You can connect virtual private clouds (VPCs) to a transit router. After you connect the VPCs to the same transit router, the VPCs can communicate with each other. This topic describes how to connect VPCs to an Enterprise Edition transit router or a Basic Edition transit router.

Use an Enterprise Edition transit router to create VPC connections

Note The following content describes how to use an upgraded Enterprise Edition transit router to create a VPC connection. For more information about how to use an Enterprise Edition transit router that is not upgraded to create a VPC connection, see How do I use an unoptimized Enterprise Edition transit router to a create a VPC connection?.

For more information about how to upgrade an Enterprise Edition transit router, see Announcement: Optimization on VPC-connected Enterprise Edition transit routers.

How a VPC connection works

Enterprise Edition transit routers may be supported in one or more zones. Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. When you connect the Enterprise Edition transit router to the VPC, the transit router creates an elastic network interface (ENI) on the vSwitch of the VPC. The ENI occupies one IP address on the vSwitch and forwards network traffic between the VPC and the transit router.

Create a VPC connection

For more information about the regions and zones that support Enterprise Edition transit routers, see Transit router editions.

How routes are selected for a VPC connection

After an Enterprise Edition transit router is connected to a VPC, network traffic from the VPC is forwarded over the shortest route to reduce network latency. This section describes how an Enterprise Edition transit router selects routes for a VPC connection.

Route selection is performed three times to send a request from the initiator to the acceptor over a VPC connection.

How routes are selected for a VPC connection
Number Description
The first route.

The system must select a route between the initiator network and the Enterprise Edition transit router. A route is selected based on the following rules:

  1. After the initiator sends the request, the system queries the route table that is associated with the vSwitch of the initiator.
  2. If the route table contains a custom route whose next hop is the ENI of the Enterprise Edition transit router, the request is routed to the ENI and then routed to the Enterprise Edition transit router.
  3. If the route table does not contain a custom route whose next hop is the ENI of the Enterprise Edition transit router, the request is routed to the ENI of the Enterprise Edition transit router that is associated with the initiator network connection.
    • If the initiator network connection is associated with the zone where the initiator resides, the request is routed to the ENI of the Enterprise Edition transit router in the zone and then routed to the Enterprise Edition transit router.
    • If the initiator network connection is not associated with the zone where the initiator resides, the request is routed to the ENI of the Enterprise Edition transit router in the first zone associated with the initiator network connection, and then routed to the Enterprise Edition transit router. The first zone was specified when you created the initiator network connection.
The second route.
The Enterprise Edition transit router must select a route between the Enterprise Edition transit router and the acceptor network. A route is selected based on the following rules:
  1. After the Enterprise Edition transit router receives the request, the Enterprise Edition transit router queries the route table that is associated with the acceptor network connection.
  2. The Enterprise Edition transit router finds the next hop for the request and then routes the request to the ENI of the Enterprise Edition transit router that is associated with the acceptor network connection.
    • If the acceptor network connection is associated with the zone where the Enterprise Edition transit router that accepts the request resides, the request is routed to the ENI of the Enterprise Edition transit router in the zone and then routed to the acceptor network.
    • If the acceptor network connection is not associated with the zone where the Enterprise Edition transit router that accepts the request resides, the request is routed to the ENI of the Enterprise Edition transit router in the first zone associated with the acceptor network connection and then routed to the acceptor network. The first zone was specified when you created the acceptor network connection.
The third route.

The system must select a route between the acceptor network and the acceptor. The system routes the request to the acceptor based on the route table that is associated with the vSwitch that accepts the request.

Prerequisites

  • Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. For more information about how to create a vSwitch, see Create a vSwitch.
  • An Enterprise Edition transit router is created in the region where the VPC resides. For more information about, see Create a transit router.
  • You can connect VPCs to Enterprise Edition transit routers that belong to the same Alibaba Cloud account or different Alibaba Cloud accounts. If the VPC and the transit router that you want to connect belong to different Alibaba Cloud accounts, the transit router must acquire the required permissions from the Alibaba Cloud account to which the VPC belongs. For more information about, see Grant permissions to another Alibaba Cloud account.

Create a VPC connection

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.
  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    Note When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN. The service-linked role allows the Enterprise Edition transit router to create an ENI in a vSwitch of the VPC. The ENI is used as the interface for data transfer between the VPC and the transit router. For more information, see AliyunServiceRoleForCEN.
    Parameter Description
    Network Type Select VPC.
    Region Select the region where the network instance is deployed.
    Transit Router The system automatically displays the transit router in the selected region.
    Resource Owner ID Select the Alibaba Cloud account to which the network instance belongs.

