This topic describes how to allow virtual private clouds (VPCs) with overlapping CIDR blocks to access each other by using VPC NAT gateways.

Background information

Due to early network planning or business consolidation, you may need two VPCs that have overlapping CIDR blocks to communicate with each other. You can create a VPC NAT gateway and configure a NAT IP address for each VPC. The two NAT IP addresses cannot conflict with each other. One VPC uses SNAT to translate source IP addresses to the configured NAT IP address, which allows the VPC to access the other VPC. The other VPC uses the NAT IP address configured in a DNAT entry to provide services. This way, the two VPCs can access each other.

Scenarios

The following scenario is used as an example in this topic. A company has created two VPCs named VPC1 and VPC2 in the China (Qingdao) region, and the two VPCs have the same CIDR block 192.168.0.0/16. A service vSwitch named VSW1 with the CIDR block 192.168.0.0/24 is created in VPC1. An Elastic Compute Service (ECS) instance named ECS1 is created in VSW1. A service vSwitch named VSW3 with the CIDR block 192.168.0.0/24 is created in VPC2. An ECS instance named ECS2 is created in VSW3. Due to business development requirements, VPC1 needs to access VPC2. Given that VPC1 and VPC2 have the same CIDR block, VPC1 and VPC2 cannot directly access each other by using a Cloud Enterprise Network (CEN) instance. You can create a transit vSwitch named VSW2 with the CIDR block 192.168.100.0/24 in VPC1, create a transit vSwitch named VSW4 with the CIDR block 192.168.200.0/24 in VPC2, and then create a VPC NAT gateway in VSW2 and VSW4. This way, VPC1 and VPC2 can access each other by using the SNAT and DNAT features of the VPC NAT gateways. VPCs accessing each other

Procedure

Procedure

Prerequisites

  • An Alibaba Cloud account is created. For more information, see Create an Alibaba Cloud account.
  • VPCs and vSwitches are created as described in the following table. For more information, see Create a VPC with an IPv4 CIDR block.
    VPC nameRegionCIDR blockvSwitch nameZone and CIDR block
    VPC1China (Qingdao)192.168.0.0/16
    • Service vSwitch: VSW1
    • Transit vSwitch: VSW2
    • VSW1: Qingdao Zone B, 192.168.0.0/24
    • VSW2: Qingdao Zone C, 192.168.100.0/24
    VPC2China (Qingdao)192.168.0.0/16
    • Service vSwitch: VSW3
    • Transit vSwitch: VSW4
    • VSW3: Qingdao Zone B, 192.168.0.0/24
    • VSW4: Qingdao Zone C, 192.168.200.0/24
  • An ECS instance named ECS1 is created in VSW1. An ECS instance named ECS2 is created in VSW3. For more information, see Create an instance by using the wizard.
  • A CEN instance is created. For more information, see Create a CEN instance.
  • An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Create a transit router.

Step 1: Create two VPC NAT gateways

Perform the following steps to create a VPC NAT gateway named VPC NATGW1 in VSW2 and a VPC NAT gateway named VPC NATGW2 in VSW4.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. On the VPC NAT Gateway page, click Create VPC NAT Gateway.
  4. On the VPC NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
    The following table describes the parameters of VPC NATGW1 and VPC NATGW2.
    ParameterDescriptionValue
    RegionSelect the region where you want to create the VPC NAT gateway. Select China (Qingdao) for both VPC NAT gateways.
    VPC IDSelect the VPC to which the VPC NAT gateway belongs. After you create a VPC NAT gateway, you cannot change the VPC to which it belongs.
    • VPC NATGW1: VPC1.
    • VPC NATGW2: VPC2.
    ZonesSelect the zone to which the VPC NAT gateway belongs.
    • VPC NATGW1: the zone of VSW2.
    • VPC NATGW2: the zone of VSW4.
    vSwitch IDSelect the vSwitch to which the VPC NAT gateway belongs. We recommend that you select an independent vSwitch.
    • VPC NATGW1: VSW2.
    • VPC NATGW2: VSW4.
    NameEnter a name for the VPC NAT gateway.

    The name must be 1 to 128 characters in length.

