A VPC peering connection is a network connection between two VPCs, supporting both IPv4 and IPv6. You can create an IPv4 or IPv6 connection between two VPCs within the same or across different accounts, and within the same or across different regions.
Scenario
A company has established VPC1 and VPC2 in the China (Beijing) and China (Shanghai) regions respectively.
To secure resource access, the company sets up a peering connection between VPC1 and VPC2. Because inter-region traffic stays on the private network, this mitigates common security threats such as data leakage and DDoS attacks.
Before you create a VPC peering connection across accounts, make sure that both the requester and accepter have a VPC in place.
Procedure
Step 1: Create a VPC peering connection
Log on to the VPC console. In the top navigation bar, select the region where the requester VPC is located, which is China (Beijing) in this example. In the left-side navigation pane, click VPC Peering Connection.
If you have not used VPC peering connection before, click Activate CDT on the VPC Peering Connection page, and then click OK in the dialog box.
Note: To create a VPC peering connection across accounts, ensure that the accepter has enabled the Cloud Data Transfer (CDT) feature.
Go to the VPC Peering Connection page, click Create VPC Peering Connection, and set the parameters as follows:
Note: You can create four types of VPC peering connections: intra-region same-account, inter-region same-account, intra-region cross-account, and inter-region cross-account.
When the accepter account is Same-Account, the system automatically establishes the connection after the requester initiates the request. No action is required from the accepter.
When the accepter account is Cross-Account, the accepter must accept the peering request before the VPC peering connection can be created. The accepter may also reject the request, which terminates the VPC peering connection process. The steps to be taken by the accepter are as follows:
Log on to the VPC console with the accepter account. In the left-side navigation pane, click VPC Peering Connection.
Find the target VPC peering connection on the VPC Peering Connection page. Currently, the status of the connection is Accepting. Decide whether to accept the request:
Accept: The status changes from Accepting to Updating.
When the status changes to Activated, it indicates the connection is ready for use.
Reject: The status changes from Accepting to Rejected.
A Rejected VPC peering connection cannot be used. You can Delete it from either the requester or the accepter end.
If the accepter takes no action on a cross-account VPC peering connection request, the connection status changes to Expired after 7 days.
Step 2: Configure routes
After a VPC peering connection has been created and Activated, you need to add route entries that point to the peer VPC on both ends to enable the connection.
Find the VPC peering connection on the VPC Peering Connection page and click Configure Route in either the Requester VPC or Accepter VPC column.
Configure the IPv4 or IPv6 route entries for both the requester and accepter VPCs. Below is an example of configuring an IPv4 route entry.
For cross-account peering connections, log on to the VPC console with the accepter account. Enter the IPv4 or IPv6 CIDR block of the requester VPC to add a route for the accepter VPC.
Step 3: Verify connectivity
Log on to the ECS1 instance and access the private IP address of the ECS2 instance.
Log on to the ECS2 instance and access the private IP address of the ECS1 instance.
If you receive the return message shown in the preceding figures, it indicates VPC1 and VPC2 are connected. After verification, you can deploy and use business applications in the two connected VPCs for secure access.
If you experience network connectivity issues, use the Network Intelligence Service (NIS) and reverse path analytics to diagnose configuration issues and verify the connectivity of bidirectional paths. Make sure the following configurations are set up correctly:
The IPv4/IPv6 route entries of the VPCs at both ends of the peering connection have been configured correctly: the destination CIDR block is that of the peer VPC and the next hop is the VPC peering connection.
The inbound and outbound rules of the ECS security group allow traffic from the peer IP address.
The inbound and outbound rules of the network ACLs associated with the vSwitches allow traffic from the peer IP address.
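The route and security group items of this checklist can be verified offline against the configuration of both ends. The following is an added example written for this page, not code from Alibaba Cloud: it runs the checks on constructed sample data for VPC1 and VPC2, where the peering connection ID, the CIDR blocks and the next-hop type VpcPeer are assumptions, and the network ACL check is left out (it would follow the same pattern as the security group check).

```python
import ipaddress

# Constructed sample data (not from the page). Route entries use the field names
# of the CreateRouteEntry API (DestinationCidrBlock, NextHopType, NextHopId);
# the next-hop type "VpcPeer" is assumed here for the peering connection.
PEER_CONN_ID = "pcc-placeholder"  # placeholder peering connection ID
VPC1 = {  # requester, China (Beijing): route and security group are correct
    "name": "VPC1", "cidr": "10.0.0.0/16",
    "routes": [{"DestinationCidrBlock": "172.16.0.0/16",
                "NextHopType": "VpcPeer", "NextHopId": PEER_CONN_ID}],
    "sg_rules": [{"Direction": "ingress", "Policy": "Accept", "Cidr": "172.16.0.0/16"},
                 {"Direction": "egress", "Policy": "Accept", "Cidr": "0.0.0.0/0"}],
}
VPC2 = {  # accepter, China (Shanghai): return route still points at an ECS instance
    "name": "VPC2", "cidr": "172.16.0.0/16",
    "routes": [{"DestinationCidrBlock": "10.0.0.0/16",
                "NextHopType": "Instance", "NextHopId": "i-placeholder"}],
    "sg_rules": [{"Direction": "ingress", "Policy": "Accept", "Cidr": "10.0.0.0/16"},
                 {"Direction": "egress", "Policy": "Accept", "Cidr": "10.0.0.0/16"}],
}

def covers(rule_cidr, peer_cidr):
    """True if rule_cidr is the same IP version as peer_cidr and contains all of it."""
    rule, peer = ipaddress.ip_network(rule_cidr), ipaddress.ip_network(peer_cidr)
    return rule.version == peer.version and peer.subnet_of(rule)

def route_ok(route_entries, peer_cidr, peer_conn_id):
    """True if an entry reaches the whole peer CIDR via this peering connection."""
    return any(e["NextHopType"] == "VpcPeer" and e["NextHopId"] == peer_conn_id
               and covers(e["DestinationCidrBlock"], peer_cidr) for e in route_entries)

def sg_allows(rules, direction, peer_cidr):
    """True if an Accept rule in the given direction covers the peer CIDR."""
    return any(r["Direction"] == direction and r["Policy"] == "Accept"
               and covers(r["Cidr"], peer_cidr) for r in rules)

def check_peering(vpc_a, vpc_b, peer_conn_id):
    """Run the checklist on both ends; an empty list means everything is in place."""
    findings = []
    for this, peer in ((vpc_a, vpc_b), (vpc_b, vpc_a)):
        if not route_ok(this["routes"], peer["cidr"], peer_conn_id):
            findings.append(f'{this["name"]}: no route to {peer["cidr"]} via {peer_conn_id}')
        for direction in ("ingress", "egress"):
            if not sg_allows(this["sg_rules"], direction, peer["cidr"]):
                findings.append(f'{this["name"]}: no {direction} rule for {peer["cidr"]}')
    return findings

if __name__ == "__main__":
    print("\n".join(check_peering(VPC1, VPC2, PEER_CONN_ID)) or "checklist passed")
```

With the sample data the only finding is the missing return route in VPC2, which is exactly the one-directional failure that reverse path analytics is meant to surface.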
Related steps
Delete a VPC peering connection
You can delete VPC peering connections that are no longer needed.
After you delete a VPC peering connection, the private network access is terminated and cannot be restored. Ensure that your business is not affected before deleting the connection and proceed with caution.
Go to the VPC Peering Connection page, find the VPC peering connection you want to remove, and click Delete in the Actions column.
In the dialog box that appears, click Confirm.
Natural deletion: Before deleting the VPC peering connection, you must remove the route entries that point to it from the route table.
Forceful deletion: The system automatically deletes the route entries that point to the VPC peering connection.
To forcefully delete the VPC peering connection, click I confirm that my services will not be affected and want to delete all the preceding VPC peering connections and routes.
Modify the bandwidth of an inter-region VPC peering connection
Go to the VPC Peering Connection page, find the inter-region VPC peering connection for which you want to adjust the bandwidth, and click its instance ID.
On the details page, find the Basic Information section and click Edit next to Bandwidth (Mbit/s).
In the dialog box that appears, enter the new bandwidth value and click OK.
The bandwidth value must be a positive integer and cannot exceed 1024.
Use PrivateLink to access the OpenAPI service of VPC peering connections
You can use PrivateLink to access the OpenAPI service of VPC peering connections in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), Hong Kong (China), Singapore, US (Silicon Valley), and US (Virginia).
Log on to the endpoint console. Go to the Endpoints page and click Create Endpoint.
On the Create Endpoint page, set up the endpoint based on the following table and click OK. Only the parameters pertinent to this topic are listed in the table; for the other parameters, see Create and manage endpoints. After the endpoint is created, the VPC peering connection API can be accessed by using the endpoint domain name vpcpeer.vpc-proxy.aliyuncs.com.

Parameter        | Description
Endpoint Type    | Interface Endpoint is chosen in this example.
Endpoint Service | Select an endpoint service. Alibaba Cloud service is chosen in this example. Then, select the endpoint service named com.aliyuncs.privatelink.cn-[Region-ID].vpcpeer.
References
For more details about VPC peering connections, such as introduction, scenarios, limits, and billing, see VPC peering connections.
For route configuration examples for VPC peering connections, see Examples of VPC peering connections.
You can also manage VPC peering connections by using the SDK, Terraform, or ROS to call the following APIs:
CreateVpcPeerConnection: Create a VPC peering connection.
DeleteVpcPeerConnection: Delete a VPC peering connection.
AcceptVpcPeerConnection: Accept a VPC peering connection request.
RejectVpcPeerConnection: Reject a VPC peering connection request.
GetVpcPeerConnectionAttribute: Query the details of a VPC peering connection.
ModifyVpcPeerConnection: Modify the name or description of a VPC peering connection.
CreateRouteEntry: Add a custom route entry.
DeleteRouteEntry: Delete a custom route entry.