
        vswitch_id = alicloud_vswitch.main[2].id # vsw3, vpc1-3
      }
      transit_router_vpc_attachment_name = "attach1"
    }
    
    # attach2 to vsw1 vsw2 in vpc2
    resource "alicloud_cen_transit_router_vpc_attachment" "attach2" {
      cen_id            = alicloud_cen_instance.cen1.id
      transit_router_id = alicloud_cen_transit_router.tr1.transit_router_id
      vpc_id            = alicloud_vpc.main[1].id
      zone_mappings {
        zone_id    = var.az[0]
        vswitch_id = alicloud_vswitch.main[3].id # vsw4, vpc2-1
      }
      zone_mappings {
        zone_id    = var.az[1]
        vswitch_id = alicloud_vswitch.main[4].id # vsw5, vpc2-2
      }
      transit_router_vpc_attachment_name = "attach2"
    }
    
    
    # attach3 to vsw1 vsw2 in vpc3
    resource "alicloud_cen_transit_router_vpc_attachment" "attach3" {
      cen_id            = alicloud_cen_instance.cen1.id
      transit_router_id = alicloud_cen_transit_router.tr1.transit_router_id
      vpc_id            = alicloud_vpc.main[2].id
      zone_mappings {
        zone_id    = var.az[0]
        vswitch_id = alicloud_vswitch.main[6].id # vsw7, vpc3-1
      }
      zone_mappings {
        zone_id    = var.az[1]
        vswitch_id = alicloud_vswitch.main[7].id # vsw8, vpc3-2
      }
      transit_router_vpc_attachment_name = "attach3"
    }
    
    # 3 rt for vpc1
    resource "alicloud_route_table" "rt" {
      count            = 3
      vpc_id           = alicloud_vpc.main[0].id
      route_table_name = "${var.pname}-rt${count.index}"
      associate_type   = "VSwitch"
    }
    
    # 3 rt attach to vsw1 2 3  
    resource "alicloud_route_table_attachment" "rt_attach" {
      count          = 3
      vswitch_id     = alicloud_vswitch.main[count.index].id
      route_table_id = alicloud_route_table.rt[count.index].id
    }
    
    # rt entry, vpc1
    resource "alicloud_route_entry" "rt-entry1" { # nexthop tr
      route_table_id        = alicloud_route_table.rt[0].id
      destination_cidrblock = "0.0.0.0/0"
      nexthop_type          = "Attachment"
      nexthop_id            = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
    }
    resource "alicloud_route_entry" "rt-entry2" { # nexthop ecs1
      route_table_id        = alicloud_route_table.rt[1].id
      destination_cidrblock = "0.0.0.0/0"
      nexthop_type          = "Instance"
      nexthop_id            = alicloud_instance.main[0].id # ecs1
    }
    resource "alicloud_route_entry" "rt-entry3" { # nexthop ecs1
      route_table_id        = alicloud_route_table.rt[2].id
      destination_cidrblock = "0.0.0.0/0"
      nexthop_type          = "Instance"
      nexthop_id            = alicloud_instance.main[0].id # ecs1
    }
    
    # rt entry, vpc2 vpc3
    resource "alicloud_route_entry" "rt-entry4" {
      route_table_id        = alicloud_vpc.main[1].route_table_id
      destination_cidrblock = "0.0.0.0/0"
      nexthop_type          = "Attachment"
      nexthop_id            = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
    }
    resource "alicloud_route_entry" "rt-entry5" {
      route_table_id        = alicloud_vpc.main[2].route_table_id
      destination_cidrblock = "0.0.0.0/0"
      nexthop_type          = "Attachment"
      nexthop_id            = alicloud_cen_transit_router_vpc_attachment.attach3.transit_router_attachment_id
    }
    
    # two custom route tables for the transit router (TR_routetable1 and TR_routetable2 in the console steps)
    resource "alicloud_cen_transit_router_route_table" "tr_rt1" {
      transit_router_id               = alicloud_cen_transit_router.tr1.transit_router_id
      transit_router_route_table_name = "tr_rt1"
    }
    
    resource "alicloud_cen_transit_router_route_table" "tr_rt2" {
      transit_router_id               = alicloud_cen_transit_router.tr1.transit_router_id
      transit_router_route_table_name = "tr_rt2"
    }
    
