A peering connection connects two virtual private clouds (VPCs). You can create VPC peering connections to enable communication between multiple VPCs. VPC peering connections can also work with Cloud Enterprise Network (CEN) transit routers to enable communication among VPCs. This topic provides examples on how to use VPC peering connections.
Sample scenarios
You can use VPC peering connections in the following scenarios:
Use VPC peering connections to enable communication among multiple VPCs
You can create VPC peering connections to connect two or more VPCs. You can also create a VPC peering connection between VPCs within different Alibaba Cloud accounts. This way, VPCs can communicate with each other and share resources.
Procedure
Create VPCs that you want to connect. For more information, see Create a VPC and vSwitches.
Create a VPC peering connection. For more information, see Create and manage a VPC peering connection.
Configure routes. For more information, see Configure routes.
Communication between two VPCs
As shown in the following figure, a peering connection pcc-aaabbb is created between VPC A and VPC B. The two VPCs can communicate with each other and share resources.
When both VPC A and VPC B are assigned an IPv6 CIDR block, you can add IPv4 or IPv6 routes of the peer VPC to the route table of each VPC. You can select IPv4 or IPv6 based on your business requirements.
Route table | Destination address | Next hop |
VPC A | 172.16.0.0/16 | pcc-aaabbb |
2408:4006:121b:3f00::/56 | pcc-aaabbb | |
VPC B | 192.168.0.0/16 | pcc-aaabbb |
2408:4006:121b:4000::/56 | pcc-aaabbb |
If VPC A and VPC B use the same CIDR block, but the CIDR blocks of the vSwitches in VPC A and VPC B do not overlap, you can add vSwitch CIDR blocks of the peer VPC as the destination address to create peering connections.
Route table | Destination address | Next hop |
VPC A | 10.2.1.0/24 | pcc-aaabbb |
VPC B | 10.2.0.0/24 | pcc-aaabbb |
Communication among three VPCs
As shown in the following figure, peering connections are established between VPC A and VPC B, between VPC B and VPC C, and between VPC A and VPC C. Each VPC can communicate with the other two VPCs and share resources.
If both VPC A and VPC B are assigned an IPv6 CIDR block, but VPC C is not assigned an IPv6 CIDR, the route tables of the VPCs are configured as described in the following table. VPC A and VPC B can communicate with each other over a peering connection in an IPv6 environment. VPC C cannot communicate with VPC A or VPC B over IPv6.
Route table | Destination address | Next hop |
VPC A | 172.16.0.0/16 | pcc-aaabbb |
2408:4006:121b:3f00::/56 | pcc-aaabbb | |
10.1.0.0/16 | pcc-aaaccc | |
VPC B | 192.168.0.0/16 | pcc-aaabbb |
2408:4006:121b:4000::/56 | pcc-aaabbb | |
10.1.0.0/16 | pcc-bbbccc | |
VPC C | 192.168.0.0/16 | pcc-aaaccc |
172.16.0.0/16 | pcc-bbbccc |
Communication among more than three VPCs
As shown in the following figure, peering connections are established among VPC A, VPC B, VPC C, VPC D, and VPC E. Each VPC can communicate with the other VPCs and share resources. In this scenario, five VPCs need to communicate with each other.
As shown in the preceding figure, a peering connection is established between each two of the five VPCs. The number of VPC peering connections is N × (N-1)/2. When N is 5, a total of 10 peering connections are established. Routes that point to each VPC peering connection are configured for each VPC. This way, each VPC can communicate with the other VPCs. Each VPC is assigned an IPv6 CIDR block. The following table describes how routes are configured.
