This topic describes how to use Enterprise Edition transit routers to enable Elastic Compute Service (ECS) instances that are deployed in virtual private clouds (VPCs) to access Object Storage Service (OSS) across regions over VPC connections.
Scenarios
The following scenario is used as an example. A company deployed VPC1 in the China (Shanghai) region. Services are deployed on the ECS instances in VPC1. The company activated OSS in the China (Hangzhou) region. The company wants to enable the ECS instances in VPC1 to access OSS in the China (Hangzhou) region.
To address this issue, the company can create a VPC (VPC2) in the China (Hangzhou) region, in which OSS is deployed, and connect VPC1 and VPC2 to the Enterprise Edition transit routers in the China (Shanghai) and China (Hangzhou) regions. The Enterprise Edition transit routers allow VPC1 and VPC2 to communicate with each other over inter-region connections. This way, the ECS instances in VPC1 can access OSS in VPC2.
To allow ECS instances in a VPC to access OSS in a different region by using Enterprise Edition transit routers, at least one VPC must be deployed in the region where OSS is activated. In this example, if a VPC exists in the China (Hangzhou) region, the company does not need to create VPC2 and can connect the existing VPC to the Enterprise Edition transit router. The ECS instances in the China (Shanghai) region can access OSS through any VPC in the China (Hangzhou) region.
Network planning
When you assign CIDR blocks, make sure that the CIDR blocks of the VPCs do not overlap.
Resource | VPC region | CIDR block and IP address |
VPC1 | China (Shanghai) | Primary CIDR block: 192.168.0.0/16.
|
VPC2 | China (Hangzhou) | Primary CIDR block: 172.16.0.0/16.
|
Prerequisites
The following prerequisites must be met before you start:
OSS is activated in the China (Hangzhou) region. For more information, see Get started with OSS.
VPC1 is created in the China (Shanghai) region. Services are deployed on the ECS instances in VPC1. For more information, see Create a VPC with an IPv4 CIDR block.
VPC2 is deployed in the China (Hangzhou) region. For more information, see Create and manage a VPC.
Sufficient vSwitches are deployed for each VPC in the zones of the Enterprise Edition transit router. Each vSwitch has at least one idle IP address.
If the Enterprise Edition transit router supports only one zone, for example, China (Nanjing-Local Region), the VPC must have at least one vSwitch in the zone.
If the Enterprise Edition transit router supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.
For more information, see How a VPC connection works.
You have knowledge of the security group rules for VPC1 and VPC2. The security group rules allow the ECS instances in VPC1 to access OSS through VPC2. For more information, see View security group rules and Add a security group rule.
A Cloud Enterprise Network (CEN) instance is created. For more information, see Create a CEN instance.
Enterprise Edition transit routers are deployed in the China (Shanghai) and China (Hangzhou) regions. For more information, see Create a transit router.
When you create Enterprise Edition transit routers, use the default settings.
Procedure
Step 1: Create VPC connections
Connect VPC1 to the Enterprise Edition transit router in the China (Shanghai) region, and connect VPC2 to the Enterprise Edition transit router in the China (Hangzhou) region.
Log on to the CEN console.
On the Instances page, find the CEN instance that you want to manage and click the instance ID.
In this example, the CEN instance mentioned in the Prerequisites section is used.
On the tab, find a transit router and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK:
Configure the parameters based on the following table to connect VPC1 to the Enterprise Edition transit router in the China (Shanghai) region and connect VPC2 to the Enterprise Edition transit router in the China (Hangzhou) region.
Parameter
Description
VPC1
VPC2
Network Type
Select the type of the network instance that you want to connect.
VPC
VPC.
Region
Select the region where the VPC is deployed.
China (Shanghai)
China (Hangzhou)
Transit Router
The system automatically displays the ID of the transit router in the selected region.
Resource Owner ID
Select the Alibaba Cloud account to which the network instance belongs.
Current Account
Current Account
Billing Method
Default value: Pay-As-You-Go.
Attachment Name
Enter a name for the network connection.
In this example, VPC1 Connection is used.
In this example, VPC2 Connection is used.
Network Instance
Select the ID of the network instance.
Select VPC1.
Select VPC2.
VSwitch
Select a vSwitch in a zone of the transit router.
If each zone of the transit router has a vSwitch, you can select multiple zones and select a vSwitch in each of the zones to enable zone-disaster recovery.
Shanghai Zone F: Select vSwitch 1.
Shanghai Zone G: Select vSwitch 2.
Hangzhou Zone H: Select vSwitch 1.
Hangzhou Zone I: Select vSwitch 2.
