You can specify CIDR blocks for a transit router. The CIDR blocks work in a similar way as the CIDR block of the loopback interface on a router. IP addresses within the CIDR blocks can be allocated to IPsec-VPN connections.
Background information
When you create VPN attachments, IP addresses are allocated from the CIDR blocks to the IPsec-VPN connections.
If you create a private VPN attachment, an IP address that falls into the CIDR blocks of the transit router is allocated to the IPsec-VPN connection as the gateway IP address, which is used to connect to the on-premises network.
After you enable route learning between the private VPN attachment and a route table of the transit router, the system automatically adds a blackhole route to the route table of the transit router. The destination CIDR block of the blackhole route is the CIDR block of the transit router. The CIDR block of the transit router refers to the CIDR block from which gateway IP addresses are allocated to IPsec-VPN connections. The blackhole route is advertised only to the route table of the virtual border router (VBR) that is connected to the transit router.
Note: You can call the CreateTransitRouterCidr operation and view the value of the PublishCidrRoute parameter in the response. The value indicates whether blackhole routes whose destination CIDR blocks are the CIDR blocks of a transit router can be added to the route tables of the transit router. For more information, see CreateTransitRouterCidr.
After you enable route learning between the private VPN attachment and a route table of the transit router, the transit router automatically learns a route that points to the IPsec-VPN connection. The CIDR block of the route is the gateway IP address of the IPsec-VPN connection, and the next hop is the VPN attachment.
This route is added only to the route table of the transit router that has a route learning correlation with the VPN attachment.
If you create an Internet VPN attachment, a public IP address from the Alibaba Cloud IP pool is allocated to the IPsec-VPN connection for connecting to the on-premises network. Meanwhile, an IP address that falls into the CIDR blocks of the transit router is allocated to the IPsec-VPN connection for health checks. This does not affect your network.
For more information, see Rules for allocating IP addresses from the CIDR blocks of a transit router.
Limits
Only Enterprise Edition transit routers support custom CIDR blocks.
Each transit router supports at most five CIDR blocks. The subnet mask of the CIDR block of a transit router must be 16 bits to 24 bits in length.
You cannot specify 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, 169.254.0.0/16, or their subnets as the CIDR blocks of transit routers.
The CIDR blocks of each transit router cannot overlap with the CIDR blocks of the network instances that need to communicate with each other by using the Cloud Enterprise Network (CEN) instance.
The CIDR block of each transit router on the same CEN instance must be unique.
Rules for allocating IP addresses from the CIDR blocks of a transit router
The following section describes the rules for allocating IP addresses from the CIDR blocks of a transit router:
After you add a CIDR block to a transit router, the system automatically reserves three /28 CIDR blocks (subnet mask length of 28 bits) for VPN attachments at the moment the first VPN attachment is created on the transit router. IP addresses are allocated to IPsec-VPN connections from the remaining CIDR block.
When the system allocates IP addresses to IPsec-VPN connections, it carves a smaller /28 CIDR block out of the remaining CIDR block and reserves four IP addresses in that smaller block. The remaining 12 IP addresses can be allocated to IPsec-VPN connections. After all 12 IP addresses are allocated, the system carves another /28 CIDR block out of the remaining CIDR block and again reserves four IP addresses in it.
Examples
Alice added the 10.0.0.0/24 and 192.168.0.0/20 CIDR blocks to a transit router. 10.0.0.0/28, 10.0.0.16/28, and 10.0.0.32/28 are reserved by the system. The system divides a smaller CIDR block, such as 10.0.0.48/28, whose subnet mask length is 28 bits from the remaining CIDR blocks. IP addresses are allocated from the smaller CIDR block to IPsec-VPN connections. Four IP addresses in the 10.0.0.48/28 CIDR block are reserved by the system. The remaining 12 IP addresses in the CIDR block can be allocated to IPsec-VPN connections. If all 12 IP addresses are allocated to IPsec-VPN connections, the system divides another smaller CIDR block whose subnet mask length is 28 bits from the remaining CIDR blocks, and reserves four IP addresses in the smaller CIDR block.
As a result:
The maximum number of VPN attachments that can be created in the 10.0.0.0/24 CIDR block: (2^8/2^4 - 3) × (2^4 - 4) = 156.
The maximum number of VPN attachments that can be created in the 192.168.0.0/20 CIDR block: (2^12/2^4) × (2^4 - 4) = 3,072.
The maximum number of VPN attachments that can be created on the transit router: 156 + 3,072 = 3,228.
"^" indicates exponentiation, for example, 2^4 = 16.
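The following Python script is an added example, not part of the Alibaba Cloud documentation or any CEN SDK. It checks a proposed set of transit router CIDR blocks against the limits listed above and reproduces the capacity calculation from the example. It assumes, as the example shows, that the three reserved /28 blocks are taken from the first CIDR block only; the peer_cidrs parameter (the CIDR blocks of the network instances on the CEN) is a hypothetical input used for the overlap check.

```python
import ipaddress

# Limits stated on the page for transit router CIDR blocks.
FORBIDDEN = [ipaddress.ip_network(n) for n in
             ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]
MAX_BLOCKS = 5               # at most five CIDR blocks per transit router
RESERVED_SUBNETS = 3         # three /28s reserved when the first VPN attachment is created
ALLOC_PREFIX = 28            # IP addresses are handed out one /28 at a time
RESERVED_PER_SUBNET = 4      # four addresses held back in every /28

def validate_cidrs(cidrs, peer_cidrs=()):
    """Check a proposed set of transit router CIDR blocks against the page's limits.
    Returns a list of violations; an empty list means the set is acceptable.
    peer_cidrs (assumed input): CIDR blocks of the network instances on the CEN,
    which the transit router CIDR blocks must not overlap."""
    problems, nets = [], []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=True)   # rejects host bits such as 10.0.0.1/24
        if not 16 <= net.prefixlen <= 24:
            problems.append(f"{c}: subnet mask must be 16 to 24 bits")
        if any(net.subnet_of(f) for f in FORBIDDEN):
            problems.append(f"{c}: lies inside a forbidden range")
        if net in nets:
            problems.append(f"{c}: listed more than once")
        for p in peer_cidrs:
            if net.overlaps(ipaddress.ip_network(p)):
                problems.append(f"{c}: overlaps network instance CIDR block {p}")
        nets.append(net)
    if len(nets) > MAX_BLOCKS:
        problems.append(f"{len(nets)} blocks exceed the limit of {MAX_BLOCKS}")
    return problems

def max_vpn_attachments(cidrs):
    """Capacity per block and in total, following the allocation rules above:
    every /28 carved out of a block yields 16 - 4 = 12 usable addresses, and the
    first block additionally loses three whole /28s to the system reservation."""
    usable_per_subnet = 2 ** (32 - ALLOC_PREFIX) - RESERVED_PER_SUBNET
    per_block = {}
    for i, c in enumerate(cidrs):
        net = ipaddress.ip_network(c)
        subnets = 2 ** (ALLOC_PREFIX - net.prefixlen)
        if i == 0:
            subnets -= RESERVED_SUBNETS
        per_block[c] = subnets * usable_per_subnet
    return per_block, sum(per_block.values())

if __name__ == "__main__":
    blocks = ["10.0.0.0/24", "192.168.0.0/20"]   # the page's example
    print(validate_cidrs(blocks), max_vpn_attachments(blocks))
```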
After you create a VPN attachment, you can view the reserved IP addresses and the IP address that is allocated to the VPN attachment in the Address Details panel. For more information, see View allocated CIDR blocks.
Add a CIDR block to a transit router
You can add a CIDR block when you create a transit router or after you create a transit router.
Add a CIDR block when you create a transit router
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the tab, click Create Transit Router.
In the Create Transit Router dialog box, set the parameters and click OK.
Parameter: Description
Region: Select the region where you want to create the transit router.
Edition: The transit router edition that is supported in the selected region is displayed automatically.
Enable Multicast: Specify whether to enable the multicast feature. Multicast is disabled by default.
Note: Multicast is supported by Enterprise Edition transit routers in some regions. For more information, see Multicast overview.
Name: Enter a name for the transit router.
Description: Enter a description for the transit router.
Tag: Add tags to the transit router.
Tag Key: The tag key cannot be an empty string. The tag key can be up to 64 characters in length. The key cannot start with acs: or aliyun, and cannot contain http:// or https://.
Tag Value: The tag value can be an empty string. The tag value must be 1 to 128 characters in length. The value cannot start with acs: or aliyun, and cannot contain http:// or https://.
You can add one or multiple tags to a transit router. For more information about tags, see Manage tags.
Transit Router CIDR: Enter the CIDR block that you want to create for the transit router. To add multiple CIDR blocks, click Add below the field.
Add a CIDR block after you create a transit router
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Basic Settings tab. On the right side of Transit Router CIDR, click Edit.
In the Modify Transit router CIDR dialog box, enter CIDR blocks and click OK.
To enter multiple CIDR blocks, click Add below the field.
In the Results message, click OK.
View allocated CIDR blocks
When you create a VPN attachment after you add a CIDR block to a transit router, an IP address that falls into the CIDR block is allocated to the IPsec-VPN connection. You can view allocated CIDR blocks on the Basic Settings tab of the transit router.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Basic Settings tab. On the right side of Transit Router CIDR, click Address Details.
In the Address Details panel, view the CIDR blocks that are allocated to the transit router.
Modify the CIDR block of a transit router
CIDR blocks from which IP addresses are already allocated to network connections cannot be modified.
If you need to modify such CIDR blocks, you must delete the VPN attachments that use the IP addresses. For more information, see Delete a network instance connection.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Basic Settings tab. On the right side of Transit Router CIDR, click Edit.
In the Modify Transit router CIDR dialog box, modify the CIDR blocks and click OK.
You can perform the following operations on the CIDR blocks:
Add CIDR blocks: Click Add below the field to add more CIDR blocks to the transit router.
Modify the CIDR blocks: modify the CIDR blocks of the transit router.
Delete CIDR blocks: On the right side of the CIDR block that you want to delete, click the icon.
In the Results message, review the CIDR blocks and click OK.
Delete a CIDR block
CIDR blocks from which IP addresses are already allocated to network connections cannot be deleted.
If you need to delete such CIDR blocks, you must delete the VPN attachments that use the IP addresses. For more information, see Delete a network instance connection.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Basic Settings tab. On the right side of Transit Router CIDR, click Edit.
In the Modify Transit router CIDR dialog box, find the CIDR block that you want to delete, click the icon, and then click OK.
If the icon is dimmed, click Add below the field. Then, the icon is displayed.
In the Results message, review the CIDR blocks and click OK.
References
CreateTransitRouterCidr: Adds a CIDR block to a transit router.
ModifyTransitRouterCidr: Modifies the CIDR block of a transit router.
DeleteTransitRouterCidr: Deletes a CIDR block from a transit router.
ListTransitRouterCidr: Queries the CIDR blocks of a transit router.
ListTransitRouterCidrAllocation: Queries the IP addresses allocated from a CIDR block of a transit router.