Enterprise Edition transit routers support flexible route management features. You can use Enterprise Edition transit routers to route network traffic to an access control server to scrub the traffic. This improves network security because only trusted traffic is transmitted. This topic describes how to use an Enterprise Edition transit router to establish and secure network communication.
Example
Before you begin, make sure that the virtual private cloud (VPC) where the access control server is deployed supports Enterprise Edition transit routers. Otherwise, you cannot establish or secure network communication. For more information about the regions and zones that support Enterprise Edition transit routers, see Regions and zones that support Enterprise Edition transit routers.
The following example shows how to use an Enterprise Edition transit router to establish and secure intra-region network communication. A company deployed three VPCs in the China (Hong Kong) region. Security services are deployed in VPC A. The three VPCs cannot communicate with each other. To accommodate business growth and security requirements, the company wants to establish network communication between VPC B and VPC C, and route network traffic to VPC A for scrubbing.
In this case, the company can connect VPC B and VPC C to an Enterprise Edition transit router and then add custom routing policies to the transit router to establish network communication between VPC B and VPC C.
Prerequisites
Three VPCs (A, B, and C) are created in the China (Hong Kong) region, and Elastic Compute Service (ECS) instances are deployed in each VPC. For more information, see Create a VPC with an IPv4 CIDR block.
Sufficient vSwitches are deployed in each VPC in the zones of the Enterprise Edition transit router. Each vSwitch has at least one idle IP address.
If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.
If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.
For example, if you create one VPC in the China (Hong Kong) region, you must create at least one vSwitch in Zone B and one vSwitch in Zone C. Each vSwitch must have at least one idle IP address.
NoteThe Enterprise Edition transit router associates an elastic network interface (ENI) with each vSwitch in the zones. The ENIs function as ingresses that forward network traffic from VPCs to the transit router. Each ENI occupies one IP address.
In this example, VPC A has three vSwitches. vSwitch 1 and vSwitch 2 are used to connect to the Enterprise Edition transit router. vSwitch 3 is used to host the security control service. The following table describes the CIDR blocks allocated to the VPCs. Make sure that the CIDR blocks do not overlap.
VPC
vSwitch
vSwitch zone
CIDR block
ECS IP address
VPC_A
Primary CIDR block: 10.1.0.0/16
vSwitch 1
Zone B
10.1.0.0/24
10.1.2.13
vSwitch 2
Zone C
10.1.1.0/24
vSwitch 3
Zone B
10.1.2.0/24
VPC_B
Primary CIDR block: 10.2.0.0/16
vSwitch 1
Zone B
10.2.0.0/24
10.2.2.48
vSwitch 2
Zone C
10.2.1.0/24
vSwitch 3
Zone C
10.2.2.0/24
VPC_C
Primary CIDR block: 10.3.0.0/16
vSwitch 1
Zone B
10.3.0.0/24
10.3.2.27
vSwitch 2
Zone C
10.3.1.0/24
vSwitch 3
Zone C
10.3.2.0/24
You are familiar with the security group rules of the ECS instances in VPC A, VPC B, and VPC C. The security group rules allow the ECS instances to communicate with each other. For more information, see View security group rules and Add a security group rule.
Procedure
Step 1: Create a CEN instance
CEN is used to create and manage network resources. Before you can use Enterprise Edition transit routers to connect networks, you must create a CEN instance.
Log on to the CEN console.
On the Instances page, click Create CEN Instance.
In the Create CEN Instance dialog box, configure the following parameters and click OK:
Name: Enter a name for the CEN instance.
Description: Enter a description for the CEN instance.
Resource Group: Select a resource group for the CEN instance.
In this example, no resource group is selected. The CEN instance is added to the default resource group.
Tag: Add tags to the CEN instance. In this example, no tag is added to the network instance connection.
Step 2: Create a transit router
Before you can create network instance connections, you must create a transit router in the region where the network instance is deployed.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance created in Step 1.
Choose and click Create Transit Router.
In the Create Transit Router dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Value
Region
Select the region where you want to create the transit router.
In this example, China (Hong Kong) is selected.
Edition
The edition of the transit router.
The transit router edition that is supported in the selected region is automatically displayed.
Enable Multicast
Specify whether to enable multicast.
In this example, multicast is disabled. By default, multicast is disabled.
Name
Enter a name for the transit router.
In this example, a custom name is specified for the transit router.
Description
Enter a description for the transit router.
In this example, a custom description is specified for the transit router.
Tag
Add tags to the transit router.
In this example, no tag is added to the transit router.
Transit Router CIDR
Specify a CIDR block for the transit router.
For more information, see Transit router CIDR blocks.
In this example, no CIDR block is specified for the transit router.
