You can connect virtual private clouds (VPCs) to a transit router. After you connect the VPCs to the same transit router, the VPCs can communicate with each other. This topic describes how to connect VPCs to an Enterprise Edition transit router or a Basic Edition transit router.
Use an Enterprise Edition transit router to connect VPCs
For more information about how to upgrade an Enterprise Edition transit router, see Announcement: Optimization on VPC-connected Enterprise Edition transit routers.
How a VPC connection works
An Enterprise Edition transit router supports one or more zones in a region. For more information, see Regions and zones that support Enterprise Edition transit routers.
- If an Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing-Local Region), make sure that the VPC has at least one vSwitch in the zone before you create a VPC connection on the Enterprise Edition transit router. The vSwitch must have at least one idle IP address. When you connect the Enterprise Edition transit router to the VPC, the transit router creates an elastic network interface (ENI) on the vSwitch of the VPC. The ENI occupies one IP address on the vSwitch and forwards network traffic between the VPC and the transit router.
- If an Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), make sure that the VPC has at least two vSwitches in the zones before you create a VPC connection on the Enterprise Edition transit router. The vSwitches must be deployed in different zones and each vSwitch must have at least one idle IP address. When you connect the Enterprise Edition transit router to the VPC, the transit router creates an ENI in each of the vSwitches. Each ENI occupies one IP address in the vSwitch and forwards network traffic between the VPC and the transit router. The two vSwitches support zone-disaster recovery to ensure uninterrupted data transmission between the VPC and the transit router. Note If your Enterprise Edition transit router supports multiple zones, we recommend that you create a vSwitch in each of the zones and make sure that each vSwitch has at least one idle IP address for creating VPC connections. This way, the network latency is reduced and the network performance is improved due to shorter data transmission distance. For more information, see How routes are selected for a VPC connection.
How routes are selected for a VPC connection
After an Enterprise Edition transit router is connected to a VPC, network traffic from the VPC is forwarded over the shortest route to reduce network latency. This section describes how an Enterprise Edition transit router selects routes for a VPC connection.
Route selection is performed three times to send a request from the initiator to the acceptor over a VPC connection.
| No. | Description |
|---|---|
| ① | The first route. The system must select a route between the initiator network and the Enterprise Edition transit router. A route is selected based on the following rules:
|
| ② | The second route. The Enterprise Edition transit router must select a route between the Enterprise Edition transit router and the acceptor network. A route is selected based on the following rules:
|
| ③ | The third route. The system must select a route between the acceptor network and the acceptor. The system routes the request to the acceptor based on the route table that is associated with the vSwitch that accepts the request. |
Prerequisites
- The VPC in a zone supported by the Enterprise Edition transit router has sufficient vSwitches. Each vSwitch has at least one idle IP address. For more information about how to create a vSwitch, see Create a vSwitch.
- If the Enterprise Edition transit router supports only one zone, for example, China (Nanjing-Local Region), the VPC must have at least one vSwitch in the zone.
- If the Enterprise Edition transit router supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.
- An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Create a transit router.
- You can connect an Enterprise Edition transit router to a VPC that belongs to the same or a different Alibaba Cloud account. If the VPC and the transit router that you want to connect belong to different Alibaba Cloud accounts, the transit router must acquire the required permissions from the Alibaba Cloud account to which the VPC belongs. For more information, see Grant permissions on a network instance that belongs to another account.
Create a VPC connection
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.
- On the tab, find the transit router that you want to manage and click Create Connection in the Actions column.
- On the Connection with Peer Network Instance page, set the following parameters and click OK. Note When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN. The service-linked role allows the Enterprise Edition transit router to create an ENI in a vSwitch of the VPC. The ENI is used to forward data between the VPC and the transit router. For more information about service-linked roles, see AliyunServiceRoleForCEN.
Parameter Description Instance Type Select VPC. Region Select the region where the network instance is deployed. Transit Router The transit router in the selected region is displayed. Resource Owner ID Select the Alibaba Cloud account to which the network instance belongs. You can connect a transit router to a VPC that belongs to the same or another Alibaba Cloud account:
- If the network instance and the transit router that you want to connect belong to the same Alibaba Cloud account, select Your Account.
- If the network instance and the transit router that you want to connect belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the network instance belongs.
Billing Method By default, transit routers use the Pay-As-You-Go billing method. For more information about the billing rules, see Billing rules.
Attachment Name Enter a name for the VPC connection. Network Instance Select the VPC. VSwitch Select the vSwitches that are deployed in the zones of the transit router. - If the Enterprise Edition transit router supports only one zone, select a vSwitch in the zone.
- If the Enterprise Edition transit router supports multiple zones, select at least two vSwitches. The two vSwitches must be in different zones. The two vSwitches support zone-disaster recovery to ensure uninterrupted data transmission between the VPC and the transit router.
