
Cloud Enterprise Network:Transit router CIDR blocks

Last Updated:Nov 28, 2025

A transit router CIDR block is a custom CIDR block that you specify for a transit router. It plays a role similar to the loopback address range of a physical router: the transit router draws IP addresses from this block and allocates them to the IPsec-VPN connections that are attached to it, so that those VPN connections can be established.

Background

When you create a VPN connection, the system allocates an address from the transit router CIDR block to the IPsec-VPN connection:

  • If you create a private VPN connection, the system automatically allocates a gateway IP address from the transit router CIDR block to the IPsec-VPN connection. This address is used to establish an IPsec-VPN connection with an on-premises network.

    After you enable route learning between the private VPN connection and a route table of the transit router, the system automatically adds a blackhole route to the route table. The destination CIDR block of the blackhole route is the transit router CIDR block from which the gateway IP address is allocated to the IPsec-VPN connection. The blackhole route is advertised only to the route tables of virtual border router (VBR) instances that are connected to the transit router.

    Note
    • You can use the PublishCidrRoute parameter of the CreateTransitRouterCidr operation to control whether to add a blackhole route to the route table of the transit router. The destination of this route is the transit router CIDR block. For more information, see CreateTransitRouterCidr.

    • After you enable route learning between a private VPN connection and a route table of the transit router, the transit router automatically learns a route that points to the IPsec-VPN connection. The destination of this route is the gateway IP address of the IPsec-VPN connection (a single host address), and the next hop is the VPN connection.

      This route is learned from the VPN connection; you do not configure it manually.

  • If you create a public VPN connection:

    • In single-tunnel mode, the system allocates a public IP address from an Alibaba Cloud address pool to the IPsec-VPN connection. The public IP address is used to establish an IPsec-VPN connection with an on-premises network. The system also allocates an IP address from the transit router CIDR block to the IPsec-VPN connection. This IP address is used for internal health checks for the IPsec-VPN connection and does not affect your network.

    • In dual-tunnel mode, the system allocates two public IP addresses from an Alibaba Cloud address pool to the IPsec-VPN connection. Each tunnel uses one public IP address to establish a dual-tunnel IPsec-VPN connection with an on-premises network. The system also allocates two IP addresses from the transit router CIDR block to the IPsec-VPN connection. These two IP addresses are used for internal health checks for the IPsec-VPN connection and do not affect your network.

      Note

      For more information about dual-tunnel mode, see Use an IPsec-VPN connection that is associated with a transit router.

For more information about the allocation rules, see Rules for allocating IP addresses from transit router CIDR blocks.

Limits

  • Only Enterprise Edition transit routers support custom CIDR blocks.

  • Each transit router supports at most five CIDR blocks. The prefix length of each transit router CIDR block must be /16 to /24 (a subnet mask of 16 to 24 bits).

  • You cannot specify 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, 169.254.0.0/16, or their subnets as the CIDR blocks of transit routers.

  • The CIDR blocks of a transit router cannot overlap with the CIDR blocks of the network instances (for example, VPCs and VBRs) that communicate with each other through the Cloud Enterprise Network (CEN) instance. The transit router advertises a blackhole route for each transit router CIDR block and learns host routes for the VPN gateway addresses allocated from it (see Background); an overlapping instance CIDR block would conflict with those routes.

  • Within the same CEN instance, each transit router CIDR block must be unique.
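The limits above can be checked before a CIDR block is submitted in the console or through the API. The following is an added example, not Alibaba Cloud code: a pre-flight validator that encodes the five limits listed above with Python's standard `ipaddress` module. The function name, its parameters and the sample CIDR blocks are illustrative assumptions; the checks themselves are exactly the limits stated on this page.

```python
"""Pre-flight check of transit router CIDR blocks against the limits on this page
(added example, not Alibaba Cloud code). Function and parameter names are
illustrative; the five checks are the five limits listed above."""
import ipaddress
from typing import Iterable, List

MAX_BLOCKS_PER_TRANSIT_ROUTER = 5
MIN_PREFIX_LEN, MAX_PREFIX_LEN = 16, 24
# Ranges that may not be used, nor any subnet of them.
FORBIDDEN_RANGES = [ipaddress.ip_network(c) for c in
                    ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]


def validate_transit_router_cidrs(new_cidrs: Iterable[str],
                                  instance_cidrs: Iterable[str] = (),
                                  cen_cidrs_in_use: Iterable[str] = ()) -> List[str]:
    """Return the list of violations (an empty list means the blocks are acceptable).

    new_cidrs:        blocks you intend to assign to one Enterprise Edition transit router
    instance_cidrs:   blocks of the network instances (VPCs, VBRs, ...) attached to the CEN
    cen_cidrs_in_use: transit router CIDR blocks already used elsewhere in the same CEN
    """
    problems: List[str] = []
    nets = []
    for raw in new_cidrs:
        try:
            net = ipaddress.ip_network(raw, strict=True)   # rejects host bits set
        except ValueError as exc:
            problems.append(f"{raw}: not a valid CIDR block ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{raw}: only IPv4 blocks are covered here")
            continue
        if not MIN_PREFIX_LEN <= net.prefixlen <= MAX_PREFIX_LEN:
            problems.append(f"{net}: prefix length must be /16 to /24")
        for bad in FORBIDDEN_RANGES:
            if net.subnet_of(bad):
                problems.append(f"{net}: lies inside forbidden range {bad}")
        nets.append(net)

    if len(nets) > MAX_BLOCKS_PER_TRANSIT_ROUTER:
        problems.append(f"{len(nets)} blocks given; at most "
                        f"{MAX_BLOCKS_PER_TRANSIT_ROUTER} per transit router")

    instance_nets = [ipaddress.ip_network(c) for c in instance_cidrs]
    cen_nets = [ipaddress.ip_network(c) for c in cen_cidrs_in_use]
    for i, net in enumerate(nets):
        for other in nets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other} on the same transit router")
        for inst in instance_nets:
            if net.overlaps(inst):
                problems.append(f"{net} overlaps instance CIDR {inst}; the blackhole route "
                                f"advertised for {net} would conflict with routes to it")
        if net in cen_nets:
            problems.append(f"{net} is already a transit router CIDR block in this CEN instance")
    return problems


if __name__ == "__main__":
    # Constructed input: the two blocks from the example on this page plus a VPC that overlaps one of them.
    for p in validate_transit_router_cidrs(["10.0.0.0/24", "192.168.0.0/20"],
                                           instance_cidrs=["10.0.0.0/16", "172.16.0.0/12"]):
        print("violation:", p)
```

The instance-overlap check is the one most often missed in practice: the transit router CIDR block is easy to treat as "internal" address space, but the blackhole route it generates is advertised to VBR route tables, so an overlap with a VPC or on-premises prefix shows up as dropped traffic rather than as a configuration error.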

Rules for allocating IP addresses from transit router CIDR blocks

This section describes the rules for allocating IP addresses from transit router CIDR blocks.

After you add a CIDR block to a transit router, the system automatically reserves three /28 subnets from the CIDR block when you create the first VPN connection on the transit router. These system-reserved subnets are used for backend processes to create VPN connections. The system then allocates IP addresses to IPsec-VPN connections from the remaining address space in the CIDR block.

When allocating an IP address to an IPsec-VPN connection, the system first carves out a /28 subnet from the remaining address space. Within this /28 subnet, four IP addresses are reserved by the system and are not allocated. The system allocates IP addresses to IPsec-VPN connections from the remaining 12 IP addresses, allocating one IP address per tunnel. After all 12 IP addresses are used, the system carves out another /28 subnet from the remaining address space. In each /28 subnet, four IP addresses are always reserved by the system and are not available for allocation.

Example

For example, you configure 10.0.0.0/24 and 192.168.0.0/20 as the CIDR blocks for a transit router. Assume that 10.0.0.0/28, 10.0.0.16/28, and 10.0.0.32/28 are the system-reserved subnets. The system then carves out a /28 subnet, such as 10.0.0.48/28, from the remaining address space to allocate IP addresses to IPsec-VPN connections. Within the 10.0.0.48/28 subnet, four IP addresses are reserved by the system and are not allocated. The remaining 12 IP addresses can be used for IPsec-VPN connections. After these 12 addresses are used, the system carves out another /28 subnet from the remaining address space. In each /28 subnet, four IP addresses are always reserved by the system.

In this case:

Single-tunnel mode

One VPN connection contains one tunnel. Each tunnel occupies one IP address:

  • Maximum number of VPN connections that can be created from the 10.0.0.0/24 CIDR block: (2⁸ ÷ 2⁴ - 3) × (2⁴ - 4) = 156.

  • Maximum number of VPN connections that can be created from the 192.168.0.0/20 CIDR block: (2¹² ÷ 2⁴) × (2⁴ - 4) = 3,072.

  • Maximum number of VPN connections that can be created on the transit router: 156 + 3,072 = 3,228.

Dual-tunnel mode

One VPN connection contains two tunnels. Each tunnel occupies one IP address:

  • Maximum number of VPN connections that can be created from the 10.0.0.0/24 CIDR block: (2⁸ ÷ 2⁴ - 3) × (2⁴ - 4) ÷ 2 = 78.

  • Maximum number of VPN connections that can be created from the 192.168.0.0/20 CIDR block: (2¹² ÷ 2⁴) × (2⁴ - 4) ÷ 2 = 1,536.

  • Maximum number of VPN connections that can be created on the transit router: 78 + 1,536 = 1,614.

Note

Superscripts indicate exponents. For example, 2⁴ = 16, and 2⁸ ÷ 2⁴ is the number of /28 subnets in a /24 block.
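The two formulas above generalize to any set of transit router CIDR blocks and to either tunnel mode. The following added example, not Alibaba Cloud code, implements the allocation rules described in this section: three /28 subnets reserved once when the first VPN connection is created, then /28 chunks carved out with 4 of every 16 addresses held back, one address per tunnel. It assumes, as the worked example above does, that the three system-reserved subnets come from the first CIDR block listed and that subnets are taken sequentially from the start of a block; the page does not document which /28s or which four addresses are reserved, so `carved_subnets` estimates how much of a block has been consumed rather than predicting the exact addresses shown in the Address Details panel. The function names and the sample inputs are constructed for illustration.

```python
"""Capacity model for transit router CIDR blocks (added example, not Alibaba Cloud code).

Rules implemented, as described on this page:
  * three /28 subnets are reserved once, when the first VPN connection is created
    (assumption: they come from the first CIDR block listed, as in the page's example);
  * addresses are then carved out one /28 at a time, 4 of every 16 held back;
  * each tunnel uses one address (1 per single-tunnel, 2 per dual-tunnel connection).
"""
import ipaddress
from typing import Dict, List, Sequence

SYSTEM_RESERVED_SUBNETS = 3                  # /28s reserved when the first VPN connection is created
CHUNK_PREFIX = 28                            # allocation unit
RESERVED_PER_CHUNK = 4                       # addresses held back in every /28
USABLE_PER_CHUNK = 16 - RESERVED_PER_CHUNK   # 12 addresses per /28 available to tunnels
TUNNELS_PER_CONNECTION = {"single": 1, "dual": 2}


def max_connections_per_block(cidr: str, mode: str, holds_system_reserve: bool) -> int:
    """Maximum VPN connections one block can serve in the given tunnel mode."""
    net = ipaddress.ip_network(cidr)
    if not 16 <= net.prefixlen <= 24:
        raise ValueError(f"{cidr}: transit router CIDR blocks must be /16 to /24")
    chunks = 2 ** (CHUNK_PREFIX - net.prefixlen)        # number of /28s in the block
    if holds_system_reserve:
        chunks -= SYSTEM_RESERVED_SUBNETS
    return (chunks * USABLE_PER_CHUNK) // TUNNELS_PER_CONNECTION[mode]


def max_connections(cidrs: Sequence[str], mode: str) -> Dict[str, int]:
    """Per-block capacities plus a 'total' entry for the whole transit router."""
    result = {cidr: max_connections_per_block(cidr, mode, holds_system_reserve=(i == 0))
              for i, cidr in enumerate(cidrs)}
    result["total"] = sum(result.values())
    return result


def carved_subnets(cidr: str, n_connections: int, mode: str,
                   holds_system_reserve: bool = True) -> List[str]:
    """/28 subnets consumed from one block once n_connections exist.

    Assumes the system reserves and carves sequentially from the start of the block
    (the pattern in the page's example, not a documented guarantee). Raises ValueError
    when the block is exhausted, which is the failure mode to plan capacity around.
    """
    if n_connections == 0:
        return []                                # nothing is reserved until the first connection
    net = ipaddress.ip_network(cidr)
    tunnels = n_connections * TUNNELS_PER_CONNECTION[mode]
    alloc_chunks = -(-tunnels // USABLE_PER_CHUNK)        # ceiling division
    needed = alloc_chunks + (SYSTEM_RESERVED_SUBNETS if holds_system_reserve else 0)
    subnets = list(net.subnets(new_prefix=CHUNK_PREFIX))
    if needed > len(subnets):
        raise ValueError(f"{cidr} cannot hold {n_connections} {mode}-tunnel connection(s)")
    return [str(s) for s in subnets[:needed]]


if __name__ == "__main__":
    # Constructed input: the two blocks from the example on this page.
    blocks = ["10.0.0.0/24", "192.168.0.0/20"]
    for mode in ("single", "dual"):
        print(mode, max_connections(blocks, mode))
    print(carved_subnets("10.0.0.0/24", 1, "single"))
```

Running it on the page's two blocks reproduces the figures above (156 + 3,072 = 3,228 single-tunnel connections, 78 + 1,536 = 1,614 dual-tunnel connections), and `carved_subnets` shows that the first connection alone consumes four /28s of a /24, which is why a /24 is a poor choice for a transit router that will terminate many tunnels.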

After creating a VPN connection, you can view the details of the system-reserved subnets and the IP addresses allocated to IPsec-VPN connections in the Address Details panel. For more information, see View the allocation details.

Add a transit router CIDR block

You can add a CIDR block when you create a transit router, or add a CIDR block to an existing transit router.

Add a CIDR block when you create a transit router

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. Go to the Basic Information > Transit Router tab and click Create Transit Router.

  4. In the Create Transit Router dialog box, set the transit router instance parameters and click OK.

    Configuration Item

    Description

    Region

    Select the region where you want to create the transit router instance.

    Edition

    The edition of the transit router instance.

    The system automatically determines and displays the edition of the transit router instance in the current region.

    Enable Multicast

    Specify whether to enable the multicast feature for the transit router instance. By default, the multicast feature is disabled.

    Note

    Multicast is supported by Enterprise Edition transit routers in some regions. For more information, see Multicast overview.

    Name

    Enter a name for the transit router instance.

    Description

    Enter a description for the transit router instance.

    Tag

    Set tags for the transit router instance.

    • Tag Key: The tag key can be up to 64 characters in length. It cannot be an empty string or start with acs: or aliyun or contain http:// or https://.

    • Tag Value: The tag value can be an empty string with a maximum length of 128 characters. It cannot start with acs: or aliyun or contain http:// or https://.

    You can add multiple tags to a transit router instance. For more information, see Tags.

    Transit Router CIDR

    Enter a transit router CIDR block.

    To enter multiple CIDR blocks, click Add below the text box.

Add a CIDR block after you create a transit router

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. Go to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.

  4. On the transit router instance details page, click the Basic Information tab. In the Transit Router CIDR section, click Modify.

  5. In the Modify Transit Router CIDR dialog box, enter a CIDR block and click OK.

    To enter multiple CIDR blocks, click Add below the text box.

  6. In the Results dialog box, click OK.

View the allocation details

After you add a CIDR block to a transit router, the system allocates IP addresses from that block each time you create an IPsec-VPN connection. You can view the allocation details for the CIDR block on the Basic Information tab of the transit router.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. Go to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.

  4. On the transit router instance details page, click the Basic Information tab. In the Transit Router CIDR section, click Address Details.

  5. In the Address Details panel, you can view the allocation details of the transit router CIDR block.

Modify a transit router CIDR block

You cannot modify a transit router CIDR block from which IP addresses have been allocated.

If you want to modify a transit router CIDR block from which IP addresses have been allocated, you must first delete the VPN connections that use the IP addresses. For more information, see Delete a network instance connection.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. Go to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.

  4. On the transit router instance details page, click the Basic Information tab. In the Transit Router CIDR section, click Modify.

  5. In the Modify Transit Router CIDR dialog box, update the transit router CIDR block and click OK.

    You can perform the following operations on the transit router CIDR block:

    • Add a transit router CIDR block: Click Add below the text box to add a new transit router CIDR block.

    • Modify a transit router CIDR block: Edit an existing CIDR block in its text box.

    • Delete a transit router CIDR block: Click the Delete icon to the right of the text box to delete the current transit router CIDR block.

  6. In the Results dialog box, verify the changes and click OK.

Delete a transit router CIDR block

You cannot delete a transit router CIDR block from which IP addresses have been allocated.

If you want to delete a transit router CIDR block from which IP addresses have been allocated, you must first delete the VPN connections that use the IP addresses. For more information, see Delete a network instance connection.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. Go to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.

  4. On the transit router instance details page, click the Basic Information tab. In the Transit Router CIDR section, click Modify.

  5. In the Modify Transit Router CIDR dialog box, click the Delete icon next to the target CIDR block, and then click OK.

    If the Delete icon is not displayed to the right of the target CIDR block, click Add below the text box.

  6. In the Results dialog box, review the changes and click OK.