Step 3: Connect the VPCs to the transit router
Attach the network instances that you want to connect to the Enterprise Edition transit router in the region where each network instance is deployed.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the parameters and click OK. The following table describes the parameters.
The following table describes the settings of each VPC. Connect VPC A, VPC B, and VPC C to an Enterprise Edition transit router.
Parameter
Description
VPC A
VPC B
VPC C
Network Type
Select the type of network instance that you want to connect.
VPC
VPC
VPC
Region
Select the region where the network instance is deployed.
China (Hong Kong)
China (Hong Kong)
China (Hong Kong)
Transit Router
The ID of the transit router in the selected region is displayed.
Resource Owner ID
Select the Alibaba Cloud account to which the network instance belongs.
Current Account
Current Account
Current Account
Billing Method
Default value: Pay-As-You-Go.
Attachment Name
Enter a name for the network connection.
VPC_A_Connection
VPC_B_Connection
VPC_C_Connection
Tag
Add tags to the network instance connection.
In this example, no tag is added to the network instance connection.
In this example, no tag is added to the network instance connection.
In this example, no tag is added to the network instance connection.
Networks
Select the network instance that you want to connect to the transit router.
VPC A
VPC B
VPC C
VSwitch
Select a vSwitch in a zone of the transit router.
If each zone of the transit router has a vSwitch, you can select multiple zones and select a vSwitch in each of the zones to enable zone-disaster recovery.
Hong Kong Zone B: vSwitch 1
Hong Kong Zone C: vSwitch 2
Hong Kong Zone B: vSwitch 1
Hong Kong Zone C: vSwitch 2
Hong Kong Zone B: vSwitch 1
Hong Kong Zone C: vSwitch 2
Advanced Settings
The following advanced features are disabled for VPC A, VPC B, and VPC C:
Associate with Default Route Table of Transit Router
Propagate System Routes to Default Route Table of Transit Router
Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC
NoteIf the advanced features are enabled, VPC A, VPC B, and VPC C can automatically learn routes from each other, but network traffic is not scrubbed. In this example, the advanced features are disabled. In the following steps, custom route tables and route entries are used to define how network traffic is routed so that the network traffic can be scrubbed.
Step 4: Add route entries to the VPCs
Add route entries to VPC A, VPC B, and VPC C to route network traffic to the Enterprise Edition transit routers. Then, the network traffic is distributed by the Enterprise Edition transit routers for scrubbing.
Log on to the VPC console.
In the top navigation bar, select the region to which the route table belongs.
Add route entries to VPC B and VPC C.
Add the destination CIDR block 0.0.0.0/0 to the system route tables of VPC B and VPC C. Set the next hop to the transit routers to route network traffic that is destined for VPC B or VPC C to the transit routers.
In the left-side navigation pane, click Route Tables.
On the Route Tables page, click the ID of the route table that you want to manage.
In this example, the system route table of VPC B is used.
On the Route Entry List tab, click the Custom Route tab and then click Add Route Entry.
In the Add Route Entry panel, configure the following parameters and click OK:
Name: Enter a name for the custom route entry.
Destination CIDR Block: In this example, 0.0.0.0/0 is used.
Next Hop Type: In this example, Transit Router is selected.
Transit Router: In this example, the transit router that is associated with VPC B is selected.
Repeat the preceding step and configure the following parameters to add a route entry to the system route table of VPC C:
Destination CIDR Block: In this example, 0.0.0.0/0 is used.
Next Hop Type: In this example, Transit Router is selected.
Transit Router: In this example, the transit router that is associated with VPC C is selected.
Create three custom route tables named routetable1, routetable2, and routetable3 for VPC A. For more information, see the "Create a custom route table" section in Work with route tables.
Associate the vSwitches with custom route tables. For more information, see Associate a route table with a vSwitch.
In this example, vSwitch 1 of VPC A is associated with routetable1, vSwitch 2 is associated with routetable2, and vSwitch 3 is associated with routetable3.
Add route entries to the custom route table of VPC A.
On the Route Tables page, click the ID of a route table you created.
In this example, routetable1 is associated with vSwitch 1.
On the Route Entry List tab, click the Custom Route tab and then click Add Route Entry.
In the Add Route Entry panel, configure the following parameters and click OK:
Name: Enter a name for the route entry.
Resource Group: In this example, All is selected.
Destination CIDR Block: In this example, 0.0.0.0/0 is used.
Next Hop Type: In this example, ECS Instance is selected.
ECS Instance: In this example, the ECS instance that provides security services is selected. The ECS instance is deployed in vSwitch 3 of VPC A.
Repeat the preceding steps to add the same route entry to routetable2 that is associated with vSwitch 2.
Repeat the preceding steps to add a route entry to routetable3 that is associated with vSwitch 3. Configure the following parameters for the route entry:
Destination CIDR Block: In this example, 0.0.0.0/0 is used.
