This topic describes how to use Basic Edition transit routers to connect virtual private clouds (VPCs) that are deployed in different regions and owned by different accounts.
Regions that support Basic Edition transit routers
Beginning March 31, 2022, Basic Edition transit routers are supported only in Cloud Connect Network (CCN) regions. By default, other regions support only Enterprise Edition transit routers. If you have Basic Edition transit routers in regions that no longer support Basic Edition transit routers, we recommend that you upgrade to Enterprise Edition, which offers more features and greater networking capacity. For more information, see Upgrade Basic Edition transit routers.
Example
In this example, a Cloud Enterprise Network (CEN) instance is created within Account A, and Basic Edition transit routers are deployed in the China (Guangzhou) and China (Ulanqab) regions. If you do not have a Basic Edition transit router, you can use an Enterprise Edition transit router. For more information, see Use CEN and Enterprise Edition transit routers to connect VPCs in different regions and Alibaba Cloud accounts.
A company uses Account A to deploy a VPC named VPC1 in the China (Guangzhou) region and a VPC named VPC3 in the China (Ulanqab) region. The company uses Account B to deploy a VPC named VPC2 in the China (Guangzhou) region. Elastic Compute Service (ECS) instances are deployed in the VPCs that are isolated from one another. Due to business growth, the company plans to enable communication among the VPCs.
In this case, the company can use CEN to connect VPC1 and VPC2 to the Basic Edition transit router that belongs to Account A in the China (Guangzhou) region. Then, the company can connect VPC3 to the Basic Edition transit router that belongs to Account A in the China (Ulanqab) region. This way, the company can use bandwidth plans to create inter-region connections between the China (Guangzhou) and China (Ulanqab) regions to enable network communication among VPC1, VPC2, and VPC3.
Prerequisites
A VPC is deployed in each of the China (Guangzhou) and China (Ulanqab) regions by using Account A. A VPC is deployed in the China (Guangzhou) region by using Account B. ECS instances are deployed in the VPCs. For more information, see Create an IPv4 VPC.
The following table shows the CIDR blocks that are allocated to the VPCs. Make sure that the CIDR blocks do not overlap.
| Item | VPC1 | VPC2 | VPC3 |
| --- | --- | --- | --- |
| Network instance CIDR blocks | VPC CIDR block: 192.168.0.0/16; vSwitch CIDR block: 192.168.0.0/24 | VPC CIDR block: 10.0.0.0/16; vSwitch CIDR block: 10.0.0.0/24 | VPC CIDR block: 172.16.0.0/16; vSwitch CIDR block: 172.16.0.0/24 |
| Network instance regions | China (Guangzhou) | China (Guangzhou) | China (Ulanqab) |
| Network instance owner account | Account A | Account B | Account A |
| ECS instance IP address | 192.168.0.239 | 10.0.0.121 | 172.16.0.201 |
You must be aware of the security group rules that are applied to the ECS instances in the VPCs. Make sure that the security group rules allow the VPCs to communicate with each other. For more information, see View security group rules and Add a security group rule.
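The two prerequisite checks above (non-overlapping CIDR blocks, and security group rules that admit the peer VPCs) can be run as a pre-flight script before anything is attached. This is an added example, not part of the original documentation: the address plan is copied from the table above, while SAMPLE_SOURCES and the simplified rule format (source CIDRs only) are constructed assumptions and do not reflect any Alibaba Cloud API.

```python
import ipaddress
from itertools import combinations

# Address plan copied from the prerequisites table on this page.
PLAN = {
    "VPC1": {"vpc": "192.168.0.0/16", "vswitch": "192.168.0.0/24", "ecs": "192.168.0.239"},
    "VPC2": {"vpc": "10.0.0.0/16", "vswitch": "10.0.0.0/24", "ecs": "10.0.0.121"},
    "VPC3": {"vpc": "172.16.0.0/16", "vswitch": "172.16.0.0/24", "ecs": "172.16.0.201"},
}

# Constructed sample: inbound source CIDRs per VPC (hypothetical simplified
# view of a security group; protocol and port are left out).
SAMPLE_SOURCES = {
    "VPC1": ["10.0.0.0/16", "172.16.0.0/24"],
    "VPC2": ["192.168.0.0/24"],                 # nothing admits VPC3
    "VPC3": ["192.168.0.0/24", "10.0.1.0/24"],  # wrong /24 for VPC2
}

def check_plan(plan):
    """Return the address-plan problems that would break routing after attachment."""
    problems = []
    nets = {name: ipaddress.ip_network(p["vpc"]) for name, p in plan.items()}
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    for name, p in plan.items():
        vsw = ipaddress.ip_network(p["vswitch"])
        if not vsw.subnet_of(nets[name]):
            problems.append(f"{name} vSwitch {vsw} is outside VPC block {nets[name]}")
        if ipaddress.ip_address(p["ecs"]) not in vsw:
            problems.append(f"{name} ECS address {p['ecs']} is outside vSwitch {vsw}")
    return problems

def blocked_peers(plan, sources):
    """Map each VPC to the peer ECS addresses that none of its source CIDRs admit."""
    blocked = {}
    for name in plan:
        rules = [ipaddress.ip_network(c) for c in sources.get(name, [])]
        gaps = [p["ecs"] for peer, p in plan.items() if peer != name
                and not any(ipaddress.ip_address(p["ecs"]) in r for r in rules)]
        if gaps:
            blocked[name] = gaps
    return blocked

if __name__ == "__main__":
    print(check_plan(PLAN))
    print(blocked_peers(PLAN, SAMPLE_SOURCES))
```

Because the check works on the specific ECS addresses rather than whole VPC blocks, a rule scoped to a peer vSwitch /24 passes, so the security groups do not have to be opened to entire /16 ranges to satisfy it.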
Step 1: Grant permissions to the accounts
Before you can connect VPC2 that belongs to Account B to the transit router that belongs to Account A, you must grant the required permissions to Account A. Otherwise, the transit router that belongs to Account A cannot connect to VPC2.
Log on to the VPC console with Account B.
In the top navigation bar, select the region where VPC2 is deployed. In this example, China (Guangzhou) is selected.
On the VPCs page, find and click the ID of VPC2.
Click the Cross-account Authorization tab. On the Cloud Enterprise Network tab, click Authorize Cross Account Attach CEN.
In the Attach to CEN dialog box, configure the parameters and click OK. The following table lists the parameters.
| Parameter | Description |
| --- | --- |
| Peer Account UID | Enter the ID of the Alibaba Cloud account to which the transit router belongs. In this example, the ID of Account A is used. |
| Peer Account CEN ID | Enter the ID of the CEN instance to which the transit router belongs. In this example, the ID of the CEN instance that belongs to Account A is used. |
| Payer | Select a payment account. CEN Instance Owner: The Alibaba Cloud account to which the transit router belongs pays the connection and data transfer fees of the VPC. This is the default value. VPC Owner: The Alibaba Cloud account to which the VPC belongs pays the connection and data transfer fees of the VPC. In this example, the default value is used. Note: If you use Basic Edition transit routers to connect VPCs, connections and data transfer are free of charge. |
Step 2: Connect the VPCs to the transit router
After Account A is granted the required permissions, you must connect VPC1, VPC2, and VPC3 to the transit router that belongs to Account A. This establishes network communication among the VPCs.
Log on to the VPC console with Account A.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab, find a transit router in a region, and then click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK:
Network Type: Select the type of network instance that you want to attach.
Region: Select the region where the network instance is deployed.
Transit Router: The transit router in the selected region is automatically displayed.
Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs.
Network Instance: Select the ID of the network instance that you want to attach.
The system connects VPC1, VPC2, and VPC3 to the transit router that belongs to Account A based on the preceding settings. The following table lists the settings of each VPC.
| Parameter | VPC1 | VPC2 | VPC3 |
| --- | --- | --- | --- |
| Network Type | VPC | VPC | VPC |
| Region | China (Guangzhou) | China (Guangzhou) | China (Ulanqab) |
| Resource Owner ID | Current Account | Different Account. If you select Different Account, you must specify the ID of Account B. | Current Account |
| Network Instance | VPC1 | VPC2 | VPC3 |
After you complete the preceding steps, VPC1, VPC2, and VPC3 automatically learn routes from each other. VPC1 and VPC2 can communicate with each other. Inter-region connections are established between VPC1 and VPC3, and between VPC2 and VPC3. By default, CEN provides 1 Kbit/s of bandwidth for connectivity testing (IPv4 addresses). The bandwidth is used only for testing and does not support service-level inter-region connections. For example, you can create an ECS instance in each VPC and run the ping command on the ECS instances to test connectivity.
Step 3: Purchase a bandwidth plan
To establish connections between VPC1 and VPC3, and between VPC2 and VPC3, you must purchase a bandwidth plan that provides bandwidth for inter-region connections.
Log on to the VPC console with Account A.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the details page of the CEN instance, choose , and click Purchase Bandwidth Plan (Subscription).
On the buy page, configure the parameters, click Buy Now, and then complete the payment.
| Parameter | Description |
| --- | --- |
| CEN ID | Select the CEN instance for which you want to purchase the bandwidth plan. After you complete the payment, the bandwidth plan is automatically associated with the CEN instance. In this example, the CEN instance that belongs to Account A is selected. |
| Area A | Select one of the areas where you want to enable inter-region communication. In this example, Mainland China is selected. Note: You cannot change the areas after the bandwidth plan is purchased. For more information, see Work with a bandwidth plan. |
| Area B | Select the other area where you want to enable inter-region communication. In this example, Mainland China is selected. |
| Billing Method | The billing method of the bandwidth plan is displayed. Default value: Pay-By-Bandwidth. For more information, see Billing. |
| Bandwidth | Select a maximum bandwidth value based on your business requirements. Unit: Mbit/s. |
| Bandwidth Package Name | Enter a name for the bandwidth plan. |
| Order time | Select a subscription duration for the bandwidth plan. You can select Auto-renewal to enable auto-renewal for the bandwidth plan. |
Step 4: Create an inter-region connection
Log on to the VPC console with Account A.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the tab and click Assign Bandwidth.
On the Connection with Peer Network Instance page, configure the parameters and click OK. The following table lists the parameters.
| Parameter | Description |
| --- | --- |
| Network Type | Select Inter-region Connection. |
| Region | Select one of the regions to be connected. In this example, China (Guangzhou) is selected. |
| Transit Router | The ID of the transit router in the selected region is automatically displayed. |
| Peer Region | Select the other region to be connected. In this example, China (Ulanqab) is selected. |
| Transit Router | The ID of the transit router in the selected region is automatically displayed. |
| Tag | Add tags to the inter-region connection. In this example, no tag is added to the inter-region connection. |
| Bandwidth Plan | Select a bandwidth plan that is associated with the CEN instance. |
| Bandwidth | Specify a maximum bandwidth value for the inter-region connection. Unit: Mbit/s. |
Step 5: Test network connectivity
After you complete the preceding steps, VPC1, VPC2, and VPC3 are connected to each other. This section describes how to test the network connectivity between the VPCs.
In this example, ECS instances in VPC1, VPC2, and VPC3 run the Alibaba Cloud Linux operating system. For more information about how to use the ping command on other operating systems, see the manual of the operating system that you use.
Test the network connectivity between VPC1 and VPC2.
Log on to an ECS instance in VPC1. For more information, see Connection method overview.
On the ECS instance, run the ping command to test whether you can access the ECS instance in VPC2.
ping <The IP address of the ECS instance in VPC2>
The following echo reply packet indicates that VPC1 can communicate with VPC2.
Test the network connectivity between VPC1 and VPC3.
Log on to an ECS instance in VPC3.
On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC1.
# Send a ping packet that is 2,000 bytes in length to test whether VPC1 and VPC3 can communicate with each other across regions.
ping <The IP address of the ECS instance in VPC1> -s 2000
The following echo reply packet indicates that VPC1 can communicate with VPC3.
Test the network connectivity between VPC2 and VPC3.
Log on to an ECS instance in VPC3.
On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC2.
# Send a ping packet that is 2,000 bytes in length to test whether VPC2 and VPC3 can communicate with each other across regions.
ping <The IP address of the ECS instance in VPC2> -s 2000
The following echo reply packet indicates that VPC2 can communicate with VPC3.