    • Enter VPC NATGW1.
    • Enter VPC NATGW2.
    Service-linked RoleDisplays whether a service-linked role is created for the VPC NAT gateway.

    If this is your first time using a NAT gateway, including an Internet NAT gateway and a VPC NAT gateway, you must click Create Service-linked Role to create a service-linked role.

  5. On the Confirm Order page, confirm the information, select the Terms of Service check box, and then click Activate Now.
    When the message Order complete. appears, it indicates that the VPC NAT gateway is created.

Step 2: Create custom route tables

Perform the following steps to create a custom route table for VSW2 and another for VSW4.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. On the Route Tables page, click Create Route Table.
  5. On the Create Route Table page, set the following parameters and click OK.
    The following table describes the parameters for the custom route tables of VSW2 and VSW4.
    ParameterDescriptionValue
    Resource GroupSelect the resource group to which the route table belongs. Select All for both route tables.
    VPCSelect the VPC to which the route table belongs.
    • Route table of VSW2: Select VPC1.
    • Route table of VSW4: Select VPC2.
    NameEnter a name for the route table.
    • Route table of VSW2: VSW2VTB.
    • Route table of VSW4: VSW4VTB.
    DescriptionEnter a description for the route table.
    • Route table of VSW2: Enter VSW2 custom route table.
    • Route table of VSW4: Enter VSW4 custom route table.
  6. On the Route Tables page, find the route table that you created and click its ID.
  7. On the details page of the route table, click the Associated vSwitch tab and click Associate vSwitch.
  8. In the Associate vSwitch dialog box, select the vSwitch that you want to associate and click OK.
    • Associate VSW2VTB with VSW2.
    • Associate VSW4VTB with VSW4.

Step 3: Attach the VPCs to the CEN instance

Connect VPC1 and VPC2 to the transit router in the China (Qingdao) region. This way, CEN automatically distributes and learns routes to enable communication between VPC1 and VPC2.
Note Before you connect a VPC to an Enterprise Edition transit router, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is created in the China (Qingdao) region. Qingdao Zone B and Qingdao Zone C support Enterprise Edition transit routers.
  1. Log on to the CEN console.
  2. On the Instances page, click the ID of the CEN instance that you want to manage.
  3. On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.
  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    Note When you perform this operation for the first time, the system automatically creates the service-linked role AliyunServiceRoleForCEN. This role allows the transit router to create an elastic network interface (ENI) in a vSwitch of the VPC to be connected. For more information, see AliyunServiceRoleForCEN.
    The following table describes the parameters of VPC1 connection and VPC2 connection.
    ParameterDescriptionValue
    Network TypeSelect the type of network instance that you want to connect. Select VPC.
    RegionSelect the region where the network instance is deployed. Select China (Qingdao).
    Transit RouterThe transit router in the selected region is displayed. The transit router in the China (Qingdao) region is displayed.
    Resource Owner IDSelect the Alibaba Cloud account to which the network instance belongs. Select Your Account.
    Billing MethodBy default, transit routers use the Pay-As-You-Go billing method.

    For more information about the billing rules, see Billing rules.

    		Pay-As-You-Go is displayed.
    Attachment NameEnter a name for the VPC connection.
    • VPC1 connection: Enter VPC1.
    • VPC2 connection: Enter VPC2.
    NetworksSelect the ID of the VPC to be connected.
    • VPC1 connection: Select the ID of VPC1.
    • VPC2 connection: Select the ID of VPC2.
    vSwitchSelect a vSwitch in a zone that supports transit routers.
    • VPC1 connection:
      • Qingdao Zone B: Select VSW1.
      • Qingdao Zone C: Select VSW2.
    • VPC2 connection:
      • Qingdao Zone B: Select VSW3.
      • Qingdao Zone C: Select VSW4.
    Advanced SettingsBy default, the following advanced features are selected: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC.

    The default settings are used.

  5. Return to the VPC console.
  6. In the left-side navigation pane, click Route Tables.
  7. On the Route Tables page, find the system route table of VPC1 and click its ID.
  8. On the Route Entry List > System Route tab, find conflicting routes and click Withdraw in the Route Status in CEN column.
    Repeat Step 7 and Step 8 to withdraw conflicting routes from the system route table of VPC2.

