This topic answers frequently asked questions (FAQs) about Virtual Private Cloud (VPC) to help you quickly resolve issues, understand product features, and optimize your network architecture.
Network connectivity issues
How do I interconnect different VPCs to allow resource access between them?
How do I resolve CIDR block conflicts when I configure a VPC peering connection?
After I create a VPC peering connection, why are some IP addresses inaccessible?
Why can the requester VPC ping the accepter VPC, but not the other way around?
Why can't I access the Internet after I delete an IPv4 gateway?
Why does a VIP fail to fail over after it is associated with a HaVip?
Why is the network connection still down after I add a route?
What do I do if an ECS instance cannot access the Internet after an EIP is attached?
Network planning and design issues
How do I use a public CIDR block for private communication in a VPC?
Do VPC peering connections support cross-account and cross-region scenarios?
Do VPC peering connections support cross-border private network communication?
What are the differences between a VPC and a classic network?
Can a VPC communicate with another VPC or an on-premises network if their CIDR blocks overlap?
How do I enable an ECS instance to access the Internet using an IPv4 or IPv6 address?
How do I use the same public IP address for multiple ECS instances to access the Internet?
What are the differences between an IPv4 gateway and an Internet NAT gateway?
How do I enable an ECS instance to access OSS over an internal network using a VPC?
How do I enable communication between different security groups?
How do I troubleshoot a security group rule that does not take effect?
CIDR block configuration issues
VPC and vSwitch deletion issues
Routing issues
Network O&M and monitoring issues
Billing issues
Network connectivity issues
How do I interconnect different VPCs to allow resource access between them?
You can use VPC peering connections or Cloud Enterprise Network (CEN) to connect VPCs that are in the same or different accounts and regions. For a comparison of the two methods, see VPC Interconnection.
How do I troubleshoot a failed VPC peering connection?
You can use the following troubleshooting methods. You can also use the Network Intelligence Service - Path Analysis tool to help you diagnose the issue.
Check routes:
Make sure that the VPC peering connection is in the Activated state.
Check the route tables of the vSwitches in both VPCs. Make sure that a route points to the CIDR block of the peer VPC and that the next hop of the route is the VPC peering connection.
Check security groups and network ACLs:
Check the security group rules and network ACL rules for the source ECS instance and the destination ECS or RDS instance.
Make sure that the inbound rules of the security group and network ACL for the destination instance allow traffic from the CIDR block or specific IP address of the source VPC to access the required service port.
Make sure that the outbound rules of the security group and network ACL for the source instance do not block outbound traffic.
Check for CIDR block conflicts:
Check whether the CIDR blocks of the two VPCs overlap. When you use a VPC peering connection, make sure that the CIDR blocks of the two VPCs do not overlap.
Check whether the CIDR block of a Docker or Kubernetes (K8s) container on the ECS instance conflicts with the CIDR block of the peer VPC. This is a common but often overlooked cause of connection failures. If a conflict exists, the network connection fails even if the routes, security groups, and network ACLs are correctly configured.
How do I resolve CIDR block conflicts when I configure a VPC peering connection?
If the CIDR blocks of two VPCs that need to communicate with each other overlap, select one of the following solutions:
Replan the network (recommended): Migrate the resources in one of the VPCs to a new VPC whose CIDR block does not overlap with the other VPC. This is the most comprehensive solution.
Use Cloud Enterprise Network (CEN) and a VPC NAT gateway: For more complex scenarios that involve overlapping CIDR blocks, you can use CEN in combination with the private NAT feature of a VPC NAT gateway to map the IP addresses of one VPC to a different address range to enable communication. This solution has a more complex architecture and is more costly. For more information, see Enable private network access for VPCs with overlapping CIDR blocks using a VPC NAT gateway.
After I create a VPC peering connection, some IP addresses cannot be accessed. How do I troubleshoot this issue?
This issue is usually caused by more specific routes or security group rules.
Routing issues: Check the route tables of both VPCs. Check whether a more specific route with a higher priority (based on the longest prefix match rule) directs traffic to another destination, such as a NAT Gateway specified in a default route.
Security group issues: Check the inbound rules of the security group for the destination instance to determine whether access from only some source IP addresses is allowed.
Network ACL issues: Check whether the network ACL allows traffic from only some subnets.
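A small route lookup, added here as an example and not part of the original FAQ, that shows the longest prefix match behaviour described above: a /24 route inside the peer VPC's /16 diverts that one subnet away from the peering connection even though the /16 route is correct. The route table entries and the next-hop IDs are constructed placeholders.

```python
import ipaddress

# Constructed sample route table for the requester VPC (IDs are made-up placeholders).
# Entries are (destination CIDR, next hop). The /16 route carries the whole peer VPC
# over the peering connection, but a more specific /24 route and a default route coexist.
ROUTE_TABLE = [
    ("192.168.0.0/16", "peering:pcc-EXAMPLE"),
    ("192.168.5.0/24", "instance:i-EXAMPLE-proxy"),
    ("0.0.0.0/0", "natgw:ngw-EXAMPLE"),
]


def select_route(route_table, dst_ip):
    """Pick the route for dst_ip by longest prefix match.

    Every route whose destination contains dst_ip is a candidate; the one with the
    longest prefix length wins, regardless of its position in the table.
    Returns (destination, next_hop), or None when no route matches.
    """
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_hop = None, None
    for dest, next_hop in route_table:
        net = ipaddress.ip_network(dest, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_hop = net, next_hop
    if best_net is None:
        return None
    return str(best_net), best_hop


def diverted_subnets(route_table, peer_cidr, peering_hop):
    """Find routes that lie inside peer_cidr but do not use the peering connection.

    Hosts in these subnets of the peer VPC are unreachable over peering even though
    the covering route exists, because the more specific route wins.
    """
    peer = ipaddress.ip_network(peer_cidr, strict=False)
    diverted = []
    for dest, next_hop in route_table:
        net = ipaddress.ip_network(dest, strict=False)
        if net.version == peer.version and net.subnet_of(peer) and next_hop != peering_hop:
            diverted.append((str(net), next_hop))
    return diverted


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.5.10", "203.0.113.7"):
        print(ip, "->", select_route(ROUTE_TABLE, ip))
    print("diverted:", diverted_subnets(ROUTE_TABLE, "192.168.0.0/16", "peering:pcc-EXAMPLE"))
```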
Why can the requester VPC ping the accepter VPC, but not the other way around?
One-way connectivity is usually caused by asymmetric configurations. Check the security group and network ACL rules for the ECS instances in both VPCs to make sure that both outbound and inbound traffic are allowed.
I created VPC peering connections between VPC A and VPC B, and between VPC B and VPC C. Why can't VPC A and VPC C communicate?
VPC peering connections are not transitive.
This means that if a peering connection is established between VPC A and VPC B, and another peering connection is established between VPC B and VPC C, VPC A and VPC C cannot communicate with each other through VPC B.
To achieve full connectivity between multiple VPCs, such as building star or mesh network topologies, use the CEN product.
A VPC peering connection is established. Why can't I access cloud services such as RDS and Redis in the peer VPC?
This issue is similar to an ECS instance connection failure. However, when you troubleshoot this issue, you must also check the access control settings of the cloud service itself.
Perform a basic connectivity check: Follow the checklist in How do I troubleshoot a failed VPC peering connection? to check the routing, network segment, security group, and network ACL configurations, and ensure that the network link is established.
Check the IP address whitelist of the cloud service: Most database and cache services, such as RDS, Redis, and MongoDB, provide an IP address whitelist feature. Add the private IP address or CIDR block of the source ECS instance to the IP address whitelist of the destination cloud service.
Do VPC peering connections support cross-account and cross-region scenarios?
Yes, they do. Note that when you use a cross-region connection, Cloud Data Transfer (CDT) charges a data transfer fee for outbound traffic.
Note: Cross-site connections are not supported. For example, VPCs on the China site (aliyun.com) and the international site (alibabacloud.com) cannot communicate with each other.
Why can't I access the Internet after I delete an IPv4 gateway?
The most common reason is that you selected Private Mode instead of Public Mode when you deleted the IPv4 gateway. If you delete the IPv4 gateway in Private Mode, no resource in the VPC can communicate with the Internet.
To restore the VPC to a state in which it can access the Internet without an IPv4 gateway, recreate the IPv4 gateway, then delete it again and select Public Mode. For more information, see IPv4 Gateway.
Can ECS instances in the primary CIDR block of a VPC communicate with ECS instances in a secondary CIDR block of the same VPC?
Yes, they can. ECS instances in the primary and secondary CIDR blocks are all instances within the same VPC. They can communicate with each other if the security group and network ACL rules allow traffic.
After I enable ClassicLink for a VPC, can classic network ECS instances communicate with cloud resources in the secondary CIDR blocks of the VPC?
No, they cannot. Secondary CIDR blocks are not compatible with the ClassicLink feature.
Why does a VIP fail to fail over after it is associated with a HaVip?
The most common issue with high-availability virtual IP address (HaVip) configurations is that the virtual IP address (VIP) fails to automatically fail over to the secondary node after the primary node fails. The possible causes are as follows:
The Keepalived service is not started: For example, on CentOS 7.9, run the systemctl status keepalived command to check the status of the service. If the service is not started, run the systemctl start keepalived command to start Keepalived.
The Keepalived configuration is invalid: Check whether the keepalived.conf file is correctly configured. For example:
The virtual_router_id of the primary node is different from that of the secondary node.
The authentication settings of the primary and secondary nodes are different.
The peer IP address specified in unicast_peer is incorrect.
The virtual IP address specified in virtual_ipaddress is not the HaVip.
Blocked by a security group or network ACL: Check whether the security group or network ACL rules block traffic from the source IP address.
Instance-level firewall: Check whether the firewall on the ECS instance, such as firewalld or iptables, blocks traffic from the source IP address.
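To check a pair of keepalived.conf files for the four configuration mismatches listed above, the following Python script is added here as an example; it is not Alibaba Cloud's or Keepalived's own tooling. The two configurations, the node addresses 10.0.1.10 and 10.0.1.11 and the HaVip 10.0.1.100 are constructed samples, and the secondary node deliberately carries a wrong virtual_router_id and a VIP that is not the HaVip.

```python
import ipaddress

# Constructed keepalived.conf samples for a two-node HaVip setup (not from the page).
PRIMARY_CONF = """\
! constructed sample: primary node
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    unicast_src_ip 10.0.1.10
    unicast_peer {
        10.0.1.11
    }
    authentication {
        auth_type PASS
        auth_pass examp1e8
    }
    virtual_ipaddress {
        10.0.1.100/24 dev eth0
    }
}
"""

# The secondary deliberately has a different virtual_router_id and a VIP that is not the HaVip.
SECONDARY_CONF = PRIMARY_CONF.replace("primary node", "secondary node") \
    .replace("state MASTER", "state BACKUP").replace("priority 100", "priority 90") \
    .replace("unicast_src_ip 10.0.1.10", "unicast_src_ip 10.0.1.11") \
    .replace("        10.0.1.11\n", "        10.0.1.10\n") \
    .replace("virtual_router_id 51", "virtual_router_id 52") \
    .replace("10.0.1.100/24", "10.0.1.200/24")


def _looks_like_address(token):
    try:
        ipaddress.ip_interface(token)
        return True
    except ValueError:
        return False


def parse_conf(text):
    """Minimal keepalived.conf parser: blocks become nested dicts, 'key value' lines
    become entries, and address lines (as inside unicast_peer or virtual_ipaddress)
    are collected under '_items'. Both '!' and '#' start a comment."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split("!", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            parts = line.split(None, 1)
            if len(parts) == 1 or _looks_like_address(parts[0]):
                stack[-1].setdefault("_items", []).append(line)
            else:
                stack[-1][parts[0]] = parts[1]
    return root


def vrrp_instance(conf):
    for key, value in conf.items():
        if key.startswith("vrrp_instance "):
            return value
    raise ValueError("no vrrp_instance block found")


def check_pair(primary_text, secondary_text, havip, primary_ip, secondary_ip):
    """Return the mismatches between the two nodes that would stop the VIP failing over."""
    p = vrrp_instance(parse_conf(primary_text))
    s = vrrp_instance(parse_conf(secondary_text))
    problems = []
    if p.get("virtual_router_id") != s.get("virtual_router_id"):
        problems.append("virtual_router_id differs: %s vs %s"
                        % (p.get("virtual_router_id"), s.get("virtual_router_id")))
    if p.get("authentication") != s.get("authentication"):
        problems.append("authentication settings differ")
    if p.get("unicast_peer", {}).get("_items") != [secondary_ip]:
        problems.append("primary unicast_peer is not the secondary node %s" % secondary_ip)
    if s.get("unicast_peer", {}).get("_items") != [primary_ip]:
        problems.append("secondary unicast_peer is not the primary node %s" % primary_ip)
    for role, inst in (("primary", p), ("secondary", s)):
        # entries look like "10.0.1.100/24 dev eth0"; keep only the address part
        vips = [e.split()[0].split("/")[0] for e in inst.get("virtual_ipaddress", {}).get("_items", [])]
        if havip not in vips:
            problems.append("%s virtual_ipaddress %s does not contain the HaVip %s" % (role, vips, havip))
    return problems


if __name__ == "__main__":
    for line in check_pair(PRIMARY_CONF, SECONDARY_CONF, "10.0.1.100", "10.0.1.10", "10.0.1.11"):
        print("mismatch:", line)
```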
Why is the network connection still down after I add a route?
Configuring a correct route is only one of the prerequisites for network connectivity. If the connection fails, perform the following steps to troubleshoot the issue:
Bidirectional route check: Make sure that routes are correctly configured for both request and response traffic. For example, for a VPC peering connection, you must configure routes for both VPCs.
Security group rules: Check the security groups of the source and destination ECS instances to make sure that traffic of the required protocol and port is allowed. For example, the ping command requires the ICMP protocol to be allowed.
Network ACL rules: If you configured a network ACL, check its outbound and inbound rules to make sure that the relevant traffic is allowed.
ECS instance-level firewall: Check whether the firewall on the operating system of the ECS instance, such as iptables or firewalld on Linux or Windows Firewall, blocks traffic.
CIDR block conflicts: Check for network address conflicts. For example, check whether the Docker CIDR block on the ECS instance conflicts with the CIDR block of the peer VPC.
You can use the Network Intelligence Service - Path Analysis tool in the console to visually diagnose the network connectivity between two points.
What do I do if an ECS instance cannot access the Internet after an EIP is attached?
Perform the following steps to check:
IPv4 gateway and VPC route table: If an IPv4 gateway is enabled for the VPC, check the route table of the vSwitch to which the ECS instance belongs. Make sure that a default route (0.0.0.0/0) points to the IPv4 gateway.
Security group rules: Check the outbound rules of the security group to which the ECS instance belongs. By default, all outbound traffic (0.0.0.0/0) is allowed. Make sure that outbound access is not incorrectly restricted.
Network ACL rules: If you configured a network ACL for the vSwitch, check its outbound rules to make sure that outbound traffic is allowed.
Overdue payments: Check whether your Alibaba Cloud account has overdue payments. Overdue payments may cause the EIP to become unavailable.
ECS instance-level network configuration: Make sure that the network settings on the operating system of the ECS instance, such as the gateway and DNS, are correct. These settings are usually obtained automatically through DHCP.
Why don't ECS instances in a VPC have public IP addresses?
VPCs are designed for network isolation and security. By default, an ECS instance created in a VPC is assigned only a private IP address for internal communication. The instance cannot access the Internet. This is a core security feature of VPC.
If you need an instance to access the Internet, you must explicitly configure this capability by attaching an EIP or configuring a NAT Gateway. For more information, see Internet access.
Network planning and design issues
Does VPC support multicast?
VPC does not natively support multicast capabilities. However, you can use VPC in conjunction with the Cloud Enterprise Network (CEN) product to implement multicast management.
How do I use a public CIDR block for private communication in a VPC?
Some enterprises use public CIDR blocks, such as 30.0.0.0/16, for private communication in their on-premises data centers or VPCs. These CIDR blocks are not defined as private in RFC 1918. When you connect the VPC to another VPC or an on-premises data center, the VPC considers IP addresses outside the CIDR blocks defined in RFC 1918 as public IP addresses. After you enable Internet access for cloud resources in the VPC, traffic destined for 30.0.0.0/16 is routed to the Internet first, even if you configure a route that directs the traffic to the on-premises data center or peer VPC. As a result, you cannot access the destination VPC or on-premises data center.
You can use one of the following methods to use a public CIDR block for private communication:
Method 1: Use an IPv4 gateway.
You can use an IPv4 gateway to centrally control the Internet access behavior of a VPC. When you access 30.0.0.0/16, traffic is preferentially routed to other VPCs or on-premises data centers. For more information, see Use an IPv4 gateway to enable private use of public IP addresses.
Method 2: Use a user CIDR block.
If you want requests to 30.0.0.0/16 to be forwarded based on the route table instead of being directly forwarded to the Internet, you can call the CreateVpc operation and specify the UserCidr parameter to specify a user CIDR block for the VPC when you create the VPC. After you specify a user CIDR block, requests from the VPC to an address in the user CIDR block are forwarded based on the route table.
Note:
1. You can specify a user CIDR block only by calling an API operation. You cannot specify a user CIDR block in the console. After a user CIDR block is created, it cannot be modified.
2. When you specify only the IPv4 CIDR block for a VPC, if you select a custom CIDR block that is not a standard private CIDR block defined in RFC 1918 (192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8) or a subnet of these CIDR blocks, the system specifies the primary CIDR block as a user CIDR block by default.
What are the differences between a VPC and a classic network?
A classic network is an earlier network type provided by Alibaba Cloud. By default, a classic network cannot communicate with a VPC. This network type is being phased out and is no longer recommended. All new resources should be deployed in VPCs.
Attribute | Classic network | Virtual private cloud (VPC) |
Network model | All users share a flat, large public address space of Alibaba Cloud. | A logically isolated network based on tunneling. Each user has an exclusive network. |
Network isolation | Relies on security groups for isolation. | Provides native Layer 2 network isolation for higher security. |
Network customization | You cannot customize the network topology and IP addresses. | Highly flexible. You can customize CIDR blocks, routes, and the network topology. |
Security | Lower | Higher |
How do I connect a VPC to a classic network?
For more information, see Use ClassicLink to connect a classic network and a VPC.
How do I connect an Alibaba Cloud VPC to an on-premises data center? How do I connect an Alibaba Cloud VPC to an AWS or Tencent Cloud VPC?
For more information, see Connecting a VPC to an on-premises data center or another cloud.
Can a VPC communicate with another VPC or an on-premises network if their CIDR blocks overlap?
For more information, see:
How do I enable an ECS instance to access the Internet? How do I enable an ECS instance to access the Internet using an IPv6 address?
For more information, see Select a public IP address type.
How do I use the same public IP address for multiple ECS instances to access the Internet?
For more information, see:
What are the differences between an IPv4 gateway and an Internet NAT gateway?
Network component | IPv4 gateway | Internet NAT gateway |
Feature | A component that controls public IPv4 traffic at the border of a VPC. | A Network Address Translation (NAT) device within a VPC. |
Scenarios | Centrally control Internet traffic. | Centralized Internet egress traffic |
Provides Internet access | No. It only controls Internet traffic. | Provides Internet access using EIPs. (Internet access is provided by EIPs. The NAT gateway itself does not provide Internet access.) |
IPv4 gateways and Internet NAT gateways provide distinct features and can be used together. For more information about the relationship between these network components, see Internet access.
How do I switch between a public IP address and a private IP address?
An ECS instance to which an EIP is attached has both a public IP address and a private IP address. You do not need to manually switch between them.
Internal communication within a VPC: When other ECS instances in the VPC access this ECS instance, they must always use its private IP address. Traffic is transmitted entirely within the VPC, which is fast and free of charge.
Internet access: When users or other devices on the Internet access this ECS instance, or when this ECS instance actively accesses the Internet, its public IP address (EIP) must be used.
How do I enable an ECS instance to access OSS over an internal network using a VPC?
For more information, see Private access to Alibaba Cloud services from a VPC.
How do I allow only specific IP addresses to access an ECS instance? What are the differences between a network ACL and a security group?
For more information, see Resource Access Management.
How do I enable communication between different security groups?
You can use a basic security group as an authorization object. However, this feature is not supported by enterprise security groups. For more information, see Use a security group as an authorization object.
When you configure inbound or outbound rules for a basic security group, you can directly set the source or destination to another basic security group. This method is more flexible than authorizing a CIDR block. If you add new ECS instances to the security group or the IP addresses of the instances change in the future, you do not need to modify the security group rules. The new instances automatically have the required access privileges.
How do I troubleshoot a security group rule that does not take effect?
Rule priority: Check whether the rule conflicts with a rule that has a higher priority.
Incorrect direction: Check whether the rule is configured for inbound or outbound traffic. Accessing an ECS instance is inbound traffic. The ECS instance accessing an external resource is outbound traffic.
Incorrect object: Make sure that the security group is correctly applied to the ENI of the destination ECS instance.
Blocked by a network ACL: Check whether a network ACL is associated with the vSwitch to which the ECS instance belongs and whether the rules of the network ACL deny the traffic.
Instance-level firewall: Check the firewall settings on the operating system.
Routing issues: Make sure that traffic can be correctly routed to the ECS instance.
How do I migrate an ECS instance to another VPC?
For more information, see Change the VPC for an ECS instance.
Can I specify a custom DNS server in a VPC?
Yes, you can. You can use the DHCP options set feature to change the default DNS server configuration for your VPC to a self-managed DNS server on an ECS instance, a DNS server in your data center, or a third-party public DNS service. Ensure that the specified server is reachable from the VPC. For more information, see Use a self-managed DNS service.
Can a VPC peering connection connect VPCs that belong to accounts on the China site and the international site?
No, it cannot.
Due to compliance requirements, a VPC peering connection cannot be established between VPCs that belong to accounts on the China site (aliyun.com) and the international site (alibabacloud.com).
Do VPC peering connections support cross-border private network communication?
Supported.
For cross-border peering connections, Cloud Data Transfer (CDT) charges a data transfer fee based on outbound traffic. To use the cross-border feature of CDT, you must go to the Cross-border Cloud Leased Line page to apply for enterprise qualification. The cross-border leased line is provided by China Unicom.
What is the network latency of a VPC peering connection?
Intra-region peering connection: The network latency is low, typically in the millisecond range.
Cross-region peering connection: Network latency is relatively high because this type of connection involves data transmission between different regions. The specific latency depends on the physical distance and network conditions between the two regions. You can use the Cloud Network Inter-Access Performance Monitoring Tool to view the average network latency between regions and select a link type that is more suitable for your business.
CIDR block configuration issues
What is CIDR?
Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and aggregating routes. It improves network management efficiency and simplifies route tables.
CIDR uses slash notation, such as 192.168.1.0/24:
The part before the slash is the network address, which is the first IP address in the range.
The number after the slash is the prefix length. It indicates the number of consecutive leading 1s in the subnet mask. The remaining bits are used for host addresses.
A CIDR block is the set of IP addresses that share the same network prefix of a given length. A large CIDR block can be divided into smaller CIDR blocks that have longer prefixes. This process is called subnetting. CIDR blocks are the foundation of modern network planning. The subnetting of VPCs and vSwitches is based on this principle.
Examples:
192.168.0.0/16: The first 16 bits are for the network, and the last 16 bits are for hosts, which gives 2^16 IP addresses. This CIDR block includes 192.168.1.0/24 and 192.168.2.0/26.
10.0.0.0/8: The first 8 bits are for the network, and the last 24 bits are for hosts, which gives 2^24 IP addresses. This CIDR block includes 10.1.0.0/16 and 10.2.0.0/24.
172.16.0.0/12: The first 12 bits are for the network, and the last 20 bits are for hosts, which gives 2^20 IP addresses. This CIDR block includes 172.17.0.0/16 and 172.18.0.0/24.
When you create a VPC and a vSwitch, you need to specify their network segments in the form of a CIDR block. Note that the actual number of available IP addresses is less than the theoretical value because some IP addresses in a vSwitch are reserved by the system.
How do I modify the CIDR block of a VPC?
Adjust the primary CIDR block:
The IPv4 CIDR block that you specify when you create a VPC is its primary CIDR block. You cannot modify the primary CIDR block of a VPC in the console. However, you can call the ModifyVpcAttribute operation and modify the CidrBlock parameter to expand or shrink the primary CIDR block. If you shrink the CIDR block, ensure that the new block includes all IP addresses that are in use.
The IPv6 CIDR block assigned after you enable IPv6 for the VPC cannot be modified.
Use secondary CIDR blocks: To expand the address range of a VPC, you can add secondary CIDR blocks in addition to its primary CIDR block. The secondary CIDR blocks and the primary CIDR block are active at the same time and can all be used to create resources such as vSwitches and to deploy ECS instances.
How do I modify the CIDR block of a vSwitch?
You cannot modify the IPv4 or IPv6 CIDR block of a vSwitch after the vSwitch is created.
To change the CIDR block of a vSwitch, you must delete the vSwitch and then create a new one with the new CIDR block. Before you delete the vSwitch, you must release or migrate all cloud resources from it, such as ECS instances, SLB instances, and RDS instances. This is a high-risk operation. Make sure that you back up your data and create a migration plan.
Which CIDR block should I select when I create a VPC?
Selecting a CIDR block for a VPC is a key step in network planning. Follow these principles:
Use standard private CIDR blocks: We recommend that you use the standard private CIDR blocks defined in RFC 1918, such as 10.0.0.0/16, 172.16.0.0/16, and 192.168.0.0/16. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as the CIDR block of a VPC.
Avoid conflicts with on-premises data centers or other network environments: If you plan to connect the VPC to an on-premises network, another VPC, or another cloud, make sure that the CIDR block of the VPC does not conflict with the CIDR blocks of these networks.
Reserve sufficient address space: Estimate the number of IP addresses required based on your future business scale and select a sufficiently large CIDR block. This prevents complex network reconstruction due to insufficient addresses in the future.
Avoid conflicts with commonly used container network CIDR blocks: If you plan to use Docker or Kubernetes (K8s) in the VPC, we recommend that you avoid using default container CIDR blocks such as 172.17.0.0/16 to prevent communication failures.
How do I assign an IPv6 CIDR block to a VPC? How do I access the Internet using an IPv6 address?
When you enable IPv6 for a virtual private cloud (VPC) and a vSwitch, the system automatically creates an IPv6 gateway and assigns an IPv6 CIDR block. By default, this configuration supports only private network communication. If you require Internet communication, you can enable IPv6 Internet bandwidth. For more information, see Enable/Disable IPv6.
Can I assign only an IPv6 CIDR block to a VPC (IPv6-only)?
No, you cannot. VPC currently supports IPv4-only and dual-stack (IPv4 and IPv6), but not IPv6-only.
How do I assign a specific private IP address to an existing ECS instance?
For more information, see Modify the primary private IPv4 address for an existing ECS instance.
Why can't a Docker network and a VPC communicate if their CIDR blocks overlap?
This is a typical issue in cloud network planning. When the Docker or K8s pod network deployed on an ECS instance overlaps with the CIDR block of another vSwitch in your VPC or the CIDR block of the peer VPC of a peering connection, a route conflict occurs, and communication fails.
Cause: Assume that the default Docker CIDR block is 172.17.0.0/16, and the CIDR block of vSwitch B in the VPC is 172.17.0.0/24. When an application in a Docker container tries to access an IP address in vSwitch B, the operating system of the ECS instance routes the traffic to the local docker0 bridge based on its own route table, in which the 172.17.0.0/16 route via docker0 is more specific than the default route, instead of sending the traffic into the VPC, where the VPC route table would apply. This causes the communication to fail.
Solutions:
Modify the Docker/K8s network configuration: Modify the configuration file of the Docker daemon, such as /etc/docker/daemon.json, to specify a private CIDR block that does not conflict with your overall cloud network environment, including all interconnected VPCs and on-premises data centers. This is the most fundamental solution.
Avoid pitfalls when planning VPC CIDR blocks: When you plan the CIDR blocks of VPCs and vSwitches, avoid using CIDR blocks that are commonly used by K8s, such as 172.17.0.0/16 and some subnets of 10.0.0.0/8.
How do I configure the CIDR block of an IPAM pool to prevent CIDR block conflicts between a new VPC and an on-premises data center or a VPC on another cloud platform?
Before you enable IP Address Manager (IPAM), review all your network environments that need to be interconnected, including on-premises data centers, office networks, and other clouds. Record all used CIDR blocks.
When you provision a CIDR block for an IPAM pool, you must include these used network segments.
Reserve these address segments by creating a custom allocation in the IPAM pool.
All subsequent new VPC CIDR blocks are allocated by IPAM. Because IPAM has recorded all used CIDR blocks, the new CIDR blocks it allocates will not conflict with existing ones.
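The following Python example is added here (it is not part of the original FAQ) to put the CIDR planning advice from the preceding sections into practice: it finds overlaps across a VPC, its peer VPC, the Docker default block on an ECS instance and an on-premises range, classifies a candidate VPC CIDR block as RFC 1918 private, disallowed, or a user CIDR block, and picks the first non-conflicting subnet from a pool the way an IPAM allocation would. The network plan is constructed, and treating any block that overlaps the four disallowed ranges as rejected is an assumption.

```python
import ipaddress

# Private blocks defined in RFC 1918, and the blocks the FAQ says a VPC cannot use.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISALLOWED = [ipaddress.ip_network(c) for c in
              ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed network plan; the two conflicts in it are intentional.
PLAN = [
    ("VPC-A", "10.0.0.0/16"),
    ("VPC-B (peer of VPC-A)", "172.17.0.0/24"),
    ("docker0 on an ECS instance in VPC-A", "172.17.0.0/16"),  # Docker's default bridge block
    ("on-premises data center", "10.0.200.0/24"),
]


def find_overlaps(named_blocks):
    """Return every pair of blocks whose address ranges overlap, as
    (name_a, name_b, cidr_a, cidr_b). Blocks of different IP versions never overlap."""
    nets = [(name, ipaddress.ip_network(cidr, strict=False)) for name, cidr in named_blocks]
    found = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                found.append((name_a, name_b, str(net_a), str(net_b)))
    return found


def classify_vpc_cidr(cidr):
    """'private' for an RFC 1918 block or a subnet of one; 'disallowed' for a block that
    overlaps a range the VPC rejects (assumption: overlap is enough); otherwise 'user',
    a public range that must be declared with the UserCidr parameter of CreateVpc."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 CIDR blocks are classified")
    if any(net.overlaps(d) for d in DISALLOWED):
        return "disallowed"
    if any(net.subnet_of(p) for p in RFC1918):
        return "private"
    return "user"


def first_free_subnet(parent, new_prefixlen, taken):
    """First subnet of parent with the given prefix length that overlaps none of the
    taken blocks, i.e. what a replan or an IPAM pool allocation would hand out."""
    parent_net = ipaddress.ip_network(parent, strict=False)
    taken_nets = [ipaddress.ip_network(t, strict=False) for t in taken]
    for candidate in parent_net.subnets(new_prefix=new_prefixlen):
        if not any(candidate.overlaps(t) for t in taken_nets):
            return str(candidate)
    return None


if __name__ == "__main__":
    for name_a, name_b, cidr_a, cidr_b in find_overlaps(PLAN):
        print("conflict: %s (%s) overlaps %s (%s)" % (name_a, cidr_a, name_b, cidr_b))
    for cidr in ("30.0.0.0/16", "10.0.0.0/16", "100.64.0.0/10"):
        print(cidr, "->", classify_vpc_cidr(cidr))
    # a replacement block for the Docker bridge that stays clear of every block in PLAN
    print("free /16 for docker0:", first_free_subnet("172.16.0.0/12", 16, [c for _, c in PLAN]))
```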
Does HaVip support IPv6?
No, it does not. Currently, only IPv4 is supported.
VPC and vSwitch deletion issues
What do I do if a message indicates that a VPC or vSwitch cannot be deleted due to dependent resources?
Follow the instructions in the console to delete the dependent resources, and then delete the VPC or vSwitch.
You can view the existing resources on the VPC instance details page under Resource Management or on the vSwitch instance details page under Cloud Resource Management.
What do I do if an ENI cannot be deleted when I delete a VPC?
An elastic network interface (ENI) is a common type of resource that may prevent you from deleting a VPC or vSwitch.
Primary ENI: A primary ENI is created together with an ECS instance. Its lifecycle is bound to the ECS instance. A primary ENI cannot be detached or deleted separately. You must release the ECS instance to delete its primary ENI.
Secondary ENI: If it is a secondary ENI, you need to detach it from the ECS instance before you can delete it.
Managed by other cloud services: Some cloud services, such as Application Load Balancer (ALB), Network Load Balancer (NLB), Container Service for Kubernetes (ACK), and Function Compute (FC), automatically create and manage ENIs. To delete these ENIs, you must go to the console of the corresponding cloud service and delete the service instance, such as an ACK cluster. The service then automatically deletes the ENIs that it created.
Routing issues
Do CEN and TR automatically add routes for secondary CIDR blocks?
If the route learning feature is enabled for the VPC connection on the Transit Router (TR), and a vSwitch is created in the VPC using a secondary CIDR block, the TR automatically learns the system route of the vSwitch.
TR supports automatic learning only for system routes of a VPC. For custom routes, you must manually publish the routes from the VPC route table to CEN or add the routes in CEN.
Does a VPC have a vRouter?
Yes, it does. Each VPC has one and only one vRouter. Each vRouter can maintain multiple route tables.
You can query the ID of the vRouter to which a route table belongs on the VPC console - Route Tables page or using the DescribeRouteTables API.
How do I configure routes for a VPC peering connection?
After a VPC peering connection is established and activated, the two VPCs cannot communicate with each other by default because they do not have a route that directs traffic to the peer VPC through the peering connection. Therefore, you must add routes that point to the peering connection in the route tables of both VPCs.
For more information, see Configure routes.
What do I enter for the destination CIDR block of a route?
The destination CIDR block defines the destination IP addresses to which this route applies.
Exact match: Enter the specific network range to which you want to send data packets. For example, to access a peer VPC (192.168.0.0/16), enter 192.168.0.0/16.
Default route: 0.0.0.0/0 represents all IPv4 addresses. By directing traffic destined for 0.0.0.0/0 to a NAT gateway, you can enable ECS instances without public IP addresses in a VPC to access the Internet through the NAT gateway.
Why must I configure routes for both the requester and accepter VPCs of a peering connection?
Network communication is bidirectional. When you configure routes, you must consider not only the request traffic but also the response traffic. If you configure a route for only one VPC, the network connection may fail.
Can I set the destination CIDR block of a route to the CIDR block of a vSwitch?
Yes, but this is not recommended.
Best practice: When you configure routes for a VPC peering connection or VPN Gateway, set the destination CIDR block to the entire CIDR block of the peer VPC, not a specific vSwitch CIDR block. This simplifies management. You should use a specific vSwitch CIDR block only if you have fine-grained access control requirements.
Network O&M and monitoring issues
How do I monitor the Internet traffic of a VPC?
You can use the flow log feature or the Network Intelligence Service-Traffic Analyzer feature of your VPC to collect traffic information from Internet components, such as Internet NAT gateways and IPv4 gateways, for Internet traffic monitoring. For more information, see Flow log and Traffic analyzer.
How do I view the network topology of a VPC?
You can use the Network Intelligence Service - VPC Topology feature to generate a VPC network topology graph.
Billing issues
How is VPC billed?
The following VPC features are billed:
The following VPC features are in public preview and are currently free of charge:
IP Address Manager (IPAM)
High-availability virtual IP address (HaVip)
Free features:
VPC and vSwitch, secondary CIDR block, reserved CIDR block
DNS hostname, DHCP options set
Route table, prefix list
Shared VPC
ClassicLink, gateway endpoint
IPv4 gateway, network ACL
If you create cloud resources in a VPC, you are charged for those resources. For more information, see the billing documentation for the corresponding resources.
Are VPC peering connections a paid service?
Intra-region: Creating and using a VPC peering connection within the same region is free of charge. This applies to both same-account and cross-account connections.
Cross-region: For cross-region VPC peering connections, Cloud Data Transfer charges a data transfer fee based on outbound traffic.
How do I stop the billing of a VPC peering connection to reduce costs?
Intra-region peering connections are free of charge. Deleting them does not affect your costs.
For cross-region peering connections, you must delete the peering connection instance to stop incurring data transfer fees.