A prefix list consists of one or more CIDR blocks. This topic describes how to share a prefix list and how to associate a prefix list with a virtual private cloud (VPC) route table or a transit router route table.

Prerequisites

Share a prefix list

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click VPC Prefix List.
  3. In the top navigation bar, select the region where the prefix list that you want to share is deployed.
  4. On the VPC Prefix List page, find the prefix list that you want to share and click its ID.
  5. On the prefix list details page, click the Sharing tab and click Create Resource Share.
  6. In the left-side management pane of the Resources I Share page, click Resource Shares and then click Create Resource Share.
  7. On the Create Resource Share page, set the following parameters and click OK.
    Parameter: Description
    Resource Share Name: Enter a name for the resource share.
    Select Shared Resource
    Region: Displays the region where you want to create the resource share.
    Resource Type: Select the type of the resources that you want to share.

    VPC Prefix Lists is selected in this example.

    Resources: Select the prefix list that you want to share and click Add. The selected prefix list is displayed in the Selected Resources section.
    Add Principal
    Principal Scope: Select a sharing scope.
    • All Accounts: The selected resources can be shared with other Alibaba Cloud accounts.
      This feature is applicable to the following scenarios:
      • An Alibaba Cloud account that is not the management account or a member of a resource directory can share resources with another Alibaba Cloud account that is not the management account or a member of a resource directory.
      • The management account or a member of a resource directory can share resources with an Alibaba Cloud account that is not the management account or a member of the resource directory.
      • The management account or a member of a resource directory can share resources with all members in the resource directory, all members in a specific folder in the resource directory, or a specific member in the resource directory.
        Note: Resource sharing across resource directories is not supported.
    • Objects Within Resource Directory: The selected resources can be shared within a resource directory. In this case, the management account or a member of a resource directory shares resources with all members in the resource directory, all members in a specific folder in the resource directory, or a specific member in the resource directory.
    Note: If a resource share is created by an Alibaba Cloud account that does not belong to a resource directory, the Principal Scope parameter is set to All Accounts by default, and the Principal Type parameter is set to Alibaba Cloud Account. Then, you must enter the ID of the Alibaba Cloud account with which you want to share the selected resources in the Principal ID parameter.
    Add Mode: Select the way in which you want to add a principal. If you create a resource share by using the management account of a resource directory, you must select Add Mode.
    • Add from Resource Directory: Select principals from the resource directory.

      You can select one of the following objects from the resource directory:

      • Root folder: If you select the Root folder, the selected resources are shared with all members in the resource directory.
      • Specific folder: If you select a folder other than the Root folder, the selected resources are shared with all members in the selected folder.
      • Member: If you select a member, the selected resources are shared only with the member.
    • Add Manually: Select an option from the Principal Type drop-down list, enter an ID in the field that appears, and then click Add.

      You can select one of the following options from the Principal Type drop-down list:

      • Alibaba Cloud Account: If you select this option, you must enter a member ID in the Principal ID field that appears. In this case, the selected resources are shared only with the member.
      • Resource Directory: If you select this option, the ID of the current resource directory is automatically displayed for the Resource Directory ID parameter that appears. In this case, the selected resources are shared with all members in the resource directory.
      • Folder: If you select this option, you must enter a folder ID in the Folder ID field that appears. In this case, the selected resources are shared with all members in the folder.
    Principal Type: If you create a resource share by using an account other than the management account of a resource directory, select Principal Type.
    • Alibaba Cloud Account: If you select this option, you must enter a member ID in the Principal ID field that appears. In this case, the selected resources are shared only with the member.
    • Resource Directory: If you select this option, the ID of the current resource directory is automatically displayed for the Resource Directory ID parameter that appears. In this case, the selected resources are shared with all members in the resource directory.
    • Folder: If you select this option, you must enter a folder ID in the Folder ID field that appears. In this case, the selected resources are shared with all members in the folder.
  8. On the Resources I Share page, find the resource share that you created and click View Details in the Actions column.
    • If you share the prefix list within the resource directory, all the principals automatically accept the prefix list. In the Shared Resources section, if the Status changes to Associated, the prefix list has been shared with the principals. The principals can use the prefix list.
    • If you share the prefix list with an Alibaba Cloud account outside the resource directory, the principal must accept the prefix list in the Resource Management console before the principal can use the prefix list. For more information, see Accept or reject a resource sharing invitation.
      1. Log on to the Resource Management console.
      2. In the left-side navigation pane, select Resource Sharing > Resources Shared To Me.
      3. On the Resources Shared To Me page, find the prefix list to be accepted and click Accept in the Status column.
      4. In the message that appears, click Accept.

        After the prefix list is accepted, the Status changes to Enabled.

      After the principal accepts the prefix list, you can navigate to the Shared Resources tab to view the status of the prefix list. If the Status of the prefix list changes to Associated, the prefix list has been shared with the principal. In this case, the principal can use the prefix list.
    • If the Status of the prefix list in the Shared Resources section is Failed, the prefix list is not shared with the principal.
  9. Optional: You can perform the following steps to stop sharing the prefix list:
    1. On the Resources I Share page, find the prefix list that you no longer want to share and click its ID.
    2. In the Shared Resources section, click Edit.
    3. In the Selected Resources section, find the prefix list that you want to remove, click Remove, and then click OK.
    For more information, see Add or remove a shared resource.

Associate a prefix list with a VPC route table

Prefix lists can be associated with VPC route tables.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. On the Route Table page, find the route table with which you want to associate a prefix list and click its ID.
  4. On the route table details page, choose Route Entry List > Custom Route and click Add Route Entry.
  5. In the Add Route Entry panel, set the following parameters and click OK.
    Parameter: Description
    Name: Enter a name for the route.
    Destination CIDR Block: Select a destination CIDR block type and enter a destination CIDR block.

    VPC Prefix List is selected in this example. Select the prefix list that you want to associate from the drop-down list.

    Next Hop Type: Select a next hop type and configure a next hop.
    After the VPC route table is associated with the prefix list, you can perform the following operations:
    • On the Custom Route tab, view the information about the route that points to the prefix list.
    • On the Association tab of the prefix list details page, view the VPC route table that is associated with the prefix list. For more information, see View a prefix list.
  6. Optional: If the VPC route table no longer needs to be associated with the prefix list, you can navigate to the Custom Route tab, find the route that points to the prefix list, and click Delete in the Actions column. In the message that appears, click OK.

Associate a prefix list with a transit router route table

Prefix lists can be associated with route tables of Enterprise Edition transit routers. After the route table of an Enterprise Edition transit router is associated with a prefix list, the system automatically adds the routes that point to the CIDR blocks in the prefix list to the route table of the transit router. The CIDR blocks in the prefix list cannot overlap with the CIDR blocks of routes in the route table of the Enterprise Edition transit router. If the route table of an Enterprise Edition transit router needs to be associated with multiple prefix lists, make sure that the CIDR blocks in the prefix lists do not overlap.
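A pre-association check for the no-overlap rule above, as an added example that is not part of the original documentation: it compares the CIDR blocks of one or more prefix lists against the routes already in the route table and against each other. The labels and CIDR values are constructed sample data, and the function name is hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: routes already in the transit router route table
# and two prefix lists to be associated with it (labels are placeholders).
SAMPLE_ROUTES = ["10.0.0.0/16", "192.168.10.0/24"]
SAMPLE_PREFIX_LISTS = {
    "list-a": ["10.0.128.0/17", "172.16.0.0/24"],
    "list-b": ["172.16.0.0/16", "192.168.20.0/24"],
}

def find_overlaps(route_cidrs, prefix_lists):
    """Return sorted (source_a, cidr_a, source_b, cidr_b) conflicts.

    Compares every prefix-list CIDR with the existing routes and with the
    CIDRs of the other prefix lists. Entries from the same source are not
    compared with each other. A malformed CIDR (for example one with host
    bits set) raises ValueError.
    """
    entries = [("route-table", ipaddress.ip_network(c)) for c in route_cidrs]
    for label, cidrs in prefix_lists.items():
        entries += [(label, ipaddress.ip_network(c)) for c in cidrs]

    conflicts = []
    for (src_a, net_a), (src_b, net_b) in combinations(entries, 2):
        # Skip pairs from the same source and IPv4/IPv6 mixed pairs.
        if src_a == src_b or net_a.version != net_b.version:
            continue
        if net_a.overlaps(net_b):
            conflicts.append((src_a, str(net_a), src_b, str(net_b)))
    return sorted(conflicts)

if __name__ == "__main__":
    for src_a, cidr_a, src_b, cidr_b in find_overlaps(SAMPLE_ROUTES, SAMPLE_PREFIX_LISTS):
        print(f"overlap: {src_a} {cidr_a} <-> {src_b} {cidr_b}")
```

An empty result means the sample prefix lists satisfy the rule; any returned tuple names the two sources whose CIDR blocks must be reconciled before association.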

Associate a prefix list with a transit router route table

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. Choose Basic Settings > Transit Router, find the transit router that you want to manage, and then click the ID of the transit router.
  4. On the details page of the transit router, click the Route Table tab.
  5. In the left-side section, click the ID of the route table that you want to manage. On the details page of the route table, click the CIDR Block tab and click Associate With Route Prefix.
  6. In the Associate With Route Prefix dialog box, set the parameters and click OK.
    Parameter: Description
    Route Prefix ID: Select a prefix list.
    Blackhole Route?: Select a next hop for the CIDR blocks in the prefix list. Valid values:
    • Yes: specifies that all CIDR blocks in the prefix list are blackhole routes. Packets that are sent to the CIDR blocks in the prefix list are dropped.
    • No: specifies that no CIDR block in the prefix list is a blackhole route. If you select this option, you must select a next hop.

      All CIDR blocks in a prefix list share the same next hop.

    Next Hop: Select a next hop.
    After you associate the route table of an Enterprise Edition transit router with a prefix list, the system automatically adds routes that point to the CIDR blocks in the prefix list to the route table of the Enterprise Edition transit router. You can view the routes on the Route Entry tab of the route table details page.

Disassociate a prefix list from a transit router route table

Warning: After you disassociate the route table of an Enterprise Edition transit router from a prefix list, the system automatically withdraws all routes that point to the CIDR blocks in the prefix list from the route table of the Enterprise Edition transit router. Before you disassociate the route table of an Enterprise Edition transit router from a prefix list, you must migrate workloads that use the routes to prevent service interruptions.
  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. Choose Basic Settings > Transit Router, find the transit router that you want to manage, and then click the ID of the transit router.
  4. On the details page of the transit router, click the Route Table tab.
  5. In the left-side section, click the ID of the route table that you want to manage.
  6. On the details page of the route table, click the CIDR Block tab and find the prefix list that you want to manage. Click Delete in the Actions column.
  7. In the Delete message, confirm the information and click OK.
