A Virtual Private Cloud (VPC) peering connection is a private network connection between two VPCs. After you create a VPC peering connection between two VPCs, the VPCs can communicate with each other over the connection. This topic describes how to create and manage a VPC peering connection.
Prerequisites
Two VPCs between which you want to create a VPC peering connection are created. If the VPCs belong to different Alibaba Cloud accounts, make sure that both the requester and accepter accounts have a VPC. For more information, see Create and manage a VPC.
Create a VPC peering connection
Log on to the VPC console.
In the left-side navigation pane, click VPC Peering Connection.
If this is the first time you create a VPC peering connection, click Activate CDT on the VPC Peering Connection page, and click Activate in the message that appears.
If the VPCs belong to different Alibaba Cloud accounts, make sure that both the requester and accepter accounts have the Cloud Data Transfer (CDT) service activated.
On the VPC Peering Connection page, click Create VPC Peering Connection.
On the Create VPC Peering Connection page, set the following parameters and click OK.
You can create VPC peering connections of the following types: same-account and intra-region, same-account and inter-region, cross-account and intra-region, and cross-account and inter-region.
The following table describes the parameters that are required when you create different types of VPC peering connections.
Parameter: Description
Peering Connection Name: Enter a name for the VPC peering connection.
Resource Group: Select a resource group for the peering connection.
Requester VPC: You can select a VPC as the requester by using one of the following methods:
  Enter a VPC name or ID in the drop-down list to perform fuzzy search.
  Select a VPC from the drop-down list.
  Note: The requester VPC and accepter VPC must belong to the same resource group.
Accepter Account Type: Select whether the requester VPC and accepter VPC belong to the same Alibaba Cloud account. Valid values:
  Same-Account: The requester VPC and accepter VPC belong to the same Alibaba Cloud account. After you initiate a connection request from the requester VPC, the VPC peering connection is automatically established. You do not need to accept the request on the accepter VPC.
  Cross-Account: The requester VPC and accepter VPC belong to different Alibaba Cloud accounts, for example, different accounts on the Alibaba Cloud China site, or an Alibaba Cloud China site account and an Alibaba Cloud International site account. After you initiate a connection request from the requester VPC, you can accept or reject the request on the accepter VPC to establish or deny the VPC peering connection.
  If you select Cross-Account, enter the ID of the Alibaba Cloud account to which the accepter VPC belongs in the UID of the receiver field.
Accepter Region Type: Select whether the requester VPC and accepter VPC belong to the same region. Valid values:
  Intra-Region: The requester VPC and accepter VPC belong to the same region.
  Inter-Region: The requester VPC and accepter VPC belong to different regions.
  If you select Inter-Region, select the region where the accepter VPC is deployed from the Accepter Region drop-down list.
Accepter VPC: You can select a VPC as the accepter by using one of the following methods:
  Enter a VPC name or ID in the drop-down list to perform fuzzy search.
  Select a VPC from the drop-down list.
If the VPCs belong to different Alibaba Cloud accounts, the accepter VPC can accept or reject the request. The following procedure shows how to accept or reject a request:
Log on to the VPC console with the account of the accepter VPC.
In the left-side navigation pane, click VPC Peering Connection.
On the VPC Peering Connection page, find the VPC peering connection and perform the following operations:
The status of the peering connection is Peer Accepting.
To accept the request, click Accept in the Actions column.
Then, the status of the peering connection changes from Peer Accepting to Updating. After the peering connection is activated, it enters the Activated state and is ready for use.
To reject the request, click Reject in the Actions column.
Then, the status of the peering connection changes from Peer Accepting to Rejected.
A VPC peering connection in the Rejected state is unavailable. You can delete the VPC peering connection on the requester VPC or accepter VPC.
Note: If you do not accept or reject the request within seven days, the VPC peering connection enters the Expired state.
On the VPC Peering Connection page, check the status of the peering connection.
An activated VPC peering connection is in the Activated state and is ready for use.
You can view the following information about the requester VPC and accepter VPC: the VPC ID, region, CIDR block, and owner Alibaba Cloud account.
Configure a route
After you create a VPC peering connection, you must add a route that points to the peer VPC for both the accepter VPC and requester VPC.
Log on to the VPC console.
In the left-side navigation pane, click VPC Peering Connection.
On the VPC Peering Connection page, find the peering connection that you want to manage and perform the following steps to add routes:
Configure a route for the requester VPC
Click Configure Route in the Requester VPC column.
In the Configure Route dialog box, set the following parameters and click OK.
Parameter: Description
VPC: The requester VPC is automatically displayed.
Route Table: Select a route table associated with the VPC from the drop-down list.
Name: Enter a name for the route.
Destination CIDR Block:
  To add an IPv4 route: Select IPv4 and enter the IPv4 CIDR block of the accepter VPC.
  To add an IPv6 route: Select IPv6 and enter the IPv6 CIDR block of the accepter VPC.
Next Hop: The next hop is automatically displayed.
Configure a route for the accepter VPC that belongs to the same Alibaba Cloud account
Click Configure Route in the Accepter VPC column.
In the Configure Route dialog box, set the following parameters and click OK.
Parameter: Description
VPC: The system automatically displays the accepter VPC.
Route Table: Select a route table associated with the VPC from the drop-down list.
Name: Enter a name for the route.
Destination CIDR Block:
  To add an IPv4 route: Select IPv4 and enter the IPv4 CIDR block of the requester VPC.
  To add an IPv6 route: Select IPv6 and enter the IPv6 CIDR block of the requester VPC.
Next Hop: The next hop is automatically displayed.
Configure a route for the accepter VPC that belongs to a different Alibaba Cloud account
Log on to the VPC console with the account of the accepter VPC.
In the left-side navigation pane, click VPC Peering Connection.
On the VPC Peering Connection page, find the VPC peering connection that you want to manage and click Configure Route in the Acceptor column.
The subsequent operations are the same as the operations that you perform to configure a route for the VPC that belongs to the same Alibaba Cloud account.
After you configure the routes, you can click the ID of the VPC peering connection on the VPC Peering Connection page to view the information about the routes in the Route Entry List section.
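The requirement that each VPC has a route to the other VPC's CIDR block can be checked mechanically. The following is an added example, not Alibaba Cloud code: it audits constructed route-table snapshots for both sides of one peering connection. The dictionary fields (`cidrs`, `routes`, `destination`, `next_hop`), the ID `pcc-example0001`, and the address ranges are assumptions for illustration, and the "too-broad" and "partial" classifications are an added check for routes that do not match the peer VPC's CIDR block exactly.

```python
import ipaddress

def route_status(route_table, peer_cidr, pcc_id):
    """Classify how route_table reaches peer_cidr through peering connection pcc_id."""
    peer = ipaddress.ip_network(peer_cidr)
    status = "missing"
    for route in route_table:
        if route["next_hop"] != pcc_id:
            continue  # route does not use this peering connection
        dest = ipaddress.ip_network(route["destination"])
        if dest.version != peer.version:
            continue  # IPv4 and IPv6 routes are separate entries
        if dest == peer:
            return "ok"
        if peer.subnet_of(dest):
            status = "too-broad"  # more than the peer VPC's range goes over the peering
        elif dest.subnet_of(peer) and status == "missing":
            status = "partial"  # only part of the peer VPC is reachable
    return status

def audit_peering(pcc_id, requester, accepter):
    """Return {(side, peer_cidr): status} for both directions of the connection."""
    findings = {}
    for side, local, remote in (("requester", requester, accepter),
                                ("accepter", accepter, requester)):
        for cidr in remote["cidrs"]:
            findings[(side, cidr)] = route_status(local["routes"], cidr, pcc_id)
    return findings

# Constructed sample data: placeholder ID, documentation address ranges.
PCC_ID = "pcc-example0001"
REQUESTER = {
    "cidrs": ["192.168.0.0/16", "2001:db8:a::/56"],
    "routes": [{"destination": "10.0.0.0/16", "next_hop": PCC_ID},
               {"destination": "2001:db8:b::/56", "next_hop": PCC_ID}],
}
ACCEPTER = {
    "cidrs": ["10.0.0.0/16", "2001:db8:b::/56"],
    # The IPv6 route back to the requester was never added on this side.
    "routes": [{"destination": "192.168.0.0/16", "next_hop": PCC_ID}],
}

if __name__ == "__main__":
    for (side, cidr), status in audit_peering(PCC_ID, REQUESTER, ACCEPTER).items():
        print(f"{side} VPC -> {cidr}: {status}")
```

A "missing" result on only one side explains a connectivity test that succeeds in one direction and fails in the other.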
Test network connectivity
Before you begin, make sure that Elastic Compute Service (ECS) instances are deployed in the requester and accepter VPCs, and that the security group rules of the ECS instances allow access between the VPCs. For more information, see Create a security group. Perform the following operations to test network connectivity between the requester and accepter VPCs:
Log on to an ECS instance in the requester VPC. For more information, see Connection methods.
Run the ping command to ping the private IP address of an ECS instance in the accepter VPC. If you can receive echo reply packets, it indicates that the requester VPC can access the accepter VPC.
Log on to an ECS instance in the accepter VPC.
Run the ping command to ping the private IP address of an ECS instance in the requester VPC. If you can receive echo reply packets, it indicates that the accepter VPC can access the requester VPC.
After you verify the connectivity, you can deploy your services in the VPCs.
Note: If the communication fails, refer to ECS FAQ and Security FAQ to troubleshoot.
Delete a VPC peering connection
You can delete a VPC peering connection in one of the following ways:
Natural deletion: Before you delete a VPC peering connection, you must first delete the routes that point to the VPC peering connection from the route table. For more information about how to delete custom routes, see Create and manage a route table.
Forceful deletion: You do not need to delete the route that points to the VPC peering connection from the route table. After you delete the VPC peering connection, the system automatically deletes this route.
After you delete a VPC peering connection, it cannot be restored, and the private communication is unavailable. Proceed with caution.
Log on to the VPC console.
On the VPC Peering Connection page, find the peering connection that you want to delete and click Delete in the Actions column.
In the message that appears, click OK.
To forcefully delete a VPC peering connection, select I confirm that my services will not be affected and want to delete all the preceding VPC peering connections and routes in the dialog box.
More operations
Modify the bandwidth of an inter-region VPC peering connection
On the VPC Peering Connection page, click the ID of the VPC peering connection that you want to modify.
On the details page of the peering connection, find the Information section and click Edit on the right side of Bandwidth (Mbit/s).
In the dialog box that appears, enter a new bandwidth value and click OK.
The bandwidth value must be an integer greater than 0. The maximum bandwidth value is 1024.
Modify the name or description of a VPC peering connection
On the VPC Peering Connection page, click the ID of the VPC peering connection that you want to manage.
On the details page of the peering connection, find the Information section and click Edit on the right side of VPC Peering Connection Name.
In the dialog box that appears, enter a new name and click OK.
On the details page of the peering connection, find the Information section and click Edit on the right side of Description.
In the dialog box that appears, enter a new description and click OK.
References
CreateVpcPeerConnection: creates a VPC peering connection.
AcceptVpcPeerConnection: accepts a VPC peering connection request.
RejectVpcPeerConnection: rejects a VPC peering connection request.
GetVpcPeerConnectionAttribute: queries the details of a VPC peering connection.
CreateRouteEntry: adds a custom route.
DeleteRouteEntry: deletes a custom route.
DeleteVpcPeerConnection: deletes a VPC peering connection.
ModifyVpcPeerConnection: modifies the description or name of a VPC peering connection.