
Cloud Enterprise Network: Use routing policies to disable communication between a VPC and a CIDR block

Last Updated:Oct 19, 2023

This topic describes how to use routing policies to disable communication between a virtual private cloud (VPC) and a CIDR block.

Prerequisites

Note: This feature is supported only by Basic Edition transit routers.

Background information

By default, VPCs attached to a CEN instance can communicate with other VPCs, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances that are also attached to the CEN instance. In some scenarios, you may need to disable communication between a VPC and the CIDR block of a VPC, a VBR, or a CCN instance.

[Figure: Restrict communication between CIDR blocks]

As shown in the preceding figure, the VPC and VBR are attached to the CEN instance. The VBR learns two routes that point to CIDR Block 1 and CIDR Block 2 from the data center through BGP. By default, the VPC can communicate with CIDR Block 1 and CIDR Block 2. If you do not want the VPC to communicate with CIDR Block 1, you can configure a routing policy to disable communication between them. The VPC can still communicate with CIDR Block 2.

Step 1: Add a routing policy that sets the VPC to reject the VBR route that points to CIDR Block 1

Perform the following steps to add a routing policy that sets the VPC to reject the VBR route that points to CIDR Block 1.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the instance details page, find the region where you want to add a routing policy and click the ID of the transit router deployed in the region.

  4. On the details page of the transit router, click the Route Table tab and click Routing Policies.

  5. On the Routing Policies tab, click Add Routing Policy. Set the following parameters and click OK:

    • Routing Policy Priority: Enter a priority value for the routing policy. A smaller value indicates a higher priority. In this example, 20 is entered.

    • Region: Select the region to which you want to apply the routing policy. In this example, China (Hangzhou) is selected.

    • Policy Direction: Select the direction in which you want to apply the routing policy. In this example, Egress Regional Gateway is selected.

    • Match Conditions: Configure match conditions for the routing policy. In this example, the following match conditions are specified:

      • Source Instance ID List: The ID of the VBR is selected.

      • Route Prefix: 192.168.0.0/24 is used. Condition Type is set to Exact Match.

    • Action Policy: Select the action that you want to perform on routes that meet the match conditions. In this example, Reject is selected.

    After you add the routing policy, you can go to the Network Routes tab to check whether the route that points to 192.168.0.0/24 is deleted from the VPC.

    [Figure: Restrict communication between CIDR blocks]
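The following model shows how the transit router evaluates the routing policy configured above: a reject policy with priority 20, in the egress direction, matching routes whose source instance is the VBR and whose prefix is exactly 192.168.0.0/24. It also shows why Condition Type matters: an Exact Match policy rejects only the listed prefix, so a more specific route that the VBR learns from inside CIDR Block 1 would still reach the VPC, while a containment (fuzzy) match would reject it too. This is an added example written for this page; it is not Alibaba Cloud code and does not call the CEN API. The VBR ID, the name and semantics of the "fuzzy" mode, the more specific 192.168.0.128/25 route and the first-match-in-priority-order evaluation are assumptions made for the illustration.

```python
"""Simplified model of CEN transit-router routing policies (added example, not Alibaba Cloud code)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network      # destination CIDR learned by the transit router
    source_instance: str     # instance the route was learned from (here: the VBR)


@dataclass
class RoutingPolicy:
    priority: int            # smaller value = evaluated first (as on the page)
    direction: str           # "egress" models "Egress Regional Gateway"
    action: str              # "reject" or "permit"
    source_instances: frozenset = frozenset()   # Source Instance ID List
    prefixes: tuple = ()                        # Route Prefix match conditions
    condition_type: str = "exact"               # "exact" = Exact Match; "fuzzy" (assumed) = route inside block

    def matches(self, route: Route) -> bool:
        if self.source_instances and route.source_instance not in self.source_instances:
            return False
        if not self.prefixes:
            return True
        for p in self.prefixes:
            if self.condition_type == "exact" and route.prefix == p:
                return True
            if self.condition_type == "fuzzy" and route.prefix.subnet_of(p):
                return True
        return False


def apply_policies(routes, policies, direction="egress"):
    """Return the routes that survive the policies for one direction.
    Assumption: policies are tried in priority order and the first match decides;
    a route that matches no policy is permitted (the CEN default)."""
    ordered = sorted((p for p in policies if p.direction == direction), key=lambda p: p.priority)
    accepted = []
    for route in routes:
        decision = "permit"
        for policy in ordered:
            if policy.matches(route):
                decision = policy.action
                break
        if decision == "permit":
            accepted.append(route)
    return accepted


# Constructed scenario mirroring the page: one VBR advertising two CIDR blocks.
VBR_ID = "vbr-EXAMPLE-placeholder"
VBR_ROUTES = (
    Route(ip_network("192.168.0.0/24"), VBR_ID),   # CIDR Block 1
    Route(ip_network("192.168.1.0/24"), VBR_ID),   # CIDR Block 2
)
REJECT_BLOCK1 = RoutingPolicy(
    priority=20, direction="egress", action="reject",
    source_instances=frozenset({VBR_ID}),
    prefixes=(ip_network("192.168.0.0/24"),),
    condition_type="exact",
)


def vpc_routes_after_policy(routes=VBR_ROUTES, policies=(REJECT_BLOCK1,)):
    """Prefixes the VPC still learns once the policy is in place."""
    return [str(r.prefix) for r in apply_policies(routes, policies)]


def compare_condition_types():
    """With an extra (assumed) more specific VBR route inside CIDR Block 1,
    Exact Match leaves that route in place; the containment match rejects it."""
    routes = VBR_ROUTES + (Route(ip_network("192.168.0.128/25"), VBR_ID),)
    fuzzy_policy = replace(REJECT_BLOCK1, condition_type="fuzzy")
    return {
        "exact": [str(r.prefix) for r in apply_policies(routes, (REJECT_BLOCK1,))],
        "fuzzy": [str(r.prefix) for r in apply_policies(routes, (fuzzy_policy,))],
    }


if __name__ == "__main__":
    print("VPC routes after policy:", vpc_routes_after_policy())
    print("Exact vs fuzzy:", compare_condition_types())
```

When checking the Network Routes tab after adding the policy, look not only for the absence of 192.168.0.0/24 but also for any more specific prefixes within the block that the VBR may advertise; with Exact Match those are unaffected by the policy.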

Step 2: Test network connectivity

  1. Perform the following steps to test the connectivity between the VPC and CIDR Block 1.

    1. Log on to an ECS instance in the VPC.

    2. Run the ping command to ping the IP address of CIDR Block 1.

      The result shows that the ECS instance cannot access the IP address of CIDR Block 1.

      [Figure: ping result, ECS1 to ECS2]

  2. Perform the following steps to test the connectivity between the VPC and CIDR Block 2.

    1. Log on to an ECS instance in the VPC.

    2. Run the ping command to ping the IP address of CIDR Block 2.

      The result shows that the ECS instance can access the IP address of CIDR Block 2.

      [Figure: ping result, ECS2 to ECS3]