A transit router CIDR block is a custom IP address range you assign to a transit router—similar to a loopback interface address on a physical router. The system draws from this range to assign IP addresses to IPsec-VPN connections.
How it works
When you create a VPN connection, the system allocates one or more IP addresses from the transit router CIDR block to that connection. The exact allocation depends on the connection type:
Private VPN connection
The system assigns a gateway IP address from the transit router CIDR block to the IPsec-VPN connection. This gateway IP establishes the IPsec-VPN tunnel with your on-premises network.
After you enable route learning between the private VPN connection and a transit router route table:
-
The transit router automatically learns a route entry pointing to the IPsec-VPN connection. The destination is the gateway IP address; the next hop is the VPN connection.
-
The system adds a blackhole route to the route table. The destination CIDR block of this blackhole route is the transit router CIDR block from which the gateway IP was allocated. The blackhole route is advertised only to the route tables of virtual border router (VBR) instances connected to the transit router.
Use thePublishCidrRouteparameter of theCreateTransitRouterCidroperation to control whether the system adds this blackhole route. For details, see CreateTransitRouterCidr.
Public VPN connection
The system allocates public IP addresses from an Alibaba Cloud address pool for the IPsec tunnel itself, and separately allocates IP addresses from the transit router CIDR block for internal health checks. These health-check IPs are internal-only and do not affect your traffic.
| Mode | Public IPs (tunnel) | Transit router CIDR IPs (health check) |
|---|---|---|
| Single-tunnel | 1 | 1 |
| Dual-tunnel | 2 (one per tunnel) | 2 (one per tunnel) |
For details about dual-tunnel mode, see Use an IPsec-VPN connection that is associated with a transit router.
Limits
-
Only Enterprise Edition transit routers support custom CIDR blocks.
-
Each transit router supports a maximum of 5 CIDR blocks.
-
The subnet mask of each CIDR block must be between /16 and /24.
-
The following address ranges cannot be used as transit router CIDR blocks:
-
100.64.0.0/10 -
224.0.0.0/4 -
127.0.0.0/8 -
169.254.0.0/16 -
Any subnet of the above ranges
-
-
Transit router CIDR blocks cannot overlap with the CIDR blocks of network instances that communicate within the same Cloud Enterprise Network (CEN) instance.
-
Each transit router CIDR block must be unique within the same CEN instance.
IP address allocation rules
Understanding how the system carves up your CIDR block helps you size it correctly for the number of VPN connections you need.
Allocation mechanism
When you create the first VPN connection on a transit router, the system reserves 3 /28 subnets from the CIDR block for backend processes. The remaining address space is used to allocate IPs to IPsec-VPN connections.
For each allocation unit:
-
The system carves out a /28 subnet from the remaining address space.
-
Within each /28 subnet, 4 IP addresses are reserved by the system and unavailable.
-
The remaining 12 IP addresses are allocated to IPsec-VPN connections at 1 IP per tunnel.
-
When all 12 IPs are used, the system carves out another /28 subnet.
Capacity planning
Use the following table to estimate how many VPN connections your CIDR block can support.
| CIDR block | Size | Single-tunnel connections | Dual-tunnel connections |
|---|---|---|---|
| 10.0.0.0/24 | 256 addresses | 156 | 78 |
| 192.168.0.0/20 | 4,096 addresses | 3,072 | 1,536 |
| Both combined | — | 3,228 | 1,614 |
Single-tunnel mode uses 1 IP per connection; dual-tunnel mode uses 2 IPs per connection (one per tunnel).
Formulas for custom CIDR sizes:
-
Single-tunnel (first CIDR block, with 3 reserved /28s deducted):
(2^(32-prefix) ÷ 16 - 3) × 12 -
Single-tunnel (subsequent CIDR blocks, no reserved /28s deducted):
(2^(32-prefix) ÷ 16) × 12 -
Dual-tunnel: divide the single-tunnel result by 2
The caret (^) indicates an exponent. For example, 2⁴ = 16. Each /28 subnet contains 16 addresses (2⁴ = 16), with 4 reserved by the system and 12 available for allocation.
