If your network architecture no longer meets your business requirements due to business development or changes in security policies, you may separate your business into different components and utilize virtual private clouds (VPCs) to isolate them. In this case, some of your Elastic Compute Service (ECS) instances need to be migrated from the current VPC to another, without changing the region and zones of the ECS instances.
Scenarios
You want to re-plan the VPCs of your instances because the original VPCs are unable to meet the growing requirements of your business.
In the early business phase, only one VPC was planned. Different projects and usage environments shared this VPC, which resulted in risks when you operate data. You want to use different VPCs for different projects and environments.
When you implement cross-VPC connection by using Cloud Enterprise Network (CEN) or VPC peering, make sure that the CIDR blocks of instances to be connected do not overlap. For more information, see Overview of VPC connections. If IP address conflicts occur between the instances that communicate with each other, you can replace the VPC of one of the instances.
Limitations
After the VPC is changed, the new vSwitch of the instance must reside within the same zone as the original vSwitch.
For information about how to migrate an ECS instance to another zone in the same region, see Cross-zone migration.
If you want to migrate data from an ECS instance that belongs to an Alibaba Cloud account or region to an ECS instance that belongs to another Alibaba Cloud account or region due to insufficient resource inventory, cost optimization, disaster recovery, and disk capacity scale-down, you can use Server Migration Center (SMC). For more information, see Migrate data between ECS instances that belong to the same Alibaba Cloud account or different Alibaba Cloud accounts.
When you change the VPC of an instance, you must select one to five security groups of the same type for the instance. The security group can be of the basic or advanced type.
The valid values of N vary based on the maximum number of security groups to which an instance can belong. For more information, see the Security group limits section of the "Limits" topic.
To ensure network connectivity, we recommend that you understand the differences in rule configurations between the two security group types before you switch an instance to security groups of a different type. For more information, see Overview.
You can change the VPCs of up to 20 instances at a time.
Impacts
Private IP addresses: After you change the VPC of an ECS instance, the primary private IP address of the instance becomes an IP address within the CIDR block of the destination vSwitch. If your private IP address is used by another service or application, change the private IP address to the new primary private IP address.
NoteThe public IP address of the instance is not affected.
Network connectivity: After you change the VPC of an ECS instance, the instance can no longer communicate with other ECS instances in the original VPC. For information about how to communicate with other instances in the original VPC, see Overview of VPC connections.
Access control: If the original VPC and the destination VPC use different network access control lists (ACLs) and security groups, check for and change configuration differences to make sure that applications can run as expected. For more information, see Access control.
Routing table configuration: The new VPC and the original VPC may have different routing table configurations. For applications that require specific routes, you must reconfigure or add route entries to ensure network connectivity. For more information, see Route tables.
Private DNS resolution: If private DNS resolution is enabled for the ECS instance whose VPC you want to change, domain name resolution may fail when you change the VPC. Make sure that the hostname feature is enabled for the source and destination VPCs. This ensures that the private DNS resolution feature is available. For more information, see the Step 1: Enable the DNS hostname feature in a VPC section of the "ECS private DNS resolution" topic.
Prechecks
Before you change the VPC, check the following items against the ECS instance:
The ECS instance is in the Stopped state. For information about how to stop an ECS instance, see Stop an instance.
NoteThe instance cannot be in the Locked, To Be Released, Expired, Expired and Being Recycled, or Overdue and Being Recycled state. For more information, see Instance lifecycle.
The ECS instance is not associated with a secondary Elastic Network Interface (ENI). If the ECS instance is associated with a secondary ENI, you must disassociate the secondary ENI from the instance.
The primary ENI of an ECS instance can have only a single primary private IPv4 address. If you assigned an IPv6 address and a secondary private IPv4 address to the primary ENI, you must delete the IPv6 address and unassign the secondary private IP address. For more information, see Delete an assigned IPv6 address and Unassign secondary private IP addresses.
The ECS instance is not connected by using the private IP address. For more information about how to release an authorized link, see Error 1: InvalidDependence.GrantAccess in the "Common errors" section of this topic.
The ECS instance is not added as a backend server to the server group of a Server Load Balancer (SLB) instance. For information about how to remove an ECS instance as a backend server from the server group of an SLB instance, see Default server group.
The ECS instance is not in a custom route entry. If an ECS instance is configured in a custom route table, you cannot change the VPC even if the vSwitch to which the instance belongs is not associated with the route table to which the route entry belongs. Remove the ECS instance from the custom route table entry. For more information, see Error 2: InvalidDependence.NextHopOfCustomRouter in the "Common errors" section of this topic.
The ECS instance is not associated with a high-availability virtual IP address (HAVIP). If an HAVIP is associated with an ECS instance, disassociate the ECS instance from the HAVIP. For more information, see the Manage HAVIPs section of the "HAVIP" topic.
The ECS instance is not bound to Global Accelerator (GA) instances as backend service nodes. If you use GA to provide acceleration services for an ECS instance, you must delete the endpoint on which the ECS instance resides. For more information, see Add and manage endpoint groups and endpoints for a basic GA instance.
The instance is not used in other Alibaba Cloud services. For example, the instance cannot be in the process of being migrated or having its VPC changed, or the databases deployed on the instance cannot be managed by Data Transmission Service (DTS).
VPCs, vSwitches, and security groups are created and available for the ECS instance.
If the destination VPC does not have an available vSwitch, create vSwitches in the VPC in the zones where the ECS instance is deployed. For detailed instructions, see Create and manage vSwitches.
