After you connect a virtual border router (VBR) or a Cloud Connect Network (CCN) instance to a transit router, the on-premises network associated with the VBR or CCN instance can access cloud services on Alibaba Cloud by using the transit router.
Background information
Cloud services refer to the Alibaba Cloud services that use the 100.64.0.0/10 CIDR block to provide services. These cloud services include Object Storage Service (OSS), Log Service, and Data Transmission Service (DTS). If your on-premises network needs to access cloud services, you must connect the VBR or CCN instance associated with the on-premises network to a transit router, and connect a virtual private cloud (VPC) in the region where the cloud services are deployed to the transit router. After you connect the VPC to the transit router, your on-premises network can use the transit router to access the VPC in the region where the cloud services are deployed, and access the cloud services through the VPC.
Limits
An on-premises network associated with a VBR can use a transit router to access only the cloud services that are deployed in the same region as the on-premises network.
For example, if cloud services are deployed in the China (Beijing) region, only on-premises networks connected to VBRs in the China (Beijing) region can access the cloud services.
Prerequisites
- A VPC in the region where the cloud services are deployed is connected to a transit router. For more information, see Create a VPC connection.
- The VBR or CCN instance associated with your on-premises network is connected to a transit router. For more information, see Create a VBR connection or Associate a CCN instance with a transit router.
- The IP address or CIDR block of the cloud service is obtained.
For more information about the IP addresses or CIDR blocks used by OSS, see Internal endpoints of OSS buckets and VIP ranges.
Enable access to a cloud service on an Enterprise Edition transit router
Enable access to a cloud service
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.
- On the tab, click the ID of the transit router in the region where the cloud service that you want to access is deployed.
- On the details page of the transit router, click the Route Table tab.
- On the Route Table tab, click the ID of the route table to which you want to add the back-to-origin route, click the Route Entry tab, and then click Add Route Entry.
- In the Add Route Entry dialog box, set the following parameters and click OK.
Parameters:
- Route Table: By default, the current route table is selected.
- Transit Router: By default, the current transit router is selected.
- Name: Enter a name for the route entry.
- Destination CIDR: Enter the IP address or CIDR block that the cloud service uses to provide services. For example, OSS buckets in the China (Hangzhou) region use the CIDR block 100.118.28.0/24.
- Blackhole Route: Select whether to specify the route as a blackhole route. Valid values:
  - Yes: specifies that the route is a blackhole route. All traffic destined for this route is dropped.
  - No: specifies that the route is not a blackhole route. In this case, you must specify the next hop of the route.
  No is selected in this example.
- Next Hop: Select the next hop type, and then select the ID of the VPC connection on the transit router.
- Description: Enter a description for the route.
Important: Typically, a cloud service uses multiple IP addresses or CIDR blocks. Repeat the preceding steps to add all the IP addresses or CIDR blocks of the cloud service.
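As an added example that is not part of the original Alibaba Cloud documentation, the following Python models what the back-to-origin route does inside a transit router route table: longest-prefix matching, a blackhole entry that drops traffic, and a guard that the destination CIDR really lies in the 100.64.0.0/10 cloud-service space before a route is added. The VPC connection ID and the second CIDR block are constructed values; 100.118.28.0/24 is the OSS China (Hangzhou) block quoted above.

```python
import ipaddress

# Shared address space that Alibaba Cloud services are reached through (stated on the page).
CLOUD_SERVICE_SPACE = ipaddress.ip_network("100.64.0.0/10")


class TransitRouterRouteTable:
    """Minimal model of a transit router route table: longest-prefix match with blackhole entries."""

    def __init__(self):
        # Each entry: (destination network, next hop ID or None for a blackhole route, name)
        self.entries = []

    def add_cloud_service_route(self, cidr, vpc_connection_id, name):
        """Add a back-to-origin route that sends cloud-service traffic to the host VPC connection."""
        net = ipaddress.ip_network(cidr, strict=True)
        # Guard: refuse a destination outside 100.64.0.0/10. A typo here would otherwise
        # steer ordinary VPC or on-premises traffic into the host VPC instead of a cloud service.
        if not net.subnet_of(CLOUD_SERVICE_SPACE):
            raise ValueError(f"{cidr} is outside {CLOUD_SERVICE_SPACE}; not a cloud-service range")
        self.entries.append((net, vpc_connection_id, name))

    def add_blackhole_route(self, cidr, name):
        """Add a blackhole route: traffic matching it is dropped (the 'Yes' option in the dialog box)."""
        self.entries.append((ipaddress.ip_network(cidr, strict=True), None, name))

    def lookup(self, dst_ip):
        """Return the next hop ID for dst_ip, 'blackhole' if dropped, or 'unreachable' if nothing matches."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [e for e in self.entries if ip in e[0]]
        if not matches:
            return "unreachable"
        _net, next_hop, _name = max(matches, key=lambda e: e[0].prefixlen)
        return "blackhole" if next_hop is None else next_hop


def add_cloud_service_routes(table, cidrs, vpc_connection_id, name_prefix):
    """A cloud service usually spans several CIDR blocks; add one route per block and return the count."""
    for i, cidr in enumerate(cidrs, start=1):
        table.add_cloud_service_route(cidr, vpc_connection_id, f"{name_prefix}-{i}")
    return len(cidrs)


if __name__ == "__main__":
    # Constructed values: the VPC connection ID is hypothetical; 100.118.28.0/24 is the OSS
    # China (Hangzhou) block quoted on the page, the second block is made up for this demo.
    table = TransitRouterRouteTable()
    add_cloud_service_routes(table, ["100.118.28.0/24", "100.118.100.0/24"], "tr-attach-vpc-example", "oss-hangzhou")
    print(table.lookup("100.118.28.17"))   # tr-attach-vpc-example
    print(table.lookup("100.118.30.1"))    # unreachable
```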
Disable access to a cloud service
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.
- On the tab, click the ID of the transit router in the region where the cloud service that you want to access is deployed.
- On the details page of the transit router, click the Route Table tab.
- In the left-side section of the Route Table tab, click the route table that you want to manage. In the Route Table Details section, click the Route Entry tab and find the route that points to the cloud service.
- Click Delete in the Actions column. In the Delete Route Entry message, click OK.
Enable access to a cloud service on a Basic Edition transit router
Enable access to a cloud service
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.
- On the tab, click the ID of the transit router in the region where the cloud service that you want to access is deployed.
- On the transit router details page, click the Cloud Services tab.
- On the Cloud Services tab, click Configure AnyTunnel.
- In the Configure AnyTunnel dialog box, set the parameters and click OK.
Parameters:
- Service IP Address: Enter the IP address or CIDR block that the cloud service uses to provide services, for example, 100.118.28.0/24.
- Service Region: Select the region where the cloud service is deployed.
- Host VPC: Select the VPC that is connected to the transit router.
- Access Region: Select the region where the VBR or CCN instance that needs to access the cloud service is deployed.
- Description: Enter a description for the cloud service.
Important: Typically, a cloud service uses multiple IP addresses or CIDR blocks. Repeat the preceding steps to add all the IP addresses or CIDR blocks of the cloud service.
Disable access to a cloud service
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.
- On the tab, click the ID of the transit router in the region where the cloud service that you want to access is deployed.
- On the transit router details page, click the Cloud Services tab.
- On the Cloud Services tab, find the cloud service that you want to manage and click Delete in the Actions column.
- In the Delete Route Service message, click OK.