
Compute Nest: Change network configurations

Last Updated: Jun 18, 2025

Compute Nest allows customers to change the private network access configurations of fully managed service instances based on their business requirements. After a customer creates a service instance, the customer can add, modify, or remove a private connection for the service instance. This topic describes how to change private network access configurations.

Important

Customers can change the network configurations only for fully managed service instances.

Usage notes

Compute Nest supports two connection modes: PrivateLink and virtual private cloud (VPC) peering connection. Service providers can choose a connection mode based on their business requirements.

  • VPC peering connection

    • This mode is applicable only if the deployment of a service instance involves creating a VPC. Service providers must define the parameters for creating a VPC in the deployment template. When a customer creates a service instance, the customer only needs to specify the VPC to connect, through a peering connection, to the VPC specified in the deployment template.

    • VPC peering connections can be added, removed, or modified.

  • PrivateLink

    • This mode supports private network interconnection within a zone. The exchanged data is not transmitted over the Internet, which ensures higher data security and better network quality. For more information, see What is PrivateLink?

    • PrivateLink connections can be added, removed, or modified.

Billing

Compute Nest is free of charge. However, service providers are charged for the cloud resources used to deploy services, such as VPC peering connections, Server Load Balancer (SLB) instances, and Elastic Compute Service (ECS) instances. For more information, see Billing.

Change the configurations of a VPC peering connection

This section describes how to enable VPC peering connection configuration change for a service and change the VPC peering connection configurations of a service instance as a service provider.

Create a fully managed service

In this example, only the steps to enable private network access configuration change are shown. For more information about how to create a fully managed service, see Create a fully managed service.

  1. In the Service Deployment section of the Create Service page, select Resource Orchestration Service (ROS) as the deployment method and specify the parameters required for creating a VPC in the Template Content field.

    • The Resources section of the template must contain a resource of the ALIYUN::ECS::VPC type. Sample code:

      Resources:
        EcsVpc:
          Type: ALIYUN::ECS::VPC
          Properties:
            CidrBlock:
              Ref: VpcCidrBlock
    • The Parameters section of the template must contain a CIDR block parameter whose AssociationProperty value is ALIYUN::VPC::VPC::CidrBlock. Sample code:

      Parameters:
        VpcCidrBlock:
          Type: String
          AssociationProperty: ALIYUN::VPC::VPC::CidrBlock
          AllowedValues:
            - 192.168.0.0/16
            - 172.16.0.0/12
            - 10.0.0.0/8
          Description:
            en: The IP address range of the VPC in the CIDR block form.
            zh-cn: 专有网络的网段,可选值:192.168.0.0/16,172.16.0.0/12,10.0.0.0/8。  
          Default: 192.168.0.0/16
    • The following complete sample template can be used for a quick test of the private network access configuration change feature.

      Template for creating an ECS-hosted MySQL database that supports VPC peering connection

      ROSTemplateFormatVersion: '2015-09-01'
      # The parameters.
      Parameters:
        # The zone.
        ZoneId:
          Type: String
          AssociationProperty: ALIYUN::ECS::Instance:ZoneId
          Label:
            en: VSwitch Available Zone
            zh-cn: 可用区
        # The password of the root account of the database.
        Password:
          # Specifies whether to encrypt this parameter. In this example, this parameter is encrypted. Only asterisks (*) are output when this parameter is queried.
          NoEcho: true
          Type: String
          Description:
            en: 'Database root and admin account password, 8-32 characters, including uppercase and lowercase letters, numbers and special symbols (including: !@#$%^&*-+=_).'
            zh-cn: 数据库root和admin账户密码,长度8-32个字符,可包含大小字母、数字及特殊符号(包含:!@#$%^&*-+=_)。  
          Label:
            en: root and admin Account Password
            zh-cn: 数据库root和admin账户密码
          ConstraintDescription:
            en: '8-32 characters, including uppercase and lowercase letters, numbers and special symbols (including: !@#$%^&*-+=_).'
            zh-cn: 8-32个字符,可包含大小字母、数字及特殊符号(包含:!@#$%^&*-+=_)。  
          MinLength: '8'
          MaxLength: '32'
          AssociationProperty: ALIYUN::ECS::Instance::Password
        # The IPv4 CIDR block of the VPC.
        VpcCidrBlock:
          Type: String
          Label:
            en: VPC CIDR IPv4 Block
            zh-cn: 专有网络IPv4网段
          Description:
            zh-cn: VPC的ip地址段范围,<br>您可以使用以下的ip地址段或其子网:<br><font color='green'>[10.0.0.0/8]</font><br><font
              color='green'>[172.16.0.0/12]</font><br><font color='green'>[192.168.0.0/16]</font>
            en: 'The ip address range of the VPC in the CidrBlock form; <br>You can use
                the following ip address ranges and their subnets: <br><font color=''green''>[10.0.0.0/8]</font><br><font
                color=''green''>[172.16.0.0/12]</font><br><font color=''green''>[192.168.0.0/16]</font>'
          AssociationProperty: ALIYUN::VPC::VPC::CidrBlock
          Default: 192.168.0.0/16
        # The CIDR block of the vSwitch.
        VSwitchCidrBlock:
          Type: String
          Label:
            en: VSwitch CIDR Block
            zh-cn: 交换机子网网段
          Description:
            zh-cn: 必须属于VPC的子网段。  
            en: Must belong to the subnet segment of VPC.
          AssociationProperty: ALIYUN::VPC::VSwitch::CidrBlock
          AssociationPropertyMetadata:
            VpcCidrBlock: VpcCidrBlock
          Default: 192.168.1.0/24
        # The ECS instance type.
        EcsInstanceType:
          Type: String
          Label:
            en: Instance Type
            zh-cn: Ecs实例类型
          AssociationProperty: ALIYUN::ECS::Instance::InstanceType
          AllowedValues:
            - ecs.c6.large
            - ecs.c6.xlarge
            - ecs.c6.2xlarge
            - ecs.c6.4xlarge
      # The resources.
      Resources:
        # The WaitCondition and WaitConditionHandle resources that are used to send and receive signals for script execution on the ECS instance
        WaitCondition:
          Type: ALIYUN::ROS::WaitCondition
          Properties:
            Count: 1
            Handle:
              Ref: WaitConditionHandle
            Timeout: 1800
        WaitConditionHandle:
          Type: ALIYUN::ROS::WaitConditionHandle
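        # The security group. This quick-test rule admits MySQL traffic (TCP 3306) from any source address.
        # Outside a test, restrict SourceCidrIp to the CIDR blocks of the peered VPCs.
        EcsSecurityGroup:
          Type: 'ALIYUN::ECS::SecurityGroup'
          Properties:
            VpcId:
              Ref: EcsVpc
            SecurityGroupIngress:
              - Priority: 1
                PortRange: 3306/3306
                NicType: internet
                SourceCidrIp: 0.0.0.0/0
                IpProtocol: tcp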
        # The VPC.
        EcsVpc:
          Type: ALIYUN::ECS::VPC
          Properties:
            CidrBlock:
              Ref: VpcCidrBlock
            VpcName:
              Ref: ALIYUN::StackName
        # The vSwitch.
        EcsVSwitch:
          Type: ALIYUN::ECS::VSwitch
          Properties:
            ZoneId:
              Ref: ZoneId
            VpcId:
              Ref: EcsVpc
            CidrBlock:
              Ref: VSwitchCidrBlock
        # The ECS instance.
        EcsInstanceGroup:
          Type: ALIYUN::ECS::InstanceGroup
          Properties:
            # Specifies whether to create an I/O optimized instance.
            IoOptimized: optimized
            ZoneId:
              Ref: ZoneId
            DiskMappings:
              - Category: cloud_essd
                Device: /dev/xvdb
                Size: 200
            SystemDiskSize: 40
            # cloud-init is used to execute user commands.
            # Execution logs are recorded in /var/log/cloud-init.log and /var/log/cloud-init-output.log.
            # The script to be executed is /var/lib/cloud/instance/scripts/part-001. You can execute the script by using Shell for troubleshooting.
            UserData:
              Fn::Sub:
                - |
                  #!/bin/sh
      
                  # Pause the execution for a period of time to wait for the network to be ready.
                  sleep 10
      
                  # Partition the data disk.
      
                  cat >> /root/InitDataDisk.sh << EOF
                  #!/bin/bash
                  echo "p
                  n
                  p
      
      
      
                  w
                  " |  fdisk -u /dev/vdb
                  EOF
                  /bin/bash /root/InitDataDisk.sh
                  rm -f /root/InitDataDisk.sh
                  rm -f InitDataDisk.sh
                  # Create a file system for the new partition.
                  mkfs.ext4 /dev/vdb1
                  # Create a directory in which MySQL will be installed.
                  mkdir /data1
                  # Mount the file system.
                  mount /dev/vdb1 /data1
                  # Write the new partition information to the /etc/fstab file.
                  echo /dev/vdb1 /data1 ext4 defaults,nodelalloc,noatime 0 2 >> /etc/fstab
                  cd /data1/
      
                  # Install MySQL Community Edition.
                  wget '{{ computenest::file::MySQL }}' -O mysql-community-release-el6-5.noarch.rpm
                  rpm -ivh mysql-community-release-el6-5.noarch.rpm
                  yum repolist all | grep mysql
                  yum install mysql-community-server -y
      
                  # Start the MySQL server.
                  service mysqld start
      
                  # Log on as the superuser, create the admin user, and allow the admin user to remotely log on by using a password.
                  mysqladmin -u root password '${Password}'
                  echo "create database test character set utf8 collate utf8_bin;" > ./test.sql
                  echo "CREATE USER 'admin'@'%' IDENTIFIED BY '${Password}';" >> ./test.sql
                  echo "GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;" >> ./test.sql
                  mysql -u root -p'${Password}' < ./test.sql
      
                  # Move the MySQL configurations and data path to a data disk.
                  systemctl stop mysqld
                  rsync -av /var/lib/mysql /data1
                  # Modify the configuration file.
                  sed -i 's/\/var\/lib/\/data1/g' /etc/my.cnf
                  echo -e '\n' >> /etc/my.cnf
                  echo '[client]' >> /etc/my.cnf
                  echo 'port=3306' >> /etc/my.cnf
                  echo 'socket=/data1/mysql/mysql.sock' >> /etc/my.cnf
                  # Start the MySQL server.
                  systemctl start mysqld
      
                  # The callback is invoked when the script is successfully executed, and WaitCondition no longer needs to wait for sending signals.
                  ${CurlCli} -d "{\"Data\" : \"SUCCESS\", \"Status\" : \"SUCCESS\"}"
      
                # Specify the value of the ${CurlCli} variable. The value is the cURL command generated from the WaitConditionHandle resource.
                - CurlCli:
                    Fn::GetAtt:
                      - WaitConditionHandle
                      - CurlCli
                  # The password of the root account of the database.
                  Password:
                    Ref: Password
            # The billing method. In this example, the pay-as-you-go billing method is used.
            InstanceChargeType: PostPaid
            MaxAmount: 1
            # The system disk type. In this example, the disk type is Enterprise SSD (ESSD).
            SystemDiskCategory: cloud_essd
            # The name of the instance.
            InstanceName:
              Ref: ALIYUN::StackName
            VpcId:
              Ref: EcsVpc
            SecurityGroupId:
              Ref: EcsSecurityGroup
            VSwitchId:
              Ref: EcsVSwitch
            # The image ID. In this example, CentOS 7.9 is used. If the image is changed, the script under the UserData property must be accordingly modified.
            ImageId: "centos_7_9_x64_20G_alibase_20220727.vhd"
            InstanceType:
              Ref: EcsInstanceType
            # The host name.
            HostName:
              Ref: ALIYUN::StackName
            # The logon password of the instance.
            Password:
              Ref: Password
            # Specifies whether to allocate a public IP address to the instance.
            AllocatePublicIP: true
            InternetMaxBandwidthOut: 1
      # The output.
      Outputs:
        MysqlUserName:
          Label: MySQL logon username
          Value: admin
        PrivateIps:
          Label: private IP address
          Value:
            Fn::Select:
              - 0
              - Fn::GetAtt:
                  - EcsInstanceGroup
                  - PrivateIps
      # The metadata.
      Metadata:
        ALIYUN::ROS::Interface:
          # The parameter groups. On the service instance creation page, parameters in the same group are displayed together.
          ParameterGroups:
            - Parameters:
                - EcsInstanceType
              Label:
                en: Instance Type
                zh-cn: 实例规格
            - Parameters:
                - Password
              Label:
                en: Basic Configuration
                zh-cn: 基础配置
            - Parameters:
                - ZoneId
                - VpcCidrBlock
                - VSwitchCidrBlock
              Label:
                en: Network Configuration
                zh-cn: 网络配置
  2. In the Advanced Configuration (Optional) section, enable VPC Access and set the Connection Mode parameter to VPC Peering.

  3. In the Modify Configurations section of the Service O&M (Optional) section, enable Service Instance Configuration Change and click Add Operation. In the Add Operation dialog box, configure the parameters.

    Parameter: Description

    • Select Template: The template for which you want to enable configuration change.

    • Operation Name: The name of the configuration change operation.

    • Operation Description: The description of the configuration change operation.

    • Method: The method of the configuration change operation.

    • Network Change: The network configuration that can be changed.

  4. Click OK to create and publish the service.

Create a service instance and change the configurations of the service instance

  1. Create a fully managed service instance.

    For more information, see Create a fully managed service instance.

  2. Change the configurations of the service instance.

    1. On the details page of the created service instance, click Modify Configuration in the upper-right corner. In the dialog box that appears, select Network Change and click Next to go to the Specify Parameters step.

    2. If no VPC peering connection is configured for the service instance, click Add Peering Connection and select or create a VPC.

      Important
      • The CIDR block of the VPC that you select cannot overlap with those of the VPCs for which you already created peering connections or the VPC of the service instance.

      • You can add multiple peering connections. The CIDR blocks of the peering connections cannot overlap.

    3. Click Next to preview and confirm the parameters and then click OK.

    4. After the configurations are changed, the service instance enters the Deployed state. The information about the added peering connection is displayed on the Network Settings tab.

      Page displayed before the configuration change: [image]

      Page displayed after the configuration change: [image]
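
The CIDR rules in this procedure (allowed VPC ranges, vSwitch inside the VPC, no overlap between the service VPC and any peer VPC) can be checked before a peering connection is submitted. The following Python code is an added example, not part of the original documentation or of Compute Nest; it also checks candidates against each other, because several peering connections can be added in one change. The function names and the sample CIDR blocks are assumptions made for illustration.

```python
from ipaddress import IPv4Network

# Ranges the sample template accepts for VpcCidrBlock (these ranges or their subnets).
ALLOWED_VPC_RANGES = [IPv4Network(c) for c in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_service_network(vpc_cidr, vswitch_cidr):
    """Return a list of problems with a VpcCidrBlock / VSwitchCidrBlock pair."""
    vpc, vsw = IPv4Network(vpc_cidr), IPv4Network(vswitch_cidr)
    problems = []
    if not any(vpc.subnet_of(r) for r in ALLOWED_VPC_RANGES):
        problems.append(f"VPC {vpc} is outside the allowed private ranges")
    if not vsw.subnet_of(vpc):
        problems.append(f"vSwitch {vsw} is not inside VPC {vpc}")
    return problems


def find_conflicts(candidate_cidr, service_vpc_cidr, peer_cidrs):
    """Return (role, cidr) for every network the candidate peer VPC overlaps."""
    candidate = IPv4Network(candidate_cidr)
    in_use = [("service-vpc", IPv4Network(service_vpc_cidr))]
    in_use += [("peer", IPv4Network(c)) for c in peer_cidrs]
    return [(role, str(net)) for role, net in in_use if candidate.overlaps(net)]


def plan_peerings(service_vpc_cidr, existing_peer_cidrs, candidate_cidrs):
    """Check candidates in order; each accepted one constrains the ones after it."""
    peers = list(existing_peer_cidrs)
    accepted, rejected = [], {}
    for cidr in candidate_cidrs:
        conflicts = find_conflicts(cidr, service_vpc_cidr, peers)
        if conflicts:
            rejected[cidr] = conflicts
        else:
            accepted.append(cidr)
            peers.append(cidr)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample values; 192.168.0.0/16 is the template's default VPC CIDR.
    print(check_service_network("192.168.0.0/16", "192.168.1.0/24"))
    ok, bad = plan_peerings("192.168.0.0/16", ["10.0.0.0/16"],
                            ["10.0.128.0/20", "172.16.0.0/16", "172.16.5.0/24",
                             "192.168.1.0/24", "10.1.0.0/16"])
    print("accepted:", ok)
    for cidr, why in bad.items():
        print("rejected:", cidr, why)
```

A CIDR string with host bits set, such as 192.168.1.5/24, raises ValueError instead of being silently normalized, so a mistyped block is caught before the overlap check runs.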

Change the configurations of PrivateLink

This section describes how to enable PrivateLink configuration change for a service and change the PrivateLink configurations of a service instance as a service provider.

Create a fully managed service

In this example, only the steps to enable private network access configuration change are shown. For more information about how to create a fully managed service, see Create a fully managed service.

  1. On the Create Service page, configure the service information.

  2. In the Advanced Configuration (Optional) section, enable VPC Access, set the Connection Mode parameter to PrivateLink, and then select the resource to be accessed from the drop-down list.

    Note

    You can select SLB Instance or Endpoint Service from the drop-down list. In this example, SLB Instance is selected. For more information, see Configure VPC access for a service.

  3. In the Modify Configurations section of the Service O&M (Optional) section, enable Service Instance Configuration Change and click Add Operation. In the Add Operation dialog box, configure the parameters.

    Parameter: Description

    • Select Template: The template for which you want to enable configuration change.

    • Operation Name: The name of the configuration change operation.

    • Operation Description: The description of the configuration change operation.

    • Method: The method of the configuration change operation.

    • Network Change: The network configuration that can be changed. If you have configured a custom domain name, we recommend that you select both Change VPC Access and Change Custom Domain Name.

  4. Click OK to create and publish the service.

Create a service instance and change the configurations of the service instance

  1. Create a fully managed service instance.

    For more information, see Create a fully managed service instance.

  2. Change the configurations of the service instance.

    1. On the details page of the created service instance, click Modify Configuration in the upper-right corner. In the dialog box that appears, select Network Change and click Next to go to the Specify Parameters step.

    2. In the Specify Parameters step, change the configurations. In this example, a VPC is added and a custom domain name is enabled.

    3. Click Next to preview and confirm the parameters and then click OK.

    4. After the configurations are changed, the service instance enters the Deployed state. The information about the added VPC is displayed on the Network Settings tab.
