To connect a data center or a VPC to another virtual private cloud (VPC) in the same region, connect the data center to Alibaba Cloud by using an Express Connect circuit and a virtual border router (VBR), and then attach the VBR and the VPCs to the transit router in that region.
Example
A company deployed a data center in Hangzhou, and connected the data center to Alibaba Cloud by using an Express Connect circuit and a VBR. The company also deployed two VPCs named VPC1 and VPC2 in the China (Hangzhou) region. Elastic Compute Service (ECS) instances are deployed in the VPCs. Applications are deployed on the ECS instances. The data center cannot communicate with VPC1 or VPC2, and VPC1 cannot communicate with VPC2. Due to business growth, the company wants to enable network communication among the data center, VPC1, and VPC2.
In this case, the company can use Cloud Enterprise Network (CEN) to connect VPC1, VPC2, and the VBR to the transit router in the China (Hangzhou) region. This enables network communication among the data center, VPC1, and VPC2.
Prerequisites
The data center is connected to Alibaba Cloud by using Express Connect circuits and VBRs. For more information, see Connect a data center to ECS by using an Express Connect circuit.
Two VPCs are deployed in the China (Hangzhou) region, and ECS instances are deployed in the VPCs. Applications are deployed on the ECS instances. For more information, see Create an IPv4 VPC.
Sufficient vSwitches are deployed in each VPC in the zones of the Enterprise Edition transit router. Each vSwitch has at least one idle IP address.
If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.
If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.
For more information, see How a VPC connection works.
The following table shows the CIDR blocks allocated to VPC1, VPC2, the VBR, and the data center. Make sure that the CIDR blocks do not overlap.
| Item | VPC1 | VPC2 | VBR | Data center |
| --- | --- | --- | --- | --- |
| Network instance regions | China (Hangzhou) | China (Hangzhou) | China (Hangzhou) | Hangzhou |
| Network instance CIDR blocks | VPC CIDR block: 192.168.0.0/16; vSwitch 1 CIDR block: 192.168.20.0/24; vSwitch 2 CIDR block: 192.168.21.0/24 | VPC CIDR block: 10.0.0.0/16; vSwitch 1 CIDR block: 10.0.0.0/24; vSwitch 2 CIDR block: 10.0.1.0/24 | VLAN ID: 0; IPv4 address on the Alibaba Cloud side: 172.16.1.2, subnet mask 255.255.255.252; IPv4 address on the customer side: 172.16.1.1, subnet mask 255.255.255.252 | On-premises network CIDR block: 172.16.0.0/16 |
| vSwitch zones | vSwitch 1 in Zone H; vSwitch 2 in Zone I | vSwitch 1 in Zone H; vSwitch 2 in Zone I | N/A | N/A |
| Server IP addresses | ECS1 IP address: 192.168.20.161 | ECS2 IP address: 10.0.0.33 | N/A | On-premises server IP address: 172.16.0.89 |
Check the security group rules that are applied to the ECS instances in the VPCs. Make sure that the rules allow the VPCs to communicate with each other and with the data center. For more information, see View security group rules and Add a security group rule.
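Before you create any attachments, it is worth validating the CIDR plan in the table above mechanically rather than by eye. The following Python script is an added example, not part of the Alibaba Cloud documentation or of any Alibaba Cloud tool; the PLAN, VBR_LINK and SERVERS values are a constructed copy of the table. Using only the standard ipaddress module, it checks that the routed blocks (VPC1, VPC2, data center) do not overlap, that every vSwitch lies inside its VPC CIDR in a distinct zone, that both ends of the VBR link are distinct hosts in the same /30, and that each server address from the table falls in the expected network. The VBR link is carved out of the on-premises block, so it is validated on its own rather than included in the overlap check.

```python
import ipaddress
from itertools import combinations

# Constructed copy of the CIDR plan from the table above (example data only).
PLAN = {
    "VPC1": {
        "cidr": "192.168.0.0/16",
        "vswitches": {"Zone H": "192.168.20.0/24", "Zone I": "192.168.21.0/24"},
    },
    "VPC2": {
        "cidr": "10.0.0.0/16",
        "vswitches": {"Zone H": "10.0.0.0/24", "Zone I": "10.0.1.0/24"},
    },
    "Data center": {"cidr": "172.16.0.0/16", "vswitches": {}},
}
# Point-to-point link between the VBR and the customer device. It is carved out of the
# on-premises space and is a link subnet, not a routed network, so it is validated on
# its own rather than included in the overlap check.
VBR_LINK = {"cloud_side": "172.16.1.2/30", "customer_side": "172.16.1.1/30"}
# Server addresses from the table (constructed labels).
SERVERS = {"ECS1": "192.168.20.161", "ECS2": "10.0.0.33", "on-premises": "172.16.0.89"}


def overlapping_pairs(plan):
    """Return every pair of routed blocks that overlap; an empty list means the plan is clean."""
    nets = {name: ipaddress.ip_network(v["cidr"]) for name, v in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def vswitch_problems(plan, multi_zone=True):
    """Check each VPC's vSwitches: inside the VPC CIDR, mutually disjoint, and
    (in a multi-zone region) spread over at least two zones."""
    problems = []
    for name, v in plan.items():
        if not v["vswitches"]:
            continue  # the data center has no vSwitches
        vpc = ipaddress.ip_network(v["cidr"])
        subnets = {z: ipaddress.ip_network(c) for z, c in v["vswitches"].items()}
        for zone, sn in subnets.items():
            if not sn.subnet_of(vpc):
                problems.append(f"{name}: vSwitch {sn} in {zone} is outside {vpc}")
        for (za, sa), (zb, sb) in combinations(subnets.items(), 2):
            if sa.overlaps(sb):
                problems.append(f"{name}: vSwitches {sa} ({za}) and {sb} ({zb}) overlap")
        if multi_zone and len(subnets) < 2:
            problems.append(f"{name}: needs vSwitches in at least two zones")
    return problems


def vbr_link_ok(link):
    """Both ends of the VBR link must be distinct hosts in the same /30."""
    cloud = ipaddress.ip_interface(link["cloud_side"])
    cust = ipaddress.ip_interface(link["customer_side"])
    return cloud.network == cust.network and cloud.network.prefixlen == 30 and cloud.ip != cust.ip


def locate_host(plan, ip):
    """Return (network name, vSwitch CIDR or None) for the block that contains ip."""
    addr = ipaddress.ip_address(ip)
    for name, v in plan.items():
        if addr in ipaddress.ip_network(v["cidr"]):
            vsw = next((c for c in v["vswitches"].values() if addr in ipaddress.ip_network(c)), None)
            return (name, vsw)
    return None


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(PLAN))
    print("vSwitch problems:", vswitch_problems(PLAN))
    print("VBR link ok:", vbr_link_ok(VBR_LINK))
    for label, ip in SERVERS.items():
        print(label, ip, "->", locate_host(PLAN, ip))
```

Pass multi_zone=False for a single-zone region such as China (Nanjing - Local Region), where one vSwitch per VPC is enough. Any non-empty result from overlapping_pairs or vswitch_problems should be resolved before Step 3, because the transit router cannot distinguish overlapping prefixes once both are propagated into its route table.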
Procedure
Step 1: Create a CEN instance
CEN is used to create and manage network resources. Before you can connect networks, you must create a CEN instance.
Log on to the CEN console.
On the Instances page, click Create CEN Instance.
In the Create CEN Instance dialog box, configure the following parameters and click OK:
Name: Enter a name for the CEN instance.
Description: Enter a description for the CEN instance.
Resource Group: Select a resource group for the CEN instance.
In this example, no resource group is selected. The CEN instance is added to the default resource group.
Tag: Add tags to the CEN instance. In this example, no tag is added to the CEN instance.
Step 2: Create a transit router
Before you can create a network instance connection, you must create a transit router in the region where the network instance is deployed.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance created in Step 1.
Choose and click Create Transit Router.
In the Create Transit Router dialog box, configure the parameters and click OK. The following table describes the parameters.
| Parameter | Description | Value |
| --- | --- | --- |
| Region | Select the region where you want to create the transit router. | In this example, China (Hangzhou) is selected. |
| Edition | The edition of the transit router is displayed. | The transit router edition that is supported in the selected region is automatically displayed. |
| Enable Multicast | Specify whether to enable multicast. | In this example, multicast is disabled, which is the default. |
| Name | Enter a name for the transit router. | In this example, a custom name is specified for the transit router. |
| Description | Enter a description for the transit router. | In this example, a custom description is specified for the transit router. |
| Tag | Add tags to the transit router. | In this example, no tag is added to the transit router. |
| Transit Router CIDR | Enter a CIDR block for the transit router. For more information, see Transit router CIDR blocks. | In this example, no CIDR block is specified for the transit router. |
Step 3: Connect the VPCs to the transit router
Connect VPC1 and VPC2 to the transit router in the China (Hangzhou) region.
On the Instances page, click the ID of the CEN instance created in Step 1.
Navigate to the tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the parameters and click OK. The following table describes the parameters for VPC1 and VPC2. Connect VPC1 and VPC2 to the transit router based on this information.
Note: When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN. This role allows transit routers to create elastic network interfaces (ENIs) on vSwitches in VPCs. For more information, see AliyunServiceRoleForCEN.
| Parameter | Description | VPC1 | VPC2 |
| --- | --- | --- | --- |
| Network Type | Select the type of the network instance that you want to connect. | VPC | VPC |
| Region | Select the region where the network instance is deployed. | China (Hangzhou) | China (Hangzhou) |
| Transit Router | The ID of the transit router in the selected region is automatically displayed. | Automatically displayed | Automatically displayed |
| Resource Owner ID | Select the Alibaba Cloud account to which the network instance belongs. | Your Account | Your Account |
| Billing Method | Default value: Pay-As-You-Go. For more information, see Billing. | Pay-As-You-Go | Pay-As-You-Go |
| Attachment Name | Enter a name for the network instance connection. | VPC1-test | VPC2-test |
| Tag | Add tags to the network instance connection. | No tag is added. | No tag is added. |
| Networks | Select the network instance that you want to connect to the transit router. | VPC1 | VPC2 |
| VSwitch | Select a vSwitch in a zone of the transit router. If each zone of the transit router has a vSwitch, you can select multiple zones and a vSwitch in each of the zones to enable zone-disaster recovery. | Hangzhou Zone H: vSwitch 1; Hangzhou Zone I: vSwitch 2 | Hangzhou Zone H: vSwitch 1; Hangzhou Zone I: vSwitch 2 |
| Advanced Settings | The following advanced features are selected by default. Select or clear them based on your business requirements. The features are described below the table. | Keep the default settings. All advanced features are enabled. | Keep the default settings. All advanced features are enabled. |
The advanced features of a VPC connection are:
Associate with Default Route Table of Transit Router: After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.
Propagate System Routes to Default Route Table of Transit Router: After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.
Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC: After this feature is enabled, the system automatically adds the following routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of the routes point to the VPC connection. The routes are used to forward traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs.
Important: If such a route is already in a route table of the VPC, the system cannot add the route automatically. You must manually add a route that points to the VPC connection to the route table of the VPC. Otherwise, network communication cannot be established between the VPC and the transit router. To check whether such routes exist, click Check Route below Advanced Settings.
For IPv6 traffic to enter the VPC and be forwarded, enable route synchronization for the VPC connection, or manually add IPv6 routes that point to the VPC connection to the route table of the VPC after you create the connection.
Click Return to the List to go to the details page of the CEN instance.
Step 4: Connect the transit router to the VBR
On the Instances page, click the ID of the CEN instance created in Step 1.
Navigate to the tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK:
Network Type: Select the type of network instance that you want to attach. In this example, Virtual Border Router (VBR) is selected.
Region: Select the region where the network instance is deployed. In this example, China (Hangzhou) is selected.
Transit Router: The ID of the transit router in the selected region is automatically displayed.
Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs. In this example, the default value Your Account is selected.
Attachment Name: Enter a name for the network instance connection. In this example, VBR is used.
Tag: Add tags to the network instance connection. In this example, no tag is added to the network instance connection.
Networks: Select the ID of the network instance that you want to connect to the transit router. In this example, the ID of the VBR is selected.
Advanced Settings: By default, the following advanced features are selected. In this example, the default settings are used.
Associate with Default Route Table of Transit Router
After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the system routes of the VBR are advertised to the default route table of the transit router. This way, the VBR can communicate with other network instances that are connected to the transit router.
Propagate Routes to VBR
After this feature is enabled, the system automatically advertises the routes in the transit router route table that is associated with the VBR connection to the VBR.
Click Return to the List to go to the details page of the CEN instance.
Step 5: Test network connectivity
After you complete the preceding steps, VPC1, VPC2, and the data center are connected to each other. You can run ping tests to verify the network connectivity.
In this example, the ECS instances in VPC1 and VPC2 run the Alibaba Cloud Linux operating system. For more information about how to use the ping command on other operating systems, see the manual of the operating system that you use.
Test the network connectivity between VPC1 and VPC2.
Log on to the ECS instance that is deployed in VPC1. For more information, see Connect to an ECS instance.
On the ECS instance, run the ping command to test whether you can access the ECS instance in VPC2.
ping <The IP address of the ECS instance in VPC2>
If echo reply packets are returned, VPC1 can communicate with VPC2.
Test the network connectivity between VPC1 and the data center.
Log on to an ECS instance that is deployed in VPC1.
On the ECS instance, run the ping command to test whether you can access the data center.
ping <The IP address of the data center>
If echo reply packets are returned, VPC1 can communicate with the data center.
Test the network connectivity between VPC2 and the data center.
Log on to an ECS instance that is deployed in VPC2.
On the ECS instance, run the ping command to test whether you can access the data center.
ping <The IP address of the data center>
If echo reply packets are returned, VPC2 can communicate with the data center.
Routes
In this topic, the CEN instance automatically learns and advertises routes for the VPCs and the data center when you connect the VPCs and the VBR to the transit router:
The transit router in the China (Hangzhou) region automatically learns routes from VPC1, VPC2, and the VBR.
The VBR learns routes to VPC1 and VPC2 through the transit router.
The CEN instance automatically adds the following routes to the route tables of VPC1 and VPC2: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hop of each route is the transit router.
Traffic from VPC1 and VPC2 to these destinations is therefore routed to the transit router, which forwards it so that the VPCs and the data center can communicate with each other.
The following table describes the route entries of VPC1, VPC2, and the VBR. You can check the route entries in the console. For more information, see View routes of an Enterprise Edition transit router and View routes of network instances.
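The route behaviour described under Advanced Settings in Step 3 (the three summary routes that point to the VPC connection, and the case in which an existing route blocks one of them) and summarized in this Routes section can be modelled with a short script. The Python below is an added example, not Alibaba Cloud code: the route tables, the attachment names VPC1-test, VPC2-test and VBR, and the pre-existing route to a hypothetical vpn-gw-example are constructed for illustration. It applies longest-prefix matching first to a VPC route table and then to the transit router default route table, so you can see which next hop traffic from each VPC actually takes. It also shows the failure mode from the Important note: a pre-existing 172.16.0.0/12 route keeps the automatic route from being added, and data center traffic then never reaches the transit router.

```python
import ipaddress

# Routes that the VPC connection feature adds to every route table of the VPC.
AUTO_ROUTES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed scenario from this topic: each VPC starts with its system (local) route.
VPC1_SYSTEM = [("192.168.0.0/16", "local")]
VPC2_SYSTEM = [("10.0.0.0/16", "local")]
# Constructed variant of VPC1 whose owner already routes 172.16.0.0/12 to another gateway.
VPC1_WITH_CUSTOM_ROUTE = VPC1_SYSTEM + [("172.16.0.0/12", "vpn-gw-example")]
# Constructed: system routes each attachment propagates into the transit router default route table.
ATTACHMENT_ROUTES = {
    "VPC1-test": ["192.168.0.0/16"],
    "VPC2-test": ["10.0.0.0/16"],
    "VBR": ["172.16.0.0/16"],
}


def add_transit_router_routes(route_table, attachment):
    """Model 'Automatically Creates Route That Points to Transit Router': append the
    three summary routes with the VPC connection as next hop, but skip any destination
    that is already present. Returns (new_table, skipped_destinations)."""
    table = list(route_table)
    skipped = []
    for dst in AUTO_ROUTES:
        net = ipaddress.ip_network(dst)
        if any(ipaddress.ip_network(d) == net for d, _ in table):
            skipped.append(dst)  # must be added manually; see the Important note in Step 3
        else:
            table.append((dst, attachment))
    return table, skipped


def transit_router_table(attachment_routes):
    """Model route propagation: each attachment's system routes enter the transit
    router default route table with that attachment as the next hop."""
    return [(cidr, name) for name, cidrs in attachment_routes.items() for cidr in cidrs]


def next_hop(route_table, ip):
    """Longest-prefix match over (destination, next_hop) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dst, hop in route_table:
        net = ipaddress.ip_network(dst)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(vpc_table, tr_table, ip):
    """Hops a packet takes from a VPC: the VPC route table first, then the transit
    router table only if the first hop is a transit router attachment."""
    hop = next_hop(vpc_table, ip)
    if hop in {name for _, name in tr_table}:
        return [hop, next_hop(tr_table, ip)]
    return [hop]


if __name__ == "__main__":
    tr = transit_router_table(ATTACHMENT_ROUTES)
    vpc1, skipped1 = add_transit_router_routes(VPC1_SYSTEM, "VPC1-test")
    print("VPC1 skipped:", skipped1)  # 192.168.0.0/16 is already VPC1's own system route
    for ip in ("10.0.0.33", "172.16.0.89", "192.168.20.161"):
        print("VPC1 ->", ip, trace(vpc1, tr, ip))
    bad, skipped_bad = add_transit_router_routes(VPC1_WITH_CUSTOM_ROUTE, "VPC1-test")
    print("custom-route VPC skipped:", skipped_bad, "->", trace(bad, tr, "172.16.0.89"))
```

Note that for VPC1 the 192.168.0.0/16 summary is skipped because it equals the VPC's own system route; that is harmless, since traffic to 192.168.0.0/16 stays local. The skipped 172.16.0.0/12 entry in the custom-route variant is the case that breaks connectivity, which is why the Check Route button in Step 3 is worth using before you rely on the ping tests in Step 5.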