Enable Private Cross-Region VPC Access to MaxCompute - MaxCompute

Use cases

In a multi-region data architecture, an application server in one region often needs to access and process data in a MaxCompute project in another region. Common scenarios include:

Inter-region data migration: For example, using Spark with the open storage pattern
Remote data analytics: Running analytics jobs against a MaxCompute project in a different region
Unified data mid-end: Building a centralized data platform that spans multiple regions

Routing this traffic over the public internet introduces high network latency and security risks. A VPC peering connection resolves both issues by establishing a private, inter-region communication channel.

How it works

This solution combines two components:

A VPC peering connection connects two VPCs in different regions, creating a private network path between them.
A VPC endpoint for MaxCompute in the destination region exposes the MaxCompute service on a private domain name and IP address, making it reachable from within the peered VPC.

The following diagram shows the data link for an inter-region setup between Singapore and Germany. The storage API is accessed through the VPC endpoint in Singapore at service.ap-southeast-1-vpc.maxcompute.aliyun-inc.com.

The setup involves four stages:

Establish an inter-region connection: Create a VPC peering connection instance between the source VPC (Region A) and the destination VPC (Region B).
Configure bidirectional routing: In the route tables of both VPCs, add a route entry pointing to the peer VPC's CIDR block, with the next hop set to the VPC peering connection instance.
Expose the private service: In the destination VPC (Region B), create a VPC endpoint for MaxCompute. This generates a private domain name and IP address for the service.
Enable private network access: An ECS instance in the source VPC (Region A) reaches the MaxCompute VPC endpoint in the destination VPC (Region B) through the peering connection.

Prerequisites

Before you begin, make sure that:

The CIDR blocks of the requester VPC and the accepter VPC are not the same. For example, they cannot both be 192.168.0.0/16.

Procedure

The following steps use Singapore (requester) and Germany/Frankfurt (accepter) as an example.

Step 1: Create a VPC peering connection

Log on to the Virtual Private Cloud (VPC) console.the Virtual Private Cloud (VPC) console
In the left navigation pane, choose VPC Peering Connection. In the upper-left corner, select the requester region. For this example, select Singapore.
Click Create VPC Peering Connection.

Configure the connection parameters as described in the following table.

If you select Add route to peer VPC CIDR and a route with the same CIDR block already exists in a VPC's system route table, the automatic route addition fails. After creating the connection, check the Route Entry List tab to confirm the route was added successfully.

Parameter	Required	Description
Name	Optional	A custom name for the connection, such as `test-vpc-connect`.
Resource group	Optional	Select an existing resource group.
Requester VPC	Required	Select the VPC in the requester region.
Accepter account type	Optional	Select Same Account or Cross-Account. For cross-account connections, enter the UID of the accepter's Alibaba Cloud account.
Accepter region type	Optional	Select Intra-Region or Inter-Region. Inter-region connections incur inter-region data transfer fees. For fee details, see Inter-region traffic.
Link Type	Required	Select Gold or Platinum.
Accepter Region	Required	For this example, select Germany (Frankfurt).
Accepter VPC	Required	Select the VPC in the accepter region.
Add route to peer VPC CIDR	Optional	If selected, the system automatically adds a route to the main IPv4 CIDR block of the peer VPC in the system route tables of both VPCs. Routes for additional CIDR blocks must be configured separately after creation.
Tag Key	Optional	A custom tag key.
Tag Value	Optional	A custom tag value.

Step 2: Configure peering connection route entries

Both VPCs need a route entry pointing to the other VPC's CIDR block. The following table shows the required bidirectional route structure, using placeholders for your actual values:

Route table	Destination CIDR block	Next hop
Singapore VPC route table	`<Germany VPC CIDR>`	VPC peering connection instance
Germany VPC route table	`<Singapore VPC CIDR>`	VPC peering connection instance

To configure the routes:

In the left navigation pane, choose VPC Peering Connection. The peering connection you created appears in the list.

Determine the IP address of the MaxCompute VPC endpoint by running an nslookup query from your ECS instance or any host in the source VPC. The following commands cover the three endpoint types:

# MaxCompute source VPC endpoint
nslookup service.ap-southeast-1-vpc.maxcompute.aliyun-inc.com

# MaxCompute source VPC tunnel endpoint
nslookup dt.ap-southeast-1-vpc.maxcompute.aliyun-inc.com

# MaxCompute dedicated VPC tunnel endpoint
nslookup dt-exclusive.ap-southeast-1-vpc.maxcompute.aliyun-inc.com

Note the returned IP address. You will use it as the destination CIDR block in the accepter route entry.

On the VPC Peering Connection page, find the peering connection. In the Actions column of the accepter, click Configure route.

In the dialog box, fill in the following fields:

Parameter	Required	Description
Name	Optional	1 to 128 characters; cannot start with `http://` or `https://`.
Accepter route table	Required	Select an existing route table or create a new one.
Destination CIDR Block	Required	Enter the IP address of the source VPC endpoint that you queried.
Next Hop	Required	Automatically generated.

In the left navigation pane, choose VPC Peering Connection. In the upper-left corner, select a region. Click the name of the peering connection, then click the Route Entry List tab to verify that the route entries are configured correctly.

What's next

For more information about interconnecting VPCs, see VPC Interconnection.