
Cloud Enterprise Network: Connect VPCs across accounts

Last Updated: Dec 16, 2025

You can add virtual private clouds (VPCs) from different Alibaba Cloud accounts to the same Cloud Enterprise Network (CEN) instance to enable cross-account VPC-to-VPC connections.

Example scenario

Assume you have two Alibaba Cloud accounts:

  • Account A: Owns two VPCs (VPC1 and VPC2) and one CEN instance (CEN1).

  • Account B: Owns one VPC (VPC3).

In this scenario, VPC1 and VPC2 are already attached to the CEN instance CEN1 and can communicate with each other, as described in the Connect VPCs in the same region tutorial.

The goal is to add VPC3 to the CEN instance CEN1 to enable communication among all three VPCs.


The following table describes the resource planning for the three VPCs.

Configuration item                        VPC1                      VPC2                        VPC3
Account                                   Account A                 Account A                   Account B
Region                                    China (Hangzhou)          China (Hangzhou)            China (Hangzhou)
IPv4 CIDR block                           10.0.0.0/16               172.16.0.0/16               192.168.0.0/16
vSwitch 1                                 Zone J: 10.0.0.0/24       Zone J: 172.16.0.0/24       Zone M: 192.168.0.0/24
vSwitch 2                                 Zone K: 10.0.1.0/24       Zone K: 172.16.1.0/24       Zone N: 192.168.1.0/24
ECS instance IP (for connectivity tests)  ECS1: 10.0.0.1            ECS2: 172.16.0.1            ECS3: 192.168.0.1

Important

If you plan your own network resources, consider the following:

  • The CIDR blocks of the VPCs that you want to connect cannot overlap. If the CIDR blocks overlap, you must modify your network plan and migrate the resources to new VPCs that have non-overlapping CIDR blocks.

  • To achieve zone-level disaster recovery in a region that supports multiple zones, create at least two vSwitches in two different zones.

Start the configuration

The process involves two steps:

  • First, log on to Account B and grant authorization to CEN1 to access VPC3.

  • Then, log on to Account A and add VPC3 to CEN1.

Step 1: Grant authorization from Account B to Account A

  1. Log on to the Alibaba Cloud console with Account B and go to the Virtual Private Cloud page.

  2. Click the instance ID of VPC3 to open its details page. Click the Cross-account Authorization tab, and then click the Cross-account Authorization button on the CEN tab. In the dialog box that appears, set the following parameters:

    • Peer Account UID: Enter the ID of Alibaba Cloud account A.

      How do I find my Alibaba Cloud account ID?

      Hover over your profile picture in the upper-right corner of the console to view the account ID.

    • Peer CEN Instance ID: Enter the instance ID of CEN1, the CEN instance in Account A to which VPC1 and VPC2 are attached.

    • Payer: This topic uses the default option, CEN Instance Owner.


Step 2: Add VPC3 to CEN1 from Account A

  1. Log on to the Alibaba Cloud console with Account A and go to the CEN Instances page.

  2. Click the instance ID of CEN1 to open its details page. Find the transit router in the China (Hangzhou) region. In the Actions column, click Create Connection.


  3. On the Connection with Peer Network Instance page, set the following parameters:

    • Instance Type: Select VPC.

    • Region: Select China (Hangzhou).

    • Resource Owner ID: Select Different Account and enter the ID of Alibaba Cloud account B (the owner of VPC3).

    • Attachment Name: Enter attach3.

    • Network Instance: From the drop-down list, select the instance ID of VPC3.

      If the drop-down list is empty, cross-account authorization for VPC3 to CEN1 has not been granted in Account B. Check the cross-account authorization settings from the previous step. Make sure that the Peer Account UID is the ID of Account A and the Peer CEN Instance ID is the instance ID of the current CEN instance, CEN1.

    • VSwitch: The system automatically selects the two vSwitches in VPC3.

      To implement multi-zone disaster recovery, the system automatically selects vSwitches in two zones within the current VPC. If VPC3 has only one vSwitch, you must create at least one more vSwitch. The two vSwitches must be in different zones.

    • Advanced Settings: Keep the default selections. For more information about these features, see Route description.


Test and verify the connection

  1. Make sure that the security groups of the three ECS instances allow inbound traffic over the ICMP protocol.

  2. Log on to ECS3 and run the ping command to access ECS1:

    ping 10.0.0.1


    A response indicates that VPC3 and VPC1 are connected. You can use the same method to run the ping 172.16.0.1 command to access ECS2 and verify the connectivity between VPC3 and VPC2.

Route description

When you create the VPC connection, the system automatically configures the routes based on the three advanced features that are selected by default:

  • Associate with Default Route Table of Transit Router

    When enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards traffic based on the default route table.

  • Propagate System Routes to Default Route Table of Transit Router

    After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. The VPC can then communicate with other network instances that are connected to the transit router.

  • Automatically Create Route That Points to Transit Router and Add to All Route Tables of Current VPC

    After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hop of each route is the VPC connection (for example, attach3 for VPC3), so IPv4 traffic that leaves the VPC for these private ranges is forwarded to the transit router. By default, transit routers do not advertise routes to VPCs.

    Important

    • If the VPC requires IPv6 communication, you must enable the route synchronization feature for the VPC connection after creating it, or manually add IPv6 route entries in the VPC that point to the VPC connection. Only then can IPv6 traffic enter the transit router.

After the configuration is complete, the route tables of the transit router and VPCs are as follows:

Default route table of the transit router

Destination CIDR block   Next hop   Route type
10.0.0.0/24              attach1    Automatic learning
10.0.1.0/24              attach1    Automatic learning
172.16.0.0/24            attach2    Automatic learning
172.16.1.0/24            attach2    Automatic learning
192.168.0.0/24           attach3    Automatic learning
192.168.1.0/24           attach3    Automatic learning

System route table of VPC1

Destination CIDR block   Next hop   Route type
10.0.0.0/24              Local      System
10.0.1.0/24              Local      System
10.0.0.0/8               attach1    Custom
172.16.0.0/12            attach1    Custom
192.168.0.0/16           attach1    Custom

System route table of VPC2

Destination CIDR block   Next hop   Route type
172.16.0.0/24            Local      System
172.16.1.0/24            Local      System
10.0.0.0/8               attach2    Custom
172.16.0.0/12            attach2    Custom
192.168.0.0/16           attach2    Custom

System route table of VPC3

Destination CIDR block   Next hop   Route type
192.168.0.0/24           Local      System
192.168.1.0/24           Local      System
10.0.0.0/8               attach3    Custom
172.16.0.0/12            attach3    Custom
192.168.0.0/16           attach3    Custom
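The following Python model is an added example, not part of this topic or of any Alibaba Cloud tooling. It checks a resource plan against the rules given under Important (non-overlapping VPC CIDR blocks, vSwitches in two zones) and then reproduces the route tables above, so you can follow a packet from ECS3 through the summary routes to the transit router and on to the owning attachment. It assumes the CIDR blocks, zones and attachment names attach1 to attach3 from this topic and models only the default route table behaviour described in Route description.

```python
import ipaddress as ipa
# Constructed plan mirroring the tutorial's table: VPC1/VPC2 in Account A, VPC3 in Account B.
PLAN = {
    "VPC1": {"cidr": "10.0.0.0/16", "attachment": "attach1",
             "vswitches": {"J": "10.0.0.0/24", "K": "10.0.1.0/24"}},
    "VPC2": {"cidr": "172.16.0.0/16", "attachment": "attach2",
             "vswitches": {"J": "172.16.0.0/24", "K": "172.16.1.0/24"}},
    "VPC3": {"cidr": "192.168.0.0/16", "attachment": "attach3",
             "vswitches": {"M": "192.168.0.0/24", "N": "192.168.1.0/24"}},
}
# Summary routes CEN adds to every VPC route table by default (see Route description).
SUMMARY_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def check_plan(plan):
    """Planning errors: overlapping VPC CIDRs, a vSwitch outside its VPC, or fewer
    than two vSwitches (zone-level disaster recovery needs two zones)."""
    errors, names = [], list(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ipa.ip_network(plan[a]["cidr"]).overlaps(ipa.ip_network(plan[b]["cidr"])):
                errors.append(f"{a} and {b} overlap")
    for name, vpc in plan.items():
        if len(vpc["vswitches"]) < 2:
            errors.append(f"{name} needs vSwitches in two zones")
        for zone, sw in vpc["vswitches"].items():
            if not ipa.ip_network(sw).subnet_of(ipa.ip_network(vpc["cidr"])):
                errors.append(f"{name} vSwitch in zone {zone} is outside {vpc['cidr']}")
    return errors

def transit_router_routes(plan):
    """Routes the transit router learns once each VPC propagates its system routes."""
    return {sw: v["attachment"] for v in plan.values() for sw in v["vswitches"].values()}

def vpc_routes(plan, name):
    """System (Local) routes plus the custom summary routes pointing at the attachment."""
    return {**{sw: "Local" for sw in plan[name]["vswitches"].values()},
            **{r: plan[name]["attachment"] for r in SUMMARY_ROUTES}}

def lookup(table, ip):
    """Longest-prefix match of ip in a {cidr: next_hop} table; None if nothing matches."""
    addr = ipa.ip_address(ip)
    best = max((n for n in map(ipa.ip_network, table) if addr in n),
               key=lambda n: n.prefixlen, default=None)
    return table[str(best)] if best else None

def trace(plan, src, dst_ip):
    """Path of a packet leaving src: [src, VPC next hop, transit router next hop]."""
    hop = lookup(vpc_routes(plan, src), dst_ip)
    if hop in (None, "Local"):
        return [src, hop]
    return [src, hop, lookup(transit_router_routes(plan), dst_ip)]
```

A destination inside 10.0.0.0/8 that belongs to no attached VPC still leaves the source VPC over the summary route but matches nothing in the transit router table, which the model reports as None; only prefixes that a VPC has propagated are reachable.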

FAQ

How do I connect VPCs that are in different regions and belong to different accounts?

The process is similar to the one described in the Cross-region VPC Communication tutorial. The main difference is that the VPCs belong to different accounts. Before you connect each VPC to the transit router in its region, you must first grant cross-account authorization as described in Step 1 of this topic.