Cloud Enterprise Network: FAQ

Last Updated: Aug 29, 2023

This topic provides answers to some frequently asked questions about Cloud Enterprise Network (CEN).

Table of contents

  • Basics

  • Billing: What fees am I charged for using a Basic Edition transit router?

  • Network instance attachment

  • Route learning

  • Route conflicts

  • Network connectivity

  • Cross-account operations

What are the differences between CEN and Express Connect?

Both CEN and Express Connect can be used to establish a connection between a virtual private cloud (VPC) and a data center. However, CEN and Express Connect differ in network connection, route management, and bandwidth management.

Network connection

  • CEN: Point-to-multipoint connection. Network instances that are attached to the same CEN instance can communicate with each other through a secure, reliable, and high-speed tunnel established by CEN.

  • Express Connect: Point-to-point connection. A VPC or a data center that is connected through an Express Connect circuit can only communicate with the peer VPC.

Route management

  • CEN: Dynamic learning. CEN supports dynamic route learning and route advertisement. This speeds up route convergence and improves the quality and security of network connections.

  • Express Connect: Manual configuration. You must manually configure routes for data centers or VPCs that are connected through Express Connect circuits.

Bandwidth management

  • CEN: Flexible inter-region bandwidth plan. You can purchase inter-region bandwidth plans for CEN to reduce costs and allocate resources. You can modify the maximum bandwidth and change the peer region after you purchase an inter-region bandwidth plan.

  • Express Connect: Region-to-region bandwidth plan. When you purchase the Express Connect service, you must specify the bandwidth that is used for the connection between the local region and the peer region. After you purchase a bandwidth plan, you can modify the maximum bandwidth but you cannot change the peer region.

How do I check the latency of inter-region communication when CEN is used?

Establish an inter-region connection between two regions, and view the monitoring data of the inter-region connection. The monitoring data includes the latency information. For more information, see Manage inter-region connections and View monitoring information about inter-region connections.

What fees am I charged for using a Basic Edition transit router?

You must pay for the bandwidth plan that you use to establish inter-region connections on the Basic Edition transit router.

Note

Beginning March 31, 2022, CEN no longer provides Basic Edition transit routers. We recommend that you use Enterprise Edition transit routers. Enterprise Edition transit routers support more features. For more information, see Functions and features.

What do I do if the system prompts an error when I connect a transit router to a virtual border router (VBR)?

The error message is DEVICE_MODEL_FORBIDDEN (figure: VBR connection error). This error message indicates that the underlying access device does not allow you to connect VBRs to transit routers. You can submit a ticket to request that Alibaba Cloud connect your VBR to your transit router.

How do I use an unoptimized Enterprise Edition transit router to create a VPC connection?

To use an unoptimized Enterprise Edition transit router to create a VPC connection, you must specify the primary and secondary zones when you connect an Enterprise Edition transit router to a VPC. The VPC must have at least one vSwitch in each zone of the transit router. Each vSwitch occupies at least one IP address. When the VPC is connected to the Enterprise Edition transit router, an elastic network interface (ENI) is automatically created on each vSwitch of the VPC. Each ENI occupies one IP address of the vSwitch. The ENIs forward network traffic between the VPC and the Enterprise Edition transit router.

Data transfer from the connected VPC is preferentially forwarded by the ENI in the primary zone to the Enterprise Edition transit router. If the ENI in the primary zone is not working, the ENI in the secondary zone takes over.

Make sure that the following requirements are met when you specify the primary zone and secondary zone:

  • The primary zone and secondary zone must belong to the same VPC. At least one vSwitch must be deployed in each zone.

  • Take note of the route tables and network access control lists (ACLs) that are associated with the vSwitches in the zones that you specify when you create ENIs. The route tables and network ACLs affect how network traffic from the Enterprise Edition transit router to the VPC is processed in the VPC. If the vSwitches to which the ENIs are attached use different route tables and network ACLs, the vSwitches may process network traffic from the Enterprise Edition transit router to the VPC in different ways. For more information about network ACLs, see Overview of network ACLs.

  1. Log on to the CEN console.
  2. On the Instances page, click the ID of the CEN instance that you want to manage.
  3. Navigate to the Basic Settings > Transit Router tab and click the ID of the transit router that you want to manage.
  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.

    The following list describes only some key parameters. For more information about the other parameters, see Connect VPCs.

    • Network Type: Select VPC.

    • Region: Select the region where the VPC that you want to connect is deployed.

    • Transit Router: The system automatically displays the transit router in the selected region.

    • Select the primary and secondary zones for the transit router: Select the primary and secondary zones for the transit router. After you specify the zones, the system creates ENIs in the vSwitches that are deployed in the specified zones.

    • Networks: Select the ID of the VPC that you want to connect.

    • VSwitch: Select a vSwitch in the primary zone and the secondary zone.
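
The zone requirements above can be checked before the connection is created. The following pre-flight check is an added example, not Alibaba Cloud code: the VSwitch record, its field names and the sample IDs are assumptions of this sketch, and the same-zone warning is this example's own reasoning about failover rather than a documented constraint.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VSwitch:
    # Field names are assumptions of this sketch, not Alibaba Cloud API fields.
    vswitch_id: str
    vpc_id: str
    zone: str
    free_ips: int        # idle addresses left in the vSwitch
    route_table_id: str
    network_acl_id: str  # "" when no network ACL is associated


def check_zone_selection(vpc_id, primary, secondary):
    """Return (errors, warnings) for a proposed primary/secondary vSwitch pair."""
    errors, warnings = [], []
    for role, vsw in (("primary", primary), ("secondary", secondary)):
        if vsw.vpc_id != vpc_id:
            errors.append(f"{role}: {vsw.vswitch_id} is not in {vpc_id}")
        if vsw.free_ips < 1:
            # Each ENI the system creates occupies one address of its vSwitch.
            errors.append(f"{role}: {vsw.vswitch_id} has no free IP for the ENI")
    if primary.zone == secondary.zone:
        warnings.append("same zone: the secondary ENI gives no zone failover")
    # Traffic entering the VPC is handled by whichever ENI is active, so a
    # mismatch here means routing or filtering changes when failover happens.
    if primary.route_table_id != secondary.route_table_id:
        warnings.append("route tables differ between the two vSwitches")
    if primary.network_acl_id != secondary.network_acl_id:
        warnings.append("network ACLs differ between the two vSwitches")
    return errors, warnings


# Constructed sample data (all IDs are placeholders).
VSW_A = VSwitch("vsw-a", "vpc-1", "zone-h", 12, "vtb-1", "nacl-1")
VSW_B = VSwitch("vsw-b", "vpc-1", "zone-i", 0, "vtb-1", "")
VSW_C = VSwitch("vsw-c", "vpc-1", "zone-i", 30, "vtb-1", "nacl-1")

if __name__ == "__main__":
    for pair in ((VSW_A, VSW_B), (VSW_A, VSW_C)):
        errs, warns = check_zone_selection("vpc-1", *pair)
        print(pair[0].vswitch_id, pair[1].vswitch_id, errs, warns)
```

A network ACL mismatch is reported as a warning because the connection still works; the risk is that traffic from the transit router is filtered differently once the secondary ENI takes over.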

After I connect multiple VBRs to the same CEN instance, why do the VBRs fail to learn routes from each other?

Possible causes

After a VBR is connected to a CEN instance, the system automatically adds a routing policy whose direction is RegionOut, priority is 5000, and action is Deny to the route table of the transit router that is associated with the VBR connection. By default, this routing policy does not allow the VBR to communicate with other VBRs. Note that a Basic Edition transit router has only one route table. For more information, see Default routing policy.

Solutions

The routing policy created by the system cannot be modified. The priority of a routing policy created by the system is typically higher than 1000. If you do not want the default routing policy to take effect, you must add a custom routing policy that has a higher priority than the default routing policy. For more information, see Work with routing policies.
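
A small model of the behaviour described above, added here as an example and not Alibaba Cloud code: policies are evaluated in priority order and the first match decides. It assumes that a smaller priority number means a higher priority and that a route matching no policy is permitted; the class, its field names and the VBR IDs are hypothetical.

```python
from dataclasses import dataclass

ANY = frozenset()  # empty ID set means "any instance of the listed types"


@dataclass(frozen=True)
class RoutingPolicy:
    # Hypothetical model; field names are not Alibaba Cloud API parameters.
    priority: int          # assumption: smaller number = higher priority
    direction: str         # "RegionIn" or "RegionOut"
    action: str            # "Permit" or "Deny"
    src_types: frozenset   # instance types the route was learned from
    dst_types: frozenset   # instance types the route is advertised to
    src_ids: frozenset = ANY
    dst_ids: frozenset = ANY


def decide(policies, direction, src, dst):
    """Return the action of the first matching policy in priority order."""
    (src_type, src_id), (dst_type, dst_id) = src, dst
    for p in sorted(policies, key=lambda p: p.priority):
        if (p.direction == direction
                and src_type in p.src_types and dst_type in p.dst_types
                and (not p.src_ids or src_id in p.src_ids)
                and (not p.dst_ids or dst_id in p.dst_ids)):
            return p.action
    return "Permit"  # assumption: a route that matches no policy is allowed


VBR = frozenset({"VBR"})
# The system policy from the text: RegionOut, priority 5000, Deny, VBR to VBR.
SYSTEM_DEFAULT = RoutingPolicy(5000, "RegionOut", "Deny", VBR, VBR)
# Custom policy scoped to one source and one destination (constructed IDs).
ALLOW_A_TO_B = RoutingPolicy(100, "RegionOut", "Permit", VBR, VBR,
                             frozenset({"vbr-a"}), frozenset({"vbr-b"}))
# Same match conditions, but ordered after the system policy: never reached.
TOO_LATE = RoutingPolicy(6000, "RegionOut", "Permit", VBR, VBR,
                         frozenset({"vbr-a"}), frozenset({"vbr-b"}))


def advertise(policies, src_id, dst_id):
    """Would routes learned from VBR src_id be advertised to VBR dst_id?"""
    return decide(policies, "RegionOut", ("VBR", src_id), ("VBR", dst_id))


if __name__ == "__main__":
    for name, table in (("default only", [SYSTEM_DEFAULT]),
                        ("custom at 100", [SYSTEM_DEFAULT, ALLOW_A_TO_B]),
                        ("custom at 6000", [SYSTEM_DEFAULT, TOO_LATE])):
        for s, d in (("vbr-a", "vbr-b"), ("vbr-b", "vbr-a"), ("vbr-a", "vbr-c")):
            print(f"{name:15} {s} -> {d}: {advertise(table, s, d)}")
```

In this model the reverse direction and every other VBR pair stay denied, so two VBRs that must learn routes from each other need one scoped policy per direction rather than a blanket VBR-to-VBR permit.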

After I connect a VBR and a VPC to a CEN instance, why does the VBR fail to learn routes from the VPC?

Troubleshoot errors based on the edition of the transit router to which the VBR and VPC are connected.

Enterprise Edition transit router

If the VBR and VPC are connected to an Enterprise Edition transit router, perform the following operations to troubleshoot errors:

  1. Use the reachability analyzer and the diagnostic feature of transit routers to identify errors. For more information, see Work with the reachability analyzer and Diagnose a transit router.

  2. If the VBR and VPC are deployed in different regions, make sure that an inter-region connection is established between the transit routers to which the VBR and VPC are connected. For more information, see Use an Enterprise Edition transit router to create an inter-region connection.

  3. Make sure that the route table of the transit router to which the VBR is connected contains a route that points to the VPC.

  4. Check the routing policy applied to the route table of the transit router to which the VBR is connected. Make sure that the routing policy allows the VBR to learn routes from the VPC. For more information, see Routing policy overview.

Basic Edition transit router

If the VBR and VPC are connected to a Basic Edition transit router, perform the following operations to troubleshoot errors:

  1. If the VBR and VPC are deployed in different regions, make sure that an inter-region connection is established between the transit routers to which the VBR and VPC are connected. For more information, see Use a Basic Edition transit router to create an inter-region connection.

  2. Make sure that the route table of the transit router to which the VBR is connected contains a route that points to the VPC.

    By default, Basic Edition transit routers automatically learn routes from VBRs and system routes from VPCs. If you want a Basic Edition transit router to learn other routes from VPCs, advertise the routes to the transit router. For more information, see Advertise routes to a transit router.

  3. Check the routing policy applied to the route table of the transit router to which the VBR is connected. Make sure that the routing policy allows the VBR to learn routes from the VPC. For more information, see Routing policy overview.

Why does my VPC fail to learn routes from the CEN instance?

Troubleshoot errors based on the edition of the transit router to which the VPC is connected.

Enterprise Edition transit router

  1. By default, VPCs connected to an Enterprise Edition transit router do not automatically learn routes from the transit router. You can associate the VPC connection with a route table of the transit router and enable route synchronization for the VPC. Then, the VPC can automatically learn routes from the route table with which the VPC connection is associated. Make sure that the route table associated with the VPC connection contains routes that have been learned by a network resource.

    For more information about how to associate a VPC connection with a transit router route table and how to enable route synchronization, see Create an associated forwarding correlation and Enable route synchronization.

  2. Check whether a route table of the transit router contains a route that conflicts with a route in the route table of the VPC.

  3. Check the routing policy applied to the route table of the transit router. Make sure that the routing policy allows the VPC to learn routes from the route table of the transit router. For more information, see Routing policy overview.

Basic Edition transit router

By default, VPCs connected to a Basic Edition transit router automatically learn routes from the transit router. Perform the following operations to troubleshoot errors:

  1. Make sure that the route table of the transit router contains routes that have been learned by a network resource.

  2. Check whether the route table of the transit router contains a route that conflicts with a route in the route table of the VPC.

  3. Check the routing policy applied to the route table of the transit router. Make sure that the routing policy allows the VPC to learn routes from the route table of the transit router. For more information, see Routing policy overview.

Why does my VPC or CEN instance prompt the Route Conflict error?

For more information, see Troubleshooting and solutions for the prompt "route conflict" in VPC routing table or Cloud Enterprise Network.

What do I do if the CIDR blocks of the vSwitches in a VPC overlap with each other?

For more information, see What do I do if the CIDR blocks of the vSwitches in a VPC overlap with each other?

After I attach network instances that are in different regions to the same CEN instance, why do requests fail to reach the services but ping packets can?

After a Smart Access Gateway (SAG) instance is attached to an Enterprise Edition transit router, why do requests from the SAG instance fail to access another cloud service?

  1. Make sure that the region in which the cloud service is deployed has a VPC attached to the Enterprise Edition transit router. For more information, see Use an Enterprise Edition transit router to connect VPCs.

  2. Make sure that an inter-region connection is established between the Enterprise Edition transit router to which the VPC is connected and the transit router to which the Cloud Connect Network (CCN) instance is attached. For more information, see Use an Enterprise Edition transit router to create an inter-region connection.

  3. Make sure that a route that points to the cloud service is added to the route table of the Enterprise Edition transit router. Set the next hop of the route to the VPC connection. For more information, see Enable access to a cloud service from an Enterprise Edition transit router.

  4. Make sure that a route whose source CIDR block falls into the CIDR block of the SAG instance is added to the route table of the transit router to which the CCN instance is connected.

  5. Check the routing policies applied to the route table of the transit router to which the CCN instance is connected and the route table of the Enterprise Edition transit router. Make sure that these routing policies allow the CIDR block of the SAG to communicate with the CIDR block of the cloud service. For more information, see Routing policy overview.

  6. Check whether the route table of the VPC contains a route that points to the SAG instance. If not, add one and set the next hop to the VPC connection on the transit router. For more information, see Add and delete routes.

  7. Check whether the routes in the route table of the transit router to which the CCN instance is connected, the routes in the route table of the Enterprise Edition transit router, and the routes in the route table of the VPC conflict with each other.

  8. Check the ACL.

    • Check whether an ACL is configured for the SAG instance. If yes, make sure that the ACL allows the SAG instance to access the cloud service. For more information, see ACL overview.

    • Check whether an ACL is configured for the VPC. If yes, make sure that the ACL allows the SAG instance to access the cloud service. For more information about ACLs, see Overview of network ACLs.

  9. Check whether the services and cloud resources associated with the SAG instance are running as expected.

After I attach two VPCs to a CEN instance, why do the ECS instances in the VPCs fail to communicate?

Troubleshoot errors based on the edition of the transit routers to which the VPCs are connected.

Enterprise Edition transit router

If one of the VPCs is attached to an Enterprise Edition transit router, perform the following operations to troubleshoot:

  1. Check whether the VPCs are attached to the same CEN instance.

    The VPCs in which the ECS instances are deployed must be attached to the same CEN instance. For more information, see Connect VPCs.

  2. Use the reachability analyzer and the diagnostic feature of transit routers to identify errors. For more information, see Work with the reachability analyzer and Diagnose a transit router.

  3. If the VPCs are in different regions, make sure that an inter-region connection is established between the transit routers to which the VPCs are connected. For more information, see Use an Enterprise Edition transit router to create an inter-region connection.

  4. Check whether ACLs are configured for the VPCs. If yes, make sure that the ACLs allow the ECS instances to communicate with each other. For more information about ACLs, see Overview of network ACLs.

  5. Check the security group rules applied to the VPCs. Make sure that the security group rules allow the ECS instances to communicate with each other. For more information, see View security group rules and Add a security group rule.

  6. Check whether the CIDR blocks of the VPCs that need to communicate with each other are advertised to the transit routers. For more information, see Advertise routes to a transit router.

  7. Check whether routing policies are applied to the route tables of the transit routers to which the VPCs are connected. Make sure that the routing policies allow the CIDR blocks to communicate with each other.

  8. Check whether routes in the route tables of the transit routers to which the VPCs are connected conflict with the routes in the route tables of the VPCs.

  9. If the problem persists, send ping packets from an ECS instance in a VPC to test whether the packets can reach the destination ECS instance in the other VPC.

Basic Edition transit router

If both of the VPCs are connected to Basic Edition transit routers, perform the following operations to troubleshoot:

  1. Check whether the VPCs are attached to the same CEN instance.

    The VPCs in which the ECS instances are deployed must be attached to the same CEN instance. For more information, see Connect VPCs.

  2. If the VPCs are in different regions, make sure that an inter-region connection is established between the transit routers to which the VPCs are connected. For more information, see Use a Basic Edition transit router to create an inter-region connection.

  3. Check whether ACLs are configured for the VPCs. If yes, make sure that the ACLs allow the ECS instances to communicate with each other. For more information about ACLs, see Overview of network ACLs.

  4. Check the security group rules applied to the VPCs. Make sure that the security group rules allow the ECS instances to communicate with each other. For more information, see View security group rules and Add a security group rule.

  5. Check whether the CIDR blocks of the VPCs that need to communicate with each other are advertised to the transit routers.

    By default, Basic Edition transit routers automatically learn system routes from VPCs. If you want a Basic Edition transit router to learn other routes from VPCs, advertise the routes to the transit router. For more information, see Advertise routes to a transit router.

  6. Check whether routing policies are applied to the route tables of the transit routers to which the VPCs are connected. Make sure that the routing policies allow the CIDR blocks to communicate with each other.

  7. Check whether routes in the route tables of the transit routers to which the VPCs are connected conflict with the routes in the route tables of the VPCs.

  8. If the problem persists, send ping packets from an ECS instance in a VPC to test whether the packets can reach the destination ECS instance in the other VPC.

After I attach two VPCs to the same CEN instance, why can ping packets reach the VPCs but the Telnet ports of the VPCs are inaccessible?

For more information, see After I attach two VPCs to the same CEN instance, why do ping packets can reach the VPCs but the Telnet ports of the VPCs are inaccessible?

After I deploy an Express Connect circuit, why are the IP address of the Express Connect circuit and the IP address of the data center inaccessible?

For more information, see After I attach two VPCs to the same CEN instance, why do ping packets can reach the VPCs but the Telnet ports of the VPCs are inaccessible?

After I create a CEN instance and grant permissions on cross-account networking, why do networks fail to communicate with each other?

For more information, see After I grant permissions on cross-account networking, why do networks fail to communicate with each other?

When I create a VPC firewall for my CEN instance, why does the system prompt the following error: It is not allowed to be created because of the existing unauthorized network instance?

For more information, see When I create a VPC firewall for my CEN instance, why does the system prompt the following error: It is not allowed to be created because of the existing unauthorized network instance?

Why do I fail to attach a VPC that belongs to another Alibaba Cloud account to my CEN instance?

Perform the following operations to troubleshoot errors:

  1. Check whether the accounts to which the VPC and CEN instance belong are of the same type.

    If the VPC belongs to an Alibaba Cloud account on the China site but the CEN instance belongs to an Alibaba Cloud account on the International site, the VPC cannot be attached to the CEN instance. Only VPCs that belong to Alibaba Cloud accounts on the China site can be attached to the CEN instance.

  2. Check whether the required permissions on the VPC are granted to the CEN instance. For more information, see Grant Account B permissions on the VPC.