Scenario example
You have two virtual private clouds (VPCs) named vpc1 and vpc2 in the China (Shanghai) region and a VPC named vpc3 in the China (Qingdao) region. The CIDR blocks of the three VPCs do not conflict with each other. An OpenSearch Retrieval Engine Edition instance is created in vpc1.
Due to business development, you need to access the internal endpoint of the OpenSearch instance from vpc2 in the China (Shanghai) region and vpc3 in the China (Qingdao) region. You can configure transit routers for a Cloud Enterprise Network (CEN) instance to implement the access.
| Region | VPC | CIDR block |
| --- | --- | --- |
| China (Shanghai) | vpc1 | 10.0.0.0/10 |
| China (Shanghai) | vpc2 | 10.0.0.0/8 |
| China (Qingdao) | vpc3 | 172.16.0.0/12 |
Obtain the IP address of the OpenSearch Retrieval Engine Edition instance
Go to the details page of the OpenSearch Retrieval Engine Edition instance in the OpenSearch console, copy the endpoint of the instance, and then ping the endpoint to obtain the IP address of the instance. In this example, the IP address 100.103.8.57 is obtained.
Create a CEN instance and connect VPCs
Access from multiple VPCs in the same region
You can use CEN to connect two VPCs to a transit router in the China (Shanghai) region to enable the VPCs to communicate with each other.
Log on to the CEN console and create a CEN instance.
Create a transit router in the desired region. In this example, a transit router is created in the China (Shanghai) region.
Create connections for vpc1 and vpc2 on the transit router.
On the Connection with Peer Network Instance page, configure the following parameters and click OK.
| Parameter | Description | vpc1 | vpc2 |
| --- | --- | --- | --- |
| Instance Type | Select the type of the network instance that you want to connect. | Virtual Private Cloud (VPC) | Virtual Private Cloud (VPC) |
| Region | Select the region of the network instance. | China (Shanghai) | China (Shanghai) |
| Transit Router | The ID of the transit router in the selected region is automatically displayed. | | |
| Resource Owner ID | Select the Alibaba Cloud account to which the network instance belongs. | Current Account | Current Account |
| Billing Method | Default value: Pay-As-You-Go. | | |
| Attachment Name | Enter a name for the network connection. | Connection_VPC1 | Connection_VPC2 |
| Network Instance | Select the network instance that you want to connect to the transit router. | vpc1 | vpc2 |
| VSwitch | Select a vSwitch in a zone of the transit router. If each zone of the transit router has a vSwitch, you can select multiple zones and select a vSwitch in each of the zones to enable zone-disaster recovery. | Shanghai Zone F: vSwitch 1; Shanghai Zone G: vSwitch 2 | Shanghai Zone F: vSwitch 1; Shanghai Zone G: vSwitch 2 |
| Advanced Settings | Keep the default settings for vpc1 and vpc2. All advanced features are enabled for the VPCs. | | |
Access from multiple VPCs in different regions
Log on to the CEN console and create a CEN instance.
Create transit routers in the desired regions. In this example, a transit router is created in each of the China (Shanghai) and China (Qingdao) regions.
Create connections for VPCs on the transit routers.
Connect vpc1 to the Enterprise Edition transit router in the China (Shanghai) region, and connect vpc3 to the Enterprise Edition transit router in the China (Qingdao) region.
On the Instances page, find the created CEN instance and click its ID. On the Transit Router tab of the instance details page, find the desired transit router and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK.
| Parameter | Description | vpc1 | vpc3 |
| --- | --- | --- | --- |
| Instance Type | Select the type of the network instance that you want to connect. | Virtual Private Cloud (VPC) | Virtual Private Cloud (VPC) |
| Region | Select the region of the network instance. | China (Shanghai) | China (Qingdao) |
| Transit Router | The ID of the transit router in the selected region is automatically displayed. | | |
| Resource Owner ID | Select the Alibaba Cloud account to which the network instance belongs. | Current Account | Current Account |
| Billing Method | Default value: Pay-As-You-Go. | | |
| Attachment Name | Enter a name for the network connection. | Connection_VPC1 | Connection_VPC3 |
| Network Instance | Select the network instance that you want to connect to the transit router. | vpc1 | vpc3 |
| VSwitch | Select a vSwitch in a zone of the transit router. If each zone of the transit router has a vSwitch, you can select multiple zones and select a vSwitch in each of the zones to enable zone-disaster recovery. | Shanghai Zone F: vSwitch 1; Shanghai Zone G: vSwitch 2 | Qingdao Zone H: vSwitch 1; Qingdao Zone I: vSwitch 2 |
| Advanced Settings | Keep the default settings for vpc1 and vpc3. All advanced features are enabled for the VPCs. | | |
Create an inter-region connection.
The Enterprise Edition transit router of vpc1 and the Enterprise Edition transit router of vpc3 are deployed in different regions. Therefore, vpc1 and vpc3 cannot communicate with each other by default. To allow vpc1 and vpc3 to communicate with each other across regions, you need to create an inter-region connection between the China (Qingdao) region and the China (Shanghai) region.
On the Instances page, find the CEN instance that you want to manage and click its ID.
On the Basic Information tab of the instance details page, click the Transit Router tab. On this tab, find the transit router that you want to manage and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Network Type | Select Inter-region Connection. |
| Region | Select one of the regions to be connected. In this example, China (Qingdao) is selected. |
| Peer Region | Select the other region to be connected. In this example, China (Shanghai) is selected. |
| Bandwidth Allocation Mode | Select the method that is used to allocate bandwidth to the inter-region connection. In this example, Pay-By-Data-Transfer is selected. You are charged based on the amount of data transferred over the inter-region connection. |
| Bandwidth | Specify a bandwidth value for the inter-region connection. Unit: Mbit/s. If you select Pay-By-Data-Transfer for Bandwidth Allocation Mode, the Bandwidth parameter specifies the maximum bandwidth of the inter-region connection. |
| Default Line Type | Select a line type for the inter-region connection. In this example, the default value is used. For more information about line types, see Line types. |
| Advanced Settings | By default, the advanced features are enabled. In this example, the default settings are retained. |
Configure routes for the OpenSearch Retrieval Engine Edition instance
Add entries to the route table of vpc1 to route the network traffic for OpenSearch access from vpc2 or vpc3 to the Enterprise Edition transit routers. In this example, configurations for vpc2 are used for intra-region access, and configurations for vpc3 are used for inter-region access.
Log on to the VPC console. In the left-side navigation pane, click Route Tables. On the page that appears, find the system route table of vpc2 (intra-region access) or vpc3 (inter-region access) and click its ID.
On the Custom Route tab of the page that appears, click Add Route Entry. In the Add Route Entry dialog box, configure the parameters and click OK. In this example, set Destination CIDR Block to 100.103.8.57, Next Hop Type to Transit Router, and Transit Router to the transit router of vpc1.
Log on to the CEN console. On the Instances page, find the transit router in the China (Shanghai) region (intra-region access) or in the China (Qingdao) region (inter-region access) and click its ID.
On the page that appears, click the Route Table tab. On this tab, click Add Route Entry. In the Add Route Entry dialog box, configure the parameters and click OK. In this example, set Destination CIDR to 100.103.8.57 and Next Hop to the transit router of vpc1.
Verify the result
In the VPC console, find vpc2 or vpc3 and click + in the Cloud Instance column to create an Elastic Compute Service (ECS) instance in vpc2 or vpc3. In the terminal of the ECS instance, run the following cURL command to verify the effect. Replace {username}, {password}, and {instanceId} with actual values.
curl -i -u "{username}:{password}" http://{instanceId}.ha.aliyuncs.com/network/active
If the following information is returned, the VPCs are connected.
HTTP/1.1 200 OK
Server: Tengine
Date: Tue, 26 Nov 2024 08:29:34 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=320
X-Request-Id: 037a9080181d0b90b8c99b25af7e****
If the 403 Forbidden error is returned, the VPCs are not connected. In this case, contact Alibaba Cloud technical support.
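A scripted form of the verification step above, added here as an example and not part of the original documentation: it maps the response to the outcomes this page defines (200 connected, 403 not connected), checks that the endpoint still resolves to the routed address 100.103.8.57, and passes the credentials to curl on stdin instead of on the command line. The environment variable names OS_USER, OS_PASS and OS_INSTANCE_ID, the function names, and the "inconclusive" outcome for any other result are assumptions.

```bash
#!/bin/sh
# Added example, not Alibaba Cloud code. POSIX sh; needs curl, awk, getent.
# Address this page obtained by pinging the endpoint; the routes target it.
EXPECTED_IP="100.103.8.57"

# Extract the status code from the first line of `curl -i` output.
parse_status() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk 'NR == 1 && $1 ~ /^HTTP\// { print $2 }'
}

# Map a status code to the outcome this page describes.
classify_status() {
  case "$1" in
    200) echo "connected" ;;
    403) echo "not-connected" ;;
    *)   echo "inconclusive" ;;  # assumption: page defines only 200 and 403
  esac
}

# The route entries target one IP address, so traffic to a different
# resolved address would not match them.
ip_matches_route() {
  [ "$1" = "$EXPECTED_IP" ]
}

# Live check. Reads OS_USER, OS_PASS and OS_INSTANCE_ID (hypothetical
# variable names) from the environment. Credentials go to curl on stdin
# (-K -), keeping them out of the process list and shell history.
# Assumes the credentials contain no double quotes or backslashes.
check_endpoint() {
  ce_host="${OS_INSTANCE_ID}.ha.aliyuncs.com"
  ce_ip=$(getent hosts "$ce_host" | awk '{ print $1; exit }')
  ip_matches_route "$ce_ip" ||
    echo "warning: $ce_host resolves to '$ce_ip', not $EXPECTED_IP" >&2
  ce_resp=$(printf 'user = "%s:%s"\n' "$OS_USER" "$OS_PASS" |
    curl -sS -i --max-time 10 -K - "http://${ce_host}/network/active")
  classify_status "$(parse_status "$ce_resp")"
}

# Constructed sample responses (first matches the success output above).
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nServer: Tengine\r\nContent-Length: 0\r\n')
SAMPLE_403=$(printf 'HTTP/1.1 403 Forbidden\r\nServer: Tengine\r\n')

# Run the live check only when an instance ID is supplied.
if [ -n "${OS_INSTANCE_ID:-}" ]; then check_endpoint; fi
```

An "inconclusive" result with the resolution warning on stderr means the endpoint address has changed since the route entries for 100.103.8.57 were added.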