Use transit routers to connect a VPC to network instances in the same region or across regions - Cloud Enterprise Network

This topic describes how to use transit routers to connect a virtual private cloud (VPC) to other networks, such as VPCs in the same region, VPCs in different regions, and data centers. After you connect a VPC to the transit router in the region, the VPC can communicate with other network instances that are also connected to the transit router. For example, you can establish network communication among VPCs in the same region or in different regions, and among VPCs and data centers.

Create a VPC connection

Use an Enterprise Edition transit router to connect VPCs

Note

This section describes how to use an upgraded Enterprise Edition transit router to connect VPCs. For more information about how to use an unoptimized Enterprise Edition transit router to connect VPCs, see How do I use an unoptimized Enterprise Edition transit router to create a VPC connection?

For more information about how to optimize Enterprise Edition transit routers, see Announcement: Optimization on VPC-connected Enterprise Edition transit routers.

How a VPC connection works

An Enterprise Edition transit router supports one or more zones in a region. For more information, see Regions and zones that support Enterprise Edition transit routers.

If an Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), make sure that the VPC has at least one vSwitch in the zone before you create a VPC connection on the Enterprise Edition transit router. The vSwitch must have at least one idle IP address. When you connect the VPC to the Enterprise Edition transit router, the transit router creates an elastic network interface (ENI) on the vSwitch of the VPC. The ENI occupies one IP address on the vSwitch and forwards network traffic between the VPC and the transit router.
If an Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), make sure that the VPC has at least two vSwitches in the zones before you create a VPC connection on the Enterprise Edition transit router. The vSwitches must be deployed in different zones and each vSwitch must have at least one idle IP address. When you connect the VPC to the Enterprise Edition transit router, the transit router creates an ENI in each of the vSwitches. Each ENI occupies one IP address in the vSwitch and forwards network traffic between the VPC and the transit router. The two vSwitches support zone-disaster recovery to ensure uninterrupted data transmission between the VPC and the transit router.
Note
- Ensure that an idle IPv6 address exists when you enable the IPv6 function upon creating an VPC connection. The Enterprise Edition transit router occupies an IPv4 address and an IPv6 address in the VPC when creating an elastic network interface (ENI).
- If your Enterprise Edition transit router supports multiple zones, we recommend that you create a vSwitch in each of the zones and make sure that each vSwitch has at least one idle IP address for creating VPC connections. This way, the network latency is reduced and the network performance is improved due to shorter data transmission distance. For more information about how network traffic is forwarded between the VPC and the transit router, see the "How routes are selected for a VPC connection" section in this topic.

创建VPC连接-2023年02

How routes are selected for a VPC connection

After a VPC is connected to an Enterprise Edition transit router, network traffic from the VPC is forwarded over the shortest route to reduce network latency. This section describes how an Enterprise Edition transit router selects routes for a VPC connection.

Route selection is performed three times to send a request from the initiator to the acceptor over a VPC connection.

VPC连接选路原则

No.	Description
①	The first route. The system must select a route between the initiator network and the Enterprise Edition transit router. A route is selected based on the following rules: After the initiator sends the request, the system queries the route table that is associated with the vSwitch of the initiator. If the route table contains a custom route whose next hop is the ENI of the Enterprise Edition transit router, the request is routed to the ENI and then routed to the Enterprise Edition transit router. If the route table does not contain a custom route whose next hop is the ENI of the Edition transit router, the request is routed to the ENI of the Enterprise Edition transit router that is associated with the initiator network connection. If the initiator network connection is associated with the zone where the initiator resides, the request is routed to the ENI of the Enterprise Edition transit router in the zone and then routed to the Enterprise Edition transit router. If the initiator network connection is not associated with the zone where the initiator resides, the request is routed to the ENI of the Enterprise Edition transit router in the first zone associated with the initiator network connection, and then routed to the Enterprise Edition transit router. The first zone was specified when you created the initiator network connection.
②	The second route. The Enterprise Edition transit router must select a route between the Enterprise Edition transit router and the acceptor network. A route is selected based on the following rules: After the Enterprise Edition transit router receives the request, the Enterprise Edition transit router queries the route table that is associated with the acceptor network connection. The Enterprise Edition transit router finds the next hop for the request and then routes the request to the ENI of the Enterprise Edition transit router that is associated with the acceptor network connection. If the acceptor network connection is associated with the zone where the Enterprise Edition transit router that accepts the request resides, the request is routed to the ENI of the Enterprise Edition transit router in the zone and then routed to the acceptor network. If the acceptor network connection is not associated with the zone where the Enterprise Edition transit router that accepts the request resides, the request is routed to the ENI of the Enterprise Edition transit router in the first zone associated with the acceptor network connection and then routed to the acceptor network. The first zone was specified when you created the acceptor network connection.
③	The third route. The system must select a route between the acceptor network and the acceptor. The system routes the request to the acceptor based on the route table that is associated with the vSwitch that accepts the request.

