This topic describes how to create a virtual private cloud (VPC) connection. You can connect a VPC to a transit router that belongs to the same region. After you connect a VPC to a transit router, you can use the transit router to establish private network connections.

Background information

Before you create a VPC connection, take note of the following items:
  • Transit routers are available in Basic Edition and Enterprise Edition, which provide different features. Enterprise Edition provides all features of Basic Edition plus additional features for route management and network communication. For more information, see How transit routers work. For more information about how to check the edition of a transit router, see View the edition of a transit router.
  • If you use an Enterprise Edition transit router to create a VPC connection, make sure that at least two vSwitches that belong to different zones are deployed in the VPC. For more information about the zones that support Enterprise Edition transit routers, see Regions and zones that support Enterprise Edition transit routers.
  • You can connect a transit router to a VPC that belongs to the same or another Alibaba Cloud account. If you want to connect a transit router to a VPC that belongs to another Alibaba Cloud account, you must first acquire the permissions. For more information, see Grant permissions to another Alibaba Cloud account.

Use Enterprise Edition transit routers to create VPC connections

When you use Enterprise Edition transit routers to create VPC connections, you must specify a set of zones. The transit router automatically creates an elastic network interface (ENI) for each of the vSwitches in the zones that you specified. The two ENIs serve as the primary and secondary ENIs to receive network traffic from the VPC to the transit router. When you configure routes in the VPC, set the next hops of the routes to the transit router. The ENIs do not affect the route configuration.

Make sure that the specified zones meet the following requirements:

  • The zones that you specify must belong to the same VPC. At least one vSwitch must be deployed in each zone.
  • Take note of the route tables and network access control lists (ACLs) that are associated with the vSwitches in which the ENIs are created. These route tables and network ACLs determine how traffic from the transit router to the VPC is handled inside the VPC. If the vSwitches to which the two ENIs are attached use different route tables or network ACLs, traffic from the transit router to the VPC may be handled differently depending on which ENI receives it. For more information about network ACLs, see Overview.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click its ID.
  3. On the Cloud Enterprise Network (CEN) details page, you can use one of the following methods to navigate to the Connection with Peer Network Instance page and create a network instance connection.
    • On the Basic Settings tab, click Add next to VPC.
      Note If no transit router is created for the CEN instance, you can use this method to create the first network instance connection.
    • On the Basic Settings > Transit Router tab, find a transit router and click Create Connection in the Actions column.
  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    Network Type: Select VPC.
    Region: Select the region where the network instance is created.
    Transit Router: Displays the transit routers that are created in the selected region. If no transit router is found in the selected region, the system automatically creates a transit router.
    Select the primary and secondary zones for the transit router: Select the primary and secondary zones for the transit router. After you specify the zones, the system creates ENIs in the vSwitches that are deployed in the specified zones.
      Note When you create a network instance connection, the system automatically creates the service-linked role AliyunServiceRoleForCEN. This service-linked role allows the transit router to create ENIs in the vSwitches of the VPC that you want to connect. The ENIs are used to receive network traffic from the VPC to the transit router. For more information about service-linked roles, see AliyunServiceRoleForCEN.
    Resource Owner ID: Select the type of the account to which the network instance that you want to connect belongs. You can connect a transit router to a VPC that belongs to the same or another Alibaba Cloud account:
      • If the network instance that you want to connect and the CEN instance belong to the same account, select Your Account.
      • If the network instance that you want to connect and the transit router belong to different accounts, select Different Account and enter the ID of the network instance owner.
    Billing Method: Pay-As-You-Go is selected by default. For more information about the pay-as-you-go billing method, see Billing of Enterprise Edition transit routers.
    Attachment Name: Enter a name for the connection. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
    Networks: Select the ID of the VPC that you want to connect.
    VSwitch: Select a vSwitch in the primary zone and a vSwitch in the secondary zone.
    Advanced Settings: When you create a VPC connection, the system automatically enables the following features in the advanced settings:
      • Associate with Default Route Table of Transit Router
        After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC through the default route table.
      • Propagate System Routes to Default Route Table of Transit Router
        After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the same CEN instance.
      • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC
        After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the transit router.
      To manually disable the features, clear the check boxes in the advanced settings. After the features are disabled, you can manually associate the VPC with route tables and configure route learning. For more information, see Associated forwarding and Route learning.
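To see what the third advanced setting does to a route table that already has entries, here is an added Python example (not part of the original page and not CEN product code) that appends the three routes to a constructed route table and reports which destinations change next hop under longest-prefix match. Resource IDs are placeholders, and it assumes a route table cannot hold two entries for the same destination CIDR.

```python
from ipaddress import ip_address, ip_network

# The three routes that the "Automatically Creates Route That Points to Transit Router
# and Adds to All Route Tables of Current VPC" setting adds to every VPC route table.
TR_AUTO_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def next_hop(route_table, destination):
    """Longest-prefix match over (cidr, next_hop) entries; None means no matching route."""
    dst = ip_address(destination)
    best = None
    for cidr, hop in route_table:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def add_tr_routes(route_table, tr_next_hop):
    """Return (new_table, conflicts): the table with the three auto-created routes appended.
    Assumption: a destination CIDR already present cannot be added a second time, so it is
    reported as a conflict instead of being appended."""
    existing = {ip_network(cidr) for cidr, _ in route_table}
    new_table, conflicts = list(route_table), []
    for cidr in TR_AUTO_PREFIXES:
        if ip_network(cidr) in existing:
            conflicts.append(cidr)
        else:
            new_table.append((cidr, tr_next_hop))
    return new_table, conflicts


def next_hop_changes(route_table, tr_next_hop, destinations):
    """Map each probe destination whose next hop changes to (before, after)."""
    after, _ = add_tr_routes(route_table, tr_next_hop)
    changes = {}
    for dst in destinations:
        before_hop, after_hop = next_hop(route_table, dst), next_hop(after, dst)
        if before_hop != after_hop:
            changes[dst] = (before_hop, after_hop)
    return changes


# Constructed sample: a VPC with CIDR 192.168.0.0/24 (system route, next hop local) and one
# custom route to a VPN gateway. Both next-hop IDs are placeholders, not real resources.
SAMPLE_TABLE = [
    ("192.168.0.0/24", "local"),            # VPC system route, more specific than 192.168.0.0/16
    ("10.1.0.0/16", "vpn-gw-placeholder"),  # custom route, more specific than 10.0.0.0/8
]
PROBES = ("192.168.0.10", "10.1.5.5", "10.2.3.4", "172.20.1.1", "8.8.8.8")

if __name__ == "__main__":
    for dst, (before, after) in next_hop_changes(SAMPLE_TABLE, "tr-placeholder", PROBES).items():
        print(f"{dst}: {before} -> {after}")
```

Only the private destinations that previously matched no route are redirected to the transit router; the VPC system route and the more specific VPN route keep winning longest-prefix match.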

Use Basic Edition transit routers to create VPC connections

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click its ID.
  3. On the Cloud Enterprise Network (CEN) details page, you can use one of the following methods to navigate to the Connection with Peer Network Instance page and create a network instance connection.
    • On the Basic Settings tab, click Add next to VPC.
      Note If no transit router is created for the CEN instance, you can use this method to create the first network instance connection.
    • On the Basic Settings > Transit Router tab, find a transit router and click Create Connection in the Actions column.
  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    Network Type: Select VPC.
    Region: Select the region where the network instance is created.
    Transit Router: Displays the transit routers that are created in the selected region. If no transit router is found in the selected region, the system automatically creates a transit router.
    Resource Owner ID: Select the type of the account to which the network instance that you want to connect belongs. You can connect a transit router to a VPC that belongs to the same or another Alibaba Cloud account:
      • If the network instance that you want to connect and the CEN instance belong to the same account, select Your Account.
      • If the network instance that you want to connect and the transit router belong to different accounts, select Different Account and enter the ID of the network instance owner.
    Networks: Select the ID of the network instance that you want to connect.