Example
For a transit router configured with 10.0.0.0/24 and 192.168.0.0/20:
-
System-reserved subnets (first VPN connection):
10.0.0.0/28,10.0.0.16/28,10.0.0.32/28 -
First allocation subnet:
10.0.0.48/28— provides 12 usable IPs, then the system continues with the next /28
After creating VPN connections, view the system-reserved subnets and per-connection IP allocations in the Address Details panel. See View allocation details.
Add a transit router CIDR block
Add a CIDR block when creating a new transit router, or add one to an existing transit router at any time.
Add a CIDR block during transit router creation
-
Log on to the CEN console.
-
On the Instances page, click the ID of the CEN instance.
-
Go to Basic Information > Transit Router and click Create Transit Router.
-
In the Create Transit Router dialog box, configure the following parameters and click OK.
| Parameter | Description |
|---|---|
| Region | The region where the transit router is created. |
| Edition | Determined automatically by the system based on the region. |
| Enable Multicast | Disabled by default. Enterprise Edition transit routers support multicast in select regions. See Multicast overview. |
| Name | A name for the transit router instance. |
| Description | A description for the transit router instance. |
| Tag | Tags for the transit router instance. Tag Key: up to 64 characters, cannot start with acs: or aliyun, and cannot contain http:// or https://. Tag Value: up to 128 characters, can be blank, cannot start with acs: or aliyun, and cannot contain http:// or https://. See Tags. |
| Transit Router CIDR | The transit router CIDR block. To add multiple CIDR blocks, click |
Add a CIDR block to an existing transit router
-
Log on to the CEN console.
-
On the Instances page, click the ID of the CEN instance.
-
Go to Basic Information > Transit Router and click the ID of the transit router.
-
On the Basic Information tab, find the Transit Router CIDR section and click Modify.
-
In the Modify Transit router CIDR dialog box, enter the CIDR block. To add multiple CIDR blocks, click
Add. -
Click OK, then click OK in the Results dialog box.
View allocation details
-
Log on to the CEN console.
-
On the Instances page, click the ID of the CEN instance.
-
Go to Basic Information > Transit Router and click the ID of the transit router.
-
On the Basic Information tab, find the Transit Router CIDR section and click Address Details.
-
In the Address Details panel, review the allocation details for each CIDR block.
Modify a transit router CIDR block
You cannot modify a CIDR block that has already been used to allocate IP addresses. Delete the VPN connections using those IPs first. See Delete a network instance connection.
-
Log on to the CEN console.
-
On the Instances page, click the ID of the CEN instance.
-
Go to Basic Information > Transit Router and click the ID of the transit router.
-
On the Basic Information tab, find the Transit Router CIDR section and click Modify.
-
In the Modify Transit router CIDR dialog box, make your changes:
-
Add a CIDR block: Click
Add and enter the new CIDR block. -
Modify a CIDR block: Edit the existing entry.
-
Delete a CIDR block: Click the
icon next to the CIDR block.
-
-
Click OK, then review the changes in the Result dialog box and click OK.
Delete a transit router CIDR block
You cannot delete a CIDR block that has already been used to allocate IP addresses. Delete the VPN connections using those IPs first. See Delete a network instance connection.
-
Log on to the CEN console.
-
On the Instances page, click the ID of the CEN instance.
-
Go to Basic Information > Transit Router and click the ID of the transit router.
-
On the Basic Information tab, find the TR CIDR Block section and click Modify.
-
In the Modify Transit router CIDR dialog box, click the
icon next to the target CIDR block. If the icon is not visible, click
Add first to reveal all entries. -
Click OK, then review the changes in the Results dialog box and click OK.
API reference
| Operation | Description |
|---|---|
| CreateTransitRouterCidr | Creates a CIDR block for a transit router. |
| ModifyTransitRouterCidr | Modifies a transit router CIDR block. |
| DeleteTransitRouterCidr | Deletes a transit router CIDR block. |
| ListTransitRouterCidr | Queries CIDR blocks added to a transit router. |
| ListTransitRouterCidrAllocation | Queries the allocation details of a transit router CIDR block. |