Virtual Private Cloud: Use ClassicLink to connect classic network and VPC

Last Updated: Oct 23, 2024

The ClassicLink feature available in virtual private clouds (VPCs) allows Elastic Compute Service (ECS) instances in classic networks to communicate with resources in VPCs.

Important

ClassicLink is only supported in regions where classic networks are available. For more information on ClassicLink availability, see Instance quotas.

Overview

How it works

Connecting a classic network to a VPC uses the same underlying mechanism as connecting classic networks to each other, so internal network latency and bandwidth limits are the same before and after ClassicLink is enabled. Operations such as failover migration, hot migration, stopping, starting, rebooting, and changing system disks do not alter existing ClassicLink connections.

Classic networks and VPCs operate on separate network planes. By creating routes to bridge the planes, ClassicLink allows communication between the two types of networks. Therefore, proper address planning is essential to avoid conflicts.

Classic networks of Alibaba Cloud use the CIDR block 10.0.0.0/8 (10.111.0.0/16 is excluded). To establish a ClassicLink connection, ensure that the CIDR block of a VPC does not overlap with that of a classic network. The CIDR blocks that can communicate with classic networks include 10.111.0.0/16, 172.16.0.0/12, and 192.168.0.0/16.

Principles

After you create a ClassicLink connection between ECS instances in a classic network and a VPC:

  • ECS instances in the classic network gain access to resources in the VPC.

    Resources in the VPC, including ECS, Relational Database Service (RDS), and Server Load Balancer (SLB) instances, are accessible to ECS instances in the classic network. For example, if ECS instances in the classic network are linked to a VPC (CIDR block 10.0.0.0/8) whose vSwitch (CIDR block 10.111.1.0/24) has resources such as ECS and RDS instances, the ECS instances in the classic network can access instances deployed in the vSwitch through ClassicLink.

  • ECS instances in the VPC cannot access unconnected resources in the classic network.

    ECS instances in the VPC can only access connected ECS instances in the classic network. Unconnected resources in the classic network cannot be accessed by the VPC.

Scenarios

The following list outlines the ways to create a connection between ECS instances in classic networks and VPCs, grouped by initiator, region and account, and receiver.

Initiator: Classic network

  • Same region, same account

    Receiver in a classic network: Update security group rules in the same account.

    Receiver in a VPC: Create a ClassicLink connection.

  • Same region, cross-account

    Receiver in a classic network: Update the security group rules across accounts.

    Receiver in a VPC:

      1. Migrate ECS instances from the classic network to a VPC.

      2. Establish connectivity between the VPCs.

  • Cross-region, same account or cross-account

    Receiver in a classic network:

      1. Migrate ECS instances in the source and destination regions to separate VPCs.

      2. Connect the VPCs.

    Receiver in a VPC:

      1. Move ECS instances from the initiator to a VPC.

      2. Connect the VPCs.

Initiator: VPC

  • Same region, same account

    Receiver in a classic network: Initiate a ClassicLink connection.

    Receiver in a VPC: Connect the VPCs.

  • Same region, cross-account

    Receiver in a classic network:

      1. Migrate ECS instances connected to the classic network to a VPC.

      2. Connect the VPCs.

    Receiver in a VPC: Connect the VPCs.

  • Cross-region, same account or cross-account

    Receiver in a classic network:

      1. Migrate the ECS instances from the receiving classic network to a VPC.

      2. Connect the VPCs.

    Receiver in a VPC: Connect the VPCs.

Limits

Ensure that you understand the following limits before using ClassicLink:

  • A VPC can be associated with at most 1,000 ECS instances in classic networks.

  • An ECS instance in a classic network created by an account in a region can only be linked to one VPC.

  • ECS instances in classic networks can only communicate with ECS instances in the primary CIDR block of a VPC. Communication with instances in the secondary CIDR block is not supported.

  • The following conditions need to be met to enable ClassicLink for a VPC, listed by CIDR block.

    CIDR block 172.16.0.0/12:

    • Ensure that no custom route entry in the VPC has a destination CIDR block of 10.0.0.0/8.

    CIDR block 10.0.0.0/8:

    • Ensure that no custom route entry in the VPC has a destination CIDR block of 10.0.0.0/8.

    • Ensure that the vSwitch that communicates with the ECS instance in the classic network is within 10.111.0.0/16.

    CIDR block 192.168.0.0/16:

    • Ensure that no custom route entry in the VPC has a destination CIDR block of 10.0.0.0/8.

    • A custom route entry with a destination CIDR block of 192.168.0.0/16 needs to be created for the ECS instance in the classic network. Set the next hop as the private network interface controller (NIC). You can use the route script to add route entries.

      Note

      Before running the script, make sure that you read the readme.txt file in the script.
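
The per-CIDR conditions listed above can be checked against a VPC's configuration before ClassicLink is enabled. The following Python check is an added example, not Alibaba Cloud code; the function name classiclink_preflight, its inputs, and the sample values are illustrative, and it assumes that a listed CIDR block applies to any VPC CIDR that falls inside it.

```python
import ipaddress

CLASSIC = ipaddress.ip_network("10.0.0.0/8")        # classic network range
RESERVED = ipaddress.ip_network("10.111.0.0/16")    # excluded from the classic network
LINKABLE = [ipaddress.ip_network(c)
            for c in ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")]


def classiclink_preflight(vpc_cidr, linked_vswitch_cidrs, custom_route_dests):
    """Check a VPC against the ClassicLink conditions listed above.

    linked_vswitch_cidrs: vSwitches meant to talk to classic-network instances.
    Returns (blockers, actions): blockers must be fixed on the VPC side;
    actions are follow-up steps on the classic-network side.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    blockers, actions = [], []

    # Assumption: a listed block applies to any VPC CIDR inside it.
    row = next((b for b in LINKABLE if vpc.subnet_of(b)), None)
    if row is None:
        return [f"VPC CIDR {vpc} is not within a block listed for ClassicLink"], actions

    # Every block: no custom route entry may have destination 10.0.0.0/8.
    for dest in custom_route_dests:
        if ipaddress.ip_network(dest) == CLASSIC:
            blockers.append(f"custom route entry with destination {dest}")

    if row == CLASSIC:
        # Only vSwitches inside 10.111.0.0/16 can reach classic instances.
        for vsw in linked_vswitch_cidrs:
            if not ipaddress.ip_network(vsw).subnet_of(RESERVED):
                blockers.append(f"vSwitch {vsw} is outside {RESERVED}")
    elif str(row) == "192.168.0.0/16":
        actions.append("add a route to 192.168.0.0/16 via the private NIC "
                       "on each classic-network ECS instance")
    return blockers, actions


if __name__ == "__main__":
    # Constructed sample VPCs, not taken from a real account.
    samples = [
        ("10.0.0.0/8", ["10.111.1.0/24", "10.20.0.0/24"], ["10.0.0.0/8"]),
        ("192.168.0.0/16", ["192.168.1.0/24"], ["0.0.0.0/0"]),
    ]
    for vpc, vswitches, routes in samples:
        print(vpc, classiclink_preflight(vpc, vswitches, routes))
```
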

Manage ClassicLink

Enable or disable the ClassicLink feature

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC resides.

  3. On the VPC page, click the ID of the target VPC.

  4. On the details page, click Enable Classiclink in the upper-right corner.

  5. In the Enable Classiclink dialog box, click OK.

    Once ClassicLink is enabled, the status changes to Enabled.

You can disable ClassicLink when the connection is no longer required.

Note
  1. On the VPC page, click the ID of the target VPC.

  2. On the details page, click Disable Classiclink.

Create or cancel a ClassicLink connection

Note

Before you create a ClassicLink connection, ensure the following conditions are met:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, click Instances & Images > Instances. Select the region to which the instance belongs.

  3. On the Instance page, find the target ECS instance in the classic network. In the Actions column, select More > Network and Security Group > Set VPC Connection Status.

  4. In the Connect To VPC dialog box, select the VPC to be connected. Click Go to the instance security group list and add ClassicLink rules.

  5. In the security group list, click the security group ID. On the Security Group Rules page, click Add ClassicLink Rule.

  6. In the Add ClassicLink Rule dialog box, set up the ClassicLink security group rules as follows.

    • Classic Network Security Group: The security group for the classic network is displayed.

    • VPC-type Security Groups: Select a security group for the VPC.

    • Mode: Choose from the following authorization modes:

      • Classic Network <=> VPC: Mutual access between two types of networks. Recommended.

      • VPC => Classic Network: Unidirectional access from VPC resources to ECS instances in the classic network.

      • Classic Network => VPC: Unidirectional access from ECS instances in the classic network to resources in the VPC.

    • Protocol Type: Select the protocol for communication.

    • Port Range: Define the port range in the format xx/xx. For example, enter 80/80 for port 80.

    • Priority: Assign a priority level to the rule. Lower values signify higher priority.

You can disable a ClassicLink connection, which cuts connections between ECS instances in classic networks and the VPC.

  1. On the Instance page, find the classic network instance. In the Actions column, click More > Network and Security Group > Cancel VPC connection status.

  2. In the Unconnect the VPC dialog box, click OK.