Route table | Destination address | Next hop |
VPC A | 172.16.0.0/16 | pcc-aaabbb |
2408:4006:121b:3f00::/56 | pcc-aaabbb | |
10.1.0.0/16 | pcc-aaaccc | |
2408:4006:121b:5b00::/56 | pcc-aaaccc | |
172.17.0.0/16 | pcc-aaaddd | |
2408:4006:121b:5d00::/56 | pcc-aaaddd | |
10.2.0.0/16 | pcc-aaaeee | |
2408:4006:121b:5c00::/56 | pcc-aaaeee | |
VPC B | 192.168.0.0/16 | pcc-aaabbb |
2408:4006:121b:4000::/56 | pcc-aaabbb | |
10.1.0.0/16 | pcc-bbbccc | |
2408:4006:121b:5b00::/56 | pcc-bbbccc | |
172.17.0.0/16 | pcc-bbbddd | |
2408:4006:121b:5d00::/56 | pcc-bbbddd | |
10.2.0.0/16 | pcc-bbbeee | |
2408:4006:121b:5c00::/56 | pcc-bbbeee | |
VPC C | 192.168.0.0/16 | pcc-aaaccc |
2408:4006:121b:4000::/56 | pcc-aaaccc | |
172.16.0.0/16 | pcc-bbbccc | |
2408:4006:121b:3f00::/56 | pcc-bbbccc | |
172.17.0.0/16 | pcc-cccddd | |
2408:4006:121b:5d00::/56 | pcc-cccddd | |
10.2.0.0/16 | pcc-ccceee | |
2408:4006:121b:5c00::/56 | pcc-ccceee | |
VPC D | 192.168.0.0/16 | pcc-aaaddd |
2408:4006:121b:4000::/56 | pcc-aaaddd | |
172.16.0.0/16 | pcc-bbbddd | |
2408:4006:121b:3f00::/56 | pcc-bbbddd | |
10.1.0.0/16 | pcc-cccddd | |
2408:4006:121b:5b00::/56 | pcc-cccddd | |
10.2.0.0/16 | pcc-dddeee | |
2408:4006:121b:5c00::/56 | pcc-dddeee | |
VPC E | 192.168.0.0/16 | pcc-aaaeee |
2408:4006:121b:4000::/56 | pcc-aaaeee | |
172.16.0.0/16 | pcc-bbbeee | |
2408:4006:121b:3f00::/56 | pcc-bbbeee | |
10.1.0.0/16 | pcc-ccceee | |
2408:4006:121b:5b00::/56 | pcc-ccceee | |
172.17.0.0/16 | pcc-dddeee | |
2408:4006:121b:5d00::/56 | pcc-dddeee |
The number of VPC peering connections and the number of route entries vary based on the number of VPCs. For example, if you want to connect every two of 10 VPCs, you must create 45 VPC peering connections and configure routes to the other 9 VPCs for each VPC. In this case, the configuration becomes complex. We recommend that you create VPC peering connections for no more than 10 VPCs.
Use VPC peering connections to enable communication between multiple VPCs and a central VPC
When you deploy your services, you must assign separate VPCs to different services or branches to ensure service security. These VPCs must be connected to the central-service VPC or central-branch VPC to share resources. For example:
An enterprise creates different VPCs for different departments. The enterprise wants the departments to be independent of each other but be able to access common services that are deployed in the central VPC, such as file sharing services and middleware services.
An enterprise provides services for multiple users, and the services are deployed in a separate service VPC. The enterprise wants the VPCs of different users to be independent of each other but be able to communicate with the separate service VPC.
Procedure
Create VPCs that you want to connect. For more information, see Create a VPC and vSwitches.
Create a VPC peering connection. For more information, see Create and manage a VPC peering connection.
Configure routes. For more information, see Configure routes.
The preceding figure shows that an enterprise has four branches and one central department, and services are deployed in the central department. The enterprise wants to allow each branch to access the services in the central department but to be independent of each other. You can create VPC peering connections and configure routes that point to the VPC peering connections for the branch VPCs, as shown in the preceding figure. This way, each branch can access the services in the central department but cannot communicate with each other. The following table describes how routes are configured.
