Create a VPC connection

This topic describes how to use transit routers to connect a virtual private cloud (VPC) to other networks, such as VPCs in the same region, VPCs in different regions, and data centers. After you connect a VPC to the transit router in the region, the VPC can communicate with other network instances that are also connected to the transit router. For example, you can establish network communication among VPCs in the same region or in different regions, and among VPCs and data centers.

Use an Enterprise Edition transit router

Note

This section describes how to use an upgraded Enterprise Edition transit router to connect VPCs. For more information about how to use an unupgraded transit router, see How do I use an unoptimized Enterprise Edition transit router to create a VPC connection?

For more information about how to optimize Enterprise Edition transit routers, see Announcement: Optimization on VPC-connected Enterprise Edition transit routers.

How a VPC connection works

An Enterprise Edition transit router supports one or more zones in a region. For more information, see Regions and zones that support Enterprise Edition transit routers.

If an Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), make sure that the VPC has at least one vSwitch in the zone before you create a VPC connection on the Enterprise Edition transit router. The vSwitch must have at least one idle IP address. When you connect the VPC to the Enterprise Edition transit router, the transit router creates an elastic network interface (ENI) on the vSwitch of the VPC. The ENI occupies one IP address on the vSwitch and forwards network traffic between the VPC and the transit router.
If an Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), make sure that the VPC has at least two vSwitches in the zones before you create a VPC connection on the Enterprise Edition transit router. The vSwitches must be deployed in different zones and each vSwitch must have at least one idle IP address. When you connect the VPC to the Enterprise Edition transit router, the transit router creates an ENI in each of the vSwitches. Each ENI occupies one IP address in the vSwitch and forwards network traffic between the VPC and the transit router. The two vSwitches support zone-disaster recovery to ensure uninterrupted data transmission between the VPC and the transit router.
Note
- Ensure that an idle IPv6 address exists when you enable the IPv6 function upon creating a VPC connection. The Enterprise Edition transit router occupies an IPv4 address and an IPv6 address in the VPC when creating an ENI.
- If your Enterprise Edition transit router supports multiple zones, we recommend that you create a vSwitch in each of the zones and make sure that each vSwitch has at least one idle IP address for creating VPC connections. This way, the network latency is reduced and the network performance is improved due to shorter data transmission distance. For more information about how network traffic is forwarded between the VPC and the transit router, see the How routes are selected for a VPC connection section in this topic.

创建VPC连接-2023年02

How routes are selected for a VPC connection

After a VPC is connected to an Enterprise Edition transit router, network traffic from the VPC is forwarded over the shortest route to reduce network latency. This section describes how an Enterprise Edition transit router selects routes for a VPC connection.

Route selection is performed three times to send a request from the initiator to the acceptor over a VPC connection.

No.	Description
①	The first routing. When the request is forwarded from the initiator to the Enterprise Edition transit router, it undergoes the first routing process based on the following criteria: After the initiator sends the request, the system queries the route table associated with the vSwitch of the initiator and forwards the request. If the route table contains a custom route whose next hop is the ENI of the transit router (an ENI that is created in the vSwitch of the transit router), the request is routed to the ENI and then enters the transit router through the ENI. If the route table does not contain such a custom route, the request is routed to the ENI of the transit router that is associated with the initiator network connection. If the zone where the initiator vSwitch is located is associated with the transit router, the request is routed to the ENI in that zone and then routed to the Enterprise Edition transit router through the ENI. Click to view the example If the zone where the initiator vSwitch is located is not associated with the transit router, the request is routed to the default ENI that is associated with the initiator network connection (when the VPC connection is created, the transit router randomly selects one ENI as the default ENI) and then routed to the transit router through the ENI. Click to view the example
②	The second routing. When the request is forwarded from the Enterprise Edition transit router to the acceptor network instance, it undergoes a second routing process based on the following criteria: After the Enterprise Edition transit router receives the request, it queries the route table associated with the initiator network connection. The Enterprise Edition transit router finds the next hop and then routes the request to the ENI associated with the acceptor network connection. If the zone where the source ENI is located is associated with the acceptor VPC connection, the request is routed to the Enterprise Edition transit router ENI in that zone and then to the acceptor network instance through the ENI. Click to view the example If the zone where the source ENI is located is not associated with the acceptor VPC connection, the request is routed to the default ENI of the acceptor network connection (when the VPC connection is created, the transit router randomly selects one ENI as the default ENI) and then to the acceptor network instance through the ENI. Click to view the example
③	The third routing. When the request undergoes the third routing process, the system routes it to the acceptor based on the route table associated with the vSwitch that accepts the request. Click to view the example

Prerequisites

An Enterprise Edition transit router has been created in the region where the VPC resides. For more information, see Create a transit router.
The VPC has sufficient vSwitches in the zone supported by the Enterprise Edition transit router. Each vSwitch has at least one idle IP address. For more information about how to create a vSwitch, see Create a vSwitch.
- If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.
- If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.
You can connect an Enterprise Edition transit router to a VPC that belongs to either the same account or different accounts. If the VPC and the transit router belong to different Alibaba Cloud accounts, the transit router must acquire the required permissions from the account to which the VPC belongs. For more information, see Acquire permissions to connect to a network instance that belongs to another account.
To realize IPv6 network communication through the Enterprise Edition transit router, ensure that the IPv6 feature is enabled for the VPC. For more information, see Enable IPv6 for a VPC.

