Virtual Private Cloud:VPC FAQ

Last Updated:Nov 19, 2025

This topic answers frequently asked questions (FAQs) about virtual private cloud (VPC) to help you quickly resolve issues, understand product features, and enhance your network architecture.

Network connectivity

How do I connect VPCs to allow resource access between them?

Choose either VPC peering connections or Cloud Enterprise Network (CEN) to connect VPCs that are in the same or different accounts and regions. To learn more about their differences, see Connect VPCs.

How do I troubleshoot a failed VPC peering connection?

Use the following methods. You can also use the Network Intelligence Service - Path Analysis tool for diagnosis.

  1. Check routes:

    • Make sure that the VPC peering connection is in the Activated state.

    • Check the route tables of the vSwitches in both VPCs. Make sure that a route points to the CIDR block of the peer VPC and that the next hop of the route is the VPC peering connection.

  2. Check security groups and network ACLs:

    • Check the security group and network ACL rules for the source and destination ECS or RDS instance and make sure:

      • The inbound rules for the destination instance allow traffic from the CIDR block or IP of the source VPC to access the required service port.

      • The outbound rules for the source instance do not block outbound traffic.

  3. Check for CIDR block conflicts:

    • Make sure the CIDR blocks of the two VPCs do not overlap.

    • Make sure that the CIDR block of a Docker or Kubernetes container network on the ECS instance does not conflict with the peer VPC CIDR. This is a common but often overlooked cause of connection failures: the network connection fails even if the routes, security groups, and network ACLs are correctly configured.
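As an added example (not code from this page or from Alibaba Cloud), a Python pre-check that runs steps 1 and 3 of this checklist against constructed route tables for both VPCs; the peering ID, gateway IDs, the next-hop type labels and all CIDR blocks are sample values.

```python
"""Pre-check for a VPC peering connection, following the FAQ checklist:
peering state, a route to the peer CIDR via the peering in BOTH VPCs,
VPC CIDR overlap, and container CIDR overlap with the peer VPC.
All data below is constructed; nothing is fetched from the cloud API."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    name: str
    cidr: str
    # route entries as (destination CIDR, next-hop type, next-hop ID)
    routes: list = field(default_factory=list)
    # CIDR blocks used by Docker/Kubernetes on ECS instances inside this VPC
    container_cidrs: list = field(default_factory=list)


def has_peering_route(vpc, peer, peering_id):
    """True if a route covers the entire peer CIDR with the peering as next hop."""
    peer_net = ipaddress.ip_network(peer.cidr)
    for dest, hop_type, hop_id in vpc.routes:
        if hop_type == "VpcPeer" and hop_id == peering_id:
            if peer_net.subnet_of(ipaddress.ip_network(dest)):
                return True
    return False


def check_peering(vpc_a, vpc_b, peering_id, status):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []
    if status != "Activated":
        findings.append(f"{peering_id} is in state {status}, not Activated")
    net_a, net_b = ipaddress.ip_network(vpc_a.cidr), ipaddress.ip_network(vpc_b.cidr)
    if net_a.overlaps(net_b):
        findings.append(f"VPC CIDR blocks overlap: {vpc_a.cidr} and {vpc_b.cidr}")
    # Both directions: the request path and the return path each need a route.
    for vpc, peer in ((vpc_a, vpc_b), (vpc_b, vpc_a)):
        if not has_peering_route(vpc, peer, peering_id):
            findings.append(f"{vpc.name}: no route to {peer.cidr} with next hop {peering_id}")
        peer_net = ipaddress.ip_network(peer.cidr)
        for c in vpc.container_cidrs:
            if ipaddress.ip_network(c).overlaps(peer_net):
                findings.append(f"{vpc.name}: container CIDR {c} overlaps peer VPC {peer.cidr}")
    return findings


def sample_findings():
    """Constructed scenario: VPC-B lacks the return route and runs pods in 10.0.0.0/8."""
    peering_id = "pcc-EXAMPLE"  # placeholder peering ID
    vpc_a = Vpc("VPC-A", "10.0.0.0/16",
                routes=[("0.0.0.0/0", "NatGateway", "ngw-EXAMPLE"),
                        ("192.168.0.0/16", "VpcPeer", peering_id)],
                container_cidrs=["172.17.0.0/16"])
    vpc_b = Vpc("VPC-B", "192.168.0.0/16",
                routes=[("0.0.0.0/0", "NatGateway", "ngw-EXAMPLE-2")],
                container_cidrs=["10.0.0.0/8"])
    return check_peering(vpc_a, vpc_b, peering_id, "Activated")


if __name__ == "__main__":
    for line in sample_findings():
        print("FINDING:", line)
```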

How do I resolve CIDR block conflicts for a VPC peering connection?

If the CIDR blocks of two VPCs overlap, choose one of the following solutions:

  1. Replan the network (recommended): Migrate the resources in one VPC to a new VPC with a non-overlapping CIDR block.

  2. Use CEN and a VPC NAT gateway: For more complex cases, use Cloud Enterprise Network (CEN) in combination with the private NAT feature of a VPC NAT gateway to map a VPC CIDR to a new CIDR. This solution has a more complex architecture and is more costly. For more information, see Use a VPC NAT gateway to enable communication between VPCs that have address conflicts.

Some IP addresses cannot be accessed after a VPC peering connection is created. How do I troubleshoot this issue?

This is usually caused by more specific routes or security group rules.

  • VPC routes: Check whether a more specific route in VPC route tables with a higher priority (based on the longest prefix rule) directs traffic to another destination, such as a NAT Gateway specified in a default route.

  • Security group: Check whether the inbound rules for the destination instance allow access from only some source IP addresses.

  • Network ACL: Check whether the network ACL allows traffic from only some subnets.

Why is the requester VPC able to ping the peer, yet the accepter can't ping back?

One-way connectivity is usually caused by asymmetric configurations. Check the security group and network ACL rules for the ECS instances in both VPCs to make sure that both outbound and inbound traffic are allowed.

I created VPC peering connections between VPC A and VPC B, and between VPC B and VPC C. Why can't VPC A and VPC C communicate?

VPC peering connections are not transitive.

Traffic cannot pass through VPC B from VPC A to VPC C. If you need full connectivity among multiple VPCs (star/mesh), use CEN.

Why can't I access cloud services such as RDS and Redis in the peer VPC?

This issue is similar to an ECS instance connection failure. However, you must also check the access control of the cloud service.

  1. Perform a basic connectivity check: Follow the checklist in troubleshooting a failed VPC peering connection to check the routing, CIDR blocks, security group, and network ACL configurations, and ensure that the network connection is established.

  2. Check the IP address whitelist of the cloud service: Most database and cache services, such as RDS, Redis, and MongoDB, provide an IP address whitelist feature. Add the private IP or CIDR block of the source ECS instance to the cloud service whitelist.

Are cross-account and cross-region VPC peering connections supported?

Yes. When you use a cross-region connection, Cloud Data Transfer (CDT) charges a data transfer fee for outbound traffic.

You cannot create connections between the China website (aliyun.com) and the international website (alibabacloud.com).

Why can't I access the Internet after I delete an IPv4 gateway?

The common cause is deleting the IPv4 gateway with private mode selected. In private mode, no resource in the VPC can access the Internet.

To restore the VPC to a state where it can access the Internet without an IPv4 gateway, recreate the IPv4 gateway and then delete it with public mode selected. For more information, see IPv4 Gateway.

Can ECS instances in the primary CIDR and secondary CIDR within the same VPC communicate?

Yes. They are in the same VPC and can communicate if security group and network ACL rules allow the traffic.

With ClassicLink enabled, can ECS instances in a classic network communicate with resources in the secondary CIDR of the VPC?

No. Secondary CIDR blocks are not compatible with the ClassicLink feature.

Why does a VIP fail to fail over after it is associated with a HaVip?

The most common issue with high-availability virtual IP address (HaVip) configurations is that the virtual IP address (VIP) fails to automatically fail over to the secondary node after the primary node fails. The possible causes are as follows:

  • Keepalived not running: For example, on CentOS 7.9, run the systemctl status keepalived command to check the Keepalived status. If the service is not started, run the systemctl start keepalived command to start it.

  • Invalid Keepalived configuration: Check whether the keepalived.conf file is correctly configured. For example:

    • Mismatched virtual_router_id between the primary and secondary nodes.

    • Mismatched authentication settings between the primary and secondary nodes.

    • Incorrect peer IP address specified in unicast_peer.

    • The virtual IP address specified in virtual_ipaddress is not the HaVip.

  • Blocked by a security group or network ACL: Check whether the security group or network ACL rules block traffic from the source IP.

  • Instance-level firewall: Check whether the firewall on the ECS instance, such as firewalld or iptables, blocks traffic from the source IP.
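As an added example (not from this page or from the Keepalived project), a Python check that compares the keepalived.conf of both nodes for the four configuration mismatches listed above. The two configurations are constructed samples that contain every mismatch; the HaVip and node addresses are placeholders.

```python
"""Consistency check for keepalived.conf on the two nodes behind an HaVip,
covering the mismatches listed in the FAQ: virtual_router_id, authentication,
unicast_peer, and virtual_ipaddress.  The configs are constructed samples
that contain every mismatch; the HaVip and node addresses are placeholders."""
import re

HAVIP = "10.0.1.100"  # placeholder HaVip address

PRIMARY_CONF = """
vrrp_instance VI_1 {
    state MASTER
    virtual_router_id 51
    priority 100
    unicast_src_ip 10.0.1.11
    unicast_peer {
        10.0.1.12
    }
    authentication {
        auth_type PASS
        auth_pass s3cret
    }
    virtual_ipaddress {
        10.0.1.100
    }
}
"""

SECONDARY_CONF = """
vrrp_instance VI_1 {
    state BACKUP
    virtual_router_id 52
    priority 90
    unicast_src_ip 10.0.1.12
    unicast_peer {
        10.0.1.13
    }
    authentication {
        auth_type PASS
        auth_pass other
    }
    virtual_ipaddress {
        10.0.1.101
    }
}
"""


def parse_vrrp(conf):
    """Extract the settings the FAQ compares from a single vrrp_instance block."""
    def scalar(key):
        m = re.search(rf"^\s*{key}\s+(\S+)", conf, re.M)
        return m.group(1) if m else None

    def block(key):  # values listed inside "key { ... }"
        m = re.search(rf"{key}\s*\{{(.*?)\}}", conf, re.S)
        return m.group(1).split() if m else []

    return {"vrid": scalar("virtual_router_id"), "auth_pass": scalar("auth_pass"),
            "src_ip": scalar("unicast_src_ip"), "peers": block("unicast_peer"),
            "vips": block("virtual_ipaddress")}


def check_pair(primary_conf, secondary_conf, havip):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    p, s = parse_vrrp(primary_conf), parse_vrrp(secondary_conf)
    problems = []
    if p["vrid"] != s["vrid"]:
        problems.append(f"virtual_router_id differs: {p['vrid']} vs {s['vrid']}")
    if p["auth_pass"] != s["auth_pass"]:
        problems.append("authentication settings differ between the nodes")
    if p["peers"] != [s["src_ip"]]:
        problems.append(f"primary unicast_peer {p['peers']} is not the secondary ({s['src_ip']})")
    if s["peers"] != [p["src_ip"]]:
        problems.append(f"secondary unicast_peer {s['peers']} is not the primary ({p['src_ip']})")
    for name, cfg in (("primary", p), ("secondary", s)):
        if cfg["vips"] != [havip]:
            problems.append(f"{name} virtual_ipaddress {cfg['vips']} is not the HaVip {havip}")
    return problems


if __name__ == "__main__":
    for line in check_pair(PRIMARY_CONF, SECONDARY_CONF, HAVIP):
        print("MISMATCH:", line)
```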

Why is the network connection still down after I add a route?

Adding the correct routes is only one prerequisite. If connectivity still fails, check:

  1. Bidirectional routing: Ensure both request and return paths are routed. For VPC peering connections, configure routes on both VPCs.

  2. Security group: On source and destination ECS instances, allow the required protocols/ports. For example, the ping command requires the ICMP protocol to be allowed.

  3. Network ACLs: Verify inbound and outbound rules permit the traffic.

  4. ECS instance-level firewall: Check whether the firewall on the operating system, such as iptables or firewalld on Linux or Windows Firewall, blocks the traffic.

  5. CIDR block conflicts: Check for network address conflicts. For example, make sure that the Docker CIDR block on the ECS instance does not conflict with the peer VPC CIDR block.

  6. Use the Network Intelligence Service - Path Analysis tool in the console to visualize and diagnose connectivity.

What do I do if an ECS instance cannot access the Internet after an EIP is attached?

Perform the following steps to check:

  1. IPv4 gateway and VPC route table: If an IPv4 gateway is enabled for the VPC, check the route table of the vSwitch to which the ECS instance belongs. Make sure that a default route of 0.0.0.0/0 points to the IPv4 gateway.

  2. Security group rules: Check the outbound rules of the ECS security group. By default, all outbound traffic is allowed (0.0.0.0/0). Make sure that outbound access is not incorrectly restricted.

  3. Network ACL rules: Check the outbound rules of the vSwitch network ACL to make sure that outbound traffic is allowed.

  4. Overdue payments: Check whether your Alibaba Cloud account has overdue payments, which may cause the EIP to become unavailable.

  5. ECS network configuration: Check that the OS settings of the ECS instance, such as the gateway and DNS, are correct. These settings are usually obtained automatically through DHCP.

Why don't ECS instances in a VPC have public IP addresses?

VPCs are designed for network isolation, which is a key security feature. By default, an ECS instance created in a VPC is assigned only a private IP address for internal communication. The instance cannot access the Internet.

To access the Internet, you must attach an EIP or configure a NAT Gateway. For more information, see Internet access.

Network planning and design

Does VPC support multicast?

VPC does not natively support multicast. However, you can use VPC in conjunction with the CEN to implement multicast management.

How do I use a public CIDR block for private communication in a VPC?

Some enterprises use a CIDR block outside RFC 1918, for example 30.0.0.0/16, as a private address range in their IDC or VPC. When you connect with other VPCs or on-premises networks, the VPC treats any CIDR block outside RFC 1918 as public. When resources in the VPC have Internet access, traffic to 30.0.0.0/16 prefers the Internet path even if you have added a route to the IDC or another VPC, so it does not reach the intended private destination.

Two ways to fix it:

  • Method 1: Use an IPv4 gateway.

    Create an IPv4 gateway to centrally control Internet access of a VPC. When you access 30.0.0.0/16, traffic is preferentially routed to other VPCs or on-premises data centers. For more details, see Use IPv4 gateway to route traffic from Internet to private network.

  • Method 2: Use a customer CIDR block.

    If you want requests to 30.0.0.0/16 to be forwarded based on the route table instead of being forwarded to the Internet, call the CreateVpc operation and pass in the UserCidr parameter to specify a customer CIDR block for the VPC when creating a VPC. Requests from the VPC to an address in the customer CIDR block are forwarded based on the route table.

    1. You can specify a customer CIDR block only by calling the API. The feature is not supported by the console. Customer CIDR blocks cannot be modified once created.
    2. When specifying only the IPv4 CIDR block for a VPC, if you select a custom CIDR block that is not a standard private CIDR block defined in RFC 1918 (192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8) or a subnet of these CIDR blocks, the system specifies the primary CIDR block as a customer CIDR block by default.

What are the differences between a VPC and a classic network?

A classic network is an earlier network type, which by default cannot communicate with a VPC. Classic networks are being phased out and are no longer recommended. All new resources must be deployed in VPCs.

Attribute     | Classic network                                                       | VPC
Network model | All users share a flat, large public address space of Alibaba Cloud. | A logically isolated network based on tunneling. Each user has an exclusive network.
Isolation     | Relies on security groups for isolation.                              | Provides native Layer 2 network isolation for higher security.
Customization | Cannot customize the network topology and IP addresses.               | Highly flexible. You can customize CIDR blocks, routes, and the network topology.
Security      | Lower                                                                 | Higher

How do I connect a VPC to a classic network?

See Use ClassicLink to connect a classic network and a VPC.

How do I connect a VPC to an on-premises data center? How do I connect an Alibaba Cloud VPC to an AWS or Tencent Cloud VPC?

See Connecting a VPC to an on-premises data center or another cloud.

Can a VPC communicate with another VPC or an on-premises network if their CIDR blocks overlap?

Choose one of the following solutions:

How do I enable an ECS instance to access the Internet? How do I enable its Internet access using an IPv6 address?

See Select a public IP address type.

How do I use the same public IP address for multiple ECS instances to access the Internet?

For more information, see:

What are the differences between an IPv4 gateway and an Internet NAT gateway?

Attribute               | IPv4 gateway                                         | Internet NAT gateway
Feature                 | Controls public IPv4 traffic at the border of a VPC. | A Network Address Translation (NAT) device within a VPC.
Scenarios               | Centrally control Internet traffic.                  | Centralized Internet egress traffic.
Provide Internet access | No. Only controls Internet traffic.                  | Yes. Provides Internet access using EIPs. (The NAT gateway itself does not provide Internet access.)

IPv4 gateways and Internet NAT gateways provide non-overlapping features and can be used together. For more information about these network components, see Internet access.

How do I switch between a public and a private IP address?

An ECS instance to which an EIP is attached has both a public and a private IP address. You do not need to manually switch between them.

  • Intra-VPC communication: When other ECS instances in the VPC access an ECS instance, they must always use its private IP address. Traffic is transmitted entirely within the VPC, which is fast and free of charge.

  • Internet access: When users or devices on the Internet access this ECS instance, or when this ECS instance accesses the Internet, its public IP address (EIP) must be used.

How do I let an ECS instance access OSS using a VPC?

See Access cloud services over a private network.

How do I allow only specific IP addresses to access an ECS instance? What are the differences between a network ACL and a security group?

See Resource Access Management.

How do I enable communication between security groups?

You can use a basic security group as an authorization object. However, this feature is not supported by enterprise security groups. See Use a security group as an authorization object.

When configuring inbound or outbound rules for a basic security group, set the source or destination to another basic security group. This method is more flexible than authorizing a CIDR block. If you add new ECS instances or the IP addresses of the instances change, you do not have to modify the security group rules. The new instances automatically have the required access permissions.

How do I troubleshoot a security group rule that does not take effect?

  1. Rule priority: Check whether the rule conflicts with a rule that has a higher priority.

  2. Incorrect direction: Accessing an ECS instance is inbound traffic. The ECS instance accessing an external resource is outbound traffic.

  3. Incorrect object: Make sure that the security group is correctly applied to the ENI of the destination ECS instance.

  4. Blocked by network ACL: Check whether a network ACL is associated with the vSwitch to which the ECS instance belongs and the rules of the network ACL deny the traffic.

  5. ECS firewall: Check the firewall settings on the operating system.

  6. Routing issues: Make sure that traffic is correctly routed to the ECS instance.

How do I migrate an ECS instance to another VPC?

See Change the VPC for an ECS instance.

Can I specify a custom DNS server in a VPC?

Yes. Use a DHCP options set to change the default DNS server configuration for your VPC to a DNS server on an ECS instance, a DNS server in your data center, or a third-party public DNS service. Ensure that the server is reachable from the VPC. For more information, see Use an on-premises DNS service.

Can a VPC peering connection connect VPCs on the China website and the international website?

No.

Due to compliance requirements, a VPC peering connection cannot be established between VPCs that belong to accounts on the China website (aliyun.com) and the international website (alibabacloud.com).

Do VPC peering connections support cross-border connections?

Supported.

For cross-border peering connections, CDT charges a data transfer fee based on outbound traffic. To use the cross-border feature of CDT, make sure that your Alibaba Cloud account has completed enterprise real-name registration. See Real-name verification.

What is the network latency of a VPC peering connection?

  • Intra-region: Low latency, typically in the millisecond range.

  • Inter-region: Higher because this involves data transmission between regions. The latency depends on the distance and network conditions between the two regions. Use the network performance monitoring tool to view the average network latency between regions and select a link type.

CIDR block configuration

What are CIDR blocks?

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and aggregating routes. It improves network management efficiency and simplifies route tables.

CIDR uses slash notation, such as 192.168.1.0/24:

  • The part before the slash is the network address, which is the first IP address in the range.

  • The number after the slash is the prefix length. It indicates the number of consecutive leading 1s in the subnet mask. The remaining bits are used for host addresses.

A CIDR block is a collection of IP addresses that share the same network prefix and number of bits. A large CIDR block can be divided into smaller ones with different network prefixes and numbers of bits.

This process is called subnetting. CIDR blocks are the foundation of modern network planning. The subnetting of VPCs and vSwitches is based on this principle.

Examples:

  • 192.168.0.0/16: The first 16 bits are for the network, and the last 16 bits are for hosts, which theoretically contains 2^16 IP addresses. This CIDR block contains smaller subnets, such as 192.168.1.0/24 and 192.168.2.0/26.

  • 10.0.0.0/8: The first 8 bits are for the network, and the last 24 bits are for hosts, which theoretically contains 2^24 IP addresses. This CIDR block contains smaller subnets, such as 10.1.0.0/16 and 10.2.0.0/24.

  • 172.16.0.0/12: The first 12 bits are for the network, and the last 20 bits are for hosts, which theoretically contains 2^20 IP addresses. This CIDR block contains smaller subnets, such as 172.17.0.0/16 and 172.18.0.0/24.

When creating a VPC and a vSwitch, specify their CIDR blocks. Note that the actual available IP addresses are less than the theoretical value because some IP addresses in a vSwitch are reserved by the system.

How do I modify the CIDR block of a VPC?

  • Adjust the primary CIDR block:

    The IPv4 CIDR block that you specify upon creation is its primary CIDR block. You cannot modify the primary CIDR block of a VPC in the console. However, you can call the ModifyVpcAttribute operation and modify the CidrBlock parameter to expand or shrink it. When shrinking the CIDR block, ensure that the new block includes all IP addresses that are in use.

    The IPv6 CIDR block assigned after you enable IPv6 for the VPC cannot be modified.

  • Add secondary CIDR blocks: To expand the address range, add a secondary CIDR block to the VPC in addition to its primary CIDR block. The secondary CIDR block and the primary CIDR block are active at the same time and can both be used to create resources such as vSwitches and to deploy ECS instances.

How do I modify the CIDR block of a vSwitch?

You cannot modify the IPv4 or IPv6 CIDR block of a vSwitch after creation.

To change the CIDR block of a vSwitch, delete it and create a new one with the new CIDR block. Before deletion, release or migrate all cloud resources from it, such as ECS, SLB, and RDS instances. This is a high-risk operation. Make sure that you back up your data and create a migration plan.

Which CIDR block should I select when I create a VPC?

Selecting a CIDR block for a VPC is a key step in network planning. Follow these principles:

  • Use standard private CIDR blocks: We recommend using the standard private CIDR blocks defined in RFC 1918, such as 10.0.0.0/16, 172.16.0.0/16, and 192.168.0.0/16. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as the VPC CIDR block.

  • Avoid conflicts with on-premises data centers or other networks: If you plan to connect the VPC to an on-premises network, another VPC, or another cloud, make sure that the VPC CIDR does not conflict with the CIDR blocks of these networks.

  • Reserve sufficient address space: Estimate the number of IP addresses required based on your potential business scale and select a sufficiently large CIDR block. This prevents complex recreation due to insufficient addresses.

  • Avoid conflicts with commonly used container network CIDR blocks: If you plan to use Docker or Kubernetes in the VPC, we recommend avoiding default container CIDR blocks such as 172.17.0.0/16 to prevent communication failures.

How do I assign an IPv6 CIDR block to a VPC? How do I access the Internet using an IPv6 address?

When you enable IPv6 for a VPC and a vSwitch, the system automatically creates an IPv6 gateway and assigns an IPv6 CIDR block. By default, this configuration supports only private network communication. If you require Internet access, enable IPv6 Internet bandwidth. For more information, see Enable/Disable IPv6.

Can I assign only an IPv6 CIDR block to a VPC to create an IPv6-only VPC?

No. VPC currently supports IPv4-only and dual-stack (IPv4 and IPv6).

How do I assign a private IP address to an existing ECS instance?

See Modify the primary private IPv4 address of an existing instance's primary ENI.

Why can't a Docker network and a VPC communicate if their CIDR blocks overlap?

This is a typical issue in cloud network planning. When the Docker or Kubernetes pod network deployed on an ECS instance overlaps with the CIDR block of another vSwitch in your VPC or the CIDR block of the peer VPC of a peering connection, a route conflict occurs, and communication fails.

  • Cause: Assume that the default Docker CIDR block is 172.17.0.0/16, and the CIDR block of vSwitch B in the VPC is 172.17.0.0/24. When an application in a Docker container tries to access an IP address in vSwitch B, the operating system of the ECS instance incorrectly routes the traffic to the local docker0 bridge based on its own route table, instead of forwarding it based on the VPC route table. This causes the communication to fail.

  • Solutions:

    1. Modify the Docker/Kubernetes network: Modify the configuration file of the Docker daemon process, such as /etc/docker/daemon.json, to specify a private CIDR block that does not conflict with your cloud network environment, including all connected VPCs and on-premises data centers. This is the most fundamental solution.

    2. Avoid pitfalls when planning VPC CIDR blocks: Avoid using CIDR blocks that are commonly used by Kubernetes, such as 172.17.0.0/16 and 10.0.0.0/8.
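As an added example (not code from this page), a longest-prefix-match lookup in Python run over two constructed route tables: the VPC route table from the earlier question about some peer addresses becoming unreachable (a more specific route overriding the peering route), and the ECS operating system's route table from the Docker case above, before and after the Docker range is changed. Gateway and peering IDs, the vSwitch CIDRs and the replacement Docker range are placeholders.

```python
"""Longest-prefix-match lookup applied to the two route-table cases in this FAQ:
(1) a more specific VPC route overriding the peering route for part of the peer
CIDR, and (2) the ECS operating system's own route table sending traffic for a
vSwitch to docker0 because Docker's default range overlaps it.
All route tables are constructed; IDs and addresses are placeholders."""
import ipaddress


def lookup(route_table, dst_ip):
    """Next hop of the most specific route containing dst_ip, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_hop = None, None
    for dest_cidr, next_hop in route_table:
        net = ipaddress.ip_network(dest_cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


# Case 1: requester VPC (10.0.0.0/16) peered with 192.168.0.0/16.  A /24 inside the
# peer CIDR was later pointed at a NAT gateway, so only hosts in that /24 "disappear".
VPC_ROUTES = [
    ("0.0.0.0/0", "NatGateway ngw-EXAMPLE"),
    ("192.168.0.0/16", "VpcPeer pcc-EXAMPLE"),
    ("192.168.5.0/24", "NatGateway ngw-EXAMPLE"),  # longer prefix, wins for 192.168.5.x
]

# Case 2: route table inside the ECS OS (the ECS instance is in vSwitch A, 10.0.1.0/24).
# Docker's default bridge owns 172.17.0.0/16; vSwitch B in the VPC is 172.17.0.0/24.
OS_ROUTES_DEFAULT_DOCKER = [
    ("0.0.0.0/0", "eth0 (VPC gateway)"),
    ("10.0.1.0/24", "eth0"),
    ("172.17.0.0/16", "docker0"),  # /16 beats the default route for 172.17.0.x
]
# Same host after the Docker daemon was given a non-conflicting range
# (for example "bip": "10.200.0.1/16" in /etc/docker/daemon.json; a constructed value).
OS_ROUTES_FIXED_DOCKER = [
    ("0.0.0.0/0", "eth0 (VPC gateway)"),
    ("10.0.1.0/24", "eth0"),
    ("10.200.0.0/16", "docker0"),
]


def vpc_case():
    """(host in the overridden /24, host elsewhere in the peer CIDR)."""
    return lookup(VPC_ROUTES, "192.168.5.10"), lookup(VPC_ROUTES, "192.168.6.10")


def docker_case():
    """Where the OS sends a packet for 172.17.0.10 (vSwitch B) before and after the fix."""
    return (lookup(OS_ROUTES_DEFAULT_DOCKER, "172.17.0.10"),
            lookup(OS_ROUTES_FIXED_DOCKER, "172.17.0.10"))


if __name__ == "__main__":
    print("VPC route table:", vpc_case())
    print("ECS OS route table:", docker_case())
```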

How do I configure the CIDR block of an IPAM pool to prevent conflicts between a VPC, data center, or cloud platform?

  1. Before you enable IP Address Manager (IPAM), review all your network environments to be connected, including data centers, office networks, and other clouds. Record all used CIDR blocks.

  2. When you provision a CIDR block for an IPAM pool, make sure that the CIDR blocks already in use are covered by the pool.

  3. Reserve these CIDR blocks by creating a custom allocation in the IPAM pool.

  4. All subsequent VPC CIDR blocks are allocated by IPAM. Because all used CIDR blocks are recorded by IPAM, the new CIDR blocks it allocates do not conflict with existing ones.
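As an added example (not from this page or from the IPAM service), two Python helpers for the planning rules in this section: validate_vpc_cidr applies the selection principles from "Which CIDR block should I select when I create a VPC?" and allocate_from_pool hands out the next free block of a pool once the in-use blocks are reserved, which is the behaviour the IPAM steps above describe and also how a VPC block is carved into vSwitch blocks. The pool, reserved blocks and candidate CIDRs are constructed values.

```python
"""Two helpers for the CIDR planning steps in this FAQ.  validate_vpc_cidr applies
the selection rules (RFC 1918, blocked ranges, no overlap with connected networks,
stay clear of Docker's default); allocate_from_pool returns the next free block of
a pool after the in-use blocks are reserved, which is how an IPAM pool (or a VPC
carved into vSwitches) avoids conflicts.  All inputs are constructed samples."""
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges the FAQ lists as unusable for a VPC CIDR block.
NOT_ALLOWED = [ipaddress.ip_network(c)
               for c in ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]
DOCKER_DEFAULT = ipaddress.ip_network("172.17.0.0/16")


def validate_vpc_cidr(candidate, connected_networks):
    """Problems with choosing `candidate` as a VPC CIDR block (empty list = OK).
    connected_networks: CIDRs of on-premises, other VPCs or other clouds to be connected."""
    net = ipaddress.ip_network(candidate)
    issues = []
    if not any(net.subnet_of(p) for p in RFC1918):
        issues.append(f"{net} is outside RFC 1918 and is treated as a public range")
    if any(net.overlaps(b) for b in NOT_ALLOWED):
        issues.append(f"{net} overlaps a range that cannot be used as a VPC CIDR block")
    for other in connected_networks:
        if net.overlaps(ipaddress.ip_network(other)):
            issues.append(f"{net} overlaps connected network {other}")
    if net.overlaps(DOCKER_DEFAULT):
        issues.append(f"{net} overlaps the Docker default bridge range {DOCKER_DEFAULT}")
    return issues


def allocate_from_pool(pool, reserved, prefixlen):
    """First /prefixlen block inside `pool` that overlaps none of `reserved`, or None."""
    pool_net = ipaddress.ip_network(pool)
    if prefixlen < pool_net.prefixlen:
        return None  # requested block is larger than the pool itself
    taken = [ipaddress.ip_network(r) for r in reserved]
    for cand in pool_net.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    return None  # pool exhausted


if __name__ == "__main__":
    # Constructed: a data center uses 10.10.0.0/16 and another VPC uses 192.168.0.0/16.
    in_use = ["10.10.0.0/16", "192.168.0.0/16"]
    for cand in ("172.17.0.0/16", "10.10.0.0/24", "100.64.0.0/16", "10.20.0.0/16"):
        print(cand, validate_vpc_cidr(cand, in_use) or "OK")
    # IPAM-style pool: reserve the in-use blocks, then hand out the next free /16.
    print("next free /16:", allocate_from_pool("10.0.0.0/8", in_use + ["10.0.0.0/16"], 16))
    # The same routine carves vSwitch blocks out of a VPC block.
    print("next free vSwitch /24:", allocate_from_pool("10.20.0.0/16", ["10.20.0.0/24"], 24))
```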

Does HaVip support IPv6?

No. Currently, only IPv4 is supported.

VPC and vSwitch deletion

What do I do if a VPC or vSwitch cannot be deleted due to dependent resources?

Follow the instructions in the console to delete the dependent resources, and then delete the VPC or vSwitch.

View the existing resources on the VPC instance details page under Resource Management or under Resource in the vSwitch instance details page.

What do I do if an ENI cannot be deleted when I delete a VPC?

An ENI is a common type of resource that may prevent you from deleting a VPC or vSwitch.

  • Primary ENI: A primary ENI is created together with an ECS instance, and its lifecycle is bound to the ECS instance. A primary ENI cannot be detached or deleted separately. You must release the ECS instance to delete its primary ENI.

  • Secondary ENI: Detach it from the ECS instance before deleting the ENI.

  • Managed by other cloud services: Some cloud services, such as Application Load Balancer (ALB), Network Load Balancer (NLB), Container Service for Kubernetes (ACK), and Function Compute (FC), automatically create and manage ENIs. To delete these ENIs, you must go to the cloud service console and delete the service instance, such as an ACK cluster. The service then automatically deletes the ENIs it created.

Routing

Do CEN and transit routers automatically add routes for secondary CIDR blocks?

If the route propagation feature is enabled for the VPC connection on the transit router (TR), and a vSwitch is created in the VPC using a secondary CIDR block, the TR automatically learns the system route of the vSwitch.

TR supports automatic propagation only for system routes of a VPC. For custom routes, you must manually propagate the routes from the VPC route table to CEN or add the routes in CEN.

Does a VPC have a vRouter?

Yes. Each VPC has one and only one vRouter, which can maintain multiple route tables.

You can query the ID of the vRouter to which a route table belongs on the VPC console - Route Tables page or using the DescribeRouteTables API.

How do I configure routes for a VPC peering connection?

After a VPC peering connection is established and activated, the two VPCs cannot communicate with each other by default when they do not have a route that directs traffic to the peer VPC through the peering connection. You must add routes that point to the peering connection in the route tables of both VPCs.

For more information, see Configure routes.

What do I enter for the destination CIDR block of a route?

The destination CIDR block defines the destination IP addresses to which this route applies.

  • Exact match: Enter the CIDR block to which you want to send data packets. For example, to access a peer VPC (192.168.0.0/16), enter 192.168.0.0/16.

  • Default route: 0.0.0.0/0 represents all IPv4 addresses. By directing traffic destined for 0.0.0.0/0 to a NAT gateway, you can enable ECS instances without public IP addresses in a VPC to access the Internet through the NAT gateway.

Why must I configure routes for both the requester and accepter VPCs of a peering connection?

Network communication is bidirectional. When configuring routes, both the request traffic and the response traffic should be considered. If you configure a route for only one VPC, the network connection may fail.

Can I set the destination CIDR block of a route to the CIDR block of a vSwitch?

Yes, but this is not recommended.

Best practice: When you configure routes for a VPC peering connection or VPN Gateway, set the destination CIDR block to the VPC CIDR block, rather than a vSwitch CIDR block. This simplifies management. Use a specific vSwitch CIDR block only if you have fine-grained access control requirements.

Network O&M and monitoring

How do I monitor the Internet traffic of a VPC?

Use flow log or the Network Intelligence Service-Traffic Analyzer feature of your VPC to collect traffic information from Internet components, such as Internet NAT gateways and IPv4 gateways. For more information, see Flow log and Traffic analyzer.

How do I view the network topology of a VPC?

Use the Network Intelligence Service - VPC Topology feature to generate a VPC network topology graph.

Billing

How is VPC billed?

The following VPC features are billed:

The following VPC features are in public preview and are currently free of charge:

  • IPAM

  • HaVip

Free features:

  • VPC and vSwitch

  • Secondary CIDR block and reserved CIDR block

  • DNS hostname and DHCP options set

  • Route table and prefix list

  • VPC sharing

  • ClassicLink and gateway endpoint

  • IPv4 gateway and network ACL

You are charged for cloud resources you created in a VPC. For more information, see the billing for the corresponding resources.

Are VPC peering connections a paid service?

  • Intra-region: Free of charge. This applies to both same-account and cross-account connections.

  • Inter-region: Cloud Data Transfer charges a data transfer fee based on outbound traffic.

How do I stop the billing of a VPC peering connection to save costs?

  • Intra-region peering connections are free of charge. Deleting them does not affect your costs.

  • For inter-region peering connections, delete the peering connection to stop incurring data transfer fees.