
Resolve overlapping vSwitch CIDR blocks in CEN

Last Updated: Feb 28, 2026

When multiple virtual private clouds (VPCs) attached to the same Cloud Enterprise Network (CEN) instance have overlapping vSwitch CIDR blocks, Elastic Compute Service (ECS) instances in those VPCs cannot communicate with each other through CEN.

Symptom

After you attach multiple VPCs to a CEN instance, cross-VPC communication fails. ECS instances in one VPC cannot reach ECS instances in another VPC, even though both VPCs are attached to the same CEN instance.

Cause

CEN uses a transit router to forward traffic between attached VPCs. Each VPC advertises its vSwitch CIDR blocks as routes to the transit router. When two or more VPCs contain vSwitches with overlapping CIDR blocks, the transit router cannot determine which VPC is the correct destination for a given packet. This routing ambiguity causes cross-VPC communication to fail.

Solutions

Choose the solution that best fits your situation.

             | NAT gateway                                                        | Replace the vSwitch
-------------|--------------------------------------------------------------------|--------------------------------------------------------------------------------------
Approach     | Add a NAT gateway to translate addresses between overlapping VPCs  | Delete the overlapping vSwitch and create a new one with a non-overlapping CIDR block
Downtime     | No downtime required                                               | Requires ECS instance shutdown during migration
Ongoing cost | NAT gateway instance and CU fees                                   | None
Best for     | Production environments where downtime is not acceptable           | Permanent fix when a maintenance window is available

Solution 1: Use a NAT gateway

Deploy a NAT gateway to enable communication between VPCs with overlapping CIDR blocks without changing the existing network topology. The NAT gateway translates source and destination IP addresses so that traffic is routed correctly through the transit router.

For the full procedure, see Allow VPCs with overlapping CIDR blocks to access each other by using NAT gateways.

Solution 2: Replace the vSwitch with a non-overlapping CIDR block

Replace the overlapping vSwitch with a new vSwitch that uses a unique CIDR block. This permanently resolves the routing conflict but requires migrating all resources and stopping ECS instances.

Step 1: Identify the overlapping vSwitch

  1. Log on to the CEN console.

  2. On the Instances page, click the CEN instance that you want to manage.

  3. Navigate to Basic Information > Transit Router tab, and click the ID of the transit router on which the VPC connection is created.

  4. On the transit router details page, click the Network Routes tab and identify the overlapping CIDR blocks.

  5. Log on to the VPC console, click the VPC, and find the vSwitch with the overlapping CIDR block.

Step 2: Create a replacement vSwitch

  1. Create a new vSwitch in the same VPC. For detailed instructions, see Create and manage a vSwitch. The new vSwitch must meet the following requirements:

    • Located in the same zone as the vSwitch to be deleted.

    • Uses a CIDR block that does not overlap with any CIDR block in the CEN instance.

    Note

    Plan your CIDR blocks carefully to avoid future overlaps. For guidance, see Plan networks.

  2. Apply the same configuration to the new vSwitch as the vSwitch to be deleted.

  3. If the vSwitch to be deleted is associated with a custom route table, associate the new vSwitch with the same custom route table.

Step 3: Migrate resources to the new vSwitch

  1. Migrate ECS instances: Change the vSwitch of each ECS instance by changing its private IP address. For instructions, see Change a private IP address.

    Important

    You can change the private IP address of an ECS instance only if the target vSwitch is in the same VPC and zone. The ECS instance must be stopped before the change. To change the VPC of an ECS instance, see Change the VPC of an ECS instance.

  2. Migrate database instances: If ApsaraDB RDS instances are deployed in the vSwitch, change their VPC and vSwitch. For instructions, see Change the VPC and vSwitch for an ApsaraDB RDS for MySQL instance.

  3. Migrate any other resources deployed in the vSwitch to the new vSwitch.

Step 4: Delete the old vSwitch

Before you delete the vSwitch, make sure the following conditions are met:

  • All resources are removed. Delete or migrate all resources deployed in the vSwitch, including: ECS, Classic Load Balancer (CLB), ApsaraDB RDS, ApsaraDB for MongoDB, PolarDB, Elasticsearch, Time Series Database (TSDB), ApsaraDB for HBase, ApsaraDB for ClickHouse, Tablestore, Container Registry, Elastic High Performance Computing (E-HPC), Data Disaster Recovery, and File Storage NAS (NAS).

  • All associations are removed. Disassociate the vSwitch from any of the following resources if applicable: SNAT entries, high-availability virtual IP addresses (HAVIPs), custom route tables, and network ACLs. For more information, see VPC documentation.

After all resources and associations are removed, delete the vSwitch from the VPC console.

Prevention

To avoid overlapping CIDR block issues in the future:

  • Plan your network topology before attaching VPCs to CEN. Assign unique, non-overlapping CIDR blocks to each VPC and vSwitch. For guidance, see Plan networks.

  • Use a structured IP address allocation scheme. Reserve distinct CIDR ranges for each VPC, region, and environment (production, staging, development) to prevent accidental overlaps as your network grows.

  • Check for CIDR conflicts before creating new vSwitches. Review the existing routes on the transit router Network Routes tab in the CEN console to verify that the new CIDR block does not conflict with any existing routes.
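As an added example that is not part of this document or of any Alibaba Cloud tool, the following Python script applies the checks from Step 1 and from the Prevention section to a constructed route list: it reports every pair of vSwitch CIDR blocks advertised by different VPCs that overlap, and tests whether a candidate replacement CIDR block conflicts with anything already advertised to the transit router. The VPC names and CIDR blocks are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample: routes as they might appear on a transit router's
# Network Routes tab, keyed by the VPC that advertises them. These are
# illustrative values, not taken from any real CEN instance.
ADVERTISED_ROUTES = {
    "vpc-a": ["10.0.0.0/24", "10.0.1.0/24"],
    "vpc-b": ["10.0.1.128/25", "10.0.2.0/24"],
    "vpc-c": ["172.16.0.0/20"],
}


def find_overlaps(routes):
    """Return (vpc1, cidr1, vpc2, cidr2) for every pair of vSwitch CIDR
    blocks advertised by different VPCs that overlap.

    Pairs within one VPC are skipped: a VPC does not allow overlapping
    vSwitches, and the ambiguity described above is between VPCs."""
    entries = [(vpc, ipaddress.ip_network(c))
               for vpc, cidrs in routes.items() for c in cidrs]
    overlaps = []
    for (vpc1, n1), (vpc2, n2) in combinations(entries, 2):
        if vpc1 != vpc2 and n1.overlaps(n2):
            overlaps.append((vpc1, str(n1), vpc2, str(n2)))
    return overlaps


def conflicting_routes(candidate, routes):
    """Pre-create check for a replacement vSwitch: return the advertised
    routes (from any VPC, including the old vSwitch still in place) that
    the candidate CIDR block overlaps. An empty list means the candidate
    does not conflict with any route in this CEN instance."""
    cand = ipaddress.ip_network(candidate)
    return [(vpc, c) for vpc, cidrs in routes.items() for c in cidrs
            if cand.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    for vpc1, c1, vpc2, c2 in find_overlaps(ADVERTISED_ROUTES):
        print(f"overlap: {vpc1} {c1} <-> {vpc2} {c2}")
    for cand in ("10.0.1.0/25", "10.0.3.0/24"):
        hits = conflicting_routes(cand, ADVERTISED_ROUTES)
        print(f"{cand}: {'OK' if not hits else 'conflicts with ' + str(hits)}")
```

Replace ADVERTISED_ROUTES with the routes you read from the Network Routes tab; any pair reported by find_overlaps is a vSwitch to replace, and a candidate is only safe when conflicting_routes returns an empty list.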

Applicable scope

  • Cloud Enterprise Network (CEN)