Procedure

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Information > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the parameters and click OK. The following table outlines the parameters:

Note

When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN, which allows the transit router to create an ENI in a vSwitch to forward data between the VPC and the transit router. For more information about service-linked roles, see AliyunServiceRoleForCEN.

Parameter	Description
Instance Type	Select Virtual Private Cloud (VPC).
Region	Select the region where the network instance to be connected is located.
IPv6	Specify whether to enable IPv6 for the VPC connection. This feature is disabled by default. If the VPC instance requires IPv6 communication through the Enterprise Edition transit router, you must enable this feature. Note You can enable IPv6 for existing VPC connections. For more details, see Enable IPv6 for a VPC Connection.
Transit Router	The system automatically displays the transit routers created in the current region.
Resource Owner ID	Select the Alibaba Cloud account type to which the network instance belongs. Transit routers support connections to network instances in the same or different accounts: If the network instance and the transit router instance belong to the same Alibaba Cloud account, select Same Account. If they belong to different accounts, select Cross-account, and enter the account ID (primary account) of the network instance.
Billing Method	The billing method for the transit router is set to Pay-as-you-go by default. For details about the pay-as-you-go billing rules, see Billing Description.
Attachment Name	Enter a name for the VPC connection.
Tag	Add tags to the VPC connection. Tag Key: The tag key can be up to 64 characters in length. It cannot be an empty string or start with `acs:` or `aliyun` or contain `http://` or `https://`. Tag Value: The tag value can be an empty string with a maximum length of 128 characters. It cannot start with `acs:` or `aliyun` or contain `http://` or `https://`. You can add multiple tags to a VPC connection. For more information about tags, see Tags.
Network Instance	Select the VPC instance to be connected.
VSwitch	Select vSwitch instances in zones supported by the transit router. If the Enterprise Edition transit router is deployed in a region that supports only one zone, select a vSwitch in the zone. If it is deployed in a region that supports multiple zones, select at least two vSwitches that are in different zones for zone-disaster recovery. This ensures uninterrupted data transmission between the VPC and the transit router. We recommend that you select a vSwitch in each zone to reduce latency and improve network performance because data can be transmitted over a shorter distance.
Advanced Settings	When you create a VPC connection, the system enables the following features in the advanced settings by default: Associate with Default Route Table of Transit Router When enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards traffic based on the default route table. Propagate System Routes to Default Route Table of Transit Router After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router. Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of the routes point to the VPC. The routes are used to forward IPv4 traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs. Important If the route table of the VPC already contains routes with destination CIDR blocks 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, the system cannot automatically advertise these routes. You must manually add routes pointing to the VPC connection to enable communication between the VPC and the transit router. You can click Initiate Route Check to check whether the above routes exist in the network instance. If the VPC instance requires IPv6 communication, after creating the VPC connection, you must enable the route synchronization feature for the VPC connection or manually add an IPv6 route entry pointing to the VPC connection in the VPC. Only then can the IPv6 traffic enter the transit router. You can disable these advanced features by clearing the checkboxes. If you want to customize the connectivity of the VPC instance, you can configure associated forwarding and route learning on the transit router. For specific steps, see Route Management.

After the VPC connection is created, you can view the details about the connection on the Intra-region Connections tab. For more information, see View network instance connections.

Related operations

Edit the zone and vSwitch of a VPC connection

After you create a VPC connection, you can change the zone and vSwitch of the VPC connection. Before you begin, make sure that no routes of the VPC point to the ENI of an Enterprise Edition transit router. For more information, see Create and manage a route table.