Prerequisites

An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Create a transit router.
The VPC in a zone supported by the Enterprise Edition transit router has sufficient vSwitches. Each vSwitch has at least one idle IP address. For more information about how to create a vSwitch, see Create a vSwitch.
- If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.
- If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.
You can connect an Enterprise Edition transit router to a VPC that belongs to the same or a different Alibaba Cloud account. If the VPC and the transit router that you want to connect belong to different Alibaba Cloud accounts, the transit router must acquire the required permissions from the Alibaba Cloud account to which the VPC belongs. For more information, see Acquire permissions to connect to a network instance that belongs to another account.
If you want to realize IPv6 network communication through the Enterprise Edition transit router, ensure that the IPv6 feature is enabled for the VPC. For more information, see Enable IPv6 for a VPC.

Procedures

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Information > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the parameters and click OK. The following table describes the parameters.

Note

When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN. The service-linked role allows the Enterprise Edition transit router to create an ENI in a vSwitch of the VPC. The ENI is used to forward data between the VPC and the transit router. For more information about service-linked roles, see AliyunServiceRoleForCEN.

Parameter	Description
Network Type	Select VPC.
Region	Select the region where the network instance is deployed.
Transit Router	The transit router in the selected region is displayed.
IPv6	Enabling the IPv6 feature for VPC connections is optional. The feature is disabled by default. Make sure you turn it on if VPCs need to communicate over an IPv6 network through an Enterprise Edition transit router. Note IPv6 can be enabled for existing VPC connections. For more information see, Enable IPv6 for VPC.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. You can connect a VPC to a transit router that belongs to the same Alibaba Cloud account or a different Alibaba Cloud account. If the network instance and the transit router that you want to connect belong to the same Alibaba Cloud account, select Current Account. If the network instance and the transit router that you want to connect belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the network instance belongs.
Billing Method	By default, transit routers use the pay-as-you-go billing method. For more information, see Billing rules.
Attachment Name	Enter a name for the network connection.
Tag	Add a tag to the VPC connection. Tag Key: The tag key cannot be an empty string. The tag key can be up to 64 characters in length. The key cannot start with `acs:` or `aliyun` or contain `http://` or `https://`. Tag Value: The tag value can be an empty string. The tag value can be up to 128 characters in length. The tag value cannot start with `acs:` or `aliyun` or contain `http://` or `https://`. You can add one or multiple tags to a VPC connection. For more information about tags, see Manage tags.
Network Instance	Select the VPC.
vSwitch	Select vSwitches that are deployed in zones supported by the transit router. If the Enterprise Edition transit router is deployed in a region that supports only one zone, select a vSwitch in the zone. If the Enterprise Edition transit router is deployed in a region that supports multiple zones, select at least two vSwitches. The two vSwitches must be in different zones. The two vSwitches support zone-disaster recovery to ensure uninterrupted data transmission between the VPC and the transit router. We recommend that you select a vSwitch in each zone to reduce network latency and improve network performance because data can be transmitted over a shorter distance.
Advanced Settings	When you create a VPC connection, the system enables the following features in the advanced settings by default: Associate with Default Route Table of Transit Router After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table. Propagate System Routes to Default Route Table of Transit Router After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router. Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of the routes point to the VPC. The routes are used to forward IPv4 traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs. Important If such a route is already in the route table of the VPC, the system cannot advertise this route. You must manually add a route that points to the VPC connection to the route table of the VPC. Otherwise, network communication cannot be established between the VPC and the transit router. To check whether such routes exist, click Check Route below Advanced Settings. In order for the VPC to have IPv6 traffic enter and be forwarded, it is necessary to enable route synchronization for the VPC connection or manually add IPv6 route entries pointing to the VPC connection in the route table after creating the connection. You can disable the advanced features by clearing the check boxes. If you want to enable the VBR to communicate with other network instances, you can configure associated forwarding and route learning on the transit router. For more information, see Manage routes.

After the VPC connection is created, you can view the details about the connection on the Intra-region Connections tab. For more information, see View network instance connections.

More Actions

Change the zone and vSwitch of a VPC connection

After you create a VPC connection, you can change the zone and vSwitch of the VPC connection. Before you begin, make sure that no routes of the VPC point to the ENI of an Enterprise Edition transit router. For more information, see Create and manage a route table.