Advanced Settings
Use the default settings for VPC1 and VPC2. All advanced features are enabled for the VPCs.
Step 2: Create an inter-region connection
The Enterprise Edition transit router of VPC1 and the Enterprise Edition transit router of VPC2 are deployed in different regions. Therefore, VPC1 and VPC2 cannot communicate with each other by default. To allow VPC1 and VPC2 to communicate with each other across regions, you need to create an inter-region connection between the China (Hangzhou) region and the China (Shanghai) region.
Inter-region connections support the Allocate from Bandwidth Plan and Pay-As-You-Go bandwidth allocation modes. In this example, Allocate from Bandwidth Plan is selected.
Purchase a bandwidth plan.
Purchase a bandwidth plan to allocate bandwidth for inter-region communication before you create an inter-region connection.
On the Instances page, find the CEN instance that you want to manage and click its ID.
On the details page of the CEN instance, choose and click Purchase Bandwidth Plan(Subscription).
On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
Parameter
Description
CEN ID
Select the CEN instance for which you want to purchase the bandwidth plan.
After you complete the payment, the bandwidth plan is automatically associated with the CEN instance.
In this example, the CEN instance created in the Preparations section is selected.
Area A
Select one of the areas where you want to enable inter-region communication.
Mainland China is selected in this example.
NoteAfter you purchase a bandwidth plan, you cannot change the areas that you selected for the bandwidth plan.
For more information about the regions and areas that support bandwidth plans, see Work with a bandwidth plan.
Area B
Select the other area where you want to enable inter-region communication.
Mainland China is selected in this example.
Billing method
Displays the billing method of the bandwidth plan. The default billing method is Pay by Bandwidth.
For more information about bandwidth plan billing, see Billing rules.
Bandwidth
Select a bandwidth value based on your business requirements. Unit: Mbit/s.
Bandwidth_package_name
Enter a name for the bandwidth plan.
Order time
Select a subscription duration for the bandwidth plan.
You can select Auto-renewal to allow the system to automatically renew the bandwidth plan.
Create an inter-region connection.
On the Instances page, find the CEN instance that you want to manage and click its ID.
Navigate to the tab and click Set Region Connection.
On the Connection with Peer Network Instance page, set the following parameters and click OK.
Parameter
Description
Network type
Inter-region Connection is selected in this example.
Region
Select the region that you want to connect.
China (Hangzhou) is selected in this example.
Transit Router
The system automatically displays the ID of the transit router in the selected region.
Attachment Name
Enter a name for the inter-region connection.
In this example, Cross-Region-test is used.
Peer Region
Select the other region to be connected.
In this example, China (Shanghai) is selected.
Transit Router
The system automatically displays the ID of the transit router in the selected region.
Bandwidth Allocation Mode
The following modes are supported:
Allocate from Bandwidth Plan: Bandwidth resources are allocated from a purchased bandwidth plan.
Pay-By-Data-Transfer: You are charged for data transfer over the inter-region connection.
In this example, Allocate from Bandwidth Plan is selected.
Bandwidth Plan
Select the bandwidth plan that is associated with the CEN instance.
Bandwidth
Specify a bandwidth value for the inter-region connection. Unit: Mbit/s.
Advanced Settings
By default, all advanced features are enabled. In this example, the default setting is used.
Step 3: Add routes that point to OSS to VPC1
After you create an inter-region connection, VPC1 and VPC2 can communicate with each other by using the Enterprise Edition transit routers. However, the ECS instances in VPC1 cannot access OSS in VPC2. You must add routes that point to OSS to the route table of VPC1 to route network traffic from VPC1 to the Enterprise Edition transit router.
Log on to the VPC console.
In the top navigation bar, select the region where VPC1 resides.
In this example, China (Shanghai) is selected.
In the left-side navigation pane, click Route Tables.
On the Route Tables page, find the route table of VPC1 and click its ID.
In this example, VPC1 has only one system route table. If your VPC has multiple route tables, select the one that is associated with the vSwitch in which the ECS instances are deployed.
On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.
In the Add Route Entry panel, configure the following parameters and click OK.
Add routes that point to all CIDR blocks of OSS in the China (Hangzhou) region to the route table of VPC1. The following table describes the parameters.
For more information about the CIDR blocks of OSS in the China (Hangzhou) region, see Internal endpoints of OSS buckets and VIP ranges.
Parameter
Description
Route 1
Route 2
Route 3
Route 4
Name
Enter a name for the custom route.
OSS CIDR Block 1
OSS CIDR Block 2
OSS CIDR Block 3
OSS CIDR Block 4
Destination CIDR block
Enter the destination CIDR block.
