Overview of VPC sharing - Multi-account Management| Alibaba Cloud Documentation Center

The Virtual Private Cloud (VPC) sharing feature allows multiple Alibaba Cloud accounts to create cloud resources, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB RDS instances, in a shared and centrally managed VPC. Shared VPCs adopt the resource sharing mechanism. A VPC owner can share non-default vSwitches with other Alibaba Cloud accounts in the same organization.

Feature release and supported regions


Area	Supported region
Asia Pacific	China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), and South Korea (Seoul), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai)
Europe & Americas	Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia)
Middle East & India	UAE (Dubai)

Description

A VPC owner (resource owner) can share non-default vSwitches with other Alibaba Cloud accounts (participants). The resource owner and participants must belong to the same resource directory. A resource directory allows you to create a hierarchical map of relations among resources and facilitates resource management. For more information, see Resource Sharing overview.

After a vSwitch is shared, participants can use the vSwitch without confirmation by default. By default, instances created by the resource owner and participants in the same VPC can communicate with each other within the VPC. By default, instances created by the resource owner and participants in the same VPC can communicate with each other within the VPC. Diagram

Permissions of the resource owner and participants

After a resource owner shares a vSwitch with a participant, the resource owner and participant have the following permissions on the shared vSwitch and the resources in the shared vSwitch:


Role	Supported operation	Unsupported operation
Resource owner	Create, view, modify, and delete resources that belong to the resource owner in the shared vSwitch. View the following attributes of resources created by the participant in the shared vSwitch: Instance IDs. Private IP addresses. The owner account of resources.	Modify or delete resources created by the participant in the shared vSwitch.
Participant	If the vSwitch is shared, the participant can create, modify, and delete cloud resources in the shared vSwitch.	If the vSwitch is shared, the participant cannot view, modify, or delete the resources created by other Alibaba Cloud accounts (resource owners and participants) in the shared vSwitch.
Participant	If the vSwitch is no longer shared, the participant can view, use, modify, and delete the resources that are created by the participant in the vSwitch.	If the vSwitch is no longer shared, the participant cannot view the resources associated with the vSwitch, such as VPCs, route tables, and network access control lists (ACLs). In addition, the participant cannot create resources in the vSwitch.

The resource owner and participant have the following permissions on other network resources:


Network resource	Resource owner	Participant operation
VPC	All permissions.	View the VPC to which the shared vSwitch belongs.
vSwitches	All permissions. Note If the resource owner wants to delete the vSwitch, the vSwitch must not be shared with the participant. In addition, the resources created by the resource owner and participant in the vSwitch must be deleted.	View the shared vSwitch. Create, modify, and delete cloud resources in the shared vSwitch.
Route tables	All permissions.	View route tables and route entries that are associated with the shared vSwitch.
Network ACLs	All permissions.	View network ACLs that are associated with the shared vSwitch.
Private CIDR blocks	View private CIDR blocks of the VPC and all vSwitches that belong to the VPC.	View the private CIDR block of the shared vSwitch.
Flow log	Create flow logs for a specified VPC or vSwitch. The system records traffic information about elastic network interfaces (ENIs) of the vSwitch that belongs to the participant. Create flow logs for a specified ENI. The system records traffic information about ENIs that belong to the resource owner.	No permission.
NAT gateways	All permissions on Internet NAT gateways and VPC NAT gateways. Note The resources created by the resource owner and participant in the vSwitch can communicate with the Internet through Internet NAT gateways. Internet NAT gateways can be associated with only the elastic IP addresses (EIPs) that belong to the resource owner.	No permission.
VPN gateways	All permissions. Note The resources created by the resource owner and participant in the vSwitch can communicate with external networks through VPN gateways.	No permission.
Cloud Enterprise Network (CEN) instances	All permissions. Note The resources created by the resource owner and participant in the vSwitch can communicate with external networks through CEN instances.	No permission.
VPC peering connections	All permissions. Note The resources created by the resource owner and participant in the vSwitch can communicate with external networks through VPC peering connections.	No permission.
Tags	Resource sharing does not affect the tags added to resources by the resource owner. When the vSwitch is shared, the resource owner and resource user can add tags to their own resources. The resource user cannot view the tags added by the resource owner and the resource owner cannot view the tags added by the resource user. The tags added by the resource owner and resource user do not affect each other. When the vSwitch is not shared, the system deletes the tags added by the participant in the vSwitch.

Billing

In a shared VPC, participants pay for the instances that they create, such as ECS, SLB, and ApsaraDB RDS instances. However, fees of public bandwidth and gateway resources such as Internet NAT gateways and VPN gateways are paid by the resource owner. For more information about the billing of cloud resources, see relevant topics.

Limits


Item	Limit	Adjustable
Number of participants supported by each VPC	20	N/A
Number of participants supported by each vSwitch in a VPC	20
Number of vSwitches that can be shared with each participant	10
Number of IP addresses that each VPC can use	Number of IP addresses that each shared VPC can use
Cloud resources that can be created in a shared vSwitch	ECS instances SLB instances ApsaraDB RDS instances Terway components ApsaraDB for MongoDB instances ApsaraDB for Redis instances Message Queue for Apache Kafka instances Elastic Search Container Registry instances PolarDB for MySQL clusters	N/A
Limits on security groups in a shared VPC	A resource participant cannot create resources in security groups that belong to other resource participants or the resource owner. The security groups include the default security group. The resource owner cannot create resources in security groups that belong to resource participants.
Types of vSwitches that can be shared	Non-default vSwitches

Note Shared VPCs also follow the usage and quota limits of standard VPCs. The quota limits on a shared VPC are not affected by the number of participants.

Enable VPC sharing

For more information, see Enable VPC sharing.