    You can connect a transit router to a VPC that belongs to the same or another Alibaba Cloud account:

    • If the network instance and the transit router that you want to connect belong to the same account, select Your Account.
    • If the network instance and the transit router that you want to connect belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the network instance belongs.
    Billing Method By default, transit routers use the Pay-As-You-Go billing method.

    For more information about the billing rules, see Billing.

    Attachment Name Enter a name for the network connection.
    Networks Select the VPC.
    VSwitch Select a vSwitch in a zone that supports transit routers.

    If vSwitches are deployed in multiple zones that support transit routers, you can select multiple zones and select a vSwitch in each zone.

    Advanced Settings When you create a VPC connection, the system enables the following features in the advanced settings by default:
    • Associate with Default Route Table of Transit Router

      After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.

    • Propagate System Routes to Default Route Table of Transit Router

      After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.

    • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

      After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the VPC connection.

    You can disable the preceding feature based on business requirements. You can also configure associated forwarding and route learning to customize network connections. For more information, see Associated forwarding and Route learning.

    After the VPC connection is created, you can view the details about the connection on the Intra-region Connections tab. For more information, see View network instance connections.

Change the zone and vSwitch for a VPC connection

After you create a VPC connection, you can change the zone and vSwitch for the VPC connection. Before you begin, make sure that no routes of the VPC point to the ENI of an Enterprise Edition transit router. For more information about, see Add and delete route entries.

Warning If you change the vSwitch for a VPC connection, the connection may be interrupted for up to 15 seconds. Proceed with caution.
  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. Choose Basic Settings > Transit Router, find the transit router that you want to manage, and then click the ID of the transit router.
  4. On the Intra-region Connections tab, find the VPC connection that you want to manage and click the ID.
  5. In the Attachment Details panel, click Change Zone/Subnet in the Associated Instances section.
  6. In the Change Zone/Subnet dialog box, select another zone and a vSwitch in the Select Zone/Subnet section and click OK.
    When you change the zone and vSwitch, the zone and vSwitch that you select are associated with the VPC connection.

    For example, the VPC connection is associated with Zone A and vSwitch A1, which is deployed in Zone A. The following rules apply when you change the zone and vSwitch in the Change Zone/Subnet dialog box:

    • If you select Zone A and vSwitch A2, which is deployed in Zone A, the VPC connection is associated with Zone A and vSwitch A2 after you click OK.

      The VPC connection is automatically disassociated from vSwitch A1.

    • If you select Zone B, vSwitch B1 (deployed in Zone B), Zone C, and vSwitch C1 (deployed in Zone C), the VPC connection is associated with Zone B, vSwitch B1, Zone C, and vSwitch C1 after you click OK.

      The VPC connection is automatically disassociated from Zone A and vSwitch A1.

    • If you select Zone A, vSwitch A1 (deployed in Zone A), Zone C, and vSwitch C1 (deployed in Zone C), the VPC connection is associated with Zone A, vSwitch A1, Zone C, and vSwitch C1 after you click OK.

      The VPC is automatically associated with Zone C and vSwitch C1.

    Note After a VPC connection is associated with another vSwitch, the ENI of the previous vSwitch is automatically deleted.

Use a Basic Edition transit router to create VPC connections

You can connect a Basic Edition transit router to a VPC that belongs to the same or a different Alibaba Cloud account. If the VPC and the transit router that you want to connect belong to different Alibaba Cloud accounts, the transit router must acquire the required permissions from the Alibaba Cloud account to which the VPC belongs. For more information about, see Grant permissions to another Alibaba Cloud account.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.
  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    Parameter Description
    Network Type Select VPC.
    Region Select the region where the network instance is deployed.
    Transit Router The system automatically displays the transit router in the selected region.
    Resource Owner ID Select the Alibaba Cloud account to which the network instance belongs.

    You can connect a transit router to a VPC that belongs to the same or another Alibaba Cloud account:

    • If the network instance and the transit router that you want to connect belong to the same account, select Your Account.
    • If the network instance and the transit router that you want to connect belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the network instance belongs.
    Networks Select the ID of the network instance.
    After you create the VPC connection, you can view it on the Intra-region Connections tab on the details page of the transit router. For more information, see View network instance connections.

References