Enterprise Edition transit routers offer flexible route management features that allow you to route network traffic through an access control server for scrubbing. This ensures that only trusted traffic is permitted, thus enhancing network security. This topic explains how to use an Enterprise Edition transit router to enable and secure network communication.
Scenario
The following example shows how to use an Enterprise Edition transit router to establish secure intra-region communication. A company has deployed three VPCs that are isolated from one another in the China (Hong Kong) region. Security services are deployed in VPC1. To accommodate business growth and security requirements, the company wants to establish network communication between VPC2 and VPC3, and route network traffic to VPC1 for scrubbing.
In this case, the company can connect VPC2 and VPC3 to an Enterprise Edition transit router and then add custom routing policies to the transit router to establish communication between VPC2 and VPC3.
Prerequisites
Ensure that the region where the security VPC is deployed supports Enterprise Edition transit routers. For more information about the supported regions and zones, see Regions and zones that support Enterprise Edition transit routers.
Three VPCs have been created in the China (Hangzhou) region, with each VPC hosting ECS instances. For more information, see Create a VPC with an IPv4 CIDR block.
Sufficient vSwitches are deployed in each VPC in the zones of the Enterprise Edition transit router. Each vSwitch has at least one idle IP address.
If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.
If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.
For example, if you create a VPC in the China (Hangzhou) region, it must have at least one vSwitch in both Zone B and Zone C, with each vSwitch having at least one idle IP address.
Note: The Enterprise Edition transit router associates an elastic network interface (ENI) with each vSwitch in a zone. The ENIs function as ingresses that forward network traffic from VPCs to the transit router. Each ENI occupies one IP address.
In this example, VPC1 has three vSwitches: vSwitch 1 hosts the access control service, and vSwitch 2 and vSwitch 3 are connected to the Enterprise Edition transit router. The following table describes the CIDR blocks allocated to the VPCs. Make sure that the CIDR blocks do not overlap, and use Alibaba Cloud Linux as the image for the three ECS instances.
VPC | vSwitch | vSwitch Zone | CIDR Block | ECS Address
VPC1 (CIDR block: 10.0.0.0/16) | vSwitch 1 | Zone I | 10.0.0.0/24 | ECS1: 10.0.0.1
VPC1 | vSwitch 2 | Zone J | 10.0.1.0/24 | -
VPC1 | vSwitch 3 | Zone K | 10.0.2.0/24 | -
VPC2 (CIDR block: 10.1.0.0/16) | vSwitch 4 | Zone I | 10.1.0.0/24 | ECS2: 10.1.0.1
VPC2 | vSwitch 5 | Zone J | 10.1.1.0/24 | -
VPC2 | vSwitch 6 | Zone K | 10.1.2.0/24 | -
VPC3 (CIDR block: 10.2.0.0/16) | vSwitch 7 | Zone I | 10.2.0.0/24 | ECS3: 10.2.0.1
VPC3 | vSwitch 8 | Zone J | 10.2.1.0/24 | -
VPC3 | vSwitch 9 | Zone K | 10.2.2.0/24 | -
You are familiar with the security group rules of the ECS instances in VPC1, 2, and 3. The security group rules allow the ECS instances to communicate with each other. For more information, see Query security group rules and Add security group rules.
Start configuration
This topic provides two configuration methods: console and Terraform. Choose the method that best suits your needs.
Console
Step 1: Create a Cloud Enterprise Network (CEN) instance
A CEN instance is the foundational resource for creating and managing an integrated network. Before connecting network instances to an Enterprise Edition transit router, you must first create a CEN instance.
Log on to the CEN console.
On the Instances page, click Create CEN Instance.
In the Create CEN Instance dialog box, configure the following parameters and click OK:
Name: Enter a name for the CEN instance.
Description: Enter a description for the CEN instance.
Resource Group: Select a resource group for the CEN instance.
In this example, no resource group is selected. The CEN instance is added to the default resource group.
Tag: Add tags to the CEN instance. In this example, no tag is added.
Step 2: Create a transit router instance
Before connecting network instances, you must create a transit router in the CEN instance, in the region where the network instances are deployed.
Log on to the CEN console.
On the Instances page, select the CEN instance created in Step 1, and click the CEN instance ID.
On the tab, click Create Transit Router.
In the Create Transit Router dialog box, configure the transit router instance information, and then click OK.
Parameter | Description | Value
Region | Select the region where you want to create the transit router. | In this example, China (Hangzhou) is selected.
Edition | The edition of the transit router instance. | The transit router edition supported in the selected region is automatically displayed.
Enable Multicast | Specify whether to enable multicast. | The default value is kept: multicast is not enabled.
Name | Enter the name of the transit router instance. | In this example, a custom name is specified for the transit router.
Description | Enter a description for the transit router instance. | In this example, a custom description is specified.
Tag | Add tags to the transit router. | In this example, no tag is added.
Transit Router CIDR | Enter a CIDR block for the transit router. For more information, see Transit router CIDR block. | In this example, no CIDR block is specified for the transit router.
Step 3: Connect VPCs to the transit router
Attach the network instances that you want to connect to the Enterprise Edition transit router in the region where each network instance is deployed.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following information, and then click OK:
The following table describes the settings of each VPC. Connect VPC1, 2, and 3 to an Enterprise Edition transit router:
Parameter | Description | VPC1 | VPC2 | VPC3
Instance Type | Select the type of network instance to connect. | Virtual Private Cloud (VPC) | Virtual Private Cloud (VPC) | Virtual Private Cloud (VPC)
Region | Select the region where the network instance is deployed. | China (Hangzhou) | China (Hangzhou) | China (Hangzhou)
Transit Router | The ID of the transit router in the selected region is displayed. | (displayed automatically) | (displayed automatically) | (displayed automatically)
Resource Owner ID | Select the Alibaba Cloud account to which the network instance belongs. | Current Account | Current Account | Current Account
Billing Method | The default value is Pay-As-You-Go. | (default) | (default) | (default)
Attachment Name | Enter a name for the network connection. | VPC1 Connection | VPC2 Connection | VPC3 Connection
Tag | Add tags to the network instance connection. | In this example, no tag is added. | In this example, no tag is added. | In this example, no tag is added.
Network Instance | Select the network instance to connect. | VPC1 | VPC2 | VPC3
VSwitch | Select a vSwitch in a zone of the transit router. If each zone of the transit router has a vSwitch, you can select multiple zones and select a vSwitch in each of the zones to enable zone-disaster recovery. | China (Hangzhou) Zone J: vSwitch 2; China (Hangzhou) Zone K: vSwitch 3 | China (Hangzhou) Zone J: vSwitch 2; China (Hangzhou) Zone K: vSwitch 3 | China (Hangzhou) Zone I: vSwitch 4; China (Hangzhou) Zone J: vSwitch 8
Advanced Settings | The following advanced features are disabled for VPC1, 2, and 3: Associate with Default Route Table of Transit Router; Propagate System Routes to Default Route Table of Transit Router; Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. | Disabled | Disabled | Disabled
Note: If the advanced features are enabled, VPC1, 2, and 3 can automatically learn routes from one another, but the traffic is not scrubbed. In this example, the advanced features are disabled. In the following steps, custom route tables and route entries are used to define how network traffic is routed so that the network traffic can be scrubbed.
Step 4: Add route entries to VPC instances
Add route entries to VPC1, 2, and 3 to direct their traffic to the Enterprise Edition transit router. The Enterprise Edition transit router then distributes the traffic to VPC1 for scrubbing.
Log on to the VPC console.
In the top navigation bar, select the region to which the route table belongs.
Add custom route entries to VPC2 and VPC3.
Add a route entry to the system route table of VPC2 and VPC3. Set the destination CIDR block to 0.0.0.0/0 and the next hop to the transit router. This ensures that the traffic from VPC2 and VPC3 is forwarded to the Enterprise Edition transit router.
In the left-side navigation pane, click Route Tables.
On the Route Tables page, click the ID of the route table that you want to manage.
In this example, the system route table of VPC2 is used.
On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.
In the Add Route Entry panel, configure the following information, and then click OK:
Name: Enter a name for the custom route entry.
Destination CIDR Block: In this example, enter 0.0.0.0/0.
Next Hop Type: In this example, select Transit Router.
Transit Router: In this example, select the transit router instance associated with VPC2.
Repeat the previous step and configure the following parameters to add a route entry to the system route table of VPC3:
Destination CIDR Block: In this example, enter 0.0.0.0/0.
Next Hop Type: In this example, Transit Router is selected.
Transit Router: In this example, the transit router associated with VPC3 is selected.
Create three custom route tables named routetable1, routetable2, and routetable3 for VPC1. For more information, see Create a custom route table.
Associate the vSwitches with the custom route tables. For more information, see Associate vSwitches with route tables.
In this example, associate vSwitch 1 of VPC1 with routetable1, vSwitch 2 with routetable2, and vSwitch 3 with routetable3.
Add route entries to the custom route tables of VPC1.
On the Route Tables page, click the ID of a route table that you created.
In this example, routetable1, which is associated with vSwitch 1, is selected.
On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.
In the Add Route Entry panel, configure the following parameters, and then click OK:
Name: Enter a name for the custom route entry.
Resource Group: In this example, All is selected.
Destination CIDR Block: In this example, enter 0.0.0.0/0.
Next Hop Type: In this example, ECS Instance is selected.
ECS Instance: In this example, the ECS instance that provides security services in vSwitch 3 of VPC1 is selected.
Repeat the previous steps and add the same route entry to the custom route table routetable2 of vSwitch 2.
Repeat the previous steps and add a route entry to routetable3 of vSwitch 3. Configure the following parameters for the route entry:
Destination CIDR Block: In this example, enter 0.0.0.0/0.
Next Hop Type: In this example, select Transit Router.
Transit Router: In this example, the transit router associated with VPC1 is selected.
The following table describes the newly added route entries in each VPC.
Network instance | Route table | vSwitch | Route entry | Next hop
VPC1 | routetable1 | vSwitch 1 | 0.0.0.0/0 | Transit router associated with VPC1
VPC1 | routetable2 | vSwitch 2 | 0.0.0.0/0 | An ECS instance in vSwitch 3
VPC1 | routetable3 | vSwitch 3 | 0.0.0.0/0 | ECS instance in vSwitch 1
VPC2 | System route table | vSwitch 1, vSwitch 2, vSwitch 3 | 0.0.0.0/0 | Transit router associated with VPC2
VPC3 | System route table | vSwitch 1, vSwitch 2, vSwitch 3 | 0.0.0.0/0 | Transit router associated with VPC3
Step 5: Configure routes in the transit router
After the VPC traffic enters the Enterprise Edition transit router, customize connectivity by creating route tables and adding route entries. This directs traffic from VPC2 and VPC3 into VPC1 and routes the filtered traffic from VPC1 to the destination.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance.
Go to the tab and click the ID of the transit router that you want to manage.
Under the Route Table tab, create two custom route tables for the Enterprise Edition transit router, named TR_routetable1 and TR_routetable2. For more information, see custom route tables.
Associate the VPC2 and VPC3 connections with the custom route table of the Enterprise Edition transit router and configure route entries for them.
On the Route Table tab, select TR_routetable1. Click the Route Table Association tab, and then click Create Associate Forwarding.
In the Add Association dialog box, select the network instance connection to associate with this custom route table, and then click OK.
In this example, associate the VPC2 and VPC3 connections with TR_routetable1.
On the details page of the custom route table, click the Route Entry tab, and then click Create Route Entry.
In the Add Route Entry dialog box, configure the following parameters, and click OK:
Destination CIDR: In this example, 0.0.0.0/0 is used.
Blackhole Route: If you select Yes, the traffic that is destined for this route is dropped. In this example, No is selected.
Next Hop Connection: In this example, the VPC1 connection is selected.
For more information, see custom route entries for transit routers.
After you complete these steps, network traffic from VPC2 and VPC3 will be forwarded to VPC1.
Associate a custom route table with VPC1 and configure route entries.
Under the Route Table tab, select TR_routetable2. Click the Route Table Association tab, and then click Create Associate Forwarding.
In the Add Association dialog box, select the network instance connection that you want to associate with the route table, and click OK.
In this example, VPC1 is associated with TR_routetable2.
On the details page of the custom route table, click the Route Propagation tab, and then click Enable Route Propagation.
In the Enable Route Propagation dialog box, select the network instance for which you want to enable route propagation, and click OK.
In this example, TR_routetable2 is propagated to VPC2 and VPC3. After route propagation is enabled, this route table will be able to learn the routes of VPC2 and VPC3. VPC1 communicates with VPC2 and VPC3 by querying this route table.
After the creation is complete, the route entries of the Enterprise Edition transit router are as follows:
Name | Destination CIDR block | Next hop
TR_routetable1 | 0.0.0.0/0 | VPC1 Connection
TR_routetable2 | 10.1.0.0/16 | VPC2 Connection
TR_routetable2 | 10.2.0.0/16 | VPC3 Connection
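The route design of Steps 4 and 5 can be checked offline before anything is deployed. The following is an added example, not Alibaba Cloud code: it holds a constructed copy of the page's VPC and transit router route tables (vSwitch names vsw1-vsw9 and attachment names attach1-attach3 are assumed labels) and walks a packet through them with longest-prefix matching, contrasting the scrubbing design with the direct paths that the Step 3 advanced settings would create.

```python
"""Route-trace model of the scrubbing design in Steps 4 and 5 (added example,
not Alibaba Cloud code). The tables below are a constructed copy of the page's
route entries; trace() walks a packet through them with longest-prefix matching
to check that VPC2 <-> VPC3 traffic always transits the security ECS (ECS1)."""
import ipaddress

VPC_CIDR = {"VPC1": "10.0.0.0/16", "VPC2": "10.1.0.0/16", "VPC3": "10.2.0.0/16"}
# ECS -> (vpc, vSwitch, ip); ECS1 is the scrubbing host with ip_forward enabled.
ECS = {"ECS1": ("VPC1", "vsw1", "10.0.0.1"),
       "ECS2": ("VPC2", "vsw4", "10.1.0.1"),
       "ECS3": ("VPC3", "vsw7", "10.2.0.1")}
# TR attachment -> (vpc, vSwitches hosting its ENIs, associated TR route table).
ATTACH = {"attach1": ("VPC1", ["vsw2", "vsw3"], "TR_routetable2"),
          "attach2": ("VPC2", ["vsw4", "vsw5"], "TR_routetable1"),
          "attach3": ("VPC3", ["vsw7", "vsw8"], "TR_routetable1")}
# vSwitch -> custom entries (cidr, next hop); each VPC's own CIDR is an implicit local route.
VPC_ROUTES = {"vsw1": [("0.0.0.0/0", "attach1")],  # routetable1: ECS1 returns traffic to the TR
              "vsw2": [("0.0.0.0/0", "ECS1")],     # routetable2: traffic entering VPC1 -> ECS1
              "vsw3": [("0.0.0.0/0", "ECS1")]}     # routetable3: same
for vsw in ("vsw4", "vsw5", "vsw6"):
    VPC_ROUTES[vsw] = [("0.0.0.0/0", "attach2")]  # VPC2 system route table (Step 4)
for vsw in ("vsw7", "vsw8", "vsw9"):
    VPC_ROUTES[vsw] = [("0.0.0.0/0", "attach3")]  # VPC3 system route table (Step 4)
TR_ROUTES = {"TR_routetable1": [("0.0.0.0/0", "attach1")],
             "TR_routetable2": [("10.1.0.0/16", "attach2"), ("10.2.0.0/16", "attach3")]}
SCRUBBED = {"attach": ATTACH, "vpc_routes": VPC_ROUTES, "tr_routes": TR_ROUTES}
# Contrast: what the Step 3 advanced settings would give instead, i.e. every attachment
# in the TR's default route table, which has learned each VPC's CIDR directly.
BYPASS = {"attach": {a: (v, s, "default") for a, (v, s, _) in ATTACH.items()},
          "vpc_routes": VPC_ROUTES,
          "tr_routes": {"default": [(VPC_CIDR[v], a) for a, (v, _, _) in ATTACH.items()]}}


def lookup(entries, dst):
    """Longest-prefix match over (cidr, next_hop) entries; None if nothing matches."""
    best = None
    for cidr, nh in entries:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None


def trace(topo, src_ecs, dst_ecs, max_hops=12):
    """Hops (ECS and attachment names) from src_ecs to dst_ecs; the list ends in
    dst_ecs when delivered, or in 'DROP' / 'LOOP' on failure."""
    vpc, vsw, _ = ECS[src_ecs]
    dst_ip = ECS[dst_ecs][2]
    path = [src_ecs]
    for _ in range(max_hops):
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(VPC_CIDR[vpc]):
            return path + [dst_ecs]  # delivered by the VPC's local route
        nh = lookup(topo["vpc_routes"].get(vsw, []), dst_ip)
        if nh is None:
            return path + ["DROP"]
        path.append(nh)
        if nh in ECS:  # handed to the security ECS, which re-emits it from its own vSwitch
            vpc, vsw, _ = ECS[nh]
            continue
        tr_nh = lookup(topo["tr_routes"][topo["attach"][nh][2]], dst_ip)  # TR lookup
        if tr_nh is None:
            return path + ["DROP"]
        path.append(tr_nh)
        vpc, vsws, _ = topo["attach"][tr_nh]
        vsw = vsws[0]  # enters the next VPC through one of the attachment's ENIs
    return path + ["LOOP"]


def passes_scrubber(path):
    """True when ECS1 is a transit hop, not merely the source or destination."""
    return "ECS1" in path[1:-1]


if __name__ == "__main__":
    for name, topo in (("scrubbed", SCRUBBED), ("bypass", BYPASS)):
        p = trace(topo, "ECS2", "ECS3")
        print(f"{name}: {' -> '.join(p)}  scrubbed={passes_scrubber(p)}")
```

Running it prints the hop list for both topologies; the scrubbed design routes ECS2 to ECS3 via attach1 and ECS1 in both directions, while the bypass topology hands the packet straight from attach2 to attach3.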
Step 6: Test network connectivity
After completing the above steps, VPC1, VPC2, and VPC3 can securely communicate with each other. To test the network connectivity, perform the following steps:
Log on to ECS1 and run the following command to enable data forwarding. For more information about how to log on to an ECS instance, see Connection method overview.
Note: If data forwarding is not enabled, connectivity is established between VPC1 and VPC2 and between VPC1 and VPC3. However, VPC2 and VPC3 cannot communicate with each other.
echo 1 > /proc/sys/net/ipv4/ip_forward # Enable forwarding. This command takes effect temporarily and will be lost after a restart.
Log on to ECS2 and install mtr, a diagnostic tool that combines ping and traceroute to show network latency and packet loss per hop in real time. In this example, it is used to show the path that the traffic takes.
yum install -y mtr
To test the connectivity between ECS2 and ECS3, run the mtr command on ECS2:
mtr 10.2.0.1 -i 5
-i 5 specifies that a ping request is sent every 5 seconds. The results show that packets from ECS2 to ECS3 are routed through ECS1 (10.0.0.1), which indicates that traffic between VPC2 and VPC3 is now rerouted through ECS1, the security ECS.
Terraform
You can use Terraform to set up the environment for this example. For details on installing and configuring Terraform, see Install Terraform.
The following section uses Terraform v1.9.8 on a Linux host as an example. Ensure you have completed Authentication before proceeding.
Fees may apply for certain resources in this example. Release or unsubscribe from the resources when they are no longer required.
Step 1: Create resources
Create a directory for the scenario and navigate to it.
mkdir tf-CenSec && cd tf-CenSec
Create a main.tf file to define the required resources.
touch main.tf
Open the main.tf file, paste the following code into the file, and save the changes. This file includes all the necessary resources and configurations.
variable "pname" {
  description = "The prefix name for the resources"
  type        = string
  default     = "tf-CenSec"
}

variable "default_region" {
  description = "Default region"
  type        = string
  default     = "cn-hangzhou"
}

variable "az" {
  description = "List of availability zones to use"
  type        = list(string)
  default     = ["cn-hangzhou-i", "cn-hangzhou-j", "cn-hangzhou-k"]
}

variable "vpc_count" {
  description = "Number of VPCs to create"
  type        = number
  default     = 3
}

provider "alicloud" {
  region = var.default_region
}

# vpc
resource "alicloud_vpc" "main" {
  count      = var.vpc_count
  vpc_name   = "${var.pname}-vpc${count.index + 1}"
  cidr_block = "10.${count.index}.0.0/16"
}

# vsw: one vSwitch per zone in each VPC (vsw1-3 in vpc1, vsw4-6 in vpc2, vsw7-9 in vpc3)
resource "alicloud_vswitch" "main" {
  count        = var.vpc_count * length(var.az)
  vpc_id       = alicloud_vpc.main[floor(count.index / length(var.az))].id
  cidr_block   = "10.${floor(count.index / length(var.az))}.${count.index % length(var.az)}.0/24"
  zone_id      = var.az[count.index % length(var.az)]
  vswitch_name = "${var.pname}-vsw${count.index + 1}"
}

# ecs: one instance in the first vSwitch of each VPC; ecs1 enables ip_forward
resource "alicloud_instance" "main" {
  count                = var.vpc_count
  instance_name        = "${var.pname}-ecs${count.index + 1}"
  instance_type        = "ecs.e-c1m1.large"
  security_groups      = [alicloud_security_group.main[count.index].id]
  vswitch_id           = alicloud_vswitch.main[count.index * length(var.az)].id
  image_id             = "aliyun_3_x64_20G_qboot_alibase_20230727.vhd"
  system_disk_category = "cloud_essd"
  private_ip           = "10.${count.index}.0.1"
  instance_charge_type = "PostPaid"
  user_data = base64encode(<<-EOT
    #!/bin/bash
    ${count.index == 0 ? "echo 1 > /proc/sys/net/ipv4/ip_forward" : ""}
    yum install -y traceroute
    yum install -y mtr
  EOT
  )
}

# sg
resource "alicloud_security_group" "main" {
  count  = var.vpc_count
  name   = "${var.pname}-${count.index + 1}"
  vpc_id = alicloud_vpc.main[count.index].id
}

resource "alicloud_security_group_rule" "allow_inbound_ssh" {
  count             = var.vpc_count
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = alicloud_security_group.main[count.index].id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "allow_inbound_icmp" {
  count             = var.vpc_count
  type              = "ingress"
  ip_protocol       = "icmp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "-1/-1"
  priority          = 1
  security_group_id = alicloud_security_group.main[count.index].id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "allow_all_outbound" {
  count             = var.vpc_count
  type              = "egress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "1/65535"
  priority          = 1
  security_group_id = alicloud_security_group.main[count.index].id
  cidr_ip           = "0.0.0.0/0"
}

# cen
resource "alicloud_cen_instance" "cen1" {
  cen_instance_name = var.pname
}

# tr
resource "alicloud_cen_transit_router" "tr1" {
  transit_router_name = var.pname
  cen_id              = alicloud_cen_instance.cen1.id
}

# attach1: vpc1 via vsw2 (zone j) and vsw3 (zone k)
resource "alicloud_cen_transit_router_vpc_attachment" "attach1" {
  cen_id            = alicloud_cen_instance.cen1.id
  transit_router_id = alicloud_cen_transit_router.tr1.transit_router_id
  vpc_id            = alicloud_vpc.main[0].id
  zone_mappings {
    zone_id    = var.az[1]
    vswitch_id = alicloud_vswitch.main[1].id # vsw2, vpc1 zone j
  }
  zone_mappings {
    zone_id    = var.az[2]
    vswitch_id = alicloud_vswitch.main[2].id # vsw3, vpc1 zone k
  }
  transit_router_vpc_attachment_name = "attach1"
}

# attach2: vpc2 via vsw4 (zone i) and vsw5 (zone j)
resource "alicloud_cen_transit_router_vpc_attachment" "attach2" {
  cen_id            = alicloud_cen_instance.cen1.id
  transit_router_id = alicloud_cen_transit_router.tr1.transit_router_id
  vpc_id            = alicloud_vpc.main[1].id
  zone_mappings {
    zone_id    = var.az[0]
    vswitch_id = alicloud_vswitch.main[3].id # vsw4, vpc2 zone i
  }
  zone_mappings {
    zone_id    = var.az[1]
    vswitch_id = alicloud_vswitch.main[4].id # vsw5, vpc2 zone j
  }
  transit_router_vpc_attachment_name = "attach2"
}

# attach3: vpc3 via vsw7 (zone i) and vsw8 (zone j)
resource "alicloud_cen_transit_router_vpc_attachment" "attach3" {
  cen_id            = alicloud_cen_instance.cen1.id
  transit_router_id = alicloud_cen_transit_router.tr1.transit_router_id
  vpc_id            = alicloud_vpc.main[2].id
  zone_mappings {
    zone_id    = var.az[0]
    vswitch_id = alicloud_vswitch.main[6].id # vsw7, vpc3 zone i
  }
  zone_mappings {
    zone_id    = var.az[1]
    vswitch_id = alicloud_vswitch.main[7].id # vsw8, vpc3 zone j
  }
  transit_router_vpc_attachment_name = "attach3"
}

# three custom route tables for vpc1
resource "alicloud_route_table" "rt" {
  count            = 3
  vpc_id           = alicloud_vpc.main[0].id
  route_table_name = "${var.pname}-rt${count.index}"
  associate_type   = "VSwitch"
}

# associate them with vsw1, vsw2 and vsw3
resource "alicloud_route_table_attachment" "rt_attach" {
  count          = 3
  vswitch_id     = alicloud_vswitch.main[count.index].id
  route_table_id = alicloud_route_table.rt[count.index].id
}

# vpc1 route entries: vsw1 (where ecs1 lives) -> tr; vsw2 and vsw3 (tr ingress ENIs) -> ecs1
resource "alicloud_route_entry" "rt-entry1" {
  route_table_id        = alicloud_route_table.rt[0].id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Attachment"
  nexthop_id            = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
}

resource "alicloud_route_entry" "rt-entry2" {
  route_table_id        = alicloud_route_table.rt[1].id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Instance"
  nexthop_id            = alicloud_instance.main[0].id # ecs1
}

resource "alicloud_route_entry" "rt-entry3" {
  route_table_id        = alicloud_route_table.rt[2].id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Instance"
  nexthop_id            = alicloud_instance.main[0].id # ecs1
}

# vpc2 and vpc3 system route tables: everything -> tr
resource "alicloud_route_entry" "rt-entry4" {
  route_table_id        = alicloud_vpc.main[1].route_table_id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Attachment"
  nexthop_id            = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
}

resource "alicloud_route_entry" "rt-entry5" {
  route_table_id        = alicloud_vpc.main[2].route_table_id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Attachment"
  nexthop_id            = alicloud_cen_transit_router_vpc_attachment.attach3.transit_router_attachment_id
}

# two custom tr route tables
resource "alicloud_cen_transit_router_route_table" "tr_rt1" {
  transit_router_id               = alicloud_cen_transit_router.tr1.transit_router_id
  transit_router_route_table_name = "tr_rt1"
}

resource "alicloud_cen_transit_router_route_table" "tr_rt2" {
  transit_router_id               = alicloud_cen_transit_router.tr1.transit_router_id
  transit_router_route_table_name = "tr_rt2"
}

# associate tr_rt1 with attach2 and attach3
resource "alicloud_cen_transit_router_route_table_association" "ass1" {
  transit_router_route_table_id = alicloud_cen_transit_router_route_table.tr_rt1.transit_router_route_table_id
  transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
}

resource "alicloud_cen_transit_router_route_table_association" "ass2" {
  transit_router_route_table_id = alicloud_cen_transit_router_route_table.tr_rt1.transit_router_route_table_id
  transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach3.transit_router_attachment_id
}

# associate tr_rt2 with attach1
resource "alicloud_cen_transit_router_route_table_association" "ass3" {
  transit_router_route_table_id = alicloud_cen_transit_router_route_table.tr_rt2.transit_router_route_table_id
  transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
}

# tr route entries: tr_rt1 sends everything to vpc1; tr_rt2 sends scrubbed traffic to vpc2/vpc3
resource "alicloud_cen_transit_router_route_entry" "tr_rt1_entry1" {
  transit_router_route_table_id                     = alicloud_cen_transit_router_route_table.tr_rt1.transit_router_route_table_id
  transit_router_route_entry_destination_cidr_block = "0.0.0.0/0"
  transit_router_route_entry_next_hop_type          = "Attachment"
  transit_router_route_entry_next_hop_id            = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
}

resource "alicloud_cen_transit_router_route_entry" "tr_rt2_entry1" {
  transit_router_route_table_id                     = alicloud_cen_transit_router_route_table.tr_rt2.transit_router_route_table_id
  transit_router_route_entry_destination_cidr_block = "10.1.0.0/16"
  transit_router_route_entry_next_hop_type          = "Attachment"
  transit_router_route_entry_next_hop_id            = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
}

resource "alicloud_cen_transit_router_route_entry" "tr_rt2_entry2" {
  transit_router_route_table_id                     = alicloud_cen_transit_router_route_table.tr_rt2.transit_router_route_table_id
  transit_router_route_entry_destination_cidr_block = "10.2.0.0/16"
  transit_router_route_entry_next_hop_type          = "Attachment"
  transit_router_route_entry_next_hop_id            = alicloud_cen_transit_router_vpc_attachment.attach3.transit_router_attachment_id
}

output "ecs1_login_address" {
  value = "https://ecs-workbench.aliyun.com/?from=EcsConsole&instanceType=ecs&regionId=${var.default_region}&instanceId=${alicloud_instance.main[0].id}"
}

output "ecs2_login_address" {
  value = "https://ecs-workbench.aliyun.com/?from=EcsConsole&instanceType=ecs&regionId=${var.default_region}&instanceId=${alicloud_instance.main[1].id}"
}

output "ecs3_login_address" {
  value = "https://ecs-workbench.aliyun.com/?from=EcsConsole&instanceType=ecs&regionId=${var.default_region}&instanceId=${alicloud_instance.main[2].id}"
}
Initialize the directory to complete Terraform setup.
terraform init
Create the resources. Terraform previews the resources to be created; after you verify the plan, enter yes to start the creation process.
terraform apply
Step 2: Test the connectivity
Log on to the ECS2 instance named tf-CenSec-ecs2. The logon address for ECS2 is available in the Terraform outputs. Copy the address to a browser and choose Temporary SSH Key-based as the authentication method.
Run the mtr command on ECS2 to test the network path to ECS3:
mtr 10.2.0.1 -i 5
-i 5 indicates that ping requests are sent every 5 seconds. The results show that packets from ECS2 to ECS3 are routed through ECS1 (10.0.0.1). This confirms that traffic between VPC2 and VPC3 is directed through ECS1, the security ECS.
Step 3: Release resources
When verification is complete and you no longer need the resources, run the command below to release them and stop billing.
terraform destroy --auto-approve