We recommend that you select a vSwitch in each zone to reduce network latency and improve network performance because data can be transmitted over a shorter distance.
Advanced Settings When you create a VPC connection, the system enables the following features in the advanced settings by default: - Associate with Default Route Table of Transit Router
After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.
- Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.
- Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC
After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of the routes point to the VPC. The routes are used to forward traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs.
You can disable these advanced features by clearing the check boxes. If you want to enable the VBR to communicate with other network instances, you can configure associated forwarding and route learning on the transit router. For more information, see Manage routes.
After the VPC connection is created, you can view the details about the connection on the Intra-region Connections tab. For more information, see View network instance connections.
Change the zone and vSwitch of a VPC connection
After you create a VPC connection, you can change the zone and vSwitch of the VPC connection. Before you begin, make sure that no routes of the VPC point to the ENI of an Enterprise Edition transit router. For more information, see Add and delete routes.
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.
- Choose , find the transit router that you want to manage, and then click the ID of the transit router.
- On the Intra-region Connections tab, find the VPC connection that you want to manage and click the ID.
- In the Attachment Details panel, click Change Zone/Subnet in the Associated Instances section.
- In the Change Zone/Subnet dialog box, select another zone and a vSwitch in the Select Zone/Subnet section and click OK. When you change the zone and vSwitch, the zone and vSwitch that you select are associated with the VPC connection.
For example, the VPC connection is associated with Zone A and vSwitch A1, which is deployed in Zone A. The following rules apply when you change the zone and vSwitch in the Change Zone/Subnet dialog box:
- If you select Zone A and vSwitch A2, which is deployed in Zone A, the VPC connection is associated with Zone A and vSwitch A2 after you click OK.
The VPC connection is automatically disassociated from vSwitch A1.
- If you select Zone B, vSwitch B1 (deployed in Zone B), Zone C, and vSwitch C1 (deployed in Zone C), the VPC connection is associated with Zone B, vSwitch B1, Zone C, and vSwitch C1 after you click OK.
The VPC connection is automatically disassociated from Zone A and vSwitch A1.
- If you select Zone A, vSwitch A1 (deployed in Zone A), Zone C, and vSwitch C1 (deployed in Zone C), the VPC connection is associated with Zone A, vSwitch A1, Zone C, and vSwitch C1 after you click OK.
The VPC is automatically associated with Zone C and vSwitch C1.
Note After a VPC connection is associated with another vSwitch, the ENI of the previous vSwitch is automatically deleted. - If you select Zone A and vSwitch A2, which is deployed in Zone A, the VPC connection is associated with Zone A and vSwitch A2 after you click OK.
Modify the transit router route table associated with the VPC connection
After you create a VPC connection, you can modify the transit router route table that is associated with the VPC connection.
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.
- On the tab, click the ID of the transit router that you want to manage.
- On the Intra-region Connections tab, find the VPC connection that you want to manage and click the ID.
- In the Attachment Details panel, find the Basic Information section and click Modify next to Associated Route Table.
- In the Modify Route Table dialog box, select a route table and click OK.
Use a Basic Edition transit router to connect VPCs
You can connect a Basic Edition transit router to a VPC that belongs to the same or a different Alibaba Cloud account. If the VPC and the transit router that you want to connect belong to different Alibaba Cloud accounts, the transit router must acquire the required permissions from the Alibaba Cloud account to which the VPC belongs. For more information, see Grant permissions on a network instance that belongs to another account.
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.
- On the tab, find the transit router that you want to manage and click Create Connection in the Actions column.
- On the Connection with Peer Network Instance page, set the following parameters and click OK.
Parameter Description Network Type Select VPC. Region Select the region where the network instance is deployed. Transit Router The transit router in the selected region is displayed. Resource Owner ID Select the Alibaba Cloud account to which the network instance belongs. You can connect a transit router to a VPC that belongs to the same or another Alibaba Cloud account:
- If the network instance and the transit router that you want to connect belong to the same Alibaba Cloud account, select Your Account.
- If the network instance and the transit router that you want to connect belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the network instance belongs.
Network Instance Select the ID of the network instance. After you create the VPC connection, you can view it on the Intra-region Connections tab on the details page of the transit router. For more information, see View network instance connections.
References
- CreateTransitRouterVpcAttachment: creates a VPC connection on an Enterprise Edition transit router.
- UpdateTransitRouterVpcAttachmentAttribute: modifies the name and description of a VPC connection on an Enterprise Edition transit router.
- UpdateTransitRouterVpcAttachmentZones: changes the zone and vSwitch of a VPC connection on an Enterprise Edition transit router.
- ListTransitRouterVpcAttachments: queries the information about VPC connections on an Enterprise Edition transit router.
- AttachCenChildInstance: creates a VPC connection by using a Basic Edition transit router.