You can use resource sharing to share vSwitches in non-default VPCs with other Alibaba Cloud accounts. This allows vSwitch participants to create cloud resources, such as ECS instances and ApsaraDB for RDS instances, within a shared vSwitch. A vSwitch participant can only view and manage the resources they create and cannot view, modify, or delete resources created by other accounts.
How it works
After Account A shares its vSwitch with Accounts B, C, and D, each account can create cloud resources within the shared vSwitch. These cloud resources share the IP address space of the vSwitch and can communicate with each other by default. The vSwitch owner (Account A) can also configure network ACLs or security groups to isolate traffic between vSwitches or cloud resources.
Typical use cases for a shared VPC:
- Centralized enterprise network management: A network operations team centrally plans, configures, and manages VPCs, and shares the vSwitches with business units. The business units can then create and manage resources such as ECS instances in the shared vSwitches based on their business needs, without managing network configuration.
- Simplified multi-account network operations: Share vSwitches with multiple accounts to eliminate the need to configure a separate VPC for each account. This significantly reduces the number of VPCs and simplifies network operations in multi-account environments.
Limitations
- The default VPC does not support sharing. You must create a custom VPC before you can use the shared VPC feature. If you have existing cloud resources in a default VPC, consider migrating or recreating them in a non-default VPC.
- Before using a shared VPC for existing cloud resources, review Supported cloud resource types and Permissions for vSwitch owners and participants to determine if this approach is applicable. If it is applicable, we recommend that you recreate the existing resources in the shared VPC. If the cloud resources support cross-VPC migration, you can also migrate them directly to the shared VPC. If this approach is not applicable or if recreation or migration is not feasible, use a VPC peering connection or Cloud Enterprise Network (CEN) to enable cross-account network communication.
Supported cloud resource types
- ECS instance
- SLB instance
- ApsaraDB for RDS instance
- Container Service Terway component
- ApsaraDB for MongoDB instance
- ApsaraDB for Redis instance
- ApsaraMQ for Kafka instance
- Elasticsearch
- Container Registry (ACR) instance
- PolarDB for MySQL cluster
- ApsaraMQ for RocketMQ instance
- Microservices Engine (MSE) instance
Permissions for vSwitch owners and participants
For a shared vSwitch:
| Resource | vSwitch owner | vSwitch participant |
| --- | --- | --- |
| Cloud resources (such as ECS and ApsaraDB for RDS instances) | Can only view and manage the resources it creates; cannot access resources created by other accounts. | Can only view and manage the resources it creates; cannot access resources created by other accounts. |
| Security groups | Can only view and manage the security groups it creates; cannot access security groups created by other accounts. | Can only view and manage the security groups it creates; cannot access security groups created by other accounts. |
| Elastic network interfaces (ENIs) | Can call the DescribeNetworkInterfaces operation to view ENIs created by participants, but cannot manage them. | Can only view and manage the ENIs that it creates. |
| VPC, vSwitch, route table, network ACL, and secondary CIDR block | All permissions | View-only |
| Reserved CIDR blocks | All permissions | No permissions |
| IPv6 gateway | All permissions | |
| Flow logs | | Can create only ENI-level flow logs. These flow logs apply only to ENIs owned by the vSwitch participant. |
| NAT gateway, VPN gateway, Cloud Enterprise Network, VPC peering connection | All permissions | Cannot view or manage these network resources, but can use them to connect to networks outside the VPC. |
| Tag | Tagging is unaffected by sharing. Both the vSwitch owner and vSwitch participants can tag their own resources. These tags are independent and not visible to other accounts. | Tagging is unaffected by sharing. Both the vSwitch owner and vSwitch participants can tag their own resources. These tags are independent and not visible to other accounts. |
After a vSwitch is unshared:
| Resource | vSwitch participant |
| --- | --- |
| Cloud resources (such as ECS and ApsaraDB for RDS instances) | You can continue to manage the cloud resources you created but cannot create new ones. |
| vSwitch and its associated resources | You can no longer view the shared vSwitch or its associated resources, such as the VPC, route tables, private CIDR blocks, and network ACLs. |
| Tags | The system deletes the tags you configured on the shared vSwitch. |
Create cloud resources in a shared vSwitch
A vSwitch owner can share a vSwitch with any Alibaba Cloud account or only with accounts within a resource directory. After the owner enables sharing, participants can create cloud resources in the shared vSwitch.
Console
Step 1: Enable sharing
This section describes how to share a vSwitch with any account. To share resources only within a resource directory, see Share resources only within a resource directory.
- Log on to the vSwitch owner's Alibaba Cloud account and navigate to the Resource Sharing > Resources I Share page in the Resource Management console. In the top navigation bar, select the region where the resource is located, and click Create Resource Share. On the page that appears, perform the following steps:
  - Step 1: Enter a Resource Share Name and select the vSwitch that you want to share.
  - Step 2: The system selects the AliyunRSDefaultPermissionVSwitch permission by default.
  - Step 3: In the Principal Scope section, select All Accounts. For Method, select Add Manually. Enter the Alibaba Cloud account ID of the vSwitch participant, and then click Add.
  - Step 4: Review the configuration and click Confirm.
- Log on to the vSwitch participant's account to accept the sharing invitation:
  - Go to the Resource Sharing > Resources Shared with Me page in the Resource Management console.
  - In the top navigation bar, select the region where the shared resource is located. Find the target resource share and click Accept in the Status column.
  - After you accept the invitation, you can access the shared vSwitch. Any new resources added to this resource share are accepted automatically.
Step 2: Create a cloud resource
Log on to the vSwitch participant's account:
- Go to the vSwitches page in the VPC console. In the top navigation bar, select the region of the shared vSwitch. You can then see the shared vSwitch, which is marked as "from sharing".
- To create an ECS, ApsaraDB for RDS, or SLB instance, find the target shared vSwitch and click Add Cloud Service in the Actions column.
- For other supported cloud resource types, select the shared vSwitch when you create the resource.
API
Step 1: Enable sharing
- Method 1: Share with any account
  - Use the credentials of the vSwitch owner to call the CreateResourceShare operation to create a resource share. Make sure to set the AllowExternalTargets parameter to True.
  - Use the credentials of the vSwitch participant to call the ListResourceShareInvitations operation to query received invitations, and then call the AcceptResourceShareInvitation operation to accept an invitation.
- Method 2: Share only within a resource directory
  - Use the credentials of the management account of the resource directory to call the EnableSharingWithResourceDirectory operation to enable sharing within the resource directory.
  - Use the credentials of the vSwitch owner to call the CreateResourceShare operation to create a resource share. Make sure to set the AllowExternalTargets parameter to False.
Step 2: Create a cloud resource
Log on to the vSwitch participant's account and perform the following steps:
- Call the DescribeVSwitches operation to obtain a list of vSwitches.
- From the list, filter for shared vSwitches where the ShareType parameter is Sharing.
- Call the API operation to create the desired cloud resource, such as RunInstances for an ECS instance. In the request, specify the shared vSwitch.
Terraform
Step 1: Enable sharing
A vSwitch owner creates a resource share:
Terraform currently supports sharing only within a resource directory. Before you proceed, make sure that the management account of the resource directory has enabled sharing for the resource directory.
Resources: alicloud_resource_manager_resource_share, alicloud_resource_manager_shared_resource, and alicloud_resource_manager_shared_target
```hcl
# Specify the region.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the resource share name.
resource "alicloud_resource_manager_resource_share" "example_unit" {
  resource_share_name = "example_unit_name"
}

# Specify the vSwitch to share.
resource "alicloud_resource_manager_shared_resource" "example_vsw" {
  resource_share_id = alicloud_resource_manager_resource_share.example_unit.id
  resource_id       = "vsw-bp1omg98fixldnwcxxxxx" # Replace with the actual ID of the shared vSwitch.
  resource_type     = "VSwitch"                   # The resource type is VSwitch.
}

# Specify the participant of the shared vSwitch.
resource "alicloud_resource_manager_shared_target" "example_target" {
  resource_share_id = alicloud_resource_manager_resource_share.example_unit.id
  target_id         = "10xxxxxxxxxxxxxx" # Replace with the actual UID of the vSwitch participant.
}
```
Step 2: Create a cloud resource
The following example shows how a vSwitch participant creates an ECS instance in a shared vSwitch:
Resources: alicloud_security_group and alicloud_instance
Data Sources: alicloud_vswitches
```hcl
# Specify the region.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the shared vSwitch.
variable "vsw_id" {
  default = "vsw-bp1omg98fixldnwcxxxxx" # Replace with the actual ID of the shared vSwitch.
}

# Obtain information about the target shared vSwitch.
data "alicloud_vswitches" "example_vsw" {
  ids = [var.vsw_id]
}

# Create a security group in the VPC that the shared vSwitch belongs to.
resource "alicloud_security_group" "example_sg" {
  security_group_name = "example_sg_name"
  vpc_id              = data.alicloud_vswitches.example_vsw.vswitches[0].vpc_id
}

# Create an ECS instance in the shared vSwitch.
resource "alicloud_instance" "example_ecs" {
  instance_name        = "example_ecs_name"
  instance_type        = "ecs.e-c1m1.large"
  security_groups      = [alicloud_security_group.example_sg.id]
  vswitch_id           = var.vsw_id
  image_id             = "aliyun_3_x64_20G_alibase_20250117.vhd"
  system_disk_category = "cloud_essd"
}
```
Manage shared vSwitches and participants
A vSwitch owner can perform the following management tasks:
- View shared vSwitches
- View participants of a shared vSwitch
- Share more vSwitches
- Share a vSwitch with more accounts
Console
- Go to the Resource Sharing > Resources I Share page. In the top navigation bar, select the region where the shared resources are located.
- On the Resources I Share page, you can perform the following operations:
  - View shared vSwitches: Click the Shared Resources tab.
  - View participants of a shared vSwitch: Click the Principals tab.
- Click the Resource Shares tab, find the target resource share, and then click its ID.
- Click the Resources or Principals tab to view the shared vSwitches and participants in this resource share. If the Status on the Resources and Principals tabs is Associated, the resources and principals are successfully associated with the share.
- On the page of the target resource share, click Edit Resource Share in the upper-right corner. You can perform the following actions within this resource share:
  - Add or remove shared vSwitches: In Step 1, select or clear the checkboxes for the vSwitches.
  - Add or remove participants: In Step 3, add or remove account UIDs.
- Review the configuration and, in Step 4 of the Edit Resource Share page, click Confirm.
API
A vSwitch owner can view shared vSwitches and their participants by using the following operations:
- Call the ListSharedResources operation to view a list of shared vSwitches.
- Call the ListSharedTargets operation to view a list of participants for the shared vSwitches.
A vSwitch owner can manage shared vSwitches and participants within a resource share by using the following operations:
- Call the ListResourceShareAssociations operation to view the vSwitches or participants in a resource share.
- Call the AssociateResourceShare operation to add a vSwitch or participant to a resource share.
- Call the DisassociateResourceShare operation to remove a vSwitch or participant from a resource share.
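The following Python script is an added example, not Alibaba Cloud's own code, showing how a vSwitch owner can combine the ListSharedResources and ListSharedTargets output with the AllowExternalTargets setting from Step 1 of the API procedure to confirm that each shared vSwitch reaches only the accounts it is meant to and stays within the per-vSwitch principal quota. The three sample responses are constructed inline and their field names are assumptions about the response format; in practice they would come from the SDK calls named above.

```python
from collections import defaultdict

# Constructed sample data shaped like ListResourceShares, ListSharedResources and
# ListSharedTargets responses (field names are assumptions; IDs are placeholders).
RESOURCE_SHARES = {"ResourceShares": [
    {"ResourceShareId": "rs-aaaa", "ResourceShareName": "bu-prod", "AllowExternalTargets": False},
    {"ResourceShareId": "rs-bbbb", "ResourceShareName": "partner-test", "AllowExternalTargets": True},
]}
SHARED_RESOURCES = {"SharedResources": [
    {"ResourceShareId": "rs-aaaa", "ResourceId": "vsw-xxxx1", "ResourceType": "VSwitch", "ResourceStatus": "Associated"},
    {"ResourceShareId": "rs-bbbb", "ResourceId": "vsw-xxxx1", "ResourceType": "VSwitch", "ResourceStatus": "Associated"},
    {"ResourceShareId": "rs-bbbb", "ResourceId": "vsw-xxxx2", "ResourceType": "VSwitch", "ResourceStatus": "Associating"},
]}
SHARED_TARGETS = {"SharedTargets": [
    {"ResourceShareId": "rs-aaaa", "TargetId": "1000000000000001"},
    {"ResourceShareId": "rs-aaaa", "TargetId": "1000000000000002"},
    {"ResourceShareId": "rs-bbbb", "TargetId": "1000000000000002"},
    {"ResourceShareId": "rs-bbbb", "TargetId": "2000000000000009"},
]}
PER_VSWITCH_QUOTA = 50  # default of vpc_quota_sharedvpc_share_user_num_per_vswitch


def audit_shares(shares, resources, targets, allowed_accounts):
    """Map each shared vSwitch to its principals and flag risky findings.
    Only VSwitch entries with ResourceStatus Associated grant access, so others are skipped."""
    external = {s["ResourceShareId"] for s in shares["ResourceShares"] if s.get("AllowExternalTargets")}
    targets_by_share = defaultdict(set)
    for t in targets["SharedTargets"]:
        targets_by_share[t["ResourceShareId"]].add(t["TargetId"])
    report = {}
    for r in resources["SharedResources"]:
        if r["ResourceType"] != "VSwitch" or r["ResourceStatus"] != "Associated":
            continue
        entry = report.setdefault(r["ResourceId"], {"principals": set(), "external_shares": set()})
        entry["principals"] |= targets_by_share[r["ResourceShareId"]]
        if r["ResourceShareId"] in external:  # share admits accounts outside the resource directory
            entry["external_shares"].add(r["ResourceShareId"])
    for entry in report.values():
        # Principals missing from the owner's allow-list, and headroom against the per-vSwitch quota
        entry["unexpected"] = entry["principals"] - set(allowed_accounts)
        entry["near_quota"] = len(entry["principals"]) >= 0.8 * PER_VSWITCH_QUOTA  # 80% threshold is this example's choice
    return report


if __name__ == "__main__":
    report = audit_shares(RESOURCE_SHARES, SHARED_RESOURCES, SHARED_TARGETS, {"1000000000000001", "1000000000000002"})
    for vsw, e in report.items():
        print(vsw, sorted(e["principals"]), "unexpected:", sorted(e["unexpected"]), "external:", sorted(e["external_shares"]))
```

With the sample data, vsw-xxxx1 is reported as reachable by an account outside the allow-list through the share that allows external targets, while vsw-xxxx2 is omitted because its association is still pending.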
More information
Billing
The shared VPC feature is free of charge. However, resource owners and participants are billed for the cloud resources they create, such as ECS instances and ApsaraDB for RDS instances.
Supported regions
| Area | Regions |
| --- | --- |
| Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong) |
| Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
| Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia) |
| Middle East | Saudi Arabia (Riyadh) - Partner Region |
Quotas
| Quota name | Description | Default limit | Adjustable |
| --- | --- | --- | --- |
| vpc_quota_sharedvpc_share_user_num_per_vpc | The maximum number of vSwitch principals with which you can share a VPC. | 50 | Yes. To request a quota increase, go to the Quota Management page or Quota Center. |
| vpc_quota_sharedvpc_share_user_num_per_vswitch | The maximum number of vSwitch principals with which you can share a vSwitch. | 50 | |
| vpc_quota_sharedvpc_accept_shared_vswitch_num | The maximum number of shared vSwitches that a vSwitch principal can accept. | 30 | |