Warning

If you change the vSwitch of a VPC connection, the connection may be interrupted for up to 15 seconds. Proceed with caution.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.
On the Intra-region Connections tab, click the ID of the VPC that you want to manage.
In the Attachment Details pane, click Change Zone/Subnet in the Associated Instances section.
In the Change Zone/Subnet dialog box, select a zone and a vSwitch from the Select Zone/Subnet drop-down list, and click OK.
After you change the zone and vSwitch, the zone and vSwitch that you select are associated with the VPC connection.
For example, the VPC connection is associated with Zone A and vSwitch A1, which is deployed in Zone A. The following rules apply when you change the zone and vSwitch in the Change Zone/Subnet dialog box:
- If you select Zone A and vSwitch A2, which is deployed in Zone A, the VPC connection is associated with Zone A and vSwitch A2 after you click OK.
  The VPC connection is automatically disassociated from vSwitch A1.
- If you select Zone B, vSwitch B1 (deployed in Zone B), Zone C, and vSwitch C1 (deployed in Zone C), the VPC connection is associated with Zone B, vSwitch B1, Zone C, and vSwitch C1 after you click OK.
  The VPC connection is automatically disassociated from Zone A and vSwitch A1.
- If you select Zone A, vSwitch A1 (deployed in Zone A), Zone C, and vSwitch C1 (deployed in Zone C), the VPC connection is associated with Zone A, vSwitch A1, Zone C, and vSwitch C1 after you click OK.
  The VPC is automatically associated with Zone C and vSwitch C1.
Note
After a VPC connection is associated with another vSwitch, the ENI of the previous vSwitch is automatically deleted.

Modify the transit router route table associated with a VPC connection

After you create a VPC connection, you can modify the transit router route table that is associated with the VPC connection.

Warning

If the VPC connection has route synchronization enabled, the routes synchronized to the VPC are withdrawn after the route table is modified. Then, the routes in the modified route table are synchronized to all the route tables of the VPC. For more information, see Route Synchronization.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Settings > Transit Router tab, click the ID of the transit router that you want to manage.
On the Intra-region Connections tab, find the VPC connection that you want to manage and click the ID.
In the Attachment Details panel, find the Basic Information section and click Modify next to Associated Route Table.
In the Modify Route Table dialog box, select a route table and click OK.

Enable IPv6 for an existing VPC connection

If a VPC needs to communicate over an IPv6 network through an Enterprise Edition transit router, you need to enable IPv6 for the VPC connection. For an existing VPC connection that does not have IPv6 enabled, you can activate it separately by performing the following steps.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Settings > Transit Router tab, click the ID of the transit router that you want to manage.
On the Intra-region Connections tab, find the VPC connection and click Enable in the IPv6 column.
When prompted, click OK.

Disable IPv6 for a VPC connection

If an IPv6 network communication is no longer needed, you can disable the feature. Make sure the following prerequisites are met before turning it off.

The route table of the VPC does not have an IPv6 route entry that points to the VPC connection or ENI of the Enterprise Edition transit router as the next hop. For more information, see Add and delete routes.
The route table of the Enterprise Edition transit router does not have an IPv6 route entry that points to the VPC connection as the next hop. For more information, see Delete a custom route from a route table of an Enterprise Edition transit router.
The route table of the Enterprise Edition transit router does not have an IPv6 prefix list that points to the VPC connection. For more information, see Disassociate a prefix list from a transit router route table.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Settings > Transit Router tab, click the ID of the transit router that you want to manage.
On the Intra-region Connections tab, find the VPC connection and click Disable in the IPv6 column.
When prompted, click OK

Use a Basic Edition transit router to connect VPCs

You can connect a VPC to a Basic Edition transit router that belongs to the same Alibaba Cloud account or a different Alibaba Cloud account. If the VPC and the transit router that you want to connect belong to different Alibaba Cloud accounts, the transit router must acquire the required permissions from the Alibaba Cloud account to which the VPC belongs. For more information, see Acquire permissions to connect to a network instance that belongs to another account.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Information > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the parameters and click OK. The following table describes the parameters.

Parameter	Description
Network Type	Select VPC.
Region	Select the region where the network instance is deployed.
Transit Router	The transit router in the selected region is displayed.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. You can connect a VPC to a transit router that belongs to the same Alibaba Cloud account or a different Alibaba Cloud account. If the network instance and the transit router that you want to connect belong to the same Alibaba Cloud account, select Current Account. If the network instance and the transit router that you want to connect belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the network instance belongs.
Network Instance	Select the ID of the network instance.

After you create the VPC connection, you can view it on the Intra-region Connections tab on the details page of the transit router. For more information, see View network instance connections.

Call API operations to create a VPC connection

Alibaba Cloud provides a set of tools, such as Alibaba Cloud SDKs (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS) that allow you to create VPC connections by calling API operations. For more information, see the following API references:

CreateTransitRouterVpcAttachment: creates a VPC connection on an Enterprise Edition transit router.
UpdateTransitRouterVpcAttachmentAttribute: modifies the name and description of a VPC connection on an Enterprise Edition transit router.
UpdateTransitRouterVpcAttachmentZones: changes the zone and vSwitch of a VPC connection on an Enterprise Edition transit router.
ListTransitRouterVpcAttachments: queries the information about VPC connections on an Enterprise Edition transit router.
AttachCenChildInstance: creates a VPC connection by using a Basic Edition transit router.