Transit routers can be used to establish network communication between network instances and forward network traffic within a region or across regions. Transit routers support a range of routing features. You can configure routes to define how traffic is forwarded between network instances.
How Enterprise Edition transit routers work
Connect network instances
You can connect the following network instances to an Enterprise Edition transit router:
One or more virtual private clouds (VPCs)
In regions where Enterprise Edition transit routers are available in only one zone, such as China (Nanjing - Local Region), make sure that the VPC to be connected has at least one vSwitch in the zone and that the vSwitch has at least one available IP address. When you connect the VPC to the Enterprise Edition transit router, an elastic network interface (ENI) is created in the vSwitch. The ENI occupies one IP address in the vSwitch and forwards network traffic between the VPC and Enterprise Edition transit router.
In regions where Enterprise Edition transit routers are available in more than one zone, such as China (Hangzhou), make sure that the VPC to be connected has at least two vSwitches. The vSwitches need to be located in different zones, with each having an available IP address. When you connect the VPC to the Enterprise Edition transit router, an ENI is created in each of the vSwitches. Each ENI occupies one IP address in the vSwitch and forwards network traffic between the VPC and Enterprise Edition transit router. The two vSwitches support zone-disaster recovery to ensure uninterrupted data transmission between the VPC and the transit router.
Note: For information about the regions and zones that support Enterprise Edition transit routers, see What is CEN?.
If your Enterprise Edition transit router is deployed in a region that supports multiple zones, we recommend that you create a vSwitch in each of the zones for VPC connections. Make sure that each vSwitch has at least one idle IP address. This way, the network latency is reduced and the network performance is improved due to shorter data transmission distance. For more information, see VPC connection routing principles.
Routing
After network instances are connected to an Enterprise Edition transit router, routes of the network instances are stored in route tables. The Enterprise Edition transit router forwards traffic of the network instances based on the routes in the route table.
Each Enterprise Edition transit router has a default route table. You can also create custom route tables for Enterprise Edition transit routers. Default route tables are isolated from custom route tables for access control.
Associated forwarding controls how network traffic is forwarded. An Enterprise Edition transit router looks up routes for a network instance only after the network instance connection has been associated with a route table of the transit router.
Each network instance connection can be associated with only one route table of an Enterprise Edition transit router.
Route learning controls how a network instance advertises its routes. The routes of a network instance are advertised to a route table only after you enable route learning between the network instance connection and that route table.
A network instance connection can have route learning enabled with one or more route tables of the Enterprise Edition transit router. Its routes are then advertised to each of those route tables.
You can add custom routes to the route tables of an Enterprise Edition transit router to manage traffic forwarding.
Default route behavior
After a network instance is connected to an Enterprise Edition transit router, the transit router does not advertise any routes to the network instance by default. Enable route synchronization if you want the routes in the transit router route table to be advertised to the network instance. For more information, see Route Synchronization.
Route priority
Traffic that enters an Enterprise Edition transit router is routed by Longest Prefix Match: the route whose destination CIDR block is the most specific match for the destination address is used. When multiple routes have the same destination CIDR block, the transit router decides which route to use in the following order:
First, it checks for routing conflicts.
Note: Do not create primary and secondary routes or ECMP routes with identical destination CIDR blocks between different VPCs, or between VPCs and on-premises networks. When an Enterprise Edition transit router receives a new route whose destination CIDR block conflicts with an existing route, it reports a routing conflict and does not install the new route. The newly connected network therefore cannot reach that destination, while traffic to the existing network is left undisturbed.
A new route is flagged as a routing conflict in the following cases:
A static or dynamic route that points to a VPC connection already exists for the same destination.
A dynamic route learned from a VPC instance already exists for the same destination.
The new route is learned from a VPC instance, and a static or dynamic route that does not come from a VPC instance already exists for the same destination.
Second, for route entries with the same destination CIDR block that do not conflict, the route priority is determined by comparing the following items in order:
Custom route entries have the highest priority. Custom routes of a transit router and routes added from prefix lists have the same priority; when both exist for the same destination, they automatically form ECMP routes.
If no custom route entry exists for the destination, route entries added from prefix lists take precedence over automatically learned routes.
If all route entries are automatically learned, the priority is determined based on the source resources and listed in descending order: VBR instances or Express Connect Router (ECR) instances > Cloud Connect Network (CCN) instances > IPsec connections (VCO).
If the source resources of the route entries are the same, the BGP AS_PATH attribute is compared. Routes with shorter BGP AS_PATH length are preferred.
If BGP AS_PATH lengths are the same, routes whose source resources are in the same region as the Enterprise Edition transit router take higher precedence over those from different regions.
If the source resources are in the same region, the priority is determined by the route priority defined in routing policies. The smaller the value, the higher the priority.
If the route entries apply no routing policy or the same routing policy, the priority is determined based on the following principles:
If the source resources of route entries are located in the same region as the transit router, these entries will automatically form ECMP routes.
If the source resources of the route entries are located in a different region from the transit router, the entries are ranked by the region ID of their next-hop transit routers. The entry whose next-hop region ID sorts first alphabetically is preferred.
Important: The route tables of Enterprise Edition transit routers support the Multi-region ECMP Routing for VBRs feature. When it is enabled, the system no longer compares the region IDs of next-hop transit routers for entries learned from VBR instances; those entries automatically form ECMP routes.
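The selection logic above is easier to reason about when written down as a comparator. The following Python model is an added illustration and is not Alibaba Cloud code: it applies Longest Prefix Match, the three routing-conflict rules and the tie-breaking order from this section to a constructed route table. Connection names, region IDs, AS_PATH lengths, the sentinel used for "no routing policy", and the layout of the Route record are all assumptions made for the illustration.

```python
"""Route selection model for an Enterprise Edition transit router route table.

Added illustration, not Alibaba Cloud code. It applies Longest Prefix Match, the
routing-conflict rules and the tie-breaking order described on this page to a
constructed route table. Connection names, region IDs, AS_PATH lengths and
routing-policy priorities are assumptions made for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Descending priority of learned routes (page: VBR or ECR > CCN > VCO). VPC-learned
# entries never compete: a same-CIDR pair that involves a VPC is a routing conflict.
LEARNED_RANK = {"VBR": 0, "ECR": 0, "CCN": 1, "VCO": 2, "VPC": 3}
NO_POLICY = 1 << 30  # sentinel for "no routing policy applied" (assumption)

@dataclass(frozen=True)
class Route:
    cidr: str
    next_hop: str            # connection the traffic is forwarded to
    origin: str              # CUSTOM, PREFIX_LIST, or learned from VBR, ECR, CCN, VCO, VPC
    next_hop_kind: str       # instance type behind next_hop: VPC, VBR, ECR, CCN, VCO
    src_region: str          # region of the source resource
    as_path_len: int = 0     # BGP AS_PATH length; 0 for non-BGP entries
    policy_priority: int = NO_POLICY  # routing-policy priority, smaller wins
    next_hop_tr_region: str = ""      # region ID of the next-hop transit router (cross-region)

class RouteConflict(Exception):
    pass

def is_conflict(existing: Route, new: Route) -> bool:
    """The page's three conflict rules reduce to: the existing entry points to a VPC
    connection (static, or learned from that VPC), or the new entry was learned from a VPC."""
    return existing.cidr == new.cidr and (existing.next_hop_kind == "VPC" or new.origin == "VPC")

def add_route(table: List[Route], new: Route) -> None:
    """Install new, or reject it rather than create a conflicting pair."""
    for existing in table:
        if is_conflict(existing, new):
            raise RouteConflict(f"{new.cidr}: conflicts with existing entry via {existing.next_hop}")
    table.append(new)

def rank_key(r: Route, tr_region: str, multi_region_vbr_ecmp: bool) -> tuple:
    """Sort key in the page's comparison order: smaller is preferred; equal keys form ECMP."""
    if r.origin in ("CUSTOM", "PREFIX_LIST"):
        return (0, 0, 0, 0, 0, "")  # custom and prefix-list entries are peers at the top
    same_region = r.src_region == tr_region
    # Cross-region entries rank by next-hop transit router region ID, unless
    # Multi-region ECMP Routing for VBRs is enabled and the entry came from a VBR.
    ecmp_across_regions = multi_region_vbr_ecmp and r.origin == "VBR"
    region_tiebreak = "" if same_region or ecmp_across_regions else r.next_hop_tr_region
    return (1, LEARNED_RANK[r.origin], r.as_path_len, 0 if same_region else 1,
            r.policy_priority, region_tiebreak)

def select(table: List[Route], dst: str, tr_region: str,
           multi_region_vbr_ecmp: bool = False) -> List[Route]:
    """Return the ECMP set used to forward a packet to dst; empty if nothing matches."""
    ip = ip_address(dst)
    matches = [r for r in table if ip in ip_network(r.cidr)]
    if not matches:
        return []
    longest = max(ip_network(r.cidr).prefixlen for r in matches)  # Longest Prefix Match
    candidates = [r for r in matches if ip_network(r.cidr).prefixlen == longest]
    best = min(rank_key(r, tr_region, multi_region_vbr_ecmp) for r in candidates)
    return [r for r in candidates if rank_key(r, tr_region, multi_region_vbr_ecmp) == best]

def build_table() -> List[Route]:
    """Constructed sample table of a transit router in cn-hangzhou (all values assumed)."""
    table: List[Route] = []
    for r in (
        Route("10.1.0.0/16", "tr-attach-custom", "CUSTOM", "VBR", "cn-hangzhou"),
        Route("10.1.0.0/16", "tr-attach-vbr1", "VBR", "VBR", "cn-hangzhou", as_path_len=2),
        Route("10.1.0.0/16", "tr-attach-ccn1", "CCN", "CCN", "cn-hangzhou"),
        Route("10.1.2.0/24", "tr-attach-vbr2", "VBR", "VBR", "cn-hangzhou", as_path_len=4),
        # Same VBR prefix learned in two other regions via peer transit routers.
        Route("10.2.0.0/16", "tr-peer-shanghai", "VBR", "VBR", "cn-shanghai", next_hop_tr_region="cn-shanghai"),
        Route("10.2.0.0/16", "tr-peer-beijing", "VBR", "VBR", "cn-beijing", next_hop_tr_region="cn-beijing"),
        Route("10.3.0.0/16", "tr-attach-vpc1", "VPC", "VPC", "cn-hangzhou"),
    ):
        add_route(table, r)
    return table

def next_hops(dst: str, multi_region_vbr_ecmp: bool = False) -> List[str]:
    """Next hops the sample table selects for dst (sorted, so ECMP sets compare stably)."""
    return sorted(r.next_hop for r in select(build_table(), dst, "cn-hangzhou", multi_region_vbr_ecmp))

def conflicting(new: Route) -> bool:
    """True if adding new to the sample table is reported as a routing conflict."""
    try:
        add_route(build_table(), new)
    except RouteConflict:
        return True
    return False

if __name__ == "__main__":
    print(next_hops("10.1.2.5"), next_hops("10.1.9.9"))        # LPM; custom beats learned
    print(next_hops("10.2.0.1"), next_hops("10.2.0.1", True))  # region ID vs multi-region ECMP
    print(conflicting(Route("10.3.0.0/16", "tr-attach-vbr3", "VBR", "VBR", "cn-hangzhou")))
```

Two points the model makes visible: a conflict is detected per destination CIDR block and rejects the new entry rather than the existing one, so the order in which network instances are attached decides which side loses reachability; and a custom route is an unconditional override for its prefix, so adding one to a transit router route table silently demotes every learned route for that prefix.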
IPv6 Description
Enterprise Edition transit routers are capable of learning and propagating IPv6 routes as well as forwarding IPv6 traffic. By connecting VPC, ECR, and VBR instances to the transit router, you can enable IPv6 communication for the associated local networks in the same region or across regions.
Network instances supported by IPv6
| Network instance | Description |
| --- | --- |
| Enterprise Edition transit router | IPv6 network communication is enabled by default when the transit router is created. |
| VPC | IPv6 network communication is supported, provided that the VPC meets the prerequisites for IPv6 communication through an Enterprise Edition transit router. |
| ECR | IPv6 network communication is enabled by default when the ECR instance is created. |
| VBR | IPv6 network communication is supported. To enable IPv6 communication through an Enterprise Edition transit router, IPv6 must be enabled on the VBR instance. For more information, see Create a VBR. |
| IPsec-VPN connection | IPv6 network communication is not supported. |
| Cloud Connect Network (CCN) | IPv6 network communication is not supported. |
Limits
The multicast feature does not support IPv6 network communication.
IPv6 route entries consume the route table entry quota of the transit routers.
For example, if a transit router allows at most 10,000 route entries, the IPv4 and IPv6 entries together must stay within that quota.
IPv4 and IPv6 traffic and routing behaviors are aligned for all features of transit routers, with the exception of the following scenarios.
When you select Automatically Create Route That Points to Transit Router and Add to All Route Tables of Current VPC while creating a VPC connection, the system adds three custom route entries, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, to all route tables of the VPC, with the transit router as the next hop. These entries direct only IPv4 traffic to the transit router; no IPv6 routes are added automatically.
To enable IPv6 communication through the transit router for a VPC, either enable route synchronization after you create the VPC connection, or manually add IPv6 route entries that point to the transit router in the VPC route tables. Without such entries, IPv6 traffic is not routed to the transit router. For more information, see Use Enterprise Edition transit routers to establish IPv6 communication among VPCs in different regions.
How Basic Edition transit routers work
Beginning March 31, 2022, Basic Edition transit routers are supported only in CCN areas. They are not available for purchase in Alibaba Cloud regions. By default, only Enterprise Edition transit routers are available for purchase in Alibaba Cloud regions. If your Basic Edition transit routers reside in regions that no longer support Basic Edition transit routers, we recommend that you upgrade to Enterprise Edition, which supports more features and greater networking capacity. For more information, see Upgrade Basic Edition transit routers.
Connecting network instances
You can connect the following network instances to a Basic Edition transit router:
Manage routes
After network instances are connected to a Basic Edition transit router, routes of the network instances are stored in route tables. The Basic Edition transit router forwards traffic of the network instances based on the routes of the route table.
Each Basic Edition transit router has one default route table. You cannot create custom route tables for Basic Edition transit routers.
After network instances are connected to a Basic Edition transit router, all routes of the network instances are advertised to the default route table of the Basic Edition transit router. Then, the Basic Edition transit router advertises the routes to all network instances that are also connected to the transit router to enable communication among the network instances.
You can configure routing policies for the route table of a Basic Edition transit router to control route advertisement: a routing policy specifies whether the routes in the route table are advertised to the network instances connected to the transit router, and can also modify the attributes of those routes.
If both VBRs and CCN instances are connected to a Basic Edition transit router, the system automatically creates a routing policy whose priority is 5000, action is Reject, and direction is Egress Regional Gateway. This routing policy forbids the VBRs and CCN instances from communicating with other VBRs and CCN instances that are also connected to the Basic Edition transit router. For more information, see Default routing policy.