Next Hop Type: In this example, Transit Router is selected.
Transit Router: In this example, the transit router that is associated with VPC A is selected.
The following table describes the information about the route entries added in the preceding steps.
Network instance
Route table
vSwitch
Route entry
Next hop
VPC_A
routetable1
vSwitch 1
0.0.0.0/0
An ECS instance in vSwitch 3
routetable2
vSwitch 2
0.0.0.0/0
An ECS instance in vSwitch 3
routetable3
vSwitch 3
0.0.0.0/0
The transit router associated with VPC A
VPC_B
The system route table
vSwitch 1
vSwitch 2
vSwitch 3
0.0.0.0/0
The transit router associated with VPC B
VPC_C
The system route table
vSwitch 1
vSwitch 2
vSwitch 3
0.0.0.0/0
The transit router associated with VPC C
Step 5: Configure routes on the transit router
The Enterprise Edition transit router can route the network traffic from VPC B and VPC C to VPC A based on the route tables and route entries configured on the transit router. After network traffic is scrubbed in VPC A, the network traffic is routed to the destination.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab and click the ID of the transit router that you want to manage.
On the Route Table tab, create two custom route tables named TR_routetable1 and TR_routetable2. For more information, see the "Create a custom route table" section in Work with route tables.
Associate VPC B and VPC C with the custom route table of the Enterprise Edition transit router and add route entries to the route table.
On the Route Table tab, select TR_routetable1, click the Route Table Association tab, and then click Create Association.
In the Add Association dialog box, select the network instance connection that you want to associate with the route table and click OK.
In this example, VPC B and VPC C are associated with TR_routetable1.
On the details page of the custom route table, click the Route Entry tab, and then click Add Route Entry.
In the Add Route Entry dialog box, configure the following parameters and click OK:
Destination CIDR: In this example, 0.0.0.0/0 is used.
Blackhole Route: If you select Yes, traffic that is destined for this route is dropped. In this example, No is selected.
Next Hop: In this example, VPC_A_Connection is selected.
For more information, see Manage custom routes of a transit router.
After you complete the preceding steps, network traffic destined for VPC B or VPC C is routed to VPC A before being routed to VPC B or VPC C.
Associate the other custom route table with VPC A and configure routes for the route table.
On the Route Table tab, select TR_routetable2, click the Route Table Association tab, and then click Create Association.
In the Add Association dialog box, select the network instance connection that you want to associate with the route table and click OK.
In this example, VPC A is associated with TR_routetable2.
On the details page of the custom route table, click the Route Propagation tab, and then click Enable Route Propagation.
In the Enable Route Propagation dialog box, select the network instance for which you want to enable route propagation and click OK.
In this example, TR_routetable2 is propagated to VPC B and VPC C. After route propagation is enabled, the routes of VPC B and VPC C can be advertised to the route table TR_routetable2. Then, network communication between VPC A and VPC B and between VPC A and VPC C can be established by using TR_routetable2.
The following table describes the information about the route entries added to the route tables of the Enterprise Edition transit router.
Route table
Destination CIDR block
Next hop
TR_routetable1
0.0.0.0/0
VPC_A_Connection
TR_routetable2
10.2.0.0/24
VPC_B_Connection
10.2.1.0/24
VPC_B_Connection
10.2.2.0/24
VPC_B_Connection
10.3.0.0/24
VPC_C_Connection
10.3.1.0/24
VPC_C_Connection
10.3.2.0/24
VPC_C_Connection
Step 6: Test network connectivity
After you complete the preceding steps, you can test the network connectivity among VPC A, VPC B, and VPC C. To test the network connectivity, perform the following steps:
Log on to an ECS instance deployed in VPC A. Run the following command to enable data forwarding. For more information about how to log on to an ECS instance, see Connection method overview.
NoteIf data forwarding is disabled, VPC A and VPC B can communicate with each other, and VPC A and VPC C can communicate with each other. However, VPC B and VPC C cannot communicate with each other.
echo 1 > /proc/sys/net/ipv4/ip_forward #Enable data forwarding. This command temporarily enables data forwarding. If the ECS instance is restarted, data forwarding is disabled.Log on to an ECS instance deployed in VPC B. Run the ping command to test the connectivity between VPC B and VPC A, and between VPC B and VPC C.
If you receive an echo reply packet, it indicates that network communication is established between VPC B and VPC A, and between VPC B and VPC C.
ping <The IP address of the ECS instance in the destination network>Log on to an ECS instance deployed in VPC C. Run the ping command to test the connectivity between VPC C and VPC A, and between VPC C and VPC B.
If you receive an echo reply packet, it indicates that network communication is established between VPC C and VPC A, and between VPC C and VPC B.
ping <The IP address of the ECS instance in the destination network>