This topic describes how to use route maps to allow only specified virtual private clouds (VPCs) that are attached to a Cloud Enterprise Network (CEN) instance to communicate with each other. Restricting which routes each network instance accepts limits the reachability between VPCs and improves network security. We recommend that you use this method to manage routes in CEN instances.

Prerequisites

Before you configure route maps, make sure that the following requirements are met:

Background information

By default, VPCs that are attached to a CEN instance can communicate with all other network instances that are attached to the same CEN instance. These network instances are VPCs, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances. If a large number of VPCs, VBRs, and CCN instances are attached to a CEN instance, the connections become difficult to manage and every instance can reach every other instance. In this case, we recommend that you configure low-priority route maps that deny routes to all attached network instances, and then configure high-priority route maps that permit routes only between the network instances that need to communicate. Note that route maps filter the routes that a transit router exports to or imports from network instances; they do not inspect traffic. Security group rules and network ACLs still apply to the traffic between VPCs whose routes are permitted.

Architecture diagram

The VPCs in the preceding figure are attached to one CEN instance. VPC 1 and VPC 2 are deployed in the China (Hong Kong) region, and VPC 3 is deployed in the Germany (Frankfurt) region. By default, VPC 1, VPC 2, and VPC 3 can communicate with each other. As the network grows, you can use route maps to allow only specified VPCs to communicate with each other, which makes the network easier to manage and maintain. To do this, first configure low-priority route maps on the transit routers in the China (Hong Kong) and Germany (Frankfurt) regions that deny all routes exported to VPCs. This isolates VPC 1, VPC 2, and VPC 3 from each other, including VPC 1 and VPC 2, which are in the same region. Then, configure high-priority route maps that permit only the routes exchanged between VPC 1 and VPC 3.

Subnetting

The following table describes the CIDR blocks of VPC 1, VPC 2, and VPC 3.

Network instance    Subnetting                  ECS instance IP address
VPC 1               VPC 1: 10.0.0.0/8           ECS 1: 10.0.1.95
                    vSwitch 1: 10.0.1.0/24      ECS 2: 10.0.2.120
                    vSwitch 2: 10.0.2.0/24
VPC 2               VPC 2: 172.16.0.0/12        ECS: 172.16.1.80
                    vSwitch: 172.16.1.0/24
VPC 3               VPC 3: 192.168.0.0/16       ECS: 192.168.1.151
                    vSwitch: 192.168.1.0/24

Step 1: Configure route maps that deny routes from the transit routers to all network instances

Perform the following operations to configure route maps to block routes from the transit routers deployed in the China (Hong Kong) and Germany (Frankfurt) regions to VPC 1, VPC 2, and VPC 3:

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the ID of the instance.
  3. On the instance details page, find the region where you want to add a route map and click the ID of the transit router deployed in the region.
  4. On the details page of the transit router, click the Route Table tab and click Route Maps.
  5. On the Route Maps page, click Add Route Map. Configure a route map for the transit router in the Germany (Frankfurt) region based on the following information and click OK:
    • Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 100 is entered, so that the Permit route maps added in Step 2 and Step 3, which use 50, are evaluated before this Deny route map.
    • Description: Enter a description for the route map. This parameter is optional. In this example, "VPCs in the Germany (Frankfurt) region deny routes from the transit router" is entered.
    • Region: Select the region to which the route map is applied. In this example, Germany (Frankfurt) is selected.
    • Transmit Direction: Select the direction of the route map. In this example, Export from Regional Gateway is selected, so the route map applies to the routes that the transit router advertises to the network instances attached in this region.
    • Match Conditions: Set the match conditions of routes. In this example, Destination Instance Type is set to VPC, so the route map matches every route that the transit router would export to any VPC in the region.
    • Action Policy: Select the action that you want to perform on a route if the route meets all match conditions. In this example, Deny is selected.
    Block routes from the regional gateway in the Germany (Frankfurt) region
  6. On the Add Route Map page, set the following parameters and click OK to add a route map for the transit router in the China (Hong Kong) region:
    • Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 100 is entered.
    • Description: Enter a description for the route map. This parameter is optional. In this example, "VPCs in the China (Hong Kong) region deny routes from the transit router" is entered.
    • Region: Select the region to which the route map is applied. In this example, China (Hong Kong) is selected.
    • Transmit Direction: Select the direction of the route map. In this example, Export from Regional Gateway is selected.
    • Match Conditions: Set the match conditions of routes. In this example, Destination Instance Type is set to VPC. Because VPC 1 and VPC 2 are both attached in this region, this route map also blocks the routes between them.
    • Action Policy: Select the action that you want to perform on a route if the route meets all match conditions. In this example, Deny is selected.
    Block routes from the regional gateway in the China (Hong Kong) region
    After you add the route maps, navigate to the Routing Information tab of the network instances and check whether VPC 1, VPC 2, and VPC 3 have denied the routes from the regional gateways in the specified regions. The following figure shows that VPC 1 has denied the routes from the regional gateways.
    View routes of VPC 1

Step 2: Configure a route map that allows VPC 1 to accept routes from VPC 3

Perform the following operations to allow VPC 1 to accept routes from VPC 3:

  1. In the left-side navigation pane, click Instances.
  2. On the Instances page, find the CEN instance that you want to manage and click the ID of the instance.
  3. On the instance details page, find the region where you want to add a route map and click the ID of the transit router deployed in the region.
  4. On the details page of the transit router, click the Route Table tab and click Route Maps.
  5. On the Route Maps page, click Add Route Map. Set the following parameters and click OK:
    • Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 50 is entered. The value must be lower than the 100 used for the Deny route maps in Step 1; otherwise the Deny route map is evaluated first and this Permit route map never takes effect.
    • Description: Enter a description for the route map. This parameter is optional. In this example, "Allow VPC 1 to accept routes from VPC 3" is entered.
    • Region: Select the region to which the route map is applied. In this example, China (Hong Kong) is selected.
    • Transmit Direction: Select the direction of the route map. In this example, Export from Regional Gateway is selected.
    • Match Conditions: Set the match conditions of routes. In this example, the following match conditions are set:
      • Source Region: Select Germany (Frankfurt).
      • Source Instance IDs: Select the ID of VPC 3.
      • Target Instance IDs: Select the ID of VPC 1.
    • Action Policy: Select the action that you want to perform on a route if the route meets all match conditions. In this example, Permit is selected.
    Allow VPC 1 to accept routes from VPC 3
    After you add the route map, navigate to the Routing Information tab of the network instances and check whether VPC 1 has accepted the routes from VPC 3.
    VPC 1 accepts routes from VPC 3

Step 3: Configure a route map that allows VPC 3 to accept routes from VPC 1

Perform the following operations to allow VPC 3 to accept routes from VPC 1:

  1. In the left-side navigation pane, click Instances.
  2. On the Instances page, find the CEN instance that you want to manage and click the ID of the instance.
  3. On the instance details page, find the region where you want to add a route map and click the ID of the transit router deployed in the region.
  4. On the details page of the transit router, click the Route Table tab and click Route Maps.
  5. On the Route Maps page, click Add Route Map. Set the following parameters and click OK:
    • Route Map Priority: Enter a priority value for the route map. A lower value indicates a higher priority. In this example, 50 is entered.
    • Description: Enter a description for the route map. This parameter is optional. In this example, "Allow VPC 3 to accept routes from VPC 1" is entered.
    • Region: Select the region to which the route map is applied. In this example, Germany (Frankfurt) is selected.
    • Transmit Direction: Select the direction of the route map. In this example, Export from Regional Gateway is selected.
    • Match Conditions: Set the match conditions of routes. In this example, the following match conditions are set:
      • Source Region: Select China (Hong Kong).
      • Source Instance IDs: Select the ID of VPC 1.
      • Target Instance IDs: Select the ID of VPC 3.
    • Action Policy: Select the action that you want to perform on a route if the route meets all match conditions. In this example, Permit is selected.
    Allow VPC 3 to accept routes from VPC 1
    After you add the route map, navigate to the Routing Information tab and check whether VPC 3 has accepted the routes from VPC 1.
    VPC 3 accepts routes from VPC 1
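
The following added example, which is not Alibaba Cloud's code or a script from this page, models how the transit routers evaluate the four route maps from Step 1 to Step 3 and predicts the connectivity that Step 4 verifies. It assumes that the route maps on a transit router are evaluated in ascending order of priority value, that the first matching route map decides, and that a route matching no route map is permitted; the VPC IDs vpc-1, vpc-2, and vpc-3 are placeholders, while the regions and CIDR blocks are those from the subnetting table. It also shows the failure mode of giving the Permit route maps a larger priority value than the Deny route maps, in which case they never take effect.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

HK = "China (Hong Kong)"
DE = "Germany (Frankfurt)"

# Constructed sample data. The VPC IDs are placeholders; the regions and
# CIDR blocks are taken from the subnetting table on this page.
VPCS = {
    "vpc-1": (HK, "10.0.0.0/8"),
    "vpc-2": (HK, "172.16.0.0/12"),
    "vpc-3": (DE, "192.168.0.0/16"),
}


@dataclass(frozen=True)
class Route:
    cidr: str
    src_instance: str   # network instance that originated the route
    src_region: str
    dst_instance: str   # instance the transit router would export it to
    dst_region: str
    dst_type: str = "VPC"


@dataclass(frozen=True)
class RouteMap:
    priority: int                   # lower value is evaluated first
    region: str                     # transit router the route map belongs to
    direction: str                  # "RegionOut" = Export from Regional Gateway
    action: str                     # "Permit" or "Deny"
    description: str = ""
    src_region: Optional[str] = None
    src_instances: FrozenSet[str] = frozenset()
    dst_instances: FrozenSet[str] = frozenset()
    dst_type: Optional[str] = None

    def matches(self, r: Route) -> bool:
        """Every configured condition must hold; unset conditions match all."""
        if self.src_region is not None and r.src_region != self.src_region:
            return False
        if self.src_instances and r.src_instance not in self.src_instances:
            return False
        if self.dst_instances and r.dst_instance not in self.dst_instances:
            return False
        if self.dst_type is not None and r.dst_type != self.dst_type:
            return False
        return True


def evaluate(route_maps: List[RouteMap], route: Route) -> str:
    """Action of the first matching export route map on the transit router of
    the destination region, lowest priority value first. Assumption: a route
    that matches no route map is permitted, which is why Step 1 adds an
    explicit Deny before Step 2 and Step 3 add the Permit exceptions."""
    applicable = sorted(
        (m for m in route_maps
         if m.region == route.dst_region and m.direction == "RegionOut"),
        key=lambda m: m.priority,
    )
    for m in applicable:
        if m.matches(route):
            return m.action
    return "Permit"


def route_exported(route_maps: List[RouteMap], src: str, dst: str) -> bool:
    """True if dst receives the route to src's CIDR block."""
    src_region, cidr = VPCS[src]
    dst_region, _ = VPCS[dst]
    return evaluate(route_maps, Route(cidr, src, src_region, dst, dst_region)) == "Permit"


def connectivity(route_maps: List[RouteMap]) -> Dict[Tuple[str, str], bool]:
    """Two VPCs can communicate only if each has accepted the other's route."""
    names = sorted(VPCS)
    return {
        (a, b): route_exported(route_maps, a, b) and route_exported(route_maps, b, a)
        for a in names for b in names if a < b
    }


def page_route_maps(permit_priority: int = 50) -> List[RouteMap]:
    """The four route maps configured in Step 1 to Step 3 of this page."""
    return [
        RouteMap(100, DE, "RegionOut", "Deny",
                 "VPCs in the Germany (Frankfurt) region deny routes from the transit router",
                 dst_type="VPC"),
        RouteMap(100, HK, "RegionOut", "Deny",
                 "VPCs in the China (Hong Kong) region deny routes from the transit router",
                 dst_type="VPC"),
        RouteMap(permit_priority, HK, "RegionOut", "Permit",
                 "Allow VPC 1 to accept routes from VPC 3",
                 src_region=DE, src_instances=frozenset({"vpc-3"}),
                 dst_instances=frozenset({"vpc-1"})),
        RouteMap(permit_priority, DE, "RegionOut", "Permit",
                 "Allow VPC 3 to accept routes from VPC 1",
                 src_region=HK, src_instances=frozenset({"vpc-1"}),
                 dst_instances=frozenset({"vpc-3"})),
    ]


if __name__ == "__main__":
    for (a, b), ok in connectivity(page_route_maps()).items():
        print(f"{a} <-> {b}: {'reachable' if ok else 'blocked'}")
    # Misconfiguration: Permit route maps with a larger value than the Deny
    # route maps are evaluated after them and never match anything.
    print("Permit maps at priority 200:", connectivity(page_route_maps(200)))
```

Running the script prints vpc-1 <-> vpc-3 as reachable and the other two pairs as blocked, which is the result of Step 4. With no route maps at all, every pair is reachable, which is the default state described in the background information.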

Step 4: Test the connectivity

Perform the following operations to test the connectivity between the VPCs. Make sure that the security groups of the ECS instances allow ICMP traffic before you test; otherwise, a failed ping does not prove that the route is denied. If a ping fails even though the Routing Information tab shows the route as accepted, a security group rule or network ACL is blocking the traffic, not the route map.

  1. Log on to ECS 1 in VPC 1.
  2. Run the ping command to ping the IP address of the ECS instance in VPC 3 (192.168.1.151) to test the connectivity.
    The result indicates that ECS 1 in VPC 1 can access the ECS instance in VPC 3. This indicates that VPC 1 and VPC 3 can communicate with each other.
  3. Log on to the ECS instance in VPC 2.
  4. Run the ping command to ping the IP address of ECS 1 in VPC 1 (10.0.1.95) to test the connectivity.
    The result indicates that the ECS instance in VPC 2 cannot access VPC 1. This indicates that VPC 1 and VPC 2 cannot communicate with each other.
    Access VPC 1 from VPC 2
  5. Log on to the ECS instance in VPC 3.
  6. Run the ping command to ping the IP address of the ECS instance in VPC 2 (172.16.1.80) to test the connectivity.
    The result indicates that the ECS instance in VPC 3 cannot access VPC 2. This indicates that VPC 2 and VPC 3 cannot communicate with each other.