Virtual private clouds (VPCs) are isolated from each other by default. To connect two VPCs whose CIDR blocks do not overlap, you can create a VPC peering connection and configure routes for both VPCs. Resources in two VPCs can access each other as if they are in the same network. VPC peering connections can be created between VPCs in either the same or different accounts, either in the same or different regions.
How it works
The following steps describe the VPC peering connection process, which involves a requester VPC and an accepter VPC:
The owner of the requester VPC creates a VPC peering connection.
If the accepter VPC is in the same account, the system automatically accepts the connection request and activates the connection.
If the accepter VPC is in another account, the owner must accept the request.
The owner of each VPC manually adds a route that points to the CIDR block of the other VPC, also called the peer VPC.
To connect multiple VPCs that require high bandwidth at a low cost, you can combine VPC peering connections and Cloud Enterprise Network (CEN). To learn their differences, see Connect VPCs.
Create a VPC peering connection
Console
Prerequisites:
The CIDR blocks of the two VPCs do not overlap. If they overlap, migrate your services to VPCs with non-overlapping CIDR blocks.
If this is your first time using a VPC peering connection, make sure that Cloud Data Transfer (CDT) is enabled for both VPCs.
Create a VPC peering connection:
Go to the VPC - VPC Peering Connection page. In the top navigation bar, select the region where the VPC is located and click Create VPC Peering Connection.
Select the accepter account type and accepter region type.
Accepter account type:
Same-Account: Automatically accepts the request and activates the connection. You can click Add route to peer VPC CIDR and the system configures the routes pointing to the peer VPC.
Cross-Account: The owner of the accepter account must go to the VPC console - VPC Peering Connection page. In the top navigation bar, select the region where the accepter VPC is located. Find the peering connection and click Accept in the Actions column.
The accepter can also Reject or Delete the connection request. To learn more about the process, see VPC peering connection lifecycle.
For Inter-Region connections, you must configure the Link Type and Accepter Region.
Platinum and Gold provide different levels of data transfer quality, and their billing prices differ accordingly.
Platinum (99.995% service availability): Recommended for services that are sensitive to jitter and latency and require high connection quality, such as securities trading, online voice calls, video conferencing, and real-time games.
Gold (99.95% service availability): Recommended for services that are not sensitive to connection quality, such as data synchronization and file transfers.
Configure routes:
To enable communication over IPv6, you must also configure a route that points to the IPv6 CIDR block of the peer VPC.
From the requester VPC: In the Requester VPC column, click Configure route. Select the Requester route table associated with the vSwitch and set Destination CIDR Block to the CIDR block of the accepter VPC.
From the accepter VPC: In the Accepter column, click Configure route. Select the Accepter route table associated with the vSwitch. Set Destination CIDR Block to the CIDR block of the requester VPC.
Verify connectivity:
Reachability Analyzer: No real data packets are sent and your services are not affected.
In the Diagnose column of the peering connection, choose . Alternatively, you can click the instance ID of the peering connection to go to the Reachability Analyzer tab.
Configure the source and destination. Specify the protocol and port to simulate a business scenario and check the connectivity.
The system checks the route, security group, and network ACL settings, and provides a diagnostic result.
If the one-way path is reachable, click reverse path analytics to check the reverse connectivity.
Manual verification: In an ECS instance in the requester VPC, run the ping <private IP of the peer ECS instance> command.
After you create an inter-region peering connection, click the instance ID and click Edit to modify its Bandwidth (Mbit/s) and Link Type.
Both the requester and accepter VPC can delete the peering connection. After a connection is deleted, private access is interrupted. This operation cannot be undone. Make sure your services are not interrupted by the deletion.
API
Create a peering connection
Call CreateVpcPeerConnection to create a VPC peering connection.
If the two VPCs belong to different accounts, the owner of the accepter account must call AcceptVpcPeerConnection to accept the VPC peering connection.
The accepter can call RejectVpcPeerConnection to reject the VPC peering connection.
The owners of both VPCs must call GetVpcPeerConnectionAttribute to query the CIDR blocks of the two VPCs.
The owners of both VPCs must call CreateRouteEntry to create routes that point to the peering connection.
Modify a cross-region peering connection
Call ModifyVpcPeerConnection to modify the bandwidth or link type of a cross-region VPC peering connection.
Delete a peering connection
Call DeleteRouteEntry to delete the routes that point to the peering connection.
Call DeleteVpcPeerConnection to delete the VPC peering connection.
Path analysis
Call the following API operations in sequence to use path analysis to check connectivity.
Terraform
Same-account peering connection
Resources: alicloud_vpc_peer_connection, alicloud_route_entry
Data Sources: alicloud_account
# The account to which the VPC belongs
data "alicloud_account" "default" {}
provider "alicloud" {
alias = "local"
region = "cn-hangzhou" # The region where the requester VPC is located.
}
provider "alicloud" {
alias = "accepting"
region = "cn-beijing" # The region of the accepter VPC. It can be the same as the region of the requester VPC. Configure this parameter based on the region of the accepter VPC.
}
# Requester VPC ID
variable "local_vpc_id" {
default = "vpc-bp1c******"
}
# Accepter VPC ID
variable "accepting_vpc_id" {
default = "vpc-2zev******"
}
# Create a VPC peering connection
resource "alicloud_vpc_peer_connection" "example_peer_connection" {
provider = alicloud.local
peer_connection_name = "example_peer_connection_name"
vpc_id = var.local_vpc_id # Requester VPC ID
accepting_ali_uid = data.alicloud_account.default.id # Accepter account ID
accepting_region_id = "cn-beijing" # The region where the accepter VPC is located
accepting_vpc_id = var.accepting_vpc_id # Accepter VPC ID
bandwidth = 1024 # The bandwidth in Mbit/s. You can configure this parameter only when the requester region and the accepter region are different.
link_type = "Gold" # The link type. You can configure this parameter only when the requester region and the accepter region are different.
}
# Configure a route for the requester VPC
resource "alicloud_route_entry" "example_local_route" {
provider = alicloud.local
route_table_id = "vtb-bp1a******" # The route table bound to the vSwitch where the requester instance is located
destination_cidrblock = "172.16.0.0/12" # The CIDR block of the accepter VPC
nexthop_type = "VpcPeer" # The next hop is a VPC peering connection
nexthop_id = alicloud_vpc_peer_connection.example_peer_connection.id
}
# Configure a route for the accepter VPC
resource "alicloud_route_entry" "example_acceptor_route" {
provider = alicloud.accepting
route_table_id = "vtb-2ze1******" # The route table bound to the vSwitch where the accepter instance is located
destination_cidrblock = "10.0.0.0/8" # The CIDR block of the requester VPC
nexthop_type = "VpcPeer" # The next hop is a VPC peering connection
nexthop_id = alicloud_vpc_peer_connection.example_peer_connection.id
}
Cross-account peering connection
Resources: alicloud_vpc_peer_connection, alicloud_vpc_peer_connection_accepter, alicloud_route_entry
provider "alicloud" {
alias = "local"
region = "cn-hangzhou" # The region of the requester VPC
}
# The region of the accepter VPC. It can be the same as the region of the requester VPC. You need to configure it based on the region of the accepter VPC.
variable "accepting_region" {
default = "cn-beijing"
}
# The accepter account
variable "accepting_uid" {
default = "1234******"
}
# The AccessKey ID of the accepter account
variable "access_key_id" {
description = "The AccessKey ID for operating your infrastructure"
}
# The AccessKey secret of the accepter account
variable "access_key_secret" {
description = "The AccessKey Secret for operating your infrastructure"
}
provider "alicloud" {
alias = "acceptor"
region = var.accepting_region
access_key = var.access_key_id
secret_key = var.access_key_secret
}
# Requester VPC ID
variable "local_vpc_id" {
default = "vpc-2ze0******"
}
# Accepter VPC ID
variable "accepting_vpc_id" {
default = "vpc-wz9e******"
}
# Create a VPC peering connection
resource "alicloud_vpc_peer_connection" "example_peer_connection" {
provider = alicloud.local
peer_connection_name = "example_peer_connection_name"
vpc_id = var.local_vpc_id # Requester VPC ID
accepting_ali_uid = var.accepting_uid # Accepter account ID
accepting_region_id = var.accepting_region # Accepter region
accepting_vpc_id = var.accepting_vpc_id # Accepter VPC ID
bandwidth = 1024 # The bandwidth in Mbit/s. You can configure this parameter only when the requester region and the accepter region are different.
link_type = "Gold" # The link type. You can configure this parameter only when the requester region and the accepter region are different.
}
# The accepter accepts the peering connection request
resource "alicloud_vpc_peer_connection_accepter" "example_peer_connection_accepter" {
provider = alicloud.acceptor
instance_id = alicloud_vpc_peer_connection.example_peer_connection.id
}
# Configure a route for the requester VPC
resource "alicloud_route_entry" "example_local_route" {
provider = alicloud.local
route_table_id = "vtb-2zel******" # The route table bound to the vSwitch where the requester instance is located
destination_cidrblock = "192.168.0.0/24" # The CIDR block of the accepter VPC
nexthop_type = "VpcPeer" # The next hop is a VPC peering connection
nexthop_id = alicloud_vpc_peer_connection.example_peer_connection.id
}
# Configure a route for the accepter VPC
resource "alicloud_route_entry" "example_acceptor_route" {
provider = alicloud.acceptor
route_table_id = "vtb-wz95******" # The route table bound to the vSwitch where the accepter instance is located
destination_cidrblock = "172.16.0.0/12" # The CIDR block of the requester VPC
nexthop_type = "VpcPeer" # The next hop is a VPC peering connection
nexthop_id = alicloud_vpc_peer_connection.example_peer_connection.id
}
Troubleshoot
First leverage Path Analysis to verify network connectivity.
Check item | Check content | Solution |
Connection status | The Status of the peering connection is Activated. | If the status is Accepting, the owner of the accepter account must accept the connection request. |
CIDR blocks | Check the requester and accepter CIDR blocks: | |
Routes | Check the Route Entry List on the peering connection details page: | Modify the route configurations. |
Access rules | | Make sure that security groups, network ACLs, and RDS instances whitelist all traffic from the peer IP address. |
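The prerequisite check (non-overlapping CIDR blocks) and the route checks in the table above can be scripted against the attributes the page says to query (status, both VPCs' CIDR blocks, and each side's route entries). The following is an added example written for this page, not Alibaba Cloud's own tooling or SDK: the peering record is a constructed sample in the shape of those attributes, the VPC IDs are placeholders, and the accepter's route is deliberately too narrow so that the checker reports it.

```python
import ipaddress

# Constructed sample in the shape of the attributes the page says to query:
# connection status, both VPCs' CIDR blocks, and the route entries each side
# configured as (destination CIDR, next hop type). IDs are placeholders.
SAMPLE_CONNECTION = {
    "status": "Activated",
    "requester": {"vpc_id": "vpc-requester-example", "cidrs": ["10.0.0.0/8"]},
    "accepter": {"vpc_id": "vpc-accepter-example", "cidrs": ["172.16.0.0/12"]},
    "requester_routes": [("172.16.0.0/12", "VpcPeer")],
    # Too narrow on purpose: it covers only part of the requester's 10.0.0.0/8.
    "accepter_routes": [("10.0.0.0/16", "VpcPeer")],
}


def cidrs_overlap(cidrs_a, cidrs_b):
    """Return the first overlapping (a, b) pair, or None if the sets are disjoint.
    IPv4 and IPv6 blocks are compared only against blocks of the same family."""
    for a in cidrs_a:
        for b in cidrs_b:
            na = ipaddress.ip_network(a, strict=False)
            nb = ipaddress.ip_network(b, strict=False)
            if na.version == nb.version and na.overlaps(nb):
                return (a, b)
    return None


def missing_peer_routes(routes, peer_cidrs):
    """Peer CIDRs that no VpcPeer route in this side's table fully covers.
    A route that is more specific than the peer CIDR does not count as covering it."""
    covered = [
        ipaddress.ip_network(dest, strict=False)
        for dest, nexthop_type in routes
        if nexthop_type == "VpcPeer"
    ]
    missing = []
    for cidr in peer_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == r.version and net.subnet_of(r) for r in covered):
            missing.append(cidr)
    return missing


def check_peering(conn):
    """Run the troubleshooting checklist; an empty list means every check passed."""
    findings = []
    if conn["status"] != "Activated":
        findings.append(f"status is {conn['status']}, not Activated")
    pair = cidrs_overlap(conn["requester"]["cidrs"], conn["accepter"]["cidrs"])
    if pair:
        findings.append(f"CIDR blocks overlap: {pair[0]} and {pair[1]}")
    for side, peer in (("requester", "accepter"), ("accepter", "requester")):
        for cidr in missing_peer_routes(conn[f"{side}_routes"], conn[peer]["cidrs"]):
            findings.append(
                f"{side} route table has no VpcPeer route covering {peer} CIDR {cidr}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_peering(SAMPLE_CONNECTION):
        print("FINDING:", finding)
```

Run it before creating the connection with the two CIDR lists alone (`cidrs_overlap`) to enforce the prerequisite, and after configuring routes with the full record to confirm both route tables point at the complete peer CIDR; a route with a next hop type other than VpcPeer is ignored on purpose, since it does not send traffic over the peering connection.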
Examples
Connect three VPCs
When you configure routes for a VPC peering connection:
Set the destination CIDR to the peer VPC CIDR to let all instances access each other.
Configure more specific routes, and set the destination CIDR to the vSwitch CIDR or the IP address of a specific instance in the peer VPC to enhance security. However, if a new instance requires communication, you must manually update the route table.
For example, VPC1 is configured with routes that point to the vSwitch 3 CIDR in VPC2 and ECS04 in VPC3. Resources in VPC1 can communicate only with resources in vSwitch 3 and ECS04 over private IP addresses. VPC2 and VPC3 are configured with routes pointing to the peer VPC CIDR, allowing for full communication between their resources.
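The three-VPC example above can be reproduced with a small longest-prefix-match simulation, which also shows why VPC2 and VPC3 cannot reach each other: peering routes are not propagated, so a destination in a third VPC simply has no matching route. This is an added example written for this page, not code from Alibaba Cloud; the VPC CIDR blocks, the vSwitch 3 and ECS04 addresses, and the peering connection IDs are all assumed for illustration.

```python
import ipaddress

# Constructed topology modelled on the page's three-VPC example. All addresses
# and peering connection IDs below are assumed, not real.
#   VPC1 10.0.0.0/16
#   VPC2 172.16.0.0/16, where vSwitch 3 = 172.16.3.0/24
#   VPC3 192.168.0.0/16, where ECS04   = 192.168.1.4
PEERINGS = {
    "pcc-vpc1-vpc2": {"VPC1", "VPC2"},
    "pcc-vpc1-vpc3": {"VPC1", "VPC3"},
}

ROUTE_TABLES = {
    # VPC1 uses the more specific style: only vSwitch 3 in VPC2 and the single
    # host ECS04 in VPC3 are reachable over private IP addresses.
    "VPC1": [
        ("10.0.0.0/16", "local"),
        ("172.16.3.0/24", "pcc-vpc1-vpc2"),
        ("192.168.1.4/32", "pcc-vpc1-vpc3"),
    ],
    # VPC2 and VPC3 point at the whole peer VPC CIDR.
    "VPC2": [("172.16.0.0/16", "local"), ("10.0.0.0/16", "pcc-vpc1-vpc2")],
    "VPC3": [("192.168.0.0/16", "local"), ("10.0.0.0/16", "pcc-vpc1-vpc3")],
}


def lookup(vpc, dst_ip, tables=ROUTE_TABLES):
    """Longest-prefix match in one VPC's route table; None if no route matches."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_hop = None, None
    for dest, nexthop in tables[vpc]:
        net = ipaddress.ip_network(dest)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return best_hop


def reachable(src_vpc, src_ip, dst_vpc, dst_ip, tables=ROUTE_TABLES):
    """True only when both directions resolve to the same peering connection
    between the two VPCs. Because peering routes are not propagated, a path
    that would have to transit a third VPC has no matching route and fails."""
    forward = lookup(src_vpc, dst_ip, tables)
    backward = lookup(dst_vpc, src_ip, tables)
    return (
        forward is not None
        and forward == backward
        and PEERINGS.get(forward) == {src_vpc, dst_vpc}
    )


if __name__ == "__main__":
    print(reachable("VPC1", "10.0.1.10", "VPC2", "172.16.3.10"))    # vSwitch 3: True
    print(reachable("VPC1", "10.0.1.10", "VPC2", "172.16.5.10"))    # other vSwitch: False
    print(reachable("VPC1", "10.0.1.10", "VPC3", "192.168.1.4"))    # ECS04: True
    print(reachable("VPC1", "10.0.1.10", "VPC3", "192.168.1.5"))    # new instance, no route: False
    print(reachable("VPC2", "172.16.3.10", "VPC3", "192.168.1.4"))  # no transit via VPC1: False
```

The last two calls illustrate the operational cost of specific routes that the text mentions: a new instance in VPC3 stays unreachable until a host route for it is added to VPC1's table, and VPC2 never gains a path to VPC3 through VPC1 no matter how VPC1's table is configured.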
Connect multiple VPCs to a central VPC
Branch VPCs can access services in the central VPC, but branch VPCs are not connected with each other. Use cases include:
Department isolation: Mutually isolated department VPCs need to access the central VPC.
User isolation: Services in a central VPC are accessed by user VPCs. Each user VPC communicates with the central VPC, but they are isolated from each other.
Monitoring and O&M
Monitoring data, such as bandwidth and packet loss rate, is available for inter-region peering connections. Use CloudMonitor to create threshold-based alert rules that monitor the connection status in real time, so that you can promptly detect and resolve network congestion or faults.
You cannot view the metrics of an intra-region peering connection.
Console
Monitor a peering connection
Go to the VPC - VPC Peering Connection page. In the top navigation bar, select the region where the VPC is located.
Click the icon in the Monitoring column of the target inter-region VPC peering connection to view metrics, such as bandwidth and packet loss.
CloudMonitor alerts
Go to the CloudMonitor - Alert Rules page, and click + Create Alert Rule.
Configure thresholds for each alert level. When a metric reaches its threshold, an alert notification is sent to the specified Alert Contact Group. View the alert timeline by clicking Alert History in the Actions column of the alert rule.
In the Actions column of the alert rule, you can Modify, Disable, or Delete the rule.
API
Call PutResourceMetricRules to set multiple threshold-based alert rules for the specified metrics of a VPC peering connection. For more information, see CloudMonitor metrics for peering connections.
Call EnableMetricRules to enable one or more alert rules.
Call DisableMetricRules to disable alert rules.
Call DeleteMetricRules to delete one or more alert rules.
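A threshold-based alert rule has four moving parts: the per-period statistic, a comparison operator, the threshold, and the number of times the comparison must hold before the rule fires. The following is an added example written for this page, not CloudMonitor's own evaluation code, that walks constructed per-period samples of a metric through those semantics. It assumes (as stated in the code) that the comparison must hold for the configured number of consecutive periods to enter the alarm state and that a single non-breaching period returns the rule to OK; the sample values are illustrative.

```python
# Constructed per-period samples of a metric such as IntranetRX, already
# summed per 60-second statistical period (bytes). Values are illustrative.
SAMPLE_PERIODS = [
    ("12:00", 20_000_000),
    ("12:01", 150_000_000),  # first breach of a 100 MiB threshold
    ("12:02", 160_000_000),  # second consecutive breach: alert fires here
    ("12:03", 170_000_000),  # still breached, alert stays active
    ("12:04", 5_000_000),    # recovered
]

OPERATORS = {
    ">=": lambda value, threshold: value >= threshold,
    ">": lambda value, threshold: value > threshold,
    "<=": lambda value, threshold: value <= threshold,
    "<": lambda value, threshold: value < threshold,
}


def evaluate_rule(periods, threshold, comparison=">=", times=2):
    """Walk the samples in order and return the list of (period, state) transitions.

    Assumed semantics: the rule enters ALARM once the comparison holds for
    `times` consecutive periods, and returns to OK on the first period where
    it does not hold. Only transitions are reported, so a steady state
    produces no entries."""
    compare = OPERATORS[comparison]
    consecutive_breaches = 0
    state = "OK"
    transitions = []
    for label, value in periods:
        if compare(value, threshold):
            consecutive_breaches += 1
        else:
            consecutive_breaches = 0
        new_state = "ALARM" if consecutive_breaches >= times else "OK"
        if new_state != state:
            transitions.append((label, new_state))
            state = new_state
    return transitions


if __name__ == "__main__":
    # 104857600 bytes = 100 MiB, the same threshold shape as a Sum/">="/times=2 rule.
    for label, state in evaluate_rule(SAMPLE_PERIODS, threshold=104_857_600):
        print(label, state)
```

Raising `times` suppresses alerts on a single noisy period at the cost of slower detection; with the sample data, `times=1` fires at 12:01 instead of 12:02.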
Terraform
Configure threshold-based alert rules. For more information, see CloudMonitor metrics for peering connections.
Resources: alicloud_cms_alarm_contact, alicloud_cms_alarm_contact_group, alicloud_cms_alarm
# The ID of the peering connection instance to be monitored
variable "vpc_peer_id" {
default = "pcc-28cv******"
}
# Create an alert contact
resource "alicloud_cms_alarm_contact" "example_cms_alarm_contact" {
alarm_contact_name = "example_cms_alarm_contact_name"
describe = "example_vpc_peer_alarm"
channels_mail = "xxx@xxx.com" # Change it to your email address.
lifecycle {
ignore_changes = [channels_mail]
}
}
# Create an alert contact group
resource "alicloud_cms_alarm_contact_group" "example_cms_alarm_contact_group" {
alarm_contact_group_name = "example_cms_alarm_contact_group"
contacts = [alicloud_cms_alarm_contact.example_cms_alarm_contact.id] # Alert contact
}
# Create an alert rule
resource "alicloud_cms_alarm" "example_cms_alarm" {
name = "example_cms_alarm_name"
project = "acs_vpcpeer" # The data namespace of the cloud service
metric = "IntranetRX" # The name of the metric
period = 60 # The statistical period
contact_groups = [alicloud_cms_alarm_contact_group.example_cms_alarm_contact_group.alarm_contact_group_name]
effective_interval = "06:00-20:00" # The effective period
metric_dimensions = <<EOF
[
{
"instanceId": "${var.vpc_peer_id}"
}
]
EOF
escalations_critical { # Critical-level alert
statistics = "Sum" # The statistical method for the alert
comparison_operator = ">=" # The comparison operator for the threshold
threshold = 104857600 # The threshold
times = 2 # The number of consecutive times the threshold must be reached before the alert is triggered
}
}
FAQ
Are cross-border peering connections supported?
Yes. VPC peering connections support the following scenarios:
Non-cross-border: Connects two regions in the Chinese mainland, or two regions outside the Chinese mainland.
Cross-border: Connects a region in the Chinese mainland to a region outside the Chinese mainland. Make sure that your account has completed business identity verification.
Why can't I select the accepter VPC when creating a peering connection?
Ensure you choose the correct region and account.
The region displayed at the top of the page is the requester region, and the account you are logged on is the requester account. Make sure you choose the correct accepter account and region when creating the peering connection.
Why does an ECS instance with Docker installed fail after configuring a peering connection?
If the routes and security group rules are correctly configured, the issue is usually caused by a conflict between the Docker network interface card address and the destination CIDR. Run the ip addr command to check for conflicts.
If there is a conflict, modify the Docker CIDR to make sure it does not conflict with the destination CIDR. Follow these steps:
Stopping Docker or modifying its CIDR interrupts services. Perform these operations during off-peak hours.
When modifying the Docker CIDR, make sure that it is compatible with the network settings of all existing containers and applications.
Run sudo systemctl stop docker to stop the Docker service.
Run sudo vim /etc/docker/daemon.json to edit and save the Docker configuration file. The Docker configuration file is usually /etc/docker/daemon.json or /etc/docker/daemon.conf. The specific file name may vary. The file content is as follows:
{ "bip":"new Docker CIDR block" }
Run sudo systemctl start docker to start the Docker service and verify the changes.
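The conflict check described above can be automated: parse the `ip addr` output, find every interface whose address range overlaps the destination CIDR of the peer VPC, and only then generate a daemon.json whose new bridge address is verified not to overlap. This is an added example written for this page, not Docker's or Alibaba Cloud's own tooling; the `ip addr` text is a constructed sample (the docker0 address 172.17.0.1/16 is Docker's common default, the other addresses are assumed), and the replacement bridge address is a placeholder.

```python
import ipaddress
import json
import re

# Constructed, abbreviated `ip addr` output. The docker0 bridge sits in
# 172.17.0.0/16, which collides with a peer VPC CIDR of 172.16.0.0/12.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    inet 10.0.1.10/24 brd 10.0.1.255 scope global eth0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
"""

_IFACE_LINE = re.compile(r"^\d+: ([^:@]+)[:@]")
_INET_LINE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+/\d+)")


def parse_ip_addr(text):
    """Map each interface name to its list of IPv4 addresses in CIDR form."""
    result, current = {}, None
    for line in text.splitlines():
        iface = _IFACE_LINE.match(line)
        if iface:
            current = iface.group(1)
            result.setdefault(current, [])
            continue
        inet = _INET_LINE.match(line)
        if inet and current is not None:
            result[current].append(inet.group(1))
    return result


def conflicting_interfaces(text, destination_cidr):
    """Interfaces whose network overlaps the peer VPC's destination CIDR."""
    dest = ipaddress.ip_network(destination_cidr, strict=False)
    hits = []
    for iface, cidrs in parse_ip_addr(text).items():
        for cidr in cidrs:
            if ipaddress.ip_interface(cidr).network.overlaps(dest):
                hits.append((iface, cidr))
    return hits


def daemon_json_for(new_bip, destination_cidr):
    """Content for /etc/docker/daemon.json that moves the docker0 bridge to new_bip
    (the bridge's own address with prefix, e.g. 192.168.250.1/24). Refuses a
    bridge address that would overlap the destination CIDR again."""
    bridge = ipaddress.ip_interface(new_bip)  # ValueError if malformed
    if bridge.network.overlaps(ipaddress.ip_network(destination_cidr, strict=False)):
        raise ValueError(f"{new_bip} still overlaps {destination_cidr}")
    return json.dumps({"bip": new_bip}, indent=2)


if __name__ == "__main__":
    peer_cidr = "172.16.0.0/12"  # assumed CIDR of the peer VPC
    print("conflicts:", conflicting_interfaces(SAMPLE_IP_ADDR, peer_cidr))
    print(daemon_json_for("192.168.250.1/24", peer_cidr))  # placeholder bridge address
```

Run `parse_ip_addr` on the real output of `ip addr` on the ECS instance; any hit other than docker0 (for example a VPN or container-network interface) points to a conflict that changing the Docker bridge alone will not fix.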
More information
Limits
You cannot create a VPC peering connection when one VPC belongs to an account of Alibaba Cloud China Website (www.aliyun.com) and the other to the Alibaba Cloud International Website (www.alibabacloud.com).
VPC peering connections do not support route propagation.
For example, if VPC 2 and VPC 3 are both connected to VPC 1 using peering connections, VPC 2 and VPC 3 are not directly connected.
In a shared VPC, the resource owner can create, modify, or delete peering connections, but the principal does not have these permissions.
Billing
No fees are charged for intra-region VPC peering connections, regardless of whether the two VPCs belong to the same or different accounts.
For inter-region VPC peering connections, Cloud Data Transfer (CDT) charges data transfer fees for outbound traffic.
The unit price varies by region and link type.
The billing cycle is hourly. If you switch the link type within a cycle, you'll be charged at the higher service tier's rate for that entire hour.
A VPC peering connection is created between VPC1 and VPC2 that belong to different accounts in different regions. Assume that the outbound traffic is 200 GB from VPC1 and 100 GB from VPC2. The link type is Gold. The inter-region data transfer fee from China (Hohhot) to China (Guangzhou) is 0.072 USD/GB. Fees for two accounts are:
Account A: USD 0.072/GB × 200 GB = USD 14.4
Account B: USD 0.072/GB × 100 GB = USD 7.2
VPC peering connection lifecycle
After a connection request is sent, a VPC peering connection goes through the following stages:
For same-account connections, the system automatically initiates and accepts the request and activates the connection.
Status description
Supported regions
Area | Regions |
Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region, Closing Down), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region, Closing Down) |
Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia) |
Middle East | UAE (Dubai) and SAU (Riyadh - Partner Region) |
Quotas
Quota name | Description | Default quota | Increase quota |
vpc_quota_cross_region_peer_num_per_vpc | The number of inter-region VPC peering connections that a single VPC can have. | 20 | Go to the Quota Management page or Quota Center to request a quota increase. |
vpc_quota_intra_region_peer_num_per_vpc | The number of intra-region VPC peering connections that a single VPC can have. | 10 | |
vpc_quota_peer_num | The number of VPC peering connections that a single Alibaba Cloud account can create in a region. | 20 | |
vpc_quota_peer_cross_border_bandwidth | The maximum cross-border bandwidth. | 1,024 Mbps | |
vpc_quota_peer_cross_region_bandwidth | The maximum cross-region bandwidth. | 1,024 Mbps | |