
Virtual Private Cloud: Shared VPC

Last Updated: Jun 20, 2026

You can use resource sharing to share vSwitches in non-default VPCs with other Alibaba Cloud accounts. This allows vSwitch participants to create cloud resources, such as ECS instances and ApsaraDB for RDS instances, within a shared vSwitch. A vSwitch participant can only view and manage the resources they create and cannot view, modify, or delete resources created by other accounts.

How it works


After Account A shares its vSwitch with Accounts B, C, and D, each account can create cloud resources within the shared vSwitch. These cloud resources share the IP address space of the vSwitch and can communicate with each other by default. The vSwitch owner (Account A) can also configure network ACLs or security groups to isolate traffic between vSwitches or cloud resources.

Typical use cases for a shared VPC:

  • Centralized enterprise network management: A network operations team centrally plans, configures, and manages VPCs, and shares the vSwitches with business units. The business units can then create and manage resources such as ECS instances in the shared vSwitches based on their business needs, without managing network configuration.

  • Simplified multi-account network operations: Share vSwitches with multiple accounts to eliminate the need to configure a separate VPC for each account. This significantly reduces the number of VPCs and simplifies network operations in multi-account environments.

Limitations

  1. The default VPC does not support sharing. You must create a custom VPC before you can use the shared VPC feature. If you have existing cloud resources in a default VPC, consider migrating or recreating them in a non-default VPC.

  2. Before using a shared VPC for existing cloud resources, review Supported cloud resource types and Permissions for vSwitch owners and participants to determine if this approach is applicable. If it is applicable, we recommend that you recreate the existing resources in the shared VPC. If the cloud resources support cross-VPC migration, you can also migrate them directly to the shared VPC. If this approach is not applicable or if recreation or migration is not feasible, use a VPC peering connection or Cloud Enterprise Network (CEN) to enable cross-account network communication.

Supported cloud resource types

  • ECS instance

  • SLB instance

  • ApsaraDB for RDS instance

  • Container Service Terway component

  • ApsaraDB for MongoDB instance

  • ApsaraDB for Redis instance

  • ApsaraMQ for Kafka instance

  • Elasticsearch

  • Container Registry (ACR) instance

  • PolarDB for MySQL cluster

  • ApsaraMQ for RocketMQ instance

  • Microservices Engine (MSE) instance

Permissions for vSwitch owners and participants

For a shared vSwitch:

Cloud resources (such as ECS and ApsaraDB for RDS instances)

  • vSwitch owner and vSwitch participant: Each account can only view and manage the resources it creates. They cannot access resources created by other accounts.

Security groups

  • vSwitch owner and vSwitch participant: Each account can only view and manage the security groups it creates. They cannot access security groups created by other accounts.

Elastic network interfaces (ENIs)

  • vSwitch owner: Can call the DescribeNetworkInterfaces operation to view ENIs created by participants, but cannot manage them.

  • vSwitch participant: You can only view and manage the ENIs that you create.

VPC, vSwitch, route table, network ACL, and secondary CIDR block

  • vSwitch owner: All permissions

  • vSwitch participant: View-only

Reserved CIDR blocks

  • vSwitch owner: All permissions

  • vSwitch participant: No permissions

IPv6 gateway

  • vSwitch owner: All permissions

  • vSwitch participant:

    • Assign or unassign private IPv6 addresses for resources such as ECS instances, ENIs, and NLB instances.

    • Can view IPv6 addresses within your own account.

    • You can manage public bandwidth for IPv6 addresses in your account, including enabling or disabling bandwidth and setting or deleting egress-only rules. You are billed for this public bandwidth usage.

Flow logs

  • vSwitch owner:

    • Can create VPC-level and vSwitch-level flow logs. These flow logs apply only to ENIs owned by the vSwitch owner.

    • Can create ENI-level flow logs. These flow logs apply only to ENIs owned by the vSwitch owner.

  • vSwitch participant: Can create only ENI-level flow logs. These flow logs apply only to ENIs owned by the vSwitch participant.

NAT gateway, VPN gateway, Cloud Enterprise Network, VPC peering connection

  • vSwitch owner: All permissions

  • vSwitch participant: You cannot view or manage these network resources but can use them to connect to networks outside the VPC.

Tag

  • vSwitch owner and vSwitch participant: Tagging is unaffected by sharing. Both the vSwitch owner and vSwitch participants can tag their own resources. These tags are independent and not visible to other accounts.

After a vSwitch is unshared:

Cloud resources (such as ECS and ApsaraDB for RDS instances)

  • vSwitch participant: You can continue to manage the cloud resources you created but cannot create new ones.

vSwitch and its associated resources

  • vSwitch participant: You can no longer view the shared vSwitch or its associated resources, such as the VPC, route tables, private CIDR blocks, and network ACLs.

Tags

  • vSwitch participant: The system deletes the tags you configured on the shared vSwitch.

Create cloud resources in a shared vSwitch

A vSwitch owner can share a vSwitch with any Alibaba Cloud account or only with accounts within a resource directory. After the owner enables sharing, participants can create cloud resources in the shared vSwitch.

Console

Step 1: Enable sharing

This section describes how to share a vSwitch with any account. To share resources only within a resource directory, see Share resources only within a resource directory.

  1. Log on to the vSwitch owner's Alibaba Cloud account and navigate to the Resource Sharing > Resources I Share page in the Resource Management console. In the top navigation bar, select the region where the resource is located, and click Create Resource Share. On the page that appears, perform the following steps:

    Step 1: Enter a Resource Share Name and select the vSwitch that you want to share.

    Step 2: The system selects the AliyunRSDefaultPermissionVSwitch permission by default.

    Step 3: In the Principal Scope section, select All Accounts. For Method, select Add Manually. Enter the Alibaba Cloud account ID of the vSwitch participant, and then click Add.

    Step 4: Review the configuration and click Confirm.

  2. Log on to the vSwitch participant's account to accept the sharing invitation:

    1. Go to the Resource Sharing > Resources Shared with Me page in the Resource Management console.

    2. In the top navigation bar, select the region where the shared resource is located. Find the target resource share and click Accept in the Status column.

    3. After you accept the invitation, you can access the shared vSwitch. Any new resources added to this resource share are accepted automatically.

Step 2: Create a cloud resource

Log on to the vSwitch participant's account:

  1. Go to the vSwitches page in the VPC console. In the top navigation bar, select the region of the shared vSwitch. You can then see the shared vSwitch, which is marked as "from sharing".

  2. To create an ECS, ApsaraDB for RDS, or SLB instance, find the target shared vSwitch and click Add Cloud Service in the Actions column.

  3. For other supported cloud resource types, select the shared vSwitch when you create the resource.

API

Step 1: Enable sharing

  • Method 1: Share with any account

    1. Use the credentials of the vSwitch owner to call the CreateResourceShare operation to create a resource share. Make sure to set the AllowExternalTargets parameter to True.

    2. Use the credentials of the vSwitch participant to call the ListResourceShareInvitations operation to query received invitations, and then call the AcceptResourceShareInvitation operation to accept an invitation.

  • Method 2: Share only within a resource directory

    1. Use the credentials of the management account of the resource directory to call the EnableSharingWithResourceDirectory operation to enable sharing within the resource directory.

    2. Use the credentials of the vSwitch owner to call the CreateResourceShare operation to create a resource share. Make sure to set the AllowExternalTargets parameter to False.

Step 2: Create a cloud resource

Log on to the vSwitch participant's account and perform the following steps:

  1. Call the DescribeVSwitches operation to obtain a list of vSwitches.

  2. From the list, filter for shared vSwitches where the ShareType parameter is Sharing.

  3. Call the API operation to create the desired cloud resource, such as RunInstances for an ECS instance. In the request, specify the shared vSwitch.
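The filter in step 2, extended with an owner check so that a participant only deploys into vSwitches shared by an expected network account. This is an added example, not code from the original page or from Alibaba Cloud: the response is constructed, TRUSTED_OWNERS is a hypothetical allowlist, and OwnerId and Status are DescribeVSwitches response fields that this page does not name.

```python
# Added example, not from the original page. Field names follow the
# DescribeVSwitches response; every ID below is constructed.
SAMPLE_RESPONSE = {"VSwitches": {"VSwitch": [
    {"VSwitchId": "vsw-constructed-a", "VpcId": "vpc-constructed-net",
     "ShareType": "Sharing", "OwnerId": 1000000000000001, "Status": "Available"},
    {"VSwitchId": "vsw-constructed-b", "VpcId": "vpc-constructed-own",
     "ShareType": "", "OwnerId": 1000000000000002, "Status": "Available"},
    {"VSwitchId": "vsw-constructed-c", "VpcId": "vpc-constructed-x",
     "ShareType": "Sharing", "OwnerId": 9000000000000009, "Status": "Available"},
    {"VSwitchId": "vsw-constructed-d", "VpcId": "vpc-constructed-net",
     "ShareType": "Sharing", "OwnerId": 1000000000000001, "Status": "Pending"},
]}}

# Hypothetical allowlist: account IDs of the central network team.
TRUSTED_OWNERS = {"1000000000000001"}


def select_shared_vswitches(response, trusted_owners):
    """Split shared-in vSwitches into usable ones and rejected ones with a reason."""
    usable, rejected = [], []
    for vsw in response.get("VSwitches", {}).get("VSwitch", []):
        if vsw.get("ShareType") != "Sharing":
            continue                      # not shared in from another account
        vsw_id, owner = vsw["VSwitchId"], str(vsw.get("OwnerId", ""))
        if owner not in trusted_owners:
            rejected.append((vsw_id, f"unexpected owner {owner}"))
        elif vsw.get("Status") != "Available":
            rejected.append((vsw_id, f"status {vsw.get('Status')}"))
        else:
            # VpcId is returned too: the security group must be created in it.
            usable.append({"VSwitchId": vsw_id, "VpcId": vsw["VpcId"]})
    return usable, rejected


if __name__ == "__main__":
    ok, bad = select_shared_vswitches(SAMPLE_RESPONSE, TRUSTED_OWNERS)
    print("usable:", ok)
    print("rejected:", bad)
```
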

Terraform

Step 1: Enable sharing

A vSwitch owner creates a resource share:

Terraform currently supports sharing only within a resource directory. Before you proceed, make sure that the management account of the resource directory has enabled sharing for the resource directory.

Resources: alicloud_resource_manager_resource_share, alicloud_resource_manager_shared_resource, and alicloud_resource_manager_shared_target

# Specify the region.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the resource share name.
resource "alicloud_resource_manager_resource_share" "example_unit" {
  resource_share_name = "example_unit_name"
}

# Specify the vSwitch to share.
resource "alicloud_resource_manager_shared_resource" "example_vsw" {
  resource_share_id = alicloud_resource_manager_resource_share.example_unit.id
  resource_id       = "vsw-bp1omg98fixldnwcxxxxx" # Replace with the actual ID of the shared vSwitch.
  resource_type     = "VSwitch"                   # The resource type is VSwitch.
}

# Specify the participant of the shared vSwitch.
resource "alicloud_resource_manager_shared_target" "example_target" {
  resource_share_id = alicloud_resource_manager_resource_share.example_unit.id
  target_id         = "10xxxxxxxxxxxxxx" # Replace with the actual UID of the vSwitch participant.
}

Step 2: Create a cloud resource

The following example shows how a vSwitch participant creates an ECS instance in a shared vSwitch:

Resources: alicloud_security_group and alicloud_instance

Data Sources: alicloud_vswitches

# Specify the region.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the shared vSwitch.
variable "vsw_id" {
  default = "vsw-bp1omg98fixldnwcxxxxx" # Replace with the actual ID of the shared vSwitch.
}

# Obtain information about the target shared vSwitch.
data "alicloud_vswitches" "example_vsw" {
  ids = [var.vsw_id]
}

# Create a security group.
resource "alicloud_security_group" "example_sg" {
  security_group_name = "example_sg_name"
  vpc_id              = data.alicloud_vswitches.example_vsw.vswitches[0].vpc_id
}

# Create an ECS instance.
resource "alicloud_instance" "example_ecs" {
  instance_name        = "example_ecs_name"
  instance_type        = "ecs.e-c1m1.large"
  security_groups      = [alicloud_security_group.example_sg.id]
  vswitch_id           = var.vsw_id
  image_id             = "aliyun_3_x64_20G_alibase_20250117.vhd"
  system_disk_category = "cloud_essd"
}

Manage shared vSwitches and participants

A vSwitch owner can perform the following management tasks:

  • View shared vSwitches

  • View participants of a shared vSwitch

  • Share more vSwitches

  • Share a vSwitch with more accounts

Console

  1. Go to the Resource Sharing > Resources I Share page. In the top navigation bar, select the region where the shared resources are located.

  2. On the Resources I Share page, you can perform the following operations:

    • View shared vSwitches: Click the Shared Resources tab.

    • View participants of a shared vSwitch: Click the Principals tab.

  3. Click the Resource Shares tab, find the target resource share, and then click its ID.

  4. Click the Resources or Principals tab to view the shared vSwitches and participants in this resource share.

    If the Status on the Resources and Principals tabs is Associated, the resources and principals are successfully associated with the share.

    Common causes of association failures

    If the Status in the Resources and Principals sections shows Association Failed, the sharing operation failed. The failure may be caused by one of the following reasons. Please troubleshoot the issue and then add the vSwitch that you want to share:

    • The vSwitch participant's account is the same as the owner's. An owner cannot share a vSwitch with their own account.

    • The number of vSwitch participants for a single VPC has exceeded the quota. The default quota is 50.

    • The number of vSwitch participants for a single vSwitch within a VPC has exceeded the quota. The default quota is 50.

    • The number of shared vSwitches accepted by a single vSwitch participant has exceeded the quota. The default quota is 30.

  5. On the page of the target resource share, click Edit Resource Share in the upper-right corner. You can perform the following actions within this resource share:

    • Add or remove shared vSwitches: In Step 1, select or clear the checkboxes for the vSwitches.

    • Add or remove participants: In Step 3, add or remove account UIDs.

  6. Review the configuration and, in Step 4 of the Edit Resource Share page, click Confirm.
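The API procedure for enabling sharing sets AllowExternalTargets to True or False, and the list of common association failures above names the self-share and participant-quota causes. The following added example (not code from the original page or from Alibaba Cloud) checks both before a share is created or edited. The rd_members and approved_external allowlists and all account IDs are hypothetical, the quota check assumes the quotas count distinct accounts, and the per-participant quota of 30 accepted vSwitches is not checked here.

```python
from dataclasses import dataclass, field

# Default quotas stated on this page; change them if your quota was increased.
QUOTA_PER_VSWITCH = 50
QUOTA_PER_VPC = 50


@dataclass
class SharePlan:
    allow_external_targets: bool = False   # value to send as AllowExternalTargets
    targets: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def plan_share(owner_id, requested, rd_members, approved_external,
               vswitch_participants=(), vpc_participants=()):
    """Pre-flight a share request. All inputs hold account ID strings.

    rd_members and approved_external are hypothetical allowlists kept by the
    network team. The quota check assumes quotas count distinct accounts.
    """
    plan = SharePlan()
    for target in dict.fromkeys(requested):           # de-duplicate, keep order
        if target == owner_id:
            plan.errors.append(f"{target}: owner cannot share with its own account")
        elif target in rd_members:
            plan.targets.append(target)
        elif target in approved_external:
            plan.targets.append(target)
            plan.allow_external_targets = True        # only when really needed
        else:
            plan.errors.append(f"{target}: not in resource directory, not approved")
    per_vswitch = set(vswitch_participants) | set(plan.targets)
    per_vpc = set(vpc_participants) | per_vswitch
    if len(per_vswitch) > QUOTA_PER_VSWITCH:
        plan.errors.append(f"vSwitch participants {len(per_vswitch)} > {QUOTA_PER_VSWITCH}")
    if len(per_vpc) > QUOTA_PER_VPC:
        plan.errors.append(f"VPC participants {len(per_vpc)} > {QUOTA_PER_VPC}")
    return plan


# Constructed account IDs, for illustration only.
OWNER = "1000000000000001"
RD_MEMBERS = {"1000000000000002", "1000000000000003"}
APPROVED_EXTERNAL = {"2000000000000009"}

if __name__ == "__main__":
    print(plan_share(OWNER, ["1000000000000002"], RD_MEMBERS, APPROVED_EXTERNAL))
```

A plan with an empty errors list can be passed on to CreateResourceShare; allow_external_targets stays False unless an approved external account is among the targets.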

API

A vSwitch owner can view shared vSwitches and their participants by using the following operations:

A vSwitch owner can manage shared vSwitches and participants within a resource share by using the following operations:

More information

Billing

The shared VPC feature is free of charge. However, resource owners and participants are billed for the cloud resources they create, such as ECS instances and ApsaraDB for RDS instances.

Supported regions

  • Asia Pacific - China: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong)

  • Asia Pacific - Others: Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)

  • Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

  • Middle East: Saudi Arabia (Riyadh) - Partner Region

Quotas

  • vpc_quota_sharedvpc_share_user_num_per_vpc

    • Description: The maximum number of vSwitch principals with which you can share a VPC.

    • Default limit: 50

    • Adjustable: Yes. To request a quota increase, go to the Quota Management page or Quota Center.

  • vpc_quota_sharedvpc_share_user_num_per_vswitch

    • Description: The maximum number of vSwitch principals with which you can share a vSwitch.

    • Default limit: 50

  • vpc_quota_sharedvpc_accept_shared_vswitch_num

    • Description: The maximum number of shared vSwitches that a vSwitch principal can accept.

    • Default limit: 30