Use ClassicLink to implement communication between a classic network and a VPC - Elastic Compute Service

You can establish ClassicLink connections to allow Elastic Compute Service (ECS) instances in a classic network to communicate with resources in a virtual private cloud (VPC) over private IP addresses. You can establish ClassicLink connections in scenarios such as during a transition from a classic network to a VPC and when resources in a classic network need to communicate with resources in a VPC over private IP addresses. This topic describes how to connect an instance in a classic network to a VPC by using ClassicLink.

Background information

The ClassicLink feature of Alibaba Cloud allows you to establish private connections between Alibaba Cloud classic networks and VPCs. Classic networks and VPCs are two types of networks on Alibaba Cloud. By default, classic networks are isolated from VPCs. You can use the ClassicLink feature to connect classic networks to VPCs. This way, resources in the classic networks can communicate with resources in the VPCs. For more information, see Overview of ClassicLink.

Limits

Before you use the ClassicLink feature, take note of the following limits:

You can associate up to 1,000 classic network-connected ECS instances with a VPC.
For one Alibaba Cloud account in one region, a classic network-connected ECS instance can be associated with only one VPC.
If you want to associate an ECS instance of Account A with a VPC of Account B, you must first transfer the ECS instance from Account A to Account B.
Classic network-connected ECS instances can communicate only with ECS instances in the primary CIDR block of a VPC. Classic network-connected ECS instances cannot communicate with ECS instances in the secondary CIDR block of the VPC.

To enable the ClassicLink feature for a VPC, the following conditions must be met.

VPC CIDR block	Limit
172.16.0.0/12	The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8.
10.0.0.0/8	The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8. Make sure that the CIDR block of the vSwitch to communicate with the classic network-connected ECS instances is within 10.111.0.0/16.
192.168.0.0/16	The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8. Add a custom route entry to the ECS instance that is deployed in the classic network. The destination CIDR block of the route entry is 192.168.0.0/16 and the next hop is the private network interface controller (NIC). You can add the route by using the provided script. Download routing script. Note Before you run the script, read the readme.txt file.

Procedure

Step 1: Enable the ClassicLink feature

Log on to the VPC console.
In the top navigation bar, select the region and resource group to which the resource belongs.
In the list of VPCs, find the VPC to which you want to connect and click the ID of the VPC.
On the Basic Information tab, click Enable ClassicLink in the upper-right corner.
In the Enable ClassicLink message, click OK.

Step 2: Add a ClassicLink security group rule

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select the region and resource group to which the resource belongs.

Add a ClassicLink rule to a security group of an ECS instance that resides in a classic network.

Find the ECS instance that resides in the classic network. In the Actions column, choose > Network and Security Group > Set VPC Connection Status.
In the dialog box that appears, select the VPC to which you want to connect the instance and click Confirm.
Click Go to the instance security group list and add ClassicLink rules.
Find a security group of the ECS instance. In the Actions column, click Add Rules.

On the Security Group Rules page, click Add ClassicLink Rule in the upper-right corner. In the dialog box that appears, configure the parameters that are described in the following table.

Parameter	Description
Classic Security Group	The name of the classic-network security group is displayed.
Select VPC	The VPC to which to connect the instance.
VPC-type Security Groups	The security groups from the selected VPC that you want to associate with the instance. You can select up to five security groups.
Mode	The access mode. Classic Network <=> VPCs (recommended): allows mutual access between resources in the classic network and resources in the VPC. Classic Network => VPCs: allows resources in the classic network to access resources in the VPC. VPCs => Classic Network: allows resources in the VPC to access resources in the classic network.
Protocol	The communication protocol. Example: Custom TCP.
Port Range	The port range. Specify a port range in the <Start port number>/<End port number> format. Example: `80/80`, which indicates port 80.
Priority	The priority of the rule. A smaller value indicates a higher priority. Example: `1`.
Description	The description of the rule.

Click OK.

Step 3: Test the connectivity between the instance and the VPC

Perform the following steps to test the connectivity between the instance and the VPC:

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select the region and resource group to which the resource belongs.
View the Network Type column of the ECS instance.
If the ECS instance in the classic network is connected to the VPC, the connection status is Connected.