
Cloud Enterprise Network:Access cross-region OSS from ECS via Transit Router

Last Updated:Jun 21, 2026

This topic describes how to use an Enterprise Edition transit router to enable ECS instances in a Virtual Private Cloud (VPC) to privately access OSS across regions.

Note

The sample code in this tutorial can be run with a single click: one-click run.

Scenario


In this scenario, an enterprise has deployed applications on ECS instances in VPC1, a VPC in the China (Shanghai) region. The enterprise also uses an OSS service in the China (Hangzhou) region. The goal is to allow these ECS instances to privately access the OSS service and retrieve resources.

OSS is a regional service and does not reside in any VPC. However, a VPC in the same region can access the OSS service through its internal endpoint. Therefore, you must create a VPC, VPC2, in the China (Hangzhou) region, where the OSS service is available, to serve as a transit network. Then, connect VPC1 and VPC2 to the Enterprise Edition transit routers in their respective regions and create an inter-region connection between the two transit routers. You must also manually add routes to the internal CIDR block of OSS in VPC1 and on the transit router in the China (Hangzhou) region. After you complete the configuration, data from an ECS instance in VPC1 flows to OSS as follows: ECS instance → transit router in China (Shanghai) → inter-region connection → transit router in China (Hangzhou) → VPC2 → OSS internal endpoint.

Note

In this solution, VPC2 serves only as a transit network, providing a path for inter-region traffic to the OSS internal endpoint. If you already have a VPC in the China (Hangzhou) region, you can connect it directly to the Enterprise Edition transit router to serve as the transit network. You do not need to create VPC2.

Network planning

Important

Ensure that the CIDR blocks of interconnected VPCs do not overlap.

Resource | VPC region | CIDR and IP

VPC1 | China (Shanghai) | Primary CIDR block: 192.168.0.0/16

  • CIDR block for VSwitch 1: 192.168.0.0/24 (in availability zone M).

  • CIDR block for VSwitch 2: 192.168.20.0/24 (in availability zone N).

  • ECS IP address: 192.168.0.1 (for an instance in VSwitch 1).

VPC2 | China (Hangzhou) | Primary CIDR block: 172.16.0.0/16

  • CIDR block for VSwitch 1: 172.16.1.0/24 (in availability zone J).

  • CIDR block for VSwitch 2: 172.16.2.0/24 (in availability zone K).

Steps

This topic describes two configuration methods: console and Terraform.

Console

Before you begin

Before you begin, ensure you have completed the following preparations. For information about the CIDR blocks of each resource, see the Network planning section above.

  • In the China (Shanghai) region: Create a VPC named VPC1 with the primary CIDR block 192.168.0.0/16. In VPC1, create vSwitches in two separate availability zones, each with at least one available IP address, and deploy an ECS instance in one of the vSwitches. For more information, see Create an IPv4 VPC.

  • In the China (Hangzhou) region: Deploy an OSS service by creating an OSS bucket. For instructions, see Quick start.

  • Configure the security group rules for VPC1 to allow the required traffic. For more information, see Query security group rules and Add security group rules.

Step 1: Create a transit VPC

In the China (Hangzhou) region, create a VPC named VPC2 with the primary CIDR block 172.16.0.0/16. Then, create vSwitches in two separate availability zones, ensuring that each vSwitch has at least one available IP address. In this solution, VPC2 serves as the transit network for accessing the OSS service. If you already have a VPC instance in the China (Hangzhou) region, you can skip this step and select the existing VPC in Step 2. For more information, see Create and manage a VPC.

After you create VPC2, make sure that its security group rules allow the required traffic and do not block cross-region traffic from VPC1. For more information, see Query security group rules and Add security group rules.

Step 2: Use the scenario-based networking tool

Use the scenario-based networking tool of CEN to automatically create a CEN instance, Enterprise Edition transit routers, VPC connections, and an inter-region connection, and configure their routes.

  1. Log on to the CEN console. On the CEN Instance page, click Create CEN Instance.

  2. In the Create CEN Instance dialog box, select Create Scenario-specific CEN (Recommended). For VPC Interconnection, select VPC Interconnection and click Start scenario-based creation.

  3. On the first region tab, add the networking configurations:

    • Region: Select China (Hangzhou).

    • Zone: Select Availability Zone J and Availability Zone K.

    • VPC: Select VPC2 and its two corresponding vSwitches.

  4. Click + on the right side of the tab to add a new region tab, and then add the networking configurations:

    • Region: Select China (Shanghai).

    • Zone: Select Availability Zone M and Availability Zone N.

    • VPC: Select VPC1 and its two corresponding vSwitches.

  5. Click Next. Generating the configuration overview takes a few minutes. On the Confirm Networking Settings and Fees page, review the resources that will be automatically created and their costs. After you confirm the information, click Start deployment.

  6. The deployment takes about 10 minutes. After the deployment is complete, the following resources are automatically created:

    • A CEN instance.

    • One Enterprise Edition transit router in the China (Hangzhou) region and one in the China (Shanghai) region.

    • VPC connections from VPC1 and VPC2 to the transit routers in their respective regions.

    • An inter-region connection between the two transit routers.

Note

Although VPC1 and VPC2 can communicate over a private connection after the scenario-based networking is complete, the ECS instances in VPC1 cannot yet access the OSS service.

Step 3: Configure VPC routes to OSS

After the inter-region connection is created, VPC1 and VPC2 can communicate with each other through the Enterprise Edition transit routers. However, ECS instances in VPC1 still cannot privately access the OSS service through the Enterprise Edition transit router and VPC2. You must add routes to the OSS service in the route table of VPC1 to direct traffic destined for the OSS service to the Enterprise Edition transit router.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC1 instance is deployed.

    In this example, China (Shanghai) is selected.

  3. In the navigation pane on the left, click Route Tables.

  4. On the Route Tables page, find the route table of VPC1 and click its ID.

    In this example, VPC1 has only one system route table. If your VPC has multiple route tables, select the route table that is associated with the vSwitch where the ECS instance is deployed.

  5. On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.

  6. In the Add Route Entry panel, configure the following parameters and click OK.

    Add routes to all CIDR blocks of the OSS service in the China (Hangzhou) region to the route table of VPC1.

    For a list of all CIDR blocks for the OSS service in the China (Hangzhou) region, see Access OSS by using endpoints and bucket domain names.

    Parameter | Description | Route entry 1 | Route entry 2 | Route entry 3 | Route entry 4

    Name | Enter a name for the custom route entry. | OSS CIDR block 1 | OSS CIDR block 2 | OSS CIDR block 3 | OSS CIDR block 4

    Destination CIDR Block | Enter the destination CIDR block. | 100.118.28.0/24 | 100.114.102.0/24 | 100.98.170.0/24 | 100.118.31.0/24

    Next Hop Type | Select the next hop type for the custom route entry, and then select the next hop. | Transit Router, VPC1 connection | Transit Router, VPC1 connection | Transit Router, VPC1 connection | Transit Router, VPC1 connection

Step 4: Configure transit router routes to OSS

You must also add routes to the OSS service in the route table of the Enterprise Edition transit router in the China (Hangzhou) region. These routes direct traffic from the ECS instances in VPC1 to VPC2, which enables them to privately access the OSS service.

  1. Log on to the CEN console.

  2. On the Cloud Enterprise Network page, find the target CEN instance and click its ID.

  3. On the Basic Settings > Transit Router tab, find the transit router instance in the China (Hangzhou) region and click its ID.

  4. On the details page of the transit router instance, click the Route Table tab. On the left side of the tab, select the target route table.

    By default, the advanced settings for the VPC1 and VPC2 connections associate them with the default route table of the transit router. Therefore, the default route table (system route table) of the transit router is selected in this example.

  5. On the Route Entry tab, click Add Route Entry.

  6. In the Add Route Entry dialog box, configure the following parameters and click OK.

    Add routes to all CIDR blocks of the OSS service in the China (Hangzhou) region to the route table of the transit router.

    Parameter | Description | Route entry 1 | Route entry 2 | Route entry 3 | Route entry 4

    Name | Enter a name for the route entry. | OSS CIDR block 1 | OSS CIDR block 2 | OSS CIDR block 3 | OSS CIDR block 4

    Destination CIDR | Enter the destination CIDR block for the route entry. | 100.118.28.0/24 | 100.114.102.0/24 | 100.98.170.0/24 | 100.118.31.0/24

    Blackhole Route | Indicates whether the route is a blackhole route. Yes: all traffic destined for this route is dropped. No: the route is not a blackhole route, and you must specify a next hop. | No | No | No | No

    Next Hop | Select the next hop for the route entry. | VPC2 connection | VPC2 connection | VPC2 connection | VPC2 connection

Step 5: Test the connectivity

After you complete the previous steps, the ECS instances in VPC1 can privately access the cross-region OSS service. This example tests the connectivity by downloading an image from the OSS service to an ECS instance in VPC1.

  1. Log on to the ECS instance in VPC1. For more information, see Connection guide for ECS instances.

  2. From the ECS instance, attempt to download an image named OSStest.jpg from the OSS service.

    Note

    Before you run the test, make sure that the permissions on the destination file allow access from the ECS instance. For more information, see Overview of permissions and access control.

    wget https://zxtXXXXX.oss-cn-hangzhou-internal.aliyuncs.com/OSStest.jpg
    # zxtXXXXX.oss-cn-hangzhou-internal.aliyuncs.com is the access domain name of the OSS service.
    # OSStest.jpg is the name of the destination file.

    For more information about OSS access domain names, see Access OSS over IPv6.

    If a response similar to the following one is returned, the ECS instance can privately access the cross-region OSS service.

    [root@iZuf6bxxx hblZ ~]# wget https://zxxx2.oss-cn-hangzhou-internal.aliyuncs.com/OSStest.jpg
    --2023-01-29 16:54:46--  https://zxtxxx2.oss-cn-hangzhou-internal.aliyuncs.com/OSStest.jpg
    Resolving zxtxxx2.oss-cn-hangzhou-internal.aliyuncs.com (zxtxxx2.oss-cn-hangzhou-internal.aliyuncs.com)... 100.xxx.50, 100.xxx.49, 100.xxx.45, ...
    Connecting to zxtxxx2.oss-cn-hangzhou-internal.aliyuncs.com (zxxxx s2.oss-cn-hangzhou-internal.aliyuncs.com)|100.xxx.50|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 611894 (598K) [image/jpeg]
    Saving to: 'OSStest.jpg.5'
    OSStest.jpg.5                 100%[=================================================>] 597.55K     132KB/s    in 4.5s
    2023-01-29 16:54:51 (132 KB/s) - 'OSStest.jpg.5' saved [611894/611894]

Terraform

You can use Terraform to build the environment for this example. For information about how to install and configure Terraform, see Install Terraform.

The following steps describe how to run Terraform v1.9.8 on a Linux host. Before you start, make sure that you have configured Authentication.

Note

Some resources in this tutorial may incur costs. To prevent further charges, release the resources when they are no longer needed.

Step 1: Create resources

  1. Create a directory for the scenario and navigate to it.

    mkdir tf-cen-oss && cd tf-cen-oss
  2. Create a main.tf file to define the resource information.

    touch main.tf
  3. Open the main.tf file, and then copy and paste the following code into the file. This file contains the resources and configurations required for this scenario.

    variable "pname" {
      description = "The prefix name for resources"
      type        = string
      default     = "tf-cen-oss"
    }
    variable "region_id_hangzhou" {
      description = "The region id of hangzhou"
      type        = string
      default     = "cn-hangzhou"
    }
    variable "region_id_shanghai" {
      description = "The region id of shanghai"
      type        = string
      default     = "cn-shanghai"
    }
    variable "az_hangzhou" {
      description = "List of availability zones to use"
      type        = list(string)
      default     = ["cn-hangzhou-j", "cn-hangzhou-k"]
    }
    variable "az_shanghai" {
      description = "List of availability zones to use"
      type        = list(string)
      default     = ["cn-shanghai-m", "cn-shanghai-n"]
    }
    variable "cidr_list" {
      description = "List of VPC CIDR block"
      type        = list(string)
      default     = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    }
    # --- provider ---
    provider "alicloud" { # default region hangzhou
      region = var.region_id_hangzhou
    }
    provider "alicloud" {
      alias  = "hangzhou"
      region = var.region_id_hangzhou
    }
    provider "alicloud" {
      alias  = "shanghai"
      region = var.region_id_shanghai
    }
    # ---  oss ---
    resource "random_uuid" "default" {
    }
    resource "alicloud_oss_bucket" "bucket1" {
      provider = alicloud.hangzhou
      bucket   = substr("${var.pname}-${replace(random_uuid.default.result, "-", "")}", 0, 32)
    }
    resource "alicloud_oss_bucket_policy" "default" {
      provider = alicloud.hangzhou
      policy   = jsonencode({ "Version" : "1", "Statement" : [{ "Action" : ["oss:GetObject"], "Effect" : "Allow", "Resource" : ["acs:oss:*:*:${alicloud_oss_bucket.bucket1.bucket}"] }] })
      bucket   = alicloud_oss_bucket.bucket1.bucket
    }
    resource "alicloud_oss_bucket_object" "obj1" {
      provider = alicloud.hangzhou
      bucket   = alicloud_oss_bucket.bucket1.bucket
      key      = "example.txt"                     # Name of the file in the bucket
      content  = "this is example text content \n" # Content of the file
      acl      = "public-read"
    }
    # --- vpc ---
    resource "alicloud_vpc" "vpc1" {
      provider   = alicloud.shanghai
      vpc_name   = "${var.pname}-1"
      cidr_block = "192.168.0.0/16"
    }
    resource "alicloud_vpc" "vpc2" {
      provider   = alicloud.hangzhou
      vpc_name   = "${var.pname}-2"
      cidr_block = "172.16.0.0/16"
    }
    resource "alicloud_vswitch" "vsw1-1" {
      provider     = alicloud.shanghai
      vpc_id       = alicloud_vpc.vpc1.id
      cidr_block   = "192.168.0.0/24"
      zone_id      = var.az_shanghai[0]
      vswitch_name = "${var.pname}-vsw1-1"
    }
    resource "alicloud_vswitch" "vsw1-2" {
      provider     = alicloud.shanghai
      vpc_id       = alicloud_vpc.vpc1.id
      cidr_block   = "192.168.1.0/24"
      zone_id      = var.az_shanghai[1]
      vswitch_name = "${var.pname}-vsw1-2"
    }
    resource "alicloud_vswitch" "vsw2-1" {
      provider     = alicloud.hangzhou
      vpc_id       = alicloud_vpc.vpc2.id
      cidr_block   = "172.16.0.0/24"
      zone_id      = var.az_hangzhou[0]
      vswitch_name = "${var.pname}-vsw2-1"
    }
    resource "alicloud_vswitch" "vsw2-2" {
      provider     = alicloud.hangzhou
      vpc_id       = alicloud_vpc.vpc2.id
      cidr_block   = "172.16.1.0/24"
      zone_id      = var.az_hangzhou[1]
      vswitch_name = "${var.pname}-vsw2-2"
    }
    # --- cen ---
    # cen
    resource "alicloud_cen_instance" "cen1" {
      cen_instance_name = "${var.pname}-cen1"
    }
    # tr
    resource "alicloud_cen_transit_router" "tr1" {
      provider            = alicloud.shanghai
      transit_router_name = "${var.pname}-tr1"
      cen_id              = alicloud_cen_instance.cen1.id
    }
    resource "alicloud_cen_transit_router" "tr2" {
      provider            = alicloud.hangzhou
      transit_router_name = "${var.pname}-tr2"
      cen_id              = alicloud_cen_instance.cen1.id
    }
    data "alicloud_cen_transit_router_route_tables" "tr1" { # get tr sys table
      transit_router_id               = alicloud_cen_transit_router.tr1.transit_router_id
      transit_router_route_table_type = "System"
    }
    data "alicloud_cen_transit_router_route_tables" "tr2" {
      transit_router_id               = alicloud_cen_transit_router.tr2.transit_router_id
      transit_router_route_table_type = "System"
    }
    # tr-peer
    resource "alicloud_cen_transit_router_peer_attachment" "peer" {
      provider                      = alicloud.shanghai
      cen_id                        = alicloud_cen_instance.cen1.id
      transit_router_id             = alicloud_cen_transit_router.tr1.transit_router_id
      peer_transit_router_region_id = var.region_id_hangzhou
      peer_transit_router_id        = alicloud_cen_transit_router.tr2.transit_router_id
      bandwidth_type                = "DataTransfer"
      bandwidth                     = 1
      auto_publish_route_enabled    = true # default is false
    }
    resource "alicloud_cen_transit_router_route_table_association" "ass_peer1" {
      transit_router_route_table_id = data.alicloud_cen_transit_router_route_tables.tr1.tables[0].id
      transit_router_attachment_id  = alicloud_cen_transit_router_peer_attachment.peer.transit_router_attachment_id
    }
    resource "alicloud_cen_transit_router_route_table_propagation" "propa_peer1" {
      transit_router_route_table_id = data.alicloud_cen_transit_router_route_tables.tr1.tables[0].id
      transit_router_attachment_id  = alicloud_cen_transit_router_peer_attachment.peer.transit_router_attachment_id
    }
    resource "alicloud_cen_transit_router_route_table_association" "ass_peer2" {
      transit_router_route_table_id = data.alicloud_cen_transit_router_route_tables.tr2.tables[0].id
      transit_router_attachment_id  = alicloud_cen_transit_router_peer_attachment.peer.transit_router_attachment_id
    }
    resource "alicloud_cen_transit_router_route_table_propagation" "propa_peer2" {
      transit_router_route_table_id = data.alicloud_cen_transit_router_route_tables.tr2.tables[0].id
      transit_router_attachment_id  = alicloud_cen_transit_router_peer_attachment.peer.transit_router_attachment_id
    }
    # attach1  
    resource "alicloud_cen_transit_router_vpc_attachment" "attach1" {
      provider          = alicloud.shanghai
      cen_id            = alicloud_cen_instance.cen1.id
      transit_router_id = alicloud_cen_transit_router.tr1.transit_router_id
      vpc_id            = alicloud_vpc.vpc1.id
      zone_mappings {
        zone_id    = var.az_shanghai[0]
        vswitch_id = alicloud_vswitch.vsw1-1.id
      }
      zone_mappings {
        zone_id    = var.az_shanghai[1]
        vswitch_id = alicloud_vswitch.vsw1-2.id
      }
      transit_router_vpc_attachment_name = "attach1"
    }
    resource "alicloud_cen_transit_router_route_table_association" "ass1" {
      transit_router_route_table_id = data.alicloud_cen_transit_router_route_tables.tr1.tables[0].id
      transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
    }
    resource "alicloud_cen_transit_router_route_table_propagation" "propa1" {
      transit_router_route_table_id = data.alicloud_cen_transit_router_route_tables.tr1.tables[0].id
      transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
    }
    resource "alicloud_route_entry" "vpc1_to_tr1" {
      provider              = alicloud.shanghai
      count                 = 3
      route_table_id        = alicloud_vpc.vpc1.route_table_id
      destination_cidrblock = var.cidr_list[count.index]
      nexthop_type          = "Attachment"
      nexthop_id            = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
    }
    # attach2
    resource "alicloud_cen_transit_router_vpc_attachment" "attach2" {
      provider          = alicloud.hangzhou
      cen_id            = alicloud_cen_instance.cen1.id
      transit_router_id = alicloud_cen_transit_router.tr2.transit_router_id
      vpc_id            = alicloud_vpc.vpc2.id
      zone_mappings {
        zone_id    = var.az_hangzhou[0]
        vswitch_id = alicloud_vswitch.vsw2-1.id
      }
      zone_mappings {
        zone_id    = var.az_hangzhou[1]
        vswitch_id = alicloud_vswitch.vsw2-2.id
      }
      transit_router_vpc_attachment_name = "attach2"
    }
    resource "alicloud_cen_transit_router_route_table_association" "ass2" {
      transit_router_route_table_id = data.alicloud_cen_transit_router_route_tables.tr2.tables[0].id
      transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
    }
    resource "alicloud_cen_transit_router_route_table_propagation" "propa2" {
      transit_router_route_table_id = data.alicloud_cen_transit_router_route_tables.tr2.tables[0].id
      transit_router_attachment_id  = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
    }
    resource "alicloud_route_entry" "vpc2_to_tr2" {
      provider              = alicloud.hangzhou
      count                 = 3
      route_table_id        = alicloud_vpc.vpc2.route_table_id
      destination_cidrblock = var.cidr_list[count.index]
      nexthop_type          = "Attachment"
      nexthop_id            = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
    }
    # oss_cidr
    variable "oss_cidr" {
      description = "The OSS CIDR block"
      type        = list(string)
      default     = ["100.118.28.0/24", "100.114.102.0/24", "100.98.170.0/24", "100.118.31.0/24"]
    }
    # vpc entry
    resource "alicloud_route_entry" "entry" {
      provider              = alicloud.shanghai
      count                 = 4
      route_table_id        = alicloud_vpc.vpc1.route_table_id
      destination_cidrblock = var.oss_cidr[count.index]
      nexthop_type          = "Attachment"
      nexthop_id            = alicloud_cen_transit_router_vpc_attachment.attach1.transit_router_attachment_id
    }
    # tr entry 
    resource "alicloud_cen_transit_router_route_entry" "tr2_rt1_entry1" {
      count                                             = 4
      transit_router_route_table_id                     = data.alicloud_cen_transit_router_route_tables.tr2.tables[0].id
      transit_router_route_entry_destination_cidr_block = var.oss_cidr[count.index]
      transit_router_route_entry_next_hop_type          = "Attachment"
      transit_router_route_entry_next_hop_id            = alicloud_cen_transit_router_vpc_attachment.attach2.transit_router_attachment_id
    }
    # --- ecs ---
    resource "alicloud_instance" "main" {
      provider             = alicloud.shanghai
      depends_on           = [alicloud_cen_transit_router_route_entry.tr2_rt1_entry1]
      instance_name        = "${var.pname}-ecs"
      instance_type        = "ecs.e-c1m1.large"
      security_groups      = [alicloud_security_group.default.id]
      vswitch_id           = alicloud_vswitch.vsw1-1.id
      image_id             = "aliyun_3_x64_20G_qboot_alibase_20230727.vhd"
      system_disk_category = "cloud_essd"
      private_ip           = "192.168.0.1"
      instance_charge_type = "PostPaid"
      user_data = base64encode(<<-EOT
        #!/bin/bash
        curl  https://${alicloud_oss_bucket.bucket1.bucket}.${alicloud_oss_bucket.bucket1.intranet_endpoint}/${alicloud_oss_bucket_object.obj1.key}  > /root/curl.txt
      EOT
      )
    }
    # sg
    resource "alicloud_security_group" "default" {
      provider = alicloud.shanghai
      name     = var.pname
      vpc_id   = alicloud_vpc.vpc1.id
    }
    resource "alicloud_security_group_rule" "allow_inbound_ssh" {
      provider          = alicloud.shanghai
      type              = "ingress"
      ip_protocol       = "tcp"
      nic_type          = "intranet"
      policy            = "accept"
      port_range        = "22/22"
      priority          = 1
      security_group_id = alicloud_security_group.default.id
      cidr_ip           = "0.0.0.0/0"
    }
    resource "alicloud_security_group_rule" "allow_inbound_icmp" {
      provider          = alicloud.shanghai
      type              = "ingress"
      ip_protocol       = "icmp"
      nic_type          = "intranet"
      policy            = "accept"
      port_range        = "-1/-1"
      priority          = 1
      security_group_id = alicloud_security_group.default.id
      cidr_ip           = "0.0.0.0/0"
    }
    # --- output ---
    output "ecs_login_address" {
      value = "https://ecs-workbench.aliyun.com/?from=EcsConsole&instanceType=ecs&regionId=${var.region_id_shanghai}&instanceId=${alicloud_instance.main.id}"
    }
    output "test_command" {
      value = "curl ${alicloud_oss_bucket.bucket1.bucket}.${alicloud_oss_bucket.bucket1.intranet_endpoint}/${alicloud_oss_bucket_object.obj1.key}"
    }
  4. Initialize your Terraform configuration.

    terraform init
  5. Create the resources. Terraform previews the resources to be created. After you confirm, enter yes to start the creation process.

    terraform apply

Step 2: Test connectivity

  1. Log on to the ECS instance named tf-cen-oss-ecs.

    In the Terraform Outputs, find the logon address for the ECS instance. Open this address in a browser. When logging in, select Temporary SSH Key-based as the authentication method.

    Outputs:
    ecs_login_address = "https://ecs-workbench.aliyun.com/?from=EcsConsole&instanceType=ecs&regionId=cn-shanghai&instanceId=i-uf6xxx"
    test_command = "curl xxx"
  2. In the Outputs, copy the command that starts with curl:

    Outputs:
    ecs_login_address = "https://ecs-workbench.aliyun.com/?from=EcsConsole&instanceType=ecs&regionId=cn-shanghai"
    test_command = "curl tf-cen-oss-xxx.oss-cn-hangzhou-internal.aliyuncs.com/example.txt"
  3. On the ECS instance, run the curl command:

    curl tf-cen-oss-xxxxxx.oss-cn-hangzhou-internal.aliyuncs.com/example.txt
    [root@iZuf6xxx          ~]# curl tf-cen-oss-2821xxx xxx.oss-cn-hangzhou-internal.aliyuncs.com/example.txt
    this is example text content
    [root@iZuf6xxx          ~]#

    If the command returns the expected text content, the connection is successful.

Step 3: Release resources

When you are finished, run the following command to release the resources and prevent further charges.

terraform destroy --auto-approve

Routing

In this topic, the VPC connections and inter-region connection are created automatically by using a scenario-based networking tool, which applies a default routing configuration. With this configuration, CEN automatically advertises and learns routes to enable communication between VPC1 and VPC2. The default routing configuration is as follows:

VPC

When you create a VPC connection using the default routing configuration (with all advanced settings enabled), the system automatically applies the following routing configurations to the VPC:

  • Associate with Default Route Table of Transit Router

    When this feature is enabled, the system automatically associates the VPC connection with the default route table of the transit router. The transit router then forwards traffic from the VPC based on this route table.

  • Propagate system routes to transit router route table

    When this feature is enabled, the VPC propagates its system routes to the default route table of the transit router, enabling communication between network instances.

  • Auto-add transit router routes to all VPC route tables

    When this feature is enabled, the system automatically adds three route entries to all route tables of the VPC instance: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hop of these route entries is the VPC connection.
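The three auto-added routes cover only the RFC 1918 ranges, while the OSS internal CIDR blocks listed in Steps 3 and 4 lie in 100.0.0.0/8, which is why those steps add explicit routes in both the VPC1 route table and the Hangzhou transit router route table. The following script is an added example, not part of this topic or of the Terraform sample, that reproduces the lookups offline with the standard library: it checks the network plan for overlapping CIDR blocks, performs longest-prefix matching against a model of the two route tables with and without the OSS routes, and flags resolved addresses (such as those printed by wget in Step 5) that no route would send to the transit router. The next-hop names and the two sample addresses are placeholders constructed for the example; the handling of the Shanghai transit router and the inter-region connection is assumed and not modelled.

```python
"""Offline route-lookup check for the routing described in this topic.

Added example, not part of the Alibaba Cloud documentation or its Terraform
sample. Everything is computed locally; next-hop names are placeholders.
"""
from ipaddress import ip_address, ip_network

# CIDR blocks taken from the topic.
VPC1_CIDR = "192.168.0.0/16"
VPC2_CIDR = "172.16.0.0/16"
OSS_CIDRS = ["100.118.28.0/24", "100.114.102.0/24", "100.98.170.0/24", "100.118.31.0/24"]
# Routes the default routing configuration adds to every VPC route table.
AUTO_ADDED_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Placeholder next-hop names (the console shows connection IDs instead).
VPC1_CONNECTION = "vpc1-connection"
VPC2_CONNECTION = "vpc2-connection"
INTER_REGION = "inter-region-connection"


def overlapping_pairs(cidrs):
    """Pairs of CIDR blocks that overlap; must be empty for interconnected VPCs."""
    nets = [ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def longest_prefix_match(route_table, dst):
    """route_table is a list of (cidr, next_hop). Returns the next hop of the
    most specific entry covering dst, or None when no entry covers it."""
    addr = ip_address(dst)
    best_net, best_hop = None, None
    for cidr, hop in route_table:
        net = ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def vpc1_route_table(with_oss_routes):
    """VPC1 route table: the system route (listed first so it wins ties), the
    three auto-added routes, and optionally the four custom OSS routes (Step 3)."""
    table = [(VPC1_CIDR, "local")]
    table += [(c, VPC1_CONNECTION) for c in AUTO_ADDED_ROUTES]
    if with_oss_routes:
        table += [(c, VPC1_CONNECTION) for c in OSS_CIDRS]
    return table


def tr2_route_table(with_oss_routes):
    """Default route table of the China (Hangzhou) transit router: routes
    propagated from the VPC2 connection and the inter-region connection, and
    optionally the four custom OSS routes (Step 4)."""
    table = [(VPC2_CIDR, VPC2_CONNECTION), (VPC1_CIDR, INTER_REGION)]
    if with_oss_routes:
        table += [(c, VPC2_CONNECTION) for c in OSS_CIDRS]
    return table


def path_to_oss(dst, with_oss_routes):
    """Hop-by-hop lookup for a packet from an ECS instance in VPC1 to dst.
    Returns a list of (table, next_hop); stops at the first table with no route."""
    hops = []
    hop = longest_prefix_match(vpc1_route_table(with_oss_routes), dst)
    hops.append(("vpc1", hop))
    if hop != VPC1_CONNECTION:
        return hops
    # Assumption for this example: the Shanghai transit router forwards the
    # packet over the inter-region connection; that table is not modelled.
    hop = longest_prefix_match(tr2_route_table(with_oss_routes), dst)
    hops.append(("tr2", hop))
    return hops


def unrouted_addresses(addresses, with_oss_routes=True):
    """Addresses (for example, what the OSS internal endpoint resolved to in
    Step 5) that VPC1 would not send to the transit router."""
    table = vpc1_route_table(with_oss_routes)
    return [a for a in addresses if longest_prefix_match(table, a) != VPC1_CONNECTION]


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs([VPC1_CIDR, VPC2_CIDR]))
    # Constructed OSS address inside the first listed block.
    print("without OSS routes:", path_to_oss("100.118.28.50", False))
    print("with OSS routes:   ", path_to_oss("100.118.28.50", True))
    # Constructed resolver answers: one inside a listed block, one outside.
    print("unrouted:", unrouted_addresses(["100.118.28.50", "100.99.1.7"]))
```

If `unrouted_addresses` reports an address that the internal endpoint actually resolved to, the OSS CIDR list in Steps 3 and 4 is incomplete for that region; take the current list from Access OSS by using endpoints and bucket domain names and add the missing routes to both tables.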

Inter-region connection

When you create an inter-region connection using the default routing configuration (with all advanced settings enabled), the system automatically applies the following routing configurations:

  • Associate with Default Route Table of Transit Router

    Associates the inter-region connection with the default route tables of the transit routers in both regions. Inter-region traffic is forwarded based on these default route tables.

  • Propagate system routes to transit router route table

    Establishes a route learning relationship between the inter-region connection and the default route tables of the transit routers in both regions.

  • Automatically Advertise Routes to Peer Region

    Advertises routes from the local transit router's route table to the peer transit router's route table, enabling inter-region connectivity for network instances.

View route entries

You can view the route entries for each instance in the Alibaba Cloud Management Console: