Cloud Enterprise Network:Connect VPCs in different accounts

Example

The preceding figure shows an example. A company uses Account A to deploy a VPC named VPC1 in the China (Hangzhou) region and a VPC named VPC3 in the China (Qingdao) region. The company uses Account B to deploy a VPC named VPC2 in the China (Hangzhou) region. Elastic Compute Service (ECS) instances are deployed in the VPCs. The VPCs cannot communicate with each other. To accommodate business growth, the company wants to establish network communication among the VPCs.

In this case, the company can use CEN to connect VPC1 and VPC2 to the Enterprise Edition transit router in the China (Hangzhou) region that belongs to Account A. Then, the company can connect VPC3 to the Enterprise Edition transit router in the China (Qingdao) region that belongs to Account A. This way, the company can create inter-region connections between the transit routers in the China (Hangzhou) and China (Qingdao) regions to enable network communication among VPC1, VPC2, and VPC3.

Prerequisites

• A VPC has been deployed in each of the China (Hangzhou) and China (Qingdao) regions by using Account A. A VPC is deployed in the China (Hangzhou) region by using Account B. ECS instances are deployed in the VPCs. For more information, see Create an IPv4 VPC.

  Sufficient vSwitches are deployed in each VPC in the zones of the Enterprise Edition transit router. Each vSwitch has at least one idle IP address.

  • If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.

  • If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.

  For more information, see How a VPC connection works.

  Click to view regions and zones that support Enterprise Edition transit routers

  Table 1: Regions and zones that support Enterprise Edition transit routers

  Area	Region	Zone
  Chinese Mainland	China (Hangzhou)	Zone B, Zone H, Zone I, Zone J, and Zone K
  	China (Shanghai)	Zone F, Zone G, Zone E, Zone B, Zone N, Zone M, and Zone L
  	China (Nanjing - Local Region)	Zone A
  	China (Fuzhou - Local Region)	Zone A
  	China (Shenzhen)	Zone D, Zone E, Zone F, Zone A, and Zone C
  	China (Heyuan)	Zone A and Zone B
  	China (Guangzhou)	Zone A and Zone B
  	China (Qingdao)	Zone B and Zone C
  	China (Beijing)	Zone C, Zone H, Zone G, Zone J, Zone K, Zone I, and Zone L
  	China (Zhangjiakou)	Zone A, Zone B, and Zone C
  	China (Hohhot)	Zone A and Zone B
  	China (Ulanqab)	Zone A, Zone B, and Zone C
  	China (Chengdu)	Zone A and Zone B
  Asia Pacific	Singapore	Zone A, Zone B, and Zone C
  	China (Hong Kong)	Zone B, Zone C, and Zone D
  	Malaysia (Kuala Lumpur)	Zone A and Zone B
  	Indonesia (Jakarta)	Zone A, Zone B, and Zone C
  	Philippines (Manila)	Zone A
  	Japan (Tokyo)	Zone A, Zone B, and Zone C
  	South Korea (Seoul)	Zone A
  	Thailand (Bangkok)	Zone A
  Europe	Germany (Frankfurt)	Zone A and Zone B
  	UK (London)	Zone A and Zone B
  North America	US (Virginia)	Zone A and Zone B
  	US (Silicon Valley)	Zone A and Zone B
  Middle East	SAU (Riyadh - Partner Region)	Zone A and Zone B

  The following table describes the CIDR blocks that are allocated to the VPCs. Make sure that the CIDR blocks do not overlap.

  Item	VPC1	VPC2	VPC3
  Network instance owner account	Account A	Account B	Account A
  Network instance region	China (Hangzhou)	China (Hangzhou)	China (Qingdao)
  Network instance CIDR block	VPC3: 192.168.0.0/16 vSwitch 1 CIDR block: 192.168.20.0/24 vSwitch 2 CIDR block: 192.168.21.0/24	VPC CIDR block: 10.0.0.0/16 vSwitch 1 CIDR block: 10.0.0.0/24 vSwitch 2 CIDR block: 10.0.1.0/24	VPC CIDR block: 172.16.0.0/16 vSwitch 1 CIDR block: 172.16.0.0/24 vSwitch 2 CIDR block: 172.16.1.0/24
  vSwitch zones	vSwitch 1 in Zone H vSwitch 2 in Zone I	vSwitch 1 in Zone H vSwitch 2 in Zone I	vSwitch 1 in Zone B vSwitch 2 in Zone C
  ECS instance IP address	192.168.20.161	10.0.0.33	172.16.0.89

• You are familiar with the security group rules that apply to the ECS instances in the VPCs. Make sure that the security group rules allow the VPCs to communicate with each other. For more information, see View security group rules and Add a security group rule.

Procedure

Step 1: Create a CEN instance

In this example, VPC2 within Account B is connected to the CEN instance within Account A to establish network communication among VPC1, VPC2, and VPC3. You must first use Account A to create a CEN instance.

1. Log on to the CEN console with Account A.

2. On the Instances page, click Create CEN Instance.

3. In the Create CEN Instance dialog box, configure the following parameters and click OK:

   • Name: Enter a name for the CEN instance.

   • Description: Enter a description for the CEN instance.

   • Resource Group: Select a resource group for the CEN instance.

     In this example, no resource group is selected. The CEN instance is added to the default resource group.

   • Tag: Add tags to the CEN instance. In this example, no tag is added to the network instance connection.

Step 2: Create a transit router

Before you can create a network instance connection, you must create a transit router in the region where the network instance is deployed.

1. Log on to the CEN console with Account A.

2. On the Instances page, click the ID of the CEN instance created in Step 1.

3. Go to the Basic Information > Transit Router tab and click Create Transit Router.

4. In the Create Transit Router dialog box, configure the parameters and click OK.

   The following table describes the parameters that are used to create a transit router in each of the China (Hangzhou) and China (Qingdao) regions.

   Parameter	Description	China (Hangzhou)	China (Qingdao)
   Region	Select the region where you want to create the transit router.	In this example, China (Hangzhou) is selected.	In this example, China (Qingdao) is selected.
   Edition	The edition of the transit router.	The transit router edition that is supported in the selected region is automatically displayed.	The transit router edition that is supported in the selected region is automatically displayed.
   Enable Multicast	Specify whether to enable multicast.	In this example, multicast is disabled. By default, multicast is disabled.	In this example, multicast is disabled. By default, multicast is disabled.
   Name	Enter a name for the transit router.	In this example, a custom name is specified for the transit router.	In this example, a custom name is specified for the transit router.
   Description	Enter a description for the transit router.	In this example, a custom description is specified for the transit router.	In this example, a custom description is specified for the transit router.
   Tag	Add tags to the transit router.	In this example, no tag is added to the transit router.	In this example, no tag is added to the transit router.
   Transit Router CIDR	Enter a CIDR block for the transit router. For more information, see Transit router CIDR blocks.	In this example, no CIDR block is specified for the transit router.	In this example, no CIDR block is specified for the transit router.

Step 3: Grant permissions to Account A

Before you can connect VPC2 that belongs to Account B to the transit router that belongs to Account A, you must grant the required permissions to Account A. Otherwise, the transit router that belongs to Account A cannot connect to VPC2.

1. Log on to the CEN console with Account B.

2. In the top navigation bar, select the region where VPC2 is deployed.

   In this example, China (Hangzhou) is selected.

3. On the VPC page, click the ID of VPC2.

4. Click the Cross-account Authorization tab. On the Cloud Enterprise Network tab, click Authorize Cross Account Attach CEN.

5. In the Attach to CEN dialog box, configure the parameters and click OK. The following table describes the parameters.

   Parameter	Description
   Peer Account UID	Enter the UID of the Alibaba Cloud account to which the transit router belongs. In this example, the UID of Account A is used.
   Peer CEN Instance ID	Enter the ID of the CEN instance to which the transit router belongs. In this example, the ID of the CEN instance created in Step 1 is used.
   Payer	Select a payment account. CEN Instance Owner: The Alibaba Cloud account to which the transit router belongs pays the connection and data transfer fees of the VPC. This is the default value. VPC Owner: The Alibaba Cloud account to which the VPC belongs pays the connection and data transfer fees of the VPC. In this example, the default value is used. Important Your services may be disrupted if you change the payment account. Proceed with caution. For more information, see Change the payment account.

Step 4: Connect the VPCs to the transit router

After Account A is granted the required permissions, you must connect VPC1, VPC2, and VPC3 to the transit router that belongs to Account A to establish network communication among the VPCs.

1. Log on to the CEN console with Account A.

2. On the Instances page, click the ID of the CEN instance created in Step 1.

3. Go to the Basic Information > Transit Router tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.

4. On the Connection with Peer Network Instance page, configure the parameters and click OK.

   The following table describes the settings of each VPC. Connect VPC1, VPC2, and VPC3 to the transit router that belongs to Account A.

   Parameter	Description	VPC1	VPC2	VPC3
   Network Type	Select the type of network instance that you want to connect.	VPC	VPC	VPC
   Region	Select the region where the network instance is deployed.	China (Hangzhou)	China (Hangzhou)	China (Qingdao)
   Transit Router	The ID of the transit router in the selected region is automatically displayed.
   Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs.	Current Account	Different Account If you select Different Account, you must specify the ID of Account B.	Current Account
   Billing Method	Default value: Pay-As-You-Go.
   Attachment Name	Enter a name for the network connection.	Attachment-for-VPC1	Attachment-for-VPC2	Attachment-for-VPC3
   Tag	Add tags to the network instance connection.	In this example, no tag is added to the transit router.	In this example, no tag is added to the transit router.	In this example, no tag is added to the transit router.
   Networks	Select the network instance that you want to connect to the transit router.	VPC1	VPC2	VPC3
   VSwitch	Select a vSwitch in a zone of the transit router. If your transit router is deployed in a region that supports multiple zones and vSwitches are deployed in each of the zones, you can select multiple zones and a vSwitch in each zone to enable zone-disaster recovery.	Hangzhou Zone H: vSwitch 1 Hangzhou Zone I: vSwitch 2	Hangzhou Zone H: vSwitch 1 Hangzhou Zone I: vSwitch 2	Qingdao Zone B: vSwitch 1 Qingdao Zone C: vSwitch 2
   Advanced Settings	The following advanced features are selected by default. You can clear or select the advanced features based on your business requirements. Keep the default settings for VPC1, VPC2, and VPC3. All advanced features are enabled for the VPCs. Associate with Default Route Table of Transit Router After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table. Propagate System Routes to Default Route Table of Transit Router After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router. Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of the routes point to the VPC. The routes are used to forward IPv4 traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs. Important If such a route is already in the route table of the VPC, the system cannot advertise this route. You must manually add a route that points to the VPC connection to the route table of the VPC. Otherwise, network communication cannot be established between the VPC and the transit router. To check whether such routes exist, click Check Route below Advanced Settings. In order for the VPC to have IPv6 traffic enter and be forwarded, it is necessary to enable route synchronization for the VPC connection or manually add IPv6 route entries pointing to the VPC connection in the route table after creating the connection.

