The ClassicLink feature available in virtual private clouds (VPCs) allows Elastic Compute Service (ECS) instances in classic networks to communicate with resources in VPCs.
ClassicLink is only supported in regions where classic networks are available. For more information on ClassicLink availability, see Instance quotas.
Overview
How it works
ClassicLink connects classic networks with VPCs through the same underlying mechanism that connects classic networks with each other, so internal network latency and bandwidth limits are the same before and after you enable ClassicLink. Operations such as failover migration, hot migration, stopping, starting, rebooting, and changing system disks do not alter existing ClassicLink connections.
Classic networks and VPCs operate on separate network planes. By creating routes to bridge the planes, ClassicLink allows communication between the two types of networks. Therefore, proper address planning is essential to avoid conflicts.
Classic networks of Alibaba Cloud use the CIDR block 10.0.0.0/8 (10.111.0.0/16 is excluded). To establish a ClassicLink connection, ensure that the CIDR block of a VPC does not overlap with that of a classic network. The CIDR blocks that can communicate with classic networks include 10.111.0.0/16, 172.16.0.0/12, and 192.168.0.0/16.
Principles
After you create a ClassicLink connection between ECS instances in a classic network and a VPC:
ECS instances in the classic network gain access to resources in the VPC.
Resources in the VPC, including ECS, Relational Database Service (RDS), and Server Load Balancer (SLB) instances, are accessible to ECS instances in the classic network. For example, if ECS instances in the classic network are linked to a VPC (CIDR block 10.0.0.0/8) whose vSwitch (CIDR block 10.111.1.0/24) has resources such as ECS and RDS instances, the ECS instances in the classic network can access instances deployed in the vSwitch through ClassicLink.
ECS instances in the VPC can access only the connected ECS instances in the classic network. Unconnected resources in the classic network cannot be accessed from the VPC.
Scenarios
The following table outlines the ways to create a connection between ECS instances in classic networks and VPCs.
Initiator | Region/Account | Receiver/Internal Connectivity: Classic network | Receiver/Internal Connectivity: VPC
Classic network | Same region, same account | Update security group rules in the same account. | Create ClassicLink connection
Classic network | Same region, cross-account | Update the security group rules cross account. |
Classic network | Cross-region, same account | |
Classic network | Cross-region, cross-account | |
VPC | Same region, same account | Initiate a ClassicLink connection. | Connect the VPCs.
VPC | Same region, cross-account | |
VPC | Cross-region, same account | |
VPC | Cross-region, cross-account | |
Limits
Ensure that you understand the following limits before using ClassicLink:
A VPC can be associated with at most 1,000 ECS instances in classic networks.
An ECS instance in a classic network created by an account in a region can only be linked to one VPC.
ECS instances in classic networks can only communicate with ECS instances in the primary CIDR block of a VPC. Communication with instances in the secondary CIDR block is not supported.
The following table lists the conditions that need to be met to enable ClassicLink for a VPC.
CIDR block | Limits
172.16.0.0/12 | Ensure that no custom route entry in the VPC has a destination CIDR block of 10.0.0.0/8.
10.0.0.0/8 | Ensure that no custom route entry in the VPC has a destination CIDR block of 10.0.0.0/8. Ensure that the vSwitch that communicates with the ECS instance in the classic network is within 10.111.0.0/16.
192.168.0.0/16 | Ensure that no custom route entry in the VPC has a destination CIDR block of 10.0.0.0/8. A custom route entry with a destination CIDR block of 192.168.0.0/16 needs to be created for the ECS instance in the classic network. Set the next hop as the private network interface controller (NIC). You can use the route script to add route entries. Note: Before running the script, make sure that you read the readme.txt file in the script.
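The address-planning rule under How it works and the conditions in the table above can be checked before ClassicLink is enabled. The following pre-flight check is an added example, not Alibaba Cloud code; the function name, its parameters and the sample inputs are constructed, and it assumes a VPC is matched to a table row when its CIDR block lies inside that row's range.

```python
import ipaddress

# Ranges taken from the page.
CLASSIC = ipaddress.ip_network("10.0.0.0/8")         # classic network range
CARVE_OUT = ipaddress.ip_network("10.111.0.0/16")    # excluded from the classic range
NET_172 = ipaddress.ip_network("172.16.0.0/12")
NET_192 = ipaddress.ip_network("192.168.0.0/16")


def classiclink_preflight(vpc_cidr, vswitch_cidr, vpc_custom_routes=(),
                          classic_instance_routes=()):
    """Return a list of findings; an empty list means the table's conditions hold.

    Assumption: a VPC is matched to a table row when its CIDR block lies
    inside that row's range.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    vswitch = ipaddress.ip_network(vswitch_cidr)
    row = next((n for n in (CLASSIC, NET_172, NET_192) if vpc.subnet_of(n)), None)
    if row is None:
        return [f"VPC CIDR {vpc} is not in a range listed for ClassicLink"]

    findings = []
    if not vswitch.subnet_of(vpc):
        findings.append(f"vSwitch {vswitch} is not inside VPC {vpc}")
    # Condition common to all three rows.
    if any(ipaddress.ip_network(d) == CLASSIC for d in vpc_custom_routes):
        findings.append("VPC has a custom route entry with destination 10.0.0.0/8")
    # Row 10.0.0.0/8: only the carve-out avoids the classic address space.
    if row == CLASSIC and not vswitch.subnet_of(CARVE_OUT):
        findings.append(f"vSwitch {vswitch} must be within 10.111.0.0/16")
    # Row 192.168.0.0/16: the classic instance needs its own route entry.
    if row == NET_192 and not any(
            ipaddress.ip_network(d) == NET_192 for d in classic_instance_routes):
        findings.append("classic instance lacks a route to 192.168.0.0/16 "
                        "via its private NIC")
    return findings


if __name__ == "__main__":
    # Constructed inputs; the first is the 10.111.1.0/24 vSwitch from the page.
    print(classiclink_preflight("10.0.0.0/8", "10.111.1.0/24"))
    print(classiclink_preflight("10.0.0.0/8", "10.1.0.0/24"))
    print(classiclink_preflight("192.168.0.0/16", "192.168.1.0/24", ["10.0.0.0/8"]))
```

An empty list means none of the table's conditions is violated; each string names one condition to fix before enabling ClassicLink or creating the connection.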
Manage ClassicLink
Enable or disable the ClassicLink feature
Log on to the VPC console.
In the top navigation bar, select the region where the VPC resides.
On the VPC page, click the ID of the target VPC.
On the details page, click Enable Classiclink in the upper-right corner.
In the Enable Classiclink dialog box, click OK.
Once ClassicLink is enabled, the status changes to Enabled.
You can disable ClassicLink when the connection is no longer required.
Before you disable ClassicLink, ensure that you cancel the ClassicLink connection between the classic network and VPC.
Disabling ClassicLink prevents the classic network from connecting to the VPC.
On the VPC page, click the ID of the target VPC.
On the details page, click Disable Classiclink.
Create or cancel a ClassicLink connection
Before you create a ClassicLink connection, ensure the following conditions are met:
You understand the limitations of creating a ClassicLink connection.
The ClassicLink feature is enabled for the VPC to be connected.
Log on to the ECS console.
In the left-side navigation pane, click . Select the region to which the instance belongs.
On the Instance page, find the target ECS instance in the classic network. In the Actions column, select .
In the Connect To VPC dialog box, select the VPC to be connected. Click Go to the instance security group list and add ClassicLink rules.
In the Security Groups, click the security group ID. On the Security Group Rules page, click Add ClassicLink Rule.
In the Add ClassicLink Rule dialog box, set up the ClassicLink security group rules as follows.
Parameter | Description
Classic Network Security Group | The security group for the classic network is displayed.
VPC-type Security Groups | Select a security group for the VPC.
Mode | Choose from the following authorization modes. Classic Network <=> VPC: Mutual access between two types of networks. Recommended. VPC => Classic Network: Unidirectional access from VPC resources to ECS instances in the classic network. Classic Network => VPC: Unidirectional access from ECS instances in the classic network to resources in the VPC.
Protocol Type | Select the protocol for communication.
Port Range | Define the port range in the format xx/xx. For example, enter 80/80 for port 80.
Priority | Assign a priority level to the rule. Lower values signify higher priority.
You can cancel a ClassicLink connection, which cuts off communication between ECS instances in the classic network and the VPC.
On the Instance page, find the classic network instance. In the Actions column, click .
In the Unconnect the VPC dialog box, click OK.