If the destination VPC does not have a security group, you can clone the security group that is associated with the ECS instance in the original VPC to create a security group. For more information, see Clone a security group.
If the destination VPC is shared by another Alibaba Cloud account, the security group must be created by your account in the shared VPC.
Procedure
If you change the VPC, the ECS instance becomes temporarily unavailable. Take note of factors, such as business continuity and customer experience, and select a suitable time to operate.
We recommend that you select off-peak hours and create ECS snapshots and backups before you change the VPC.
Use the ECS console
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Click the ID of the ECS instance that you want to manage. On the instance details page, in the upper-right corner, click All Actions and choose Network and Security Group > Change VPC.
In the Change VPC dialog box, follow the instructions to change the VPCs of the instances.
In the Make Preparations step, check the network information and precautions and click Next.
In the Select VPC step, select a new VPC, a new vSwitch, and security groups from the Destination VPC, Destination vSwitch, and Destination Security Group drop-down lists and click Next.
If the destination VPC does not have an available vSwitch, create vSwitches in the VPC in the zones where the ECS instance is deployed. For detailed instructions, see Create and manage vSwitches.
If the destination VPC does not have a security group, you can clone the security group that is associated with the ECS instance in the original VPC to create a security group. For more information, see Clone a security group.
(Optional) In the Configure Primary Private IP Address step, specify a new primary private IP address for each ECS instance.
The primary private IP address must be within the CIDR block of the destination vSwitch.
If you do not manually specify the primary private IP address, the system automatically assigns a primary private IP address.
Click OK.
View the result.
After you perform the preceding operations to change the VPC of the ECS instance, click the instance ID. In the Configurations section of the Instance Details page, view the new VPC and vSwitch of the instance.
If you configured event notifications for VPC changes of ECS instances in EventBridge or CloudMonitor, you will receive a vSwitch change event notification.
For information about how to configure event notifications, see Subscribe to ECS system event notifications.
For information about EventBridge, see ECS events.
For information about vSwitch event notifications, see vSwitch event notifications.
Call API operations
You can call the ModifyInstanceVpcAttribute operation to change the VPC, vSwitch, and security group of an ECS instance.
After the modification, you can call the DescribeInstances operation to view the new VPC, vSwitch, and security group information of the instance based on the return values of the VpcId, VSwitchId, and SecurityGroupId parameters.
Common errors
If the following errors occur when you change the VPC of an instance, read the Prechecks section and handle the errors based on the actual error message and the corresponding solutions:
Error 1:
InvalidDependence.GrantAccess
Cause: When you change the VPC, the instance cannot be used in other cloud services. An error is reported indicating that the ECS instance may be associated with other services, such as Database Backup (DBS), DTS, Data Management (DMS), or Workbench.
Solution: Release the corresponding reverse access links to prevent the ECS instance from being used in other Alibaba Cloud services. Then, change the VPC again.
If your instance generates a reverse access link by using Workbench, perform the following steps to release the reverse access link:
Log on to the Workbench console and check whether a reverse access link exists on the ECS instance. If a reverse access link exists on the ECS instance, click Release Link in the Actions column to release the link.
In the message that appears, click OK. After the reverse access links are released, change the VPC of the instance again. If the issue persists, submit a ticket to Alibaba Cloud technical support.
Error 2:
InvalidDependence.NextHopOfCustomRouter
Cause: When you change the VPC, the instance cannot be included in the custom route entry. An error is reported even if the vSwitch to which the instance belongs is not associated with the route table to which the route entry belongs. An error is reported indicating that the ECS instance is the next in a custom route table entry.
Solution: Delete the route entry of the instance. Perform the following steps:
Log on to the Route Tables page in the VPC console.
In the top navigation bar, select the region of the VPC to which the vSwitch belongs.
On the Route Tables page, find the route entry of the instance whose VPC you want to change.
Click Delete in the Action column. Then, change the VPC of the instance again.
Error 3:
InvalidDependence.SLB
Cause: When you change the VPC, the ECS instance cannot be associated with the SLB instance. An error is reported when the instance is added to the backend server group even if the ECS instance is not attached to a backend real server (RS) by the SLB instance.
Solution: Check for the backend server group of the SLB instance to which the ECS instance is added and remove the ECS instance from the server group. For more information, see Default server group. Then, change the VPC of the instance again.
Error 4:
EnterpriseGroupLimited.MutliGroupType
Cause: If you select one to five security groups in the destination VPC when you change the VPC, all security groups must be basic or advanced security groups. An error message is reported, which indicates that a security group type is inconsistent with the security groups that you selected.
Solution: Select security groups of the same type.
Error 5:
Invalidinstance.AttachedEni
Cause: The ECS instance cannot be bound to a secondary ENI when you change the VPC.
Solution: Unbind the secondary ENI from the ECS instance. For more information, see Unbind an ENI.
Error 6:
PrimaryEniHasSubIp
Cause: The ECS instance cannot have multiple IP addresses when you change the VPC. The error message indicates that the primary ENI attached to the ECS instance is assigned multiple secondary private IP addresses.
Solution: Reclaim the secondary private IP addresses that are assigned to the ECS instance. For more information, see Unassign secondary private IP addresses.
Reference
If you want to connect ECS instances that belong to different Alibaba Cloud accounts or different VPCs over an internal network, you can use PrivateLink. For more information, see Access services in a VPC that belongs to another account by using PrivateLink.