The Virtual Private Cloud (VPC) sharing feature allows multiple Alibaba Cloud accounts to create cloud resources, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB RDS instances, in a shared and centrally managed VPC. Shared VPCs adopt the resource sharing mechanism. A VPC owner can share non-default vSwitches in the VPC with one or more Alibaba Cloud accounts.
Feature release and supported regions
Area | Supported region |
---|---|
Asia Pacific | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong) |
Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and India (Mumbai) |
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia) |
Features
A VPC owner (resource owner) can share non-default vSwitches in the VPC with one or more Alibaba Cloud accounts (participants). The participants can create cloud resources in the shared vSwitches. A resource owner can share resources with Alibaba Cloud accounts in the same or different enterprise organization. For more information about resource sharing, see Resource Sharing overview.
- If the vSwitch is shared with another Alibaba Cloud account, the participant must accept the invitation to use the shared vSwitch.
- If the vSwitch is shared within the same resource directory, the participant can directly use the shared vSwitch. The invitation is accepted by default.
- The participant can create resources only within the shared VPC, and cannot move resources from the shared VPC to another VPC.
- The participant cannot move resources from a non-shared vSwitch to the shared vSwitch.
- By default, instances created by the resource owner and participant in the same VPC can communicate with each other within the VPC.

Permissions of the resource owner and participant
After a resource owner shares a vSwitch with a participant, the resource owner and participant have the following permissions on the shared vSwitch and the resources in the shared vSwitch:
Role | Supported operation | Unsupported operation |
---|---|---|
Resource owner |
| Modify or delete resources created by the participant in the shared vSwitch. |
Participant | If the vSwitch is shared, the participant can create, modify, and delete cloud resources in the shared vSwitch. | If the vSwitch is shared, the participant cannot view, modify, or delete the resources created by other Alibaba Cloud accounts (resource owners and participants) in the shared vSwitch. |
If the vSwitch is no longer shared, the participant can view, use, modify, and delete the resources that are created by the participant in the vSwitch. | If the vSwitch is no longer shared, the participant cannot view the resources associated with the vSwitch, such as VPCs, route tables, and network access control lists (ACLs). In addition, the participant cannot create resources in the vSwitch. |
Network resource | Resource owner | Participant |
---|---|---|
VPC | All permissions. | View the VPC to which the shared vSwitch belongs. |
vSwitches | All permissions (including enabling and disabling the IPv6 feature for the shared vSwitch) Note If the resource owner wants to delete the vSwitch, the vSwitch must not be shared with the participant. In addition, the resources created by the resource owner and participant in the vSwitch must be deleted. |
|
Route tables | All permissions. | View route tables and route entries that are associated with the shared vSwitch. |
Network access control lists (ACLs) | All permissions. | Associate, disassociate, and view network ACLs in a shared vSwitch. |
CIDR block | View the CIDR block of the VPC and CIDR blocks of all vSwitches in the VPC. | View the private CIDR block of the shared vSwitch. |
Flow logs |
| Create flow logs for a specified ENI. The system records traffic information about ENIs that belong to the resource owner. |
NAT gateways | All permissions on Internet NAT gateways and VPC NAT gateways. Note
| No permission. |
VPN gateways | All permissions. Note The resources created by the resource owner and participant in the vSwitch can communicate with external networks through VPN gateways. | No permission. |
Cloud Enterprise Network (CEN) instances | All permissions. Note The resources created by the resource owner and participant in the vSwitch can communicate with external networks through CEN instances. | No permission. |
VPC peering connections | All permissions. Note The resources created by the resource owner and participant in the vSwitch can communicate with external networks through VPC peering connections. | No permission. |
Tags | Resource sharing does not affect the tags added to resources by the resource owner. When the vSwitch is shared, the resource owner and resource user can add tags to their own resources. The resource user cannot view the tags added by the resource owner and the resource owner cannot view the tags added by the resource user. The tags added by the resource owner and resource user do not affect each other. When the vSwitch is not shared, the system deletes the tags added by the participant in the vSwitch. |
Billing
In a shared VPC, participants pay for the instances that they create, such as ECS, SLB, and ApsaraDB RDS instances. However, fees of public bandwidth and gateway resources such as Internet NAT gateways and VPN gateways are paid by the resource owner. For more information about the billing of cloud resources, see relevant topics.
Limits and quotas
Item | Limit | Adjustable |
---|---|---|
Maximum number of principals supported by each VPC | 50 | You can request a quota increase by using one of the following methods:
|
Maximum number of principals supported by each vSwitch in a VPC | 50 | |
Maximum number of vSwitches that can be shared with each principal | 30 | |
Maximum number of IP addresses that each VPC can use | Maximum number of IP addresses that the resource owner and principals can use in each VPC | No |
Types of cloud resources that can be created in a shared vSwitch |
| N/A |
Limits on security groups in a shared VPC |
| |
Types of vSwitches that can be shared | Non-default vSwitches |
Enable VPC sharing
For more information, see Enable VPC sharing.