This topic describes how to use Cloud Enterprise Network (CEN) to build a centralized API management solution across regions. You can also refer to steps in this topic to build a centralized API management solution between virtual private clouds (VPCs) and between VPCs and on-premises data centers by using CEN and Express Connect. This way, you can publish APIs of various services for users to call in API Gateway.
Overview
By default, an API Gateway instance can communicate with only VPCs in the same region as itself. This topic uses a dedicated instance created in the China (Hangzhou) region as an example to describe how to manage APIs in three different scenarios.
API Gateway is an API hosting service. You must create a VPC in the region where your API Gateway instance resides to communicate with another region or with an on-premises data center. In this topic, VPC-1 is created in the China (Hangzhou) region to communicate with a VPC in the China (Beijing) region and with an on-premises data center.
The architectures in this topic are used only to illustrate how to call APIs across VPCs. In similar cases, you must configure a VPC, such as VPC-1 in this example, in the region where your API Gateway instance resides. This VPC is used to communicate with other environments, such as VPCs in other regions or on-premises data centers.
The following scenarios are used as examples in this topic:
Scenario 1: Call APIs in another region over a VPC on Alibaba Cloud
Scenario 2: Call APIs in Alibaba Cloud from an on-premises data center
Scenario 3: Access a backend service deployed in an on-premises data center from an Elastic Compute Service (ECS) instance deployed on Alibaba Cloud
Scenario 1: Call APIs in another region over a VPC on Alibaba Cloud
In this scenario, the client is deployed on ECS instance ecs-3 in VPC-3 of the China (Beijing) region. The API Gateway instance is a dedicated instance in the China (Hangzhou) region. The backend service is a Function Compute function in the China (Hangzhou) region. The following diagram shows the architecture:
The configuration process is as follows:
Create an API.
Create a CEN instance and connect VPC-3 in the China (Beijing) region to VPC-1 in the China (Hangzhou) region.
Grant VPC-1 access to the API Gateway instance. This way, the ECS instance in VPC-3 can call APIs over VPC-1.
Step 1: Create an API
Create an API that uses Function Compute as the backend service. For more information, see Create an API with Function Compute as the backend service.
Step 2: Create a CEN instance
Log on to the Cloud Enterprise Network console and create a CEN instance.
Step 3: Attach VPC instances
Attach VPC-1 and VPC-3 to the CEN instance. The following figure shows the basic information of the CEN instance after the VPCs are attached.
Step 4: Configure a bandwidth plan for cross-region communication
Purchase a bandwidth plan for communication within the CEN instance. In this example, a 2 Mbit/s bandwidth plan is purchased. You can purchase a bandwidth plan based on your business requirements.
Configure the bandwidth for the regions of the CEN instance. You can allocate the bandwidth of the bandwidth plan you purchased to multiple pairs of connected regions.
Step 5: Grant VPC-1 access to the API Gateway instance
On the Instances page of the API Gateway console, find the dedicated instance you created and click Bind to VPC in the row of VPC for Access to Dedicated Instance. Select the ID of VPC-1 in the China (Hangzhou) region.
In the left-side navigation pane, choose Open API > API Groups and click the API group that you want to manage. On the Group Details page, click Enable VPC Second-level Domain. In the Enable VPC Second-level Domain message, click OK. After you complete these operations, resources in VPC-3 can call APIs of this API group.
Scenario 2: Call APIs in Alibaba Cloud from an on-premises data center
In this scenario, the client is located in an on-premises data center in Hangzhou. The API Gateway instance is a dedicated instance in the China (Hangzhou) region. The backend service is a Function Compute function in the China (Hangzhou) region. All access requests are sent over a VPC. The following diagram shows the architecture:
The configuration process is as follows:
Create an API.
Connect the on-premises data center to VPC-1.
Grant VPC-1 access to the API Gateway instance. This way, the client located in the on-premises data center can call APIs over VPC-1.
Step 1: Create an API
Create an API that uses Function Compute as the backend service. For more information, see Create an API with Function Compute as the backend service.
Step 2: Connect the on-premises data center to VPC-1
Connect the on-premises data center to VPC-1 by using an Express Connect circuit. For more information, see Connect a data center to ECS by using an Express Connect circuit.
Step 3: Grant VPC-1 access to the API Gateway instance
Refer to Step 5 in Scenario 1. You must select the ID of VPC-1 in the China (Hangzhou) region. After you complete these operations, the client in the on-premises data center can access, over VPC-1, the VPC domain of the API group to which the API you created belongs.
Scenario 3: Access a backend service deployed in an on-premises data center from an ECS instance deployed on Alibaba Cloud
In this scenario, the client is deployed on an ECS instance in the China (Hangzhou) region. The API Gateway instance is a dedicated instance in the China (Hangzhou) region. The backend service is deployed in an on-premises data center in Hangzhou. All access requests are sent over a VPC. The following diagram shows the architecture:
The configuration process is as follows:
Connect the on-premises data center to VPC-1.
Grant the API Gateway instance access to VPC-1. This way, the API Gateway instance can access the client in the on-premises data center over VPC-1.
Create an API.
Step 1: Connect the on-premises data center to Alibaba Cloud over a VPC
Connect the on-premises data center to VPC-1 by using an Express Connect circuit. For more information, see Connect a data center to ECS by using an Express Connect circuit.
Step 2: Configure routes to access cloud services
Log on to the API Gateway console and click Instances in the left-side navigation pane. On the Instances page, find your instance and record its egress IP address.
Configure access routes to cloud services in the CEN console. For more information, see Access to cloud services.
Step 3: Create a VPC access authorization
Before creating an API, you must create an authorization for access from API Gateway to VPC-1. Log on to the API Gateway console. In the left-side navigation pane, choose Open API > VPCs. In the upper-right corner, click Create Authorization and configure the following parameters:
- VPC Access Name: Enter a custom name for the authorization.
- VPC Id: Enter the ID of VPC-1.
- Instance ID or IP Address: Enter the internal IP address of the data center.
- Port Number: Enter the service port number.
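The following pre-flight check is an added example, not part of the original topic or of any Alibaba Cloud tooling. It verifies that the address blocks of VPC-1, VPC-3, and the data center do not overlap (overlapping blocks make routes between the networks ambiguous) and that an authorization record names VPC-1, an internal data center address, and a valid port. The CIDR blocks, the record fields, and the function names are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): substitute your real CIDR blocks.
NETWORKS = {
    "VPC-1": "192.168.0.0/16",        # China (Hangzhou), bound to the gateway
    "VPC-3": "172.16.0.0/12",         # China (Beijing)
    "data-center": "10.10.0.0/16",    # on-premises, via Express Connect
}

def overlapping_pairs(networks):
    """Return pairs of network names whose CIDR blocks overlap."""
    parsed = sorted((n, ipaddress.ip_network(c)) for n, c in networks.items())
    return [(a, b) for i, (a, na) in enumerate(parsed)
            for b, nb in parsed[i + 1:] if na.overlaps(nb)]

def check_authorization(auth, networks, gateway_vpc="VPC-1", backend="data-center"):
    """Check one authorization record; return a list of findings (empty means OK)."""
    findings = []
    if auth["vpc"] != gateway_vpc:
        findings.append(f"VPC Id must be {gateway_vpc}, got {auth['vpc']}")
    try:
        ip = ipaddress.ip_address(auth["ip"])
    except ValueError:
        findings.append(f"{auth['ip']!r} is not an IP address")
    else:
        if not ip.is_private:
            findings.append(f"{ip} is not an internal address")
        if ip not in ipaddress.ip_network(networks[backend]):
            findings.append(f"{ip} is outside {backend} {networks[backend]}")
    port = auth["port"]
    if not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append(f"port {port!r} is not in 1-65535")
    return findings

if __name__ == "__main__":
    # Constructed sample record mirroring the four console parameters.
    sample = {"name": "dc-backend", "vpc": "VPC-1", "ip": "10.10.5.20", "port": 8080}
    print("overlaps:", overlapping_pairs(NETWORKS))
    print("findings:", check_authorization(sample, NETWORKS))
```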
Step 4: Create an API
For more information, see Create an API operation with a resource in a VPC as the backend service.
Limits
This topic applies to dedicated instances only.