    # associate tr_rt1 with attach2 and attach3 (VPC2 and VPC3 connections)
    resource "alicloud_cen_transit_router_route_table_association" "ass1" {
      transit_router_route_table_id = alicloud_cen_transit_router_route_table.tr_rt1.transit_router_route_table_id
      transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
    }
    resource "alicloud_cen_transit_router_route_table_association" "ass2" {
      transit_router_route_table_id = alicloud_cen_transit_router_route_table.tr_rt1.transit_router_route_table_id
      transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach3.transit_router_attachment_id
    }
    # associate tr_rt2 with attach1 (VPC1 connection)
    resource "alicloud_cen_transit_router_route_table_association" "ass3" {
      transit_router_route_table_id = alicloud_cen_transit_router_route_table.tr_rt2.transit_router_route_table_id
      transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
    }
    
    # transit router route entries: tr_rt1 sends all traffic to VPC1 for scrubbing; tr_rt2 returns scrubbed traffic to VPC2 and VPC3
    resource "alicloud_cen_transit_router_route_entry" "tr_rt1_entry1" {
      transit_router_route_table_id                     = alicloud_cen_transit_router_route_table.tr_rt1.transit_router_route_table_id
      transit_router_route_entry_destination_cidr_block = "0.0.0.0/0"
      transit_router_route_entry_next_hop_type          = "Attachment"
      transit_router_route_entry_next_hop_id            = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
    }
    resource "alicloud_cen_transit_router_route_entry" "tr_rt2_entry1" {
      transit_router_route_table_id                     = alicloud_cen_transit_router_route_table.tr_rt2.transit_router_route_table_id
      transit_router_route_entry_destination_cidr_block = "10.1.0.0/16"
      transit_router_route_entry_next_hop_type          = "Attachment"
      transit_router_route_entry_next_hop_id            = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
    }
    resource "alicloud_cen_transit_router_route_entry" "tr_rt2_entry2" {
      transit_router_route_table_id                     = alicloud_cen_transit_router_route_table.tr_rt2.transit_router_route_table_id
      transit_router_route_entry_destination_cidr_block = "10.2.0.0/16"
      transit_router_route_entry_next_hop_type          = "Attachment"
      transit_router_route_entry_next_hop_id            = alicloud_cen_transit_router_vpc_attachment.attach3.transit_router_attachment_id
    }
    
    output "ecs1_login_address" {
      value = "https://ecs-workbench.aliyun.com/?from=EcsConsole&instanceType=ecs&regionId=${var.default_region}&instanceId=${alicloud_instance.main[0].id}"
    }
    
    output "ecs2_login_address" {
      value = "https://ecs-workbench.aliyun.com/?from=EcsConsole&instanceType=ecs&regionId=${var.default_region}&instanceId=${alicloud_instance.main[1].id}"
    }
    
    output "ecs3_login_address" {
      value = "https://ecs-workbench.aliyun.com/?from=EcsConsole&instanceType=ecs&regionId=${var.default_region}&instanceId=${alicloud_instance.main[2].id}"
    }
  4. Initialize the directory to complete Terraform setup.

    terraform init
  5. Create the resources. Terraform previews the resources that will be created; after you verify the plan, enter yes to start the creation.

    terraform apply

Step 2: Test the connectivity

  1. Log on to the ECS2 instance named tf-CenSec-ecs2.

    The logon address for ECS2 is available in Terraform Outputs. Copy the address to a browser and choose Temporary SSH Key-based as the authentication method.


  2. Run the mtr command on ECS2 to test the network path to ECS3:

    mtr 10.2.0.1 -i 5

    -i 5 indicates that ping requests are sent every 5 seconds.


    The results show that packets from ECS2 to ECS3 are being routed through ECS1 (10.0.0.1). This confirms that traffic between VPC2 and VPC3 is directed through ECS1, the security ECS.

Step 3: Release resources

When verification is complete and you no longer need the resources, run the command below to release them and stop billing.

terraform destroy --auto-approve