CEN transit routers route traffic to Alibaba Cloud services that use the 100.64.0.0/10 CIDR block — such as Object Storage Service (OSS), Simple Log Service (SLS), and Data Transmission Service (DTS). This guide shows how to enable and disable that access for both Enterprise Edition and Basic Edition transit routers.
How it works
On-premises networks and cross-region VPCs cannot reach cloud services on the 100.64.0.0/10 block by default. To route traffic through CEN, you must:
Connect the on-premises network (via a virtual border router (VBR), IPsec-VPN connection, or Cloud Connect Network (CCN) instance) or the source VPC to a transit router.
Connect a VPC in the cloud service's region to the same transit router.
Add a route entry (Enterprise Edition) or AnyTunnel configuration (Basic Edition) for the cloud service's IP address or CIDR block.
CEN only handles the cloud side of routing. For on-premises networks, also add static routes pointing to the cloud service's CIDR block on your on-premises devices (routers, firewalls). Without these routes, traffic never leaves the on-premises network toward CEN.
The following diagram shows the traffic flow:
Limitations
The following table shows which transit router edition supports each access scenario:
| Access scenario | Enterprise Edition | Basic Edition |
|---|---|---|
| VPC in same region as cloud service | Not required — VPCs access same-region cloud services directly | Not required — VPCs access same-region cloud services directly |
| VPC in a different region than the cloud service | Supported | Not supported |
| On-premises network via IPsec-VPN | Supported | Not supported |
| On-premises network via VBR | Supported | Supported (same region as VBR only) |
| On-premises network via CCN | Supported | Not supported |
Prerequisites
Before you begin, collect the IP address or CIDR block of the cloud service. See the service's documentation for the correct address. For OSS, see Access OSS using bucket domain names.
Depending on your scenario, verify that the following connections exist:
For on-premises network access:
The VBR, IPsec-VPN connection, or CCN instance is connected to the transit router. See Create a VBR connection, Create a VPN connection, or Create a CCN connection
A VPC in the cloud service's region is connected to the transit router. See Create a VPC connection
(Cross-region only) An inter-region connection exists between the transit routers. See Manage inter-region connections
For cross-region VPC access:
The source VPC is connected to a transit router. See Create a VPC connection
A VPC in the cloud service's region is connected to a transit router
An inter-region connection exists between the transit routers. See Manage inter-region connections
Enable access from an Enterprise Edition transit router
Enterprise Edition transit routers use static route entries to forward traffic to cloud services. Add one route entry per IP address or CIDR block used by the cloud service.
Add a route entry
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance.
On the Basic Information > Transit Router tab, click the ID of the transit router in the cloud service's region.
On the transit router details page, click the Route Table tab.
In the left-side list, click the route table ID. In the Route Table Details section, click the Route Entry tab, then click Add Route Entry.
In the Add Route Entry dialog box, set the following parameters and click OK.
Parameter Description Route table The current route table is selected by default. Transit router The current transit router is selected by default. Name A name for the route entry. Destination CIDR The IP address or CIDR block that the cloud service uses. For example, OSS in the China (Hangzhou) region uses 100.118.28.0/24.Blackhole route Select No to forward traffic to a next hop. Select Yes to drop matching traffic. Next hop The VPC connection ID on the transit router. Required when Blackhole route is set to No. Description An optional description for the route entry.
If the cloud service uses more than one IP address or CIDR block, repeat this step for each address.
Delete a route entry
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance.
On the Basic Information > Transit Router tab, click the ID of the transit router in the cloud service's region.
On the transit router details page, click the Route Table tab.
In the left-side list, click the route table. In the Route Table Details section, click the Route Entry tab and find the route to the cloud service.
In the Actions column, click Delete. In the Delete Route Entry message, click OK.
Use the API
Use Alibaba Cloud SDKs (recommended), Alibaba Cloud CLI, Terraform, or Resource Orchestration Service (ROS) to manage route entries programmatically:
CreateTransitRouterRouteEntry — adds a route entry to an Enterprise Edition transit router route table.
DeleteTransitRouterRouteEntry — removes a static route entry from an Enterprise Edition transit router route table.
Enable access from a Basic Edition transit router
Basic Edition transit routers use the AnyTunnel feature to configure cloud service access. The configuration maps a service IP address or CIDR block to a specific VPC and access region.
Configure AnyTunnel
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance.
On the Basic Information > Transit Router tab, click the ID of the transit router in the cloud service's region.
On the transit router details page, click the Cloud Services tab.
Click Configure AnyTunnel.
In the Configure AnyTunnel dialog box, set the following parameters and click OK.
Parameter Description Service IP address The IP address or CIDR block that the cloud service uses, for example, 100.118.28.0/24.Service region The region where the cloud service is deployed. Service VPC The VPC connected to the transit router. Access region The region where the VBR or CCN instance that needs to reach the cloud service is deployed. Description An optional description.
If the cloud service uses more than one IP address or CIDR block, repeat this step for each address.
Remove an AnyTunnel configuration
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance.
On the Basic Information > Transit Router tab, click the ID of the transit router in the cloud service's region.
On the transit router details page, click the Cloud Services tab.
Find the cloud service configuration and click Delete in the Actions column.
In the Delete Route Service message, click OK.
Use the API
Use Alibaba Cloud SDKs (recommended), Alibaba Cloud CLI, Terraform, or Resource Orchestration Service (ROS) to manage AnyTunnel configurations programmatically:
ResolveAndRouteServiceInCen — connects an on-premises network to a cloud service.
DescribeRouteServicesInCen — lists cloud service configurations on a CEN instance.
DeleteRouteServiceInCen — removes a cloud service configuration.
FAQ
After configuring CEN, why can't my on-premises network reach the cloud service?
CEN only handles the cloud side of routing. On your on-premises network devices (routers, firewalls), add static routes that point to the cloud service's CIDR block. Without these routes, traffic never leaves the on-premises network toward CEN.
What's next
Enable ECS instances to access OSS across regions over VPC connections