Route table | Destination address | Next hop |
VPC A | 172.16.0.0/16 | pcc-aaabbb |
2408:4006:121b:3f00::/56 | pcc-aaabbb | |
10.1.0.0/16 | pcc-aaaccc | |
2408:4006:121b:5b00::/56 | pcc-aaaccc | |
172.17.0.0/16 | pcc-aaaddd | |
2408:4006:121b:5d00::/56 | pcc-aaaddd | |
10.2.0.0/16 | pcc-aaaeee | |
2408:4006:121b:5c00::/56 | pcc-aaaeee | |
VPC B | 192.168.0.0/16 | pcc-aaabbb |
2408:4006:121b:4000::/56 | pcc-aaabbb | |
VPC C | 192.168.0.0/16 | pcc-aaaccc |
2408:4006:121b:4000::/56 | pcc-aaaccc | |
VPC D | 192.168.0.0/16 | pcc-aaaddd |
2408:4006:121b:4000::/56 | pcc-aaaddd | |
VPC E | 192.168.0.0/16 | pcc-aaaeee |
2408:4006:121b:4000::/56 | pcc-aaaeee |
Use VPC peering connections and transit routers to enable communication among multiple VPCs
The following table describes the differences between VPC peering connections and transit routers.
Item | VPC peering connection | Transit router |
Connection method | Full mesh, which allows VPCs to communicate with each other over VPC peering connections. | Hub-spoke, which allows VPCs to connect to transit routers over VPC connections. |
Route advertisement | Unsupported | Supported |
Configuration complexity | The configuration is complex. You must create VPC peering connections and configure routes that point to each VPC peering connection for each peer VPC. | The configuration is simple. You need to only connect VPCs to a transit router and configure routes that route network traffic from the VPCs to the transit router. |
Maximum number of supported VPCs | 10 | 1,000 |
Network latency | The network latency is low. | The network latency is high because network traffic must pass through a transit router, which adds an additional hop. |
Billing rules | Intra-region peering connections are free of charge. If you create a VPC peering connection between VPCs that reside in different regions, you are charged for outbound traffic of the VPCs. | You are charged for transit routers and traffic processing. You are also charged for outbound data transfer over inter-region connections. |
If you want to create VPC peering connections for a large number of VPCs, the configuration becomes more complex because of the connection mode of VPC peering connections and the requirements for point-to-point route configuration. VPC peering connections are not suitable for scenarios in which a large number of VPCs must be fully connected. However, VPC peering connections support low latency and are free of charge if the requester and accepter VPCs are in the same region.
The hub-spoke connection mode of transit routers allows you to connect VPCs to transit routers over VPC connections. Then, the transit routers automatically synchronize the routes of the VPCs. Transit routers require simple configurations and support various routing policies and quality of service (QoS) mechanisms. This helps you build complex networks and implement access control. However, transit routers support limited bandwidth and charge data processing fees. Compared with VPC peering connections, transit routers require a higher cost.
You cannot use only VPC peering connections or only transit routers to build complex networks that require both high bandwidth and cost-effectiveness. You can use VPC peering connections together with transit routers to meet your requirements.
For example, an enterprise creates multiple VPCs in multiple regions and requires communication among the VPCs, routing policy control, and cost reduction.
To enable communication among VPCs in the same region, you can create VPC peering connections. No fees are generated, and the network latency is low.
To enable communication among VPCs in different regions, you can use a transit VPC to connect the VPCs to a transit router. Transit routers also support routing policies that help you implement fine-grained routing.
For VPCs that are deployed in different regions and require high bandwidth, you can create inter-region VPC peering connections. In this example, an inter-region VPC peering connection is created between VPC A and VPC C.
Procedure
Create a CEN instance and a transit router in each region. For more information, see Create a CEN instance and Create a transit router.
Connect the VPCs to the transit router in the region. For more information, see Connect VPCs.
Create an inter-region VPC peering connection. For more information, see Create a VPC peering connection.
Configure routes. For more information, see Configure routes.