Warning

If you change the vSwitch of a VPC connection, the connection may be interrupted for up to 15 seconds. Proceed with caution.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.
On the Intra-region Connections tab, find the target VPC connection and click the VPC connection ID.
In the Attachment Details panel, click Change Zone/Subnet in the Associated Instances section.
In the Change Zone/Subnet dialog box, find the Select Zone/Subnet section, select the target zone, choose the vSwitch, and click OK.
After modification, the zone and vSwitch that you select are associated with the VPC connection.
For example, the VPC connection is associated with Zone A and vSwitch A1, which is deployed in Zone A. The following rules apply when you change the zone and vSwitch in the Change Zone/Subnet dialog box:
- If you select Zone A and vSwitch A2, which is deployed in Zone A, the VPC connection is associated with Zone A and vSwitch A2 after you click OK.
  The VPC connection is automatically disassociated from vSwitch A1.
- If you select Zone B, vSwitch B1 (deployed in Zone B), Zone C, and vSwitch C1 (deployed in Zone C), the VPC connection is associated with Zone B, vSwitch B1, Zone C, and vSwitch C1 after you click OK.
  The VPC connection is automatically disassociated from Zone A and vSwitch A1.
- If you select Zone A, vSwitch A1 (deployed in Zone A), Zone C, and vSwitch C1 (deployed in Zone C), the VPC connection is associated with Zone A, vSwitch A1, Zone C, and vSwitch C1 after you click OK.
  The VPC is automatically associated with Zone C and vSwitch C1.
Note
After a VPC connection is associated with another vSwitch, the ENI of the previous vSwitch is automatically deleted.

Modify the transit router route table associated with a VPC connection

After you create a VPC connection, you can modify the transit router route table that is associated with the VPC connection.

Warning

If the VPC connection has route synchronization enabled, the routes synchronized to the VPC are withdrawn after the route table is modified. Then, the routes in the modified route table are synchronized to all the route tables of the VPC. For more information, see Route synchronization.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Information > Transit Router tab, click the transit router instance ID in the destination region.
On the Intra-region Connections tab, find the VPC connection and click the VPC connection ID.
In the Attachment Details panel, in the Basic Information section, click Modify next to Associated Route Table.
In the Modify Route Table dialog box, select the target route table and then click OK.

Enable IPv6 for an existing VPC connection

If a VPC needs to communicate over an IPv6 network through an Enterprise Edition transit router, you need to enable IPv6 for the VPC connection. For an existing VPC connection that does not have IPv6 enabled, you can activate it by performing the following steps:

Before enabling IPv6 for the VPC connection, ensure that the VPC has IPv6 enabled. For more information, see Enable IPv6 for a VPC.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Information > Transit Router tab, click the transit router instance ID in the target region.
On the Intra-region Connections tab, find the VPC connection, and click Enable in the IPv6 column.
When prompted, click OK.

Disable IPv6 for a VPC connection

If an IPv6 network communication is no longer needed, you can disable the feature. Make sure the following prerequisites are met before turning it off:

The route table of the VPC does not have an IPv6 route entry that points to the VPC connection or ENI of the Enterprise Edition transit router as the next hop. For more information, see Add and delete routes.
The route table of the Enterprise Edition transit router does not have an IPv6 route entry that points to the VPC connection as the next hop. For more information, see Delete a custom route from a route table of an Enterprise Edition transit router.
The route table of the Enterprise Edition transit router does not have an IPv6 prefix list that points to the VPC connection. For more information, see Disassociate a prefix list from a transit router route table.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Information > Transit Router tab, click the instance ID of the transit router in the target region.
On the Intra-region Connections tab, locate the VPC connection. In the IPv6 column, click Disable.
When prompted, click OK.

Use a Basic Edition transit router

The Basic Edition transit router supports connecting VPCs that belong to either the same or different accounts. Before you create a cross-account VPC connection, make sure that you acquire the permissions from the peer VPC account. For more information, see cross-account instance authorization.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Information > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, configure the network instance information as follows, and then click OK To Create.

Parameter	Description
Instance Type	Select Virtual Private Cloud (VPC).
Region	Select the region where the network instance is deployed.
Transit Router	The transit router instance in the selected region is displayed.
Resource Owner UID	Select the Alibaba Cloud account type to which the network instance belongs. Transit routers support connections to network instances in the same or different accounts: If the network instance and the transit router instance belong to the same Alibaba Cloud account, select Same Account. If they belong to different accounts, select Cross-account, and enter the account ID (primary account) of the network instance.
Network Instance	Select the network instance that you want to connect.

After the VPC connection is created, you can view the information about the VPC connection on the Intra-region Connections tab of the transit router instance product page. For more information, see view network instance connections.

Create VPC connections by calling APIs

You can call APIs to create VPC connections using tools such as Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service. For more information, see the following API references:

CreateTransitRouterVpcAttachment: Create a VPC connection on an Enterprise Edition transit router.
UpdateTransitRouterVpcAttachmentAttribute: Modify the name and description of a VPC connection under an Enterprise Edition transit router.
UpdateTransitRouterVpcAttachmentZones: Modify the zones and vSwitches associated with a VPC connection on an Enterprise Edition transit router.
ListTransitRouterVpcAttachments: Query information about VPC connections on an Enterprise Edition transit router.
AttachCenChildInstance: Create a VPC connection by using a Basic Edition transit router.