100.118.28.0/24
100.114.102.0/24
100.98.170.0/24
100.118.31.0/24
Next Hop Type
Select a next hop type and select a next hop for the custom route.
Select Transit Router and then select VPC1 Connection.
Select Transit Router and then select VPC1 Connection.
Select Transit Router and then select VPC1 Connection.
Select Transit Router and then select VPC1 Connection.
Step 4: Add routes that point to OSS to the transit router
You need to add routes that point to OSS to the route table of the Enterprise Edition transit router in the China (Hangzhou) region. When requests from the ECS instances in VPC1 reach the Enterprise Edition transit router, the Enterprise Edition transit router forwards the requests to VPC2 based on the routing policy of OSS. Then, the ECS instances can access OSS through VPC2.
Log on to the CEN console.
On the Instances page, find the CEN instance that you want to manage and click the instance ID.
On the tab, find the transit router in the China (Hangzhou) region and click its ID.
On the details page of the transit router, click the Route Table tab. In the left-side management pane, click the route table that you want to manage.
VPC1 and VPC2 use the default settings and are in associated forwarding relationship with the default tables of the Enterprise Edition transit routers by default. Therefore, the default route table (system route table) of the transit router is selected in this example.
On the Route Entry tab, click Add Route Entry.
In the Add Route Entry dialog box, set the following parameters and click OK.
Add routes that point to the CIDR blocks of OSS in the China (Hangzhou) region to the route table of the Enterprise Edition transit router.
Parameter
Description
Route 1
Route 2
Route 3
Route 4
Name
Enter a name for the route.
OSS CIDR Block 1
OSS CIDR Block 2
OSS CIDR Block 3
OSS CIDR Block 4
Destination CIDR Block
Enter a destination CIDR block for the route.
100.118.28.0/24
100.114.102.0/24
100.98.170.0/24
100.118.31.0/24
Blackhole Route
Specify whether the route is a blackhole route.
Yes: specifies that the route is a blackhole route. All traffic destined for this route is dropped.
No: specifies that the route is not a blackhole route. In this case, you must specify the next hop of the route.
Select No.
Select No.
Select No.
Select No.
Next Hop
Select a next hop.
Select VPC2 Connection.
Select VPC2 Connection.
Select VPC2 Connection.
Select VPC2 Connection.
Step 5: Test the network connectivity
After you complete the preceding steps, the ECS instances in VPC1 can access OSS across regions over VPC connections. In this example, ECS1 is used to download an image from OSS to check whether the ECS instances in VPC1 can access OSS.
Log on to ECS1 in VPC1. For more information, see Connection method overview.
Use ECS1 to download an image named OSStest.jpg from OSS.
NoteBefore you run the test, make sure that the ECS instance is granted read/write permissions on the image file. For more information, see ACL overview.
wget https://zxtXXXXX.oss-cn-hangzhou-internal.aliyuncs.com/OSStest.jpg # zxtXXXXX.oss-cn-hangzhou-internal.aliyuncs.com" is the domain name of OSS. # OSStest.jpg is the name of the image file.For more information about OSS domain names, see OSS domain names.
The following response indicates that ECS1 can access OSS over VPC connections.
Routes
In this topic, the default routing configuration is used to create the VPC and inter-region connections. When the default routing configuration is used, CEN automatically learns and advertises routes to enable VPC1 and VPC2 to communicate with each other. The following sections describe the default routing configuration:
VPC connection
If you use the default routing configuration (with all advanced features enabled) when you create a VPC connection, the system automatically applies the following routing configuration to the VPC:
Associate with Default Route Table of Transit Router
After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.
Automatically Create Route That Points to Transit Router and Adds to All Route Tables of Current VPC
After this feature is enabled, the system automatically adds the following routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the VPC connection.
Inter-region connection
If you use the default routing configuration (with all advanced features enabled) when you create an inter-region connection, the system automatically applies the following routing configuration to the inter-region connection:
Associate with Default Route Table of Transit Router
After this feature is enabled, the inter-region connection is automatically associated with the default route table of the transit router. The transit router uses the default route table to forward network traffic across regions.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the inter-region connection is associated with the default route tables of the transit routers in the connected regions.
Automatically Advertise Routes to Peer Region
After this feature is enabled, the routes in the route table of the transit router in the current region are automatically advertised to the route table of the peer transit router for cross-region communication. The route tables of the transit routers refer to the route tables that are associated with the inter-region connection.
View routes
You can check the routes in the Alibaba Cloud Management Console.
For more information about routes of transit routers, see View routes of an Enterprise Edition transit router.
For more information about routes of VPCs, see Create and manage a route table.