This topic describes how to use routing policies to disable communication among virtual private clouds (VPCs) that are attached to a Cloud Enterprise Network (CEN).

Prerequisites

Note: This feature is supported only by Basic Edition transit routers.

Background information

By default, a VPC attached to a CEN instance can communicate with VPCs, virtual border routers (VBRs), and cloud connect network (CCN) instances that are also attached to the CEN instance. However, you may want to disable communication among the network instances in some cases.

Figure: Disable intercommunication among VPCs

As shown in the preceding figure, VPC1, VPC2, and VPC3 are attached to the CEN instance. By default, VPC1, VPC2, and VPC3 can communicate with each other. If you do not want VPC1 and VPC2 to communicate with each other, you can use a routing policy to disable the communication between them. After you add the routing policy, VPC1 and VPC2 can still communicate with VPC3.

Step 1: Configure a routing policy that enables VPC2 to reject requests from VPC1

Perform the following operations to configure a routing policy that enables VPC2 to reject requests from VPC1:

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click its ID.
  3. On the instance details page, find the region where you want to add a routing policy and click the ID of the transit router deployed in the region.
  4. On the details page of the transit router, click the Route Table tab and click Route Maps.
  5. On the Route Maps page, click Add Route Map. Set the following parameters and click OK:
    • Route Map Priority: Enter a priority value for the routing policy. A smaller value indicates a higher priority. In this example, 20 is entered.
    • Region: Select the region to which the routing policy is applied. In this example, China (Hangzhou) is selected.
    • Transmit Direction: Select the direction of the routing policy. In this example, Import to Regional Gateway is selected.
    • Match Conditions: Enter match conditions for matching routes against the routing policy. In this example, the source instance ID is set to the ID of VPC2 and the destination instance ID is set to the ID of VPC1.
    • Action Policy: Select the action that you want to perform on a route when the route meets the match conditions. In this example, Deny is selected.
    After you add the routing policy, go to the Routes tab and select VPC1. The route table shows that the route can no longer forward network traffic from VPC1 to VPC2.

Step 2: Configure a routing policy that enables VPC1 to reject requests from VPC2

Perform the following operations to configure a routing policy that enables VPC1 to reject requests from VPC2:

  1. In the left-side navigation pane, click Instances.
  2. On the Instances page, find the CEN instance that you want to manage and click the ID of the instance.
  3. On the instance details page, find the region where you want to add a routing policy and click the ID of the transit router deployed in the region.
  4. On the details page of the transit router, click the Route Table tab and click Route Maps.
  5. On the Route Maps page, click Add Route Map. Set the following parameters and click OK:
    • Route Map Priority: Enter a priority value for the routing policy. A smaller value indicates a higher priority. In this example, 50 is entered.
    • Region: Select the region to which the routing policy is applied. In this example, China (Hangzhou) is selected.
    • Transmit Direction: Select the direction of the routing policy. In this example, Import to Regional Gateway is selected.
    • Match Conditions: Enter match conditions for matching routes against the routing policy. In this example, the source instance ID is set to the ID of VPC1 and the destination instance ID is set to the ID of VPC2.
    • Action Policy: Select the action that you want to perform on a route when the route meets the match conditions. In this example, Deny is selected.
    After you add the routing policy, go to the Routes tab and select a network instance in VPC2. The route table shows that the route can no longer forward network traffic from VPC2 to VPC1.

Step 3: Test the connectivity

Perform the following operations to test the connectivity between VPC1 and VPC2:

  1. Log on to ECS1 in VPC1.
  2. Run the ping command to ping the IP address of ECS2 in VPC2 to test the connectivity.
    The result shows that ECS1 cannot access ECS2.
  3. Log on to ECS2 in VPC2.
  4. Run the ping command to ping the IP address of ECS1 in VPC1 to test the connectivity.
    The result shows that ECS2 cannot access ECS1.

Perform the following operations to test the connectivity between VPC1 and VPC3:

  1. Log on to ECS1 in VPC1.
  2. Run the ping command to ping the IP address of ECS3 in VPC3 to test the connectivity.
    The result shows that ECS1 can access ECS3.
  3. Log on to ECS3 in VPC3.
  4. Run the ping command to ping the IP address of ECS1 in VPC1 to test the connectivity.
    The result shows that ECS3 can access ECS1.

Perform the following operations to test the connectivity between VPC2 and VPC3:

  1. Log on to ECS2 in VPC2.
  2. Run the ping command to ping the IP address of ECS3 in VPC3 to test the connectivity.
    The result shows that ECS2 can access ECS3.
  3. Log on to ECS3 in VPC3.
  4. Run the ping command to ping the IP address of ECS2 in VPC2 to test the connectivity.
    The result shows that ECS3 can access ECS2.
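
The following added example is a simplified model of how the two routing policies from Step 1 and Step 2 shape each VPC's route table and produce the ping results in Step 3. It is not Alibaba Cloud code. The instance IDs and CIDR blocks are constructed placeholders, and the model assumes that a route matching no routing policy is permitted, in line with the default behavior described in the background information.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RouteMap:
    priority: int     # smaller value = higher priority, as stated in Step 1
    source: str       # match condition: source instance ID
    destination: str  # match condition: destination instance ID
    action: str       # "Deny" or "Permit"

# Constructed placeholder instance IDs and CIDR blocks.
VPCS = {"vpc-1": "10.1.0.0/16", "vpc-2": "10.2.0.0/16", "vpc-3": "10.3.0.0/16"}

# The routing policies configured in Step 1 (priority 20) and Step 2 (priority 50).
POLICIES = [
    RouteMap(20, source="vpc-2", destination="vpc-1", action="Deny"),
    RouteMap(50, source="vpc-1", destination="vpc-2", action="Deny"),
]

def route_tables(vpcs, policies):
    """Return {instance: set of CIDR blocks learned from the other instances}."""
    ordered = sorted(policies, key=lambda p: p.priority)
    tables = {vpc: set() for vpc in vpcs}
    for src, cidr in vpcs.items():
        for dst in vpcs:
            if src == dst:
                continue
            # The first matching policy in priority order decides.
            # Assumption: a route that matches no policy is permitted.
            action = next((p.action for p in ordered
                           if p.source == src and p.destination == dst), "Permit")
            if action == "Permit":
                tables[dst].add(cidr)
    return tables

def ping_matrix(vpcs, policies):
    """A ping from a to b succeeds only if a has a route to b and b has a route back."""
    t = route_tables(vpcs, policies)
    return {(a, b): vpcs[b] in t[a] and vpcs[a] in t[b]
            for a in vpcs for b in vpcs if a != b}

def leftover_without_step2():
    """Routes between vpc-1 and vpc-2 that remain if only the Step 1 policy exists."""
    t = route_tables(VPCS, POLICIES[:1])
    pair = {"vpc-1": "vpc-2", "vpc-2": "vpc-1"}
    return {a: VPCS[b] for a, b in pair.items() if VPCS[b] in t[a]}

if __name__ == "__main__":
    for (a, b), ok in sorted(ping_matrix(VPCS, POLICIES).items()):
        print(f"{a} -> {b}: {'reachable' if ok else 'blocked'}")
    print("left in place without Step 2:", leftover_without_step2())
```

In this model, a ping between VPC1 and VPC2 already fails after Step 1 alone because the reply has no return route, yet VPC2 still holds a route to VPC1 until the Step 2 policy removes it. A failed ping therefore does not confirm that both policies are in place, so check the Routes tab for both VPCs as well.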