This topic describes how to create virtual private cloud (VPC) peering connections to enable multiple VPCs to use the same Internet NAT gateway. This way, the VPCs can access the Internet.
Background information
A VPC peering connection is a private network connection between two VPCs. You can enable two VPCs to communicate with each other by establishing a VPC peering connection. You can connect multiple VPCs by creating multiple VPC peering connections. For example, if you have three VPCs named VPC1, VPC2, and VPC3, you can connect them by creating a VPC peering connection between VPC1 and VPC2, a connection between VPC2 and VPC3, and a connection between VPC1 and VPC3. This topic describes how to create a VPC peering connection between two VPCs to enable them to share an Internet NAT gateway.
For more information, see VPC peering connections.
Example scenario
A company created two VPCs named VPC-A and VPC-B in the China (Chengdu) region. In VPC-A, vSwitch-A1 and vSwitch-A2 are created, with an Internet NAT gateway in vSwitch-A1 and an ECS-A instance in vSwitch-A2. In VPC-B, vSwitch-B1 is created with an ECS-B instance. Due to business requirements, both VPC-A and VPC-B need to access the Internet.
The company can create a VPC peering connection between VPC-A and VPC-B, configure routes to establish private network connectivity, and then configure SNAT entries on the Internet NAT gateway to enable both VPC-A and VPC-B to access the Internet through the NAT gateway.
Procedure
Step 1: Create an Internet NAT gateway
Log on to the NAT Gateway console.
On the Internet NAT Gateway page, click Create Internet NAT Gateway.
On the NAT Gateway page, configure the following parameters and click Buy Now.
| Parameter | Description |
| --- | --- |
| Region | Select the region where you want to create the Internet NAT gateway. |
| Network And Zone | Select the VPC and vSwitch to which the NAT gateway belongs. After the NAT gateway is created, you cannot change the VPC or vSwitch. |
| Network Type | In this example, Internet NAT Gateway is selected. Internet NAT Gateway: provides Network Address Translation capabilities and can be associated with EIPs to allow ECS instances to access the Internet, enabling communication between private and public networks. VPC NAT Gateway: also provides Network Address Translation capabilities but cannot be associated with EIPs. It can only provide address translation within private networks for ECS instances, suitable for scenarios such as hiding internal addresses and avoiding address conflicts. |
| Elastic IP Address | In this example, Purchase And Associate EIP is selected. Select Existing EIP Instance: Select an EIP that is Not Associated With An Instance. Purchase And Associate EIP: By default, a pay-by-traffic BGP (Multi-ISP) EIP is created. You can select a Bandwidth Peak based on your business requirements. Note: If you want to associate an EIP with a different line type or billing method, first apply for an EIP, and then Select An Existing EIP to associate. Each EIP that you associate with a NAT gateway occupies a private IP address of the vSwitch to which the NAT gateway belongs. Make sure that the vSwitch has sufficient available private IP addresses. Otherwise, you cannot associate new EIPs with the NAT gateway. Configure Later: The created NAT gateway will not have Internet access capabilities. You need to manually associate an EIP with the NAT gateway. |
You can find the Internet NAT gateway on the Internet NAT Gateway page.

Step 2: Create a VPC peering connection
Log on to the VPC console.
In the left-side navigation pane, click VPC Peering Connection.
In the top navigation bar, select the region where you want to create a VPC peering connection.
In this example, select China (Chengdu) region.
On the VpcPeer page, click Create VPC Peering Connection.
On the Create VPC Peering Connection page, configure the parameters and click OK.
| Parameter | Description |
| --- | --- |
| Peering Connection Name | Enter a name for the VPC peering connection. |
| Resource Group | Select a resource group for the VPC peering connection. |
| Requester VPC | Select a requester VPC from the drop-down list. In this example, select VPC-A. |
| Accepter Account Type | Select whether the requester VPC and acceptor VPC belong to the same Alibaba Cloud account. In this example, select Same-Account. |
| Accepter Region Type | Select whether the requester VPC and acceptor VPC belong to the same region. In this example, select Intra-Region. |
| Accepter VPC | Select the acceptor VPC. In this example, select VPC-B. |
On the VpcPeer page, view the status and other information of the VPC peering connection.
An activated VPC peering connection is in the Activated state and is ready for use.
You can view the following information about the requester VPC and acceptor VPC: the VPC ID, region, CIDR block, and owner Alibaba Cloud account.
Step 3: Configure routes
Add routes to VPC1 and VPC2 to manage traffic.
Log on to the VPC console.
In the left-side navigation pane, click VPC Peering Connection.
On the VPC Peering Connection page, find the created VPC peering connection and perform the following operations to configure routes.
Configure routes for the requester (VPC-A)
In the Requester VPC column, click Configure Route.
In the Configure Route dialog box, configure the following parameters and click OK.
Add a route entry for VPC-B's CIDR block 172.16.0.0/16 and point it to the VPC peering connection to ensure that traffic destined for VPC-B is correctly forwarded through the VPC peering connection.
| Parameter | Description |
| --- | --- |
| VPC | The requester VPC is automatically displayed. |
| Route Table | Select a route table associated with the VPC from the drop-down list. |
| Name | Enter a name for the route. |
| Destination CIDR Block | Enter a destination CIDR block for the route. In this example, select IPv4 CIDR Block, and enter the CIDR block of VPC-B: 172.16.0.0/16. |
| Next Hop | The next hop is automatically displayed. |
Configure routes for the acceptor (VPC-B)
In the Accepter VPC column, click Configure Route.
In the Configure Route dialog box, configure the following parameters and click OK.
Add a route entry for 0.0.0.0/0 and point it to the VPC peering connection to forward IPv4 traffic to the VPC peering connection.
| Parameter | Description |
| --- | --- |
| VPC | The requester VPC is automatically displayed. |
| Route Table | Select a route table associated with the VPC from the drop-down list. |
| Name | Enter a name for the route. |
| Destination CIDR Block | Enter a destination CIDR block for the route. Because VPC-B needs to access the Internet through the Internet NAT gateway, in this example, select IPv4 CIDR Block, and enter 0.0.0.0/0. |
| Next Hop | The next hop is automatically displayed. |
After the routes are configured, you can go to the VPC Peering Connection page, click the ID of the VPC peering connection, and then view the configured route entries on the Route Entry List tab.
Step 4: Create an SNAT entry
On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
On the SNAT Management tab, click Create SNAT Entry.
On the Create SNAT Entry page, configure the parameters and click Confirm.
| Parameter | Description |
| --- | --- |
| SNAT Entry | Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. Specify vSwitch is selected in this example. The ECS instances that are attached to the specified vSwitch use the EIP to access the Internet. Select vSwitch: Select a vSwitch from the drop-down list. Note: If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP. vSwitch CIDR block: The CIDR block of the selected vSwitch is displayed. |
| Select EIP | Select one or more EIPs that are used to access the Internet. In this example, Use Single IP is selected and the EIP that is associated with the Internet NAT gateway in Step 2 is selected from the drop-down list. |
| Entry Name | Enter a name for the SNAT entry. |
Configuration verification
Log on to ECS1 and ECS2 instances through the Workbench console.
Run the ping 223.5.5.5 command.
The verification confirms that both ECS1 and ECS2 instances can successfully access the Internet.
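The routes from Step 3 and the SNAT entries from Step 4 can also be checked offline before relying on ping. The following is an added example, not code from the original page or from Alibaba Cloud: it models the two route tables with longest-prefix matching and reports which part of the path is missing. Assumptions: only 172.16.0.0/16 is taken from the page; the VPC-A CIDR, the vSwitch CIDRs and the instance IPs are constructed, VPC-A's route table is assumed to send 0.0.0.0/0 to the NAT gateway, and only sources inside an SNAT entry's CIDR are treated as translated.

```python
import ipaddress

# Constructed sample configuration. Only 172.16.0.0/16 (VPC-B) comes from the page;
# the VPC-A CIDR, the vSwitch CIDRs and the instance IPs used below are assumptions.
CFG = {
    "nat_vpc": "VPC-A",
    "routes": {
        # Assumed: VPC-A's route table sends Internet traffic to the NAT gateway.
        "VPC-A": {"192.168.0.0/16": "local", "172.16.0.0/16": "peering",
                  "0.0.0.0/0": "nat"},
        "VPC-B": {"172.16.0.0/16": "local", "0.0.0.0/0": "peering"},
    },
    # Source CIDRs covered by SNAT entries (vSwitch-A2 and vSwitch-B1, constructed).
    "snat_cidrs": ["192.168.2.0/24", "172.16.1.0/24"],
}

def next_hop(route_table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(cidr), hop) for cidr, hop in route_table.items()
            if addr in ipaddress.ip_network(cidr)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def egress_check(src_ip, src_vpc, cfg, dst="223.5.5.5"):
    """Trace src_ip -> dst and the reply path; return (ok, reason)."""
    routes, nat_vpc = cfg["routes"], cfg["nat_vpc"]
    if src_vpc != nat_vpc:
        # Outbound: the peer VPC must hand Internet traffic to the peering connection.
        if next_hop(routes[src_vpc], dst) != "peering":
            return False, "peer VPC has no route to the peering connection"
        # Reply: the NAT gateway's VPC must route the peer's CIDR back over the peering.
        if next_hop(routes[nat_vpc], src_ip) != "peering":
            return False, "NAT VPC has no return route to the peer VPC"
    if next_hop(routes[nat_vpc], dst) != "nat":
        return False, "NAT VPC does not route Internet traffic to the NAT gateway"
    # Only sources inside an SNAT entry's CIDR are translated to the EIP.
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(c) for c in cfg["snat_cidrs"]):
        return False, "source is not covered by any SNAT entry"
    return True, "ok"

if __name__ == "__main__":
    for name, ip, vpc in [("ECS-A", "192.168.2.10", "VPC-A"),
                          ("ECS-B", "172.16.1.10", "VPC-B")]:
        print(name, egress_check(ip, vpc, CFG))
```

Keeping `snat_cidrs` limited to the subnets that need Internet egress means any other source behind the peering connection fails the last check instead of silently sharing the EIP.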