   After the VPCs are connected to the transit router, VPC1 and VPC2 can communicate with each other because they are in the same region. VPC3 cannot communicate with VPC1 or VPC2 because they are in different regions. To establish network communication between VPC1 and VPC3 and between VPC 2 and VPC3, you must create an inter-region connection.

Step 5: Create inter-region connections

1. Log on to the CEN console with Account A.

2. On the Instances page, click the ID of the CEN instance created in Step 1.

3. Go to the Basic Information > Bandwidth Plans tab and click Set Region Connection.

4. On the Connection with Peer Network Instance page, configure the parameters and click OK. The following table describes the parameters:

   Parameter	Description
   Network Type	In this example, Inter-region Connection is selected.
   Region	Select one of the regions to be connected. In this example, the China (Hangzhou) region is selected.
   Transit Router	The ID of the transit router in the selected region is automatically displayed.
   Attachment Name	Enter a name for the inter-region connection. In this example, Inter-region connection is used.
   Peer Region	Select the other region to be connected. In this example, China (Qingdao) is selected.
   Transit Router	The ID of the transit router in the selected region is automatically displayed.
   Tag	Add tags to the inter-region connection. In this example, no tag is added to the inter-region connection.
   Bandwidth Allocation Mode	The following modes are supported: Pay-By-Data-Tranfer: You are charged for data transfer over the inter-region connection. Allocate from Bandwidth Plan: Bandwidth is allocated from a bandwidth plan. In this example, Allocate from Bandwidth Plan is selected. Note When you choose Pay-By-Data-Transfer, the bills are settled by CDT products. If you see a message indicating that the CDT service has not been activated, click to activate it.
   Bandwidth	Specify a maximum bandwidth value for the inter-region connection. Unit: Mbit/s.
   Default Line Type	Use the default value.
   Advanced Settings	By default, all advanced features are selected. In this example, the default settings are used. Associate with Default Route Table of Transit Router After this feature is enabled, the inter-region connection is automatically associated with the default route table of the transit router. The transit router uses the default route table to forward network traffic across regions. Propagate System Routes to Default Route Table of Transit Router After this feature is enabled, the inter-region connection is associated with the default route tables of the transit routers in the connected regions. Automatically Advertise Routes to Peer Region After this feature is enabled, the routes in the route table of the transit router in the current region are automatically advertised to the route table of the peer transit router for cross-region communication. The route tables of the transit routers refer to the route tables that are associated with the inter-region connection.

Step 6: Test network connectivity

After you complete the preceding steps, VPC1, VPC2, and VPC3 are connected to each other. This section describes how to test the network connectivity among the VPCs.

1. Test the network connectivity between VPC1 and VPC2.

   1. Log on to an ECS instance in VPC 1. For more information, see Connect to an instance.

   2. On the ECS instance, run the ping command to test whether you can access the ECS instance in VPC2.

      <The IP address of the ECS instance in VPC2>

      The following echo reply packet indicates that VPC1 and VPC2 can communicate with each other.

      

2. Test the network connectivity between VPC1 and VPC3.

   1. Log on to an ECS instance in VPC 3.

   2. On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC1.

      ping

      <The IP address of the ECS instance in VPC1>

      The following echo reply packet indicates that VPC1 and VPC3 can communicate with each other.

3. Test the network connectivity between VPC2 and VPC3.

   1. Log on to an ECS instance in VPC 3.

   2. On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC2.

      ping

      <The IP address of the ECS instance in VPC2>

      The following echo reply packet indicates that VPC2 and VPC3 can communicate with each other.

Routes

In this topic, the CEN instance automatically learns and advertises routes for the VPCs when you connect the VPCs or create inter-region connections.

• The transit routers in the China (Hangzhou) and China (Qingdao) regions automatically learn routes from VPC1, VPC2, and VPC3.

• The CEN instance automatically adds the following route entries to the route tables of VPC1, VPC2, and VPC3: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops are the network instance connections.

  Network traffic from VPC1, VPC2, and VPC3 is routed to the transit routers. The transit routers enable the VPCs to communicate with each other.