Step 4: Add routes to the custom route table

Perform the following steps to add routes to VSW2VTB and VSW4VTB.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. On the Route Tables page, find the custom route table that you want to manage and click its ID.
  5. Choose Route Entry List > Custom Route, and click Add Route Entry.
  6. In the Add Route Entry panel, set the following parameters and click OK.
    ParameterDescriptionValue
    NameEnter a name for the route.
    • VSW2VTB: VPCNATGW1ENTRY
    • VSW4VTB: VPCNATGW2ENTRY
    Destination CIDR BlockEnter the CIDR block to which network traffic is forwarded. Set this parameter to the CIDR block of the peer transit vSwitch.
    • VSW2VTB: 192.168.200.0/24
    • VSW4VTB: 192.168.100.0/24
    Next Hop TypeSelect the next hop type. Select Transit Router.
    Transit RouterSelect a transit router.
    • Custom route table of VPC1: VPC1 connection
    • Custom route table of VPC2: VPC2 connection

Step 5: Add routes to the system route tables

Repeat the following steps to add routes to the system route tables of VPC1 and VPC2.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. On the Route Tables page, find the system route table that you want to manage and click its ID.
  5. Choose Route Entry List > Custom Route, and click Add Route Entry.
  6. In the Add Route Entry panel, set the following parameters and click OK.
    ParameterDescriptionValue
    NameEnter a name for the route.
    • System route table of VPC1: VPC1.
    • System route table of VPC2: VPC2.
    Destination CIDR BlockEnter the CIDR block to which network traffic is forwarded. Set this parameter to the CIDR block of the peer transit vSwitch.
    • System route table of VPC1: 192.168.200.0/24.
    • System route table of VPC2: 192.168.100.0/24.
    Next Hop TypeSelect the next hop type. Select NAT Gateway.
    NAT GatewaySelect a NAT gateway.
    • VSW2VTB: Select VPC NATGW1.
    • VSW4VTB: Select VPC NATGW2.

Step 6: Configure an SNAT entry on VPC NATGW1

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click SNAT Management in the Actions column.
  5. On the SNAT Management tab, click Create SNAT Entry.
  6. On the Create SNAT Entry page, set the following parameters and click OK.
    ParameterDescription
    SNAT EntrySpecify whether to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. Specify VPC is selected in this example, which specifies that all ECS instances in the VPC to which the VPC NAT gateway belongs use the SNAT entry to access external networks.
    Select NAT IP AddressSelect the NAT IP address that is used to access external networks. The default NAT IP address is selected in this example.
    Entry NameEnter a name for the SNAT entry.

Step 7: Configure a DNAT entry on VPC NATGW2

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click DNAT Management in the Actions column.
  5. On the DNAT Management tab, click Create DNAT Entry.
  6. On the Create DNAT Entry page, set the following parameters and click OK.
    ParameterDescription
    Select NAT IP AddressSelect the NAT IP address that is used to receive requests from external networks. The default NAT IP address is selected in this example.
    Select Private IP AddressSpecify the private IP address of the ECS instance that uses the DNAT entry to communicate with external networks. Select Select by ECS or ENI and then select the private IP address of ECS2.
    Port SettingsSelect a DNAT mapping method. Port mapping is used in this example. Select Specific Port. Enter 22 for Frontend Port and Backend Port, and select TCP for Protocol Type.
    Entry NameEnter a name for the DNAT entry.

Step 8: Test the connectivity

  1. Log on to ECS1 in VSW1. For more information, see Connection methods.
  2. Run the ping command to ping the default NAT IP address of VPC NATGW2 to test whether ECS1 can access ECS2.
    The test result shows that ECS1 can access ECS2. Access ECS2 from ECS1
  3. Run the ssh root@NAT IP address command, where the NAT IP address is the default NAT IP address of VPC NATGW2. Then, enter the password of ECS2 to test whether ECS1 can remotely connect to ECS2.
    If the message Welcome to Alibaba Cloud Elastic Compute Service! appears, you are connected to ECS2.

    The test result shows that ECS1 can access ECS2 by using the DNAT feature of VPC NATGW2.

    Log on to ECS2 from ECS1