
Virtual Private Cloud:Create and manage a VPC

Last Updated:Oct 30, 2024

A virtual private cloud (VPC) is a private network in the cloud. You can specify a CIDR block, configure route tables, and configure gateways for your VPC. You can also add secondary CIDR blocks to a VPC.

Create a VPC and a vSwitch

Make a networking plan before you create a VPC and a vSwitch. For more information, see Plan networks.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where you want to create a VPC and a vSwitch.

    Note

    The VPC and the cloud resources that you want to deploy in the VPC must belong to the same region.

  3. On the VPC page, click Create VPC.

  4. On the Create VPC page, set the following parameters and click OK.

    Parameter

    Description

    Region

    Displays the region where you want to create the VPC.

    Name

    Enter a name for the VPC.

    IPv4 CIDR Block

    Select a method to allocate an IPv4 CIDR block to the VPC.

    • Manually enter an IPv4 CIDR block: Specify the CIDR block yourself in the Enter an IPv4 CIDR Block field.

    • IPv4 CIDR block allocated by IPAM: An IPv4 CIDR block will be allocated from an IP Address Manager (IPAM) pool.

      Note

      You can allocate an IPv4 CIDR block from an IPAM pool in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Philippines (Manila), US (Silicon Valley), and US (Virginia).

    Enter an IPv4 CIDR Block

    Enter a primary IPv4 CIDR block for the VPC.

    • You can specify one of the following CIDR blocks, or a subset of one of them, as the primary IPv4 CIDR block of the VPC: 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8. These are the standard private address blocks defined in RFC 1918. The subnet mask must be 8 to 28 bits in length. Example: 192.168.0.0/24.

    • You can also use a custom CIDR block as the primary IPv4 CIDR block, as long as it does not fall within 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16. Keep in mind that a custom block outside the RFC 1918 ranges is usually public address space: addresses in that block are then treated as VPC-internal, so resources in the VPC cannot reach any Internet hosts that actually use those addresses.

    • If you plan to use multiple VPCs, or to connect VPCs to data centers in a hybrid cloud, we recommend that you use subsets of the RFC 1918 blocks with a subnet mask of no more than 16 bits (for example, a /16) as VPC CIDR blocks. In both scenarios the CIDR blocks of the VPCs must not overlap with each other, and in hybrid cloud scenarios they must also not overlap with the CIDR blocks of the data centers, because overlapping ranges cannot be routed between the networks.

    Note
    • This parameter is required only if you set IPv4 CIDR Block to Manually enter an IPv4 CIDR block.

    • After a VPC is created, you can add secondary IPv4 CIDR blocks to the VPC. For more information, see Add a secondary CIDR block.

    Select Pool

    Select an IPAM pool.

    Note
    • This parameter is required only if you set IPv4 CIDR Block to IPv4 CIDR block allocated by IPAM.

    • Make sure that an effective region is specified for the selected IPAM pool and CIDR blocks are provisioned to the IPAM pool. For more information, see Create an IPAM pool and Provision CIDR blocks.

    Network Mask

    Select a network mask. This parameter is required only if you set IPv4 CIDR Block to IPv4 CIDR block allocated by IPAM and an IPAM pool is specified in the Select Pool field.

    If the selected pool has multiple CIDR blocks, the system selects a CIDR block that meets the allocation rules after you specify Network Mask.

    Important

    The network mask must meet the following requirements:

    • The network mask must fall within the valid CIDR range of the VPC, which is /8 to /28.

    • The network mask must meet the allocation rules.

    • The network mask must fall within the CIDR range of the provisioned CIDR blocks.

    The following example is used in this topic:

    • The valid CIDR range of the VPC is /8 to /28.

    • The minimum mask for the IPAM pool is /4 and the maximum mask is /27.

    • The following CIDR blocks are provisioned to the IPAM pool: 10.0.0.0/12, 10.16.0.0/14, and 10.20.0.0/15.

    In this example, a VPC can request a mask length from /12 to /27: the lower bound is the shortest provisioned block (10.0.0.0/12), because an allocation can never be larger than the block it is carved from, and the upper bound is the pool's maximum mask (/27), which is stricter than the VPC limit of /28.
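The mask-range rule above is easy to get wrong by hand, so the following added example (written for this page, not Alibaba Cloud's IPAM code) computes the valid range from the three constraints and then carves a block of a requested size out of the provisioned CIDR blocks, using only Python's standard ipaddress module. The first-fit selection order and the treatment of "allocation rules" as just a minimum and maximum mask are assumptions made for the example; the real service's selection logic is not described on this page.

```python
import ipaddress

# Limits stated on the page: a VPC's IPv4 mask must be /8 to /28.
VPC_MIN_MASK, VPC_MAX_MASK = 8, 28


def allowed_mask_range(pool_min_mask, pool_max_mask, provisioned_cidrs):
    """Return (shortest, longest) mask length a VPC may request from an IPAM pool.

    A requested mask must satisfy all three constraints at once:
      1. the VPC limits (/8 to /28),
      2. the pool's allocation rule (minimum and maximum mask), and
      3. it cannot be shorter than the shortest provisioned block, because
         an allocation can never be larger than the block it is carved from.
    Returns None when the constraints leave no valid mask.
    """
    pools = [ipaddress.IPv4Network(c) for c in provisioned_cidrs]
    shortest = max(VPC_MIN_MASK, pool_min_mask, min(p.prefixlen for p in pools))
    longest = min(VPC_MAX_MASK, pool_max_mask)
    return (shortest, longest) if shortest <= longest else None


def allocate_from_pool(pool_min_mask, pool_max_mask, provisioned_cidrs,
                       already_allocated, requested_mask):
    """Pick the first free block of the requested mask from the provisioned
    CIDR blocks, skipping anything that overlaps an existing allocation.

    First-fit order is an assumption made for this example; the page does
    not describe how the IPAM service chooses among candidate blocks.
    Returns the block as a string, or None if the request cannot be served.
    """
    rng = allowed_mask_range(pool_min_mask, pool_max_mask, provisioned_cidrs)
    if rng is None or not (rng[0] <= requested_mask <= rng[1]):
        return None
    taken = [ipaddress.IPv4Network(c) for c in already_allocated]
    for pool in (ipaddress.IPv4Network(c) for c in provisioned_cidrs):
        if pool.prefixlen > requested_mask:
            continue  # this provisioned block is smaller than the request
        for candidate in pool.subnets(new_prefix=requested_mask):
            if not any(candidate.overlaps(t) for t in taken):
                return str(candidate)
    return None


if __name__ == "__main__":
    # The page's worked example: pool masks /4 to /27, three provisioned blocks.
    pool = ["10.0.0.0/12", "10.16.0.0/14", "10.20.0.0/15"]
    print(allowed_mask_range(4, 27, pool))                       # (12, 27)
    print(allocate_from_pool(4, 27, pool, [], 16))               # 10.0.0.0/16
    print(allocate_from_pool(4, 27, pool, ["10.0.0.0/12"], 16))  # 10.16.0.0/16
    print(allocate_from_pool(4, 27, pool, [], 10))               # None: /10 is shorter than /12
```

Running the script reproduces the page's /12 to /27 answer and shows that once the whole 10.0.0.0/12 block is taken, the next /16 comes from 10.16.0.0/14; a request for a /10 or a /28 is refused before any block is searched.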

    IPv6 CIDR Block

    Specify whether to assign an IPv6 CIDR block to the VPC. In this example, Assign BGP (Multi-ISP) is selected.

    If you set this parameter to Assign (Alibaba Cloud), the system automatically creates an IPv6 gateway of Free Edition for this VPC, and assigns an IPv6 CIDR block with the subnet mask /56, such as 2408:4005:3c5:6e00::/56. By default, IPv6 addresses are used for communication only within private networks. If you want to use an IPv6 address to access the Internet or provide services for IPv6 clients over the Internet, you must purchase Internet bandwidth for the IPv6 address. For more information, see Enable and manage IPv6 Internet bandwidth.

    Note
    • Only the following regions support IPv6 CIDR blocks: China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), SAU (Riyadh - Partner Region).

    • After you create a VPC, you cannot change its IPv6 CIDR block. However, you can add a secondary IPv6 CIDR block to the VPC. For more information, see Add a secondary CIDR block.

    Description

    Enter a description for the VPC.

    vSwitch

    Name

    Enter a name for the vSwitch.

    Zone

    In the drop-down list, select a zone for the vSwitch. In the same VPC, vSwitches in different zones can communicate with each other.

    The drop-down list shows whether each zone supports Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, internal-facing Classic Load Balancer (CLB) instances, and internal-facing Application Load Balancer (ALB) instances. Which resources a zone supports depends on the zone and on when the resources are created; the instance types listed in this topic are for reference only, and the buy page shows what is actually available.

    IPv4 CIDR Block

    Enter an IPv4 CIDR block for the vSwitch. When you specify a CIDR block for the vSwitch, take note of the following limits:

    • The CIDR block of a vSwitch must be a subset of the CIDR block of the VPC to which the vSwitch belongs.

      For example, if the CIDR block of a VPC is 192.168.0.0/16, a vSwitch in the VPC can use any subnet of 192.168.0.0/16 whose mask is 17 to 29 bits long, such as 192.168.0.0/17 or 192.168.1.0/24.

    • The first IP address and the last three IP addresses of a vSwitch CIDR block are reserved.

      For example, if a vSwitch CIDR block is 192.168.1.0/24, the IP addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved.

    • If a vSwitch is required to communicate with vSwitches in other VPCs or with data centers, make sure that the CIDR block of the vSwitch does not overlap with the destination CIDR blocks.

    Note

    After you create a vSwitch, you cannot change its CIDR block.

    IPv6 CIDR Block

    Enable IPv6 and configure an IPv6 CIDR block for the vSwitch.

    Note
    • If your VPC is assigned an IPv6 CIDR block, you must configure the IPv6 CIDR block of the vSwitch.

    • If your VPC is not assigned an IPv6 CIDR block, you do not need to configure the IPv6 CIDR block of the vSwitch.

    • By default, the subnet mask of the IPv6 CIDR block for the vSwitch is /64. Because the VPC's IPv6 block is a /56, you enter a decimal number from 0 to 255 to set the 8 bits that extend the /56 prefix of the VPC to the /64 prefix of the vSwitch.

      For example, if the IPv6 CIDR block of the VPC is 2408:XXXX:XXXX:6e00::/56, you can enter 255 (ff in hexadecimal format) for the IPv6 CIDR block of the vSwitch. In this case, the IPv6 CIDR block of the vSwitch is 2408:XXXX:XXXX:6eff::/64.

    • The first IPv6 address and last nine IPv6 addresses are reserved by the system.

      For example, if the IPv6 CIDR block of a vSwitch is 2408:XXXX:XXXX:6eff::/64, the first IPv6 address 2408:XXXX:XXXX:6eff:: and the last nine IPv6 addresses are reserved by the system: 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:fff7, 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:fff8, 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:fff9, 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:fffa, 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:fffb, 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:fffc, 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:fffd, 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:fffe, and 2408:XXXX:XXXX:6eff:ffff:ffff:ffff:ffff.
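The IPv4 and IPv6 vSwitch rules above (subset of the VPC block, mask length, reserved addresses, and the 8-bit subnet number for IPv6) are worth encoding as a check you run over a network plan before clicking OK. The following added example is not Alibaba Cloud code; it implements those rules with Python's standard ipaddress module. The /17 lower bound for a /16 VPC is generalized from the page's example as "one bit longer than the VPC mask", and the 10-vSwitch limit comes from the creation dialog; both are assumptions to confirm against the console for your own VPC.

```python
import ipaddress

VSWITCH_MAX_MASK = 29     # page example: a /16 VPC accepts vSwitch masks /17 to /29
MAX_VSWITCHES_PER_VPC = 10  # limit stated in the Create VPC dialog


def ipv4_vswitch(vpc_cidr, vswitch_cidr):
    """Validate a vSwitch IPv4 CIDR against its VPC and list its reserved addresses.

    Rules applied: the vSwitch block must be a subset of the VPC block, its mask
    must be longer than the VPC mask (assumption generalized from the page's
    /16 -> /17 example) and no longer than /29, and the first address plus the
    last three addresses are reserved by the system.
    """
    vpc = ipaddress.IPv4Network(vpc_cidr)
    vsw = ipaddress.IPv4Network(vswitch_cidr)
    if not vsw.subnet_of(vpc):
        raise ValueError(f"{vsw} is not inside VPC block {vpc}")
    if not vpc.prefixlen < vsw.prefixlen <= VSWITCH_MAX_MASK:
        raise ValueError(f"mask /{vsw.prefixlen} must be /{vpc.prefixlen + 1} to /{VSWITCH_MAX_MASK}")
    last = vsw.broadcast_address
    reserved = [vsw.network_address, last - 2, last - 1, last]
    return {
        "cidr": str(vsw),
        "reserved": [str(a) for a in reserved],
        "usable": vsw.num_addresses - len(reserved),
    }


def ipv6_vswitch(vpc_v6_cidr, subnet_id):
    """Derive the vSwitch /64 from the VPC /56 and list its reserved addresses.

    subnet_id (0-255) fills the 8 bits between the /56 and the /64, exactly as
    the decimal number entered in the console does. The first address and the
    last nine addresses of the /64 are reserved by the system.
    """
    vpc = ipaddress.IPv6Network(vpc_v6_cidr)
    if vpc.prefixlen != 56:
        raise ValueError("the VPC IPv6 block assigned by the console is a /56")
    if not 0 <= subnet_id <= 255:
        raise ValueError("subnet_id must be 0-255")
    # Bits 56-63 of the address select the /64: shift the id past the low 64 bits.
    vsw = ipaddress.IPv6Network((int(vpc.network_address) + (subnet_id << 64), 64))
    last = vsw.broadcast_address
    reserved = [vsw.network_address] + [last - i for i in range(8, -1, -1)]
    return {"cidr": str(vsw), "reserved": [str(a) for a in reserved]}


def check_vswitch_plan(vpc_cidr, vswitch_cidrs):
    """Validate a whole set of IPv4 vSwitches for one VPC and return the total
    number of usable addresses. Every vSwitch must pass ipv4_vswitch(), no two
    may overlap, and the count may not exceed the creation-dialog limit."""
    if len(vswitch_cidrs) > MAX_VSWITCHES_PER_VPC:
        raise ValueError(f"at most {MAX_VSWITCHES_PER_VPC} vSwitches per VPC")
    nets = [ipaddress.IPv4Network(c) for c in vswitch_cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return sum(ipv4_vswitch(vpc_cidr, str(n))["usable"] for n in nets)


if __name__ == "__main__":
    print(ipv4_vswitch("192.168.0.0/16", "192.168.1.0/24"))
    # Uses the /56 shown on the page; 255 selects the last /64, 2408:4005:3c5:6eff::/64
    print(ipv6_vswitch("2408:4005:3c5:6e00::/56", 255))
    print(check_vswitch_plan("192.168.0.0/16", ["192.168.1.0/24", "192.168.2.0/24"]))
```

For 192.168.1.0/24 the reserved list is exactly the four addresses the page names (.0, .253, .254, .255), leaving 252 usable; for the IPv6 case the ten reserved addresses run from 2408:4005:3c5:6eff:: and then ...:fff7 through ...:ffff.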

    Click Resource Group and Tag to configure the resource group and tags.

    Resource Group

    Select the resource group to which the VPC belongs.

    Tag Key

    Select or enter a tag key. You can specify up to 20 tag keys.

    A tag key can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.

    Tag Value

    Select or enter a tag value. You can specify up to 20 tag values.

    A tag value can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.

  5. (Optional): If you need to add more vSwitches for the VPC, click Add below the vSwitch list and set the parameters.

    You can create at most 10 vSwitches in each VPC.

  6. Click OK.

View a VPC

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC is created.

  3. On the VPC page, find the VPC and click its ID.

  4. You can view the following information about the VPC: Basic Information, Resource Management, and CIDR Block Management.

    • Basic Information

      On the Basic Information tab, you can view the name, IPv4 CIDR block, and IPv6 CIDR block of VPC.

    • Resource Management

      On the Resource Management tab, you can view resource information in the following sections: VPC Resources, Access to Internet, and Communication between Networks.

    • CIDR Block Management

      On the CIDR Block Management tab, you can add secondary IPv4 or IPv6 CIDR blocks. For more information, see Add a secondary CIDR block.

    • Cross-account Authorization

      On the Cross-account Authorization tab, you can grant permissions to a Cloud Enterprise Network (CEN) instance, virtual border gateway (VBR), or an Express Connect Router (ECR) that belongs to another Alibaba Cloud account.

      • On the Cross-account Authorization > Cloud Enterprise Network tab, you can grant permissions to a CEN instance that belongs to another Alibaba Cloud account so that the VPC can be attached to the CEN instance. For more information, see Grant permissions to an Alibaba Cloud account.

      • On the Cross-account Authorization > Virtual Border Router tab, you can grant the permissions to a VBR that belongs to another Alibaba Cloud account so that the VPC can be connected to the VBR.

      • On the Cross-account Authorization > ECR tab, you can grant the permissions to an ECR that belongs to another Alibaba Cloud account so that the VPC can be connected to the ECR. For more information, see Grant permissions to an ECR across Alibaba Cloud accounts.

    • Network Topology

      On the Network Topology tab, you can view information about Resource Topology and Route Topology.

Modify the basic information about a VPC

You can modify the name and description of a VPC, associate a DHCP options set with a VPC, or enable centralized control for an IPv4 gateway.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC is created.

  3. On the VPC page, click the ID of the VPC that you want to manage.

  4. In the VPC Details section, you can perform the following operations:

    Parameter

    Description

    Modify the name or description

    1. Click Edit next to Name or Description.

    2. In the dialog box that appears, enter a new name or description and click OK.

    Enable IPv6

    If IPv6 is not enabled for the VPC, you can perform the following operations to enable IPv6 for the VPC.

    1. Click Enable IPv6 next to IPv6 CIDR Block.

    2. In the Enable IPv6 dialog box, select Assign (Alibaba Cloud) and click OK.

      To enable IPv6 for all vSwitches in the VPC, select Automatically Enable IPv6 for All vSwitches.

    Associate a DHCP options set with a VPC

    You can associate a DHCP options set with a VPC so that instances in the VPC can use network configurations in the set such as domain names and DNS servers.

    1. Click Associate next to DHCP Options Set.

    2. In the Associate DHCP Options Set dialog box, select a DHCP options set and click OK.

    Enable centralized control for an IPv4 gateway

    IPv4 gateways support the following Internet access modes:

    • Direct Internet access: Instances in the VPC can directly communicate with the Internet through public IP addresses or EIPs. For more information, see Internet access overview.

    • Centralized control: Internet access for instances in the VPC is controlled by the IPv4 gateway. Only instances whose route tables contain routes that point to the IPv4 gateway can access the Internet, which gives you a single enforcement point for egress traffic.

    You can perform the following operations to enable centralized control. After centralized control is enabled, Internet access of instances in the VPC is controlled by the IPv4 gateway.

    Note

    If an IPv4 gateway is activated and associated with your VPC, skip this step.

    1. Click Enable next to IPv4 Internet Access Mode.

    2. You will be redirected to the IPv4 Gateway page. On this page, perform the following operations as needed:

      • If no IPv4 gateway exists in this VPC, create and activate one.

      • If an IPv4 gateway is already created but not activated, activate it.

    For more information, see Create and manage an IPv4 gateway.

    Enable DNS hostname

    The DNS hostname feature controls private domain name resolution for ECS instances in the VPC: the private domain names of ECS instances resolve only while the feature is enabled and stop resolving when it is disabled.

    Note

    DNS hostname is only available to users who receive invitations. Contact your account manager if you need this feature.

    1. Click Enable next to DNS Hostname.

    2. In the Enable DNS Hostname dialog box, click OK.

Add a secondary CIDR block

Limits

  • When you create a VPC, the IPv4 CIDR block that you specify is the primary CIDR block. After the VPC is created, you cannot modify the primary IPv4 CIDR block of the VPC. However, you can add a secondary IPv4 CIDR block to the VPC. After you add a secondary IPv4 CIDR block to the VPC, both the primary and secondary IPv4 CIDR blocks are in effect.

    You can add at most five secondary IPv4 CIDR blocks to a VPC. If the VPC has IPv6 enabled, you can add at most five secondary IPv6 CIDR blocks to the VPC.

  • You can create a vSwitch with the primary IPv4 CIDR block or a secondary CIDR block of a VPC. However, the CIDR block of a vSwitch must belong to only one CIDR block of the VPC. Whether you create a vSwitch with the primary IPv4 CIDR block or a secondary CIDR block, the system automatically adds a route to a route table of the VPC. The destination CIDR block of the route is the CIDR block of the vSwitch. The CIDR block of a vSwitch cannot be the same as or larger than the destination CIDR block of a route in a route table of the VPC to which the vSwitch belongs.

    For example, 172.16.0.0/12 is added to a VPC as a secondary IPv4 CIDR block and a CEN route exists in a route table of the VPC. Overlapping routing is enabled for CEN and the destination CIDR block of the CEN route is 172.16.0.0/24. In this case, you cannot create a vSwitch with 172.16.0.0/24 or a larger CIDR block. However, you can create a vSwitch with 172.16.0.0/25 or a smaller CIDR block.
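The two limits above (a secondary block may not overlap the primary or any existing secondary block, and a vSwitch may not be the same as or larger than an existing route destination) also govern the Secondary CIDR Block parameter described later in this section. The following added example, written for this page rather than taken from Alibaba Cloud, checks both rules with Python's standard ipaddress module. The excluded ranges and the limit of five secondary blocks are copied from the page; the reason strings are the example's own.

```python
import ipaddress

# Ranges the page excludes from custom blocks, and the secondary-block limit.
EXCLUDED_RANGES = [ipaddress.IPv4Network(c) for c in
                   ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]
MAX_SECONDARY_BLOCKS = 5


def check_secondary_cidr(primary_cidr, secondary_cidrs, candidate):
    """Return (ok, reason) for adding candidate as a secondary IPv4 CIDR block.

    Applies the limits on the page: mask /8 to /28, first octet not 0, none of
    the excluded ranges, at most five secondaries, and no overlap with the
    primary block or an existing secondary block. "Overlap" already covers the
    three rejected cases in the page's example: equal, larger and smaller.
    """
    # strict=False normalizes sloppy input such as 192.168.0.0/8 to 192.0.0.0/8
    cand = ipaddress.IPv4Network(candidate, strict=False)
    if not 8 <= cand.prefixlen <= 28:
        return False, f"{cand}: mask must be /8 to /28"
    if int(cand.network_address) >> 24 == 0:
        return False, f"{cand}: CIDR block cannot start with 0"
    for rng in EXCLUDED_RANGES:
        if cand.overlaps(rng):
            return False, f"{cand} falls within excluded range {rng}"
    if len(secondary_cidrs) >= MAX_SECONDARY_BLOCKS:
        return False, f"VPC already has {MAX_SECONDARY_BLOCKS} secondary blocks"
    for existing in map(ipaddress.IPv4Network, [primary_cidr, *secondary_cidrs]):
        if cand.overlaps(existing):
            return False, f"{cand} overlaps existing block {existing}"
    return True, "ok"


def check_vswitch_against_routes(vpc_cidrs, vswitch_cidr, route_destinations):
    """Return (ok, reason) for creating a vSwitch in a VPC with the given blocks.

    The vSwitch must sit inside exactly one of the VPC's CIDR blocks, and its
    block must not be the same as, or contain, the destination of any route
    already in the VPC's route tables (the system route that is added for the
    new vSwitch would otherwise clash with that route).
    """
    vsw = ipaddress.IPv4Network(vswitch_cidr)
    parents = [b for b in map(ipaddress.IPv4Network, vpc_cidrs) if vsw.subnet_of(b)]
    if len(parents) != 1:
        return False, f"{vsw} must belong to exactly one VPC block (found {len(parents)})"
    for dest in map(ipaddress.IPv4Network, route_destinations):
        if dest.subnet_of(vsw):  # equal, or the vSwitch is the larger block
            return False, f"{vsw} is the same as or larger than route destination {dest}"
    return True, "ok"


if __name__ == "__main__":
    primary = "192.168.0.0/16"
    for c in ("192.168.0.0/16", "192.0.0.0/8", "192.168.0.0/24", "172.16.0.0/12"):
        print(c, check_secondary_cidr(primary, [], c))
    # The page's CEN example: a route to 172.16.0.0/24 already exists.
    blocks = [primary, "172.16.0.0/12"]
    for c in ("172.16.0.0/24", "172.16.0.0/23", "172.16.0.0/25"):
        print(c, check_vswitch_against_routes(blocks, c, ["172.16.0.0/24"]))
```

With the page's inputs only 172.16.0.0/12 is accepted as a secondary block, and among the vSwitch candidates only 172.16.0.0/25 passes: the /24 equals the CEN route's destination and the /23 contains it.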

Prerequisites

Before you add a secondary IPv4 CIDR block to a VPC, make sure that a VPC is created. If you want to add a secondary IPv6 CIDR block to a VPC, you must enable IPv6 for the VPC. If you want to create a vSwitch with a secondary IPv6 CIDR block, you must enable IPv6 for the vSwitch.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC is created.

  3. On the VPC page, find the VPC that you want to manage, and click the ID of the VPC.

  4. On the VPC Details page, click the CIDR Block Management tab and perform the following steps to add a secondary CIDR block to the VPC.

    • Add a secondary IPv4 CIDR block

      1. Click the IPv4 CIDR Block tab, and click Add Secondary IPv4 CIDR Block.

      2. In the Add Secondary CIDR Block dialog box, set the following parameters and click OK.

        Parameter

        Description

        VPC

        The VPC to which you want to add a secondary IPv4 CIDR block is displayed.

        Secondary CIDR Block

        Select a method to add a secondary IPv4 CIDR block:

        • Default CIDR Block: Uses 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8 as the secondary CIDR block.

        • Custom CIDR Block: Uses a custom CIDR block other than 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16, or their subnets, as the secondary CIDR block.

        When you add a secondary IPv4 CIDR block, take note of the following limits:

        • The CIDR block cannot start with 0. The subnet mask must be 8 to 28 bits in length.

        • The secondary IPv4 CIDR block cannot overlap with the primary IPv4 CIDR block or an existing secondary IPv4 CIDR block.

          For example, if the primary IPv4 CIDR block of a VPC is 192.168.0.0/16, you cannot specify one of the following CIDR blocks as the secondary IPv4 CIDR block:

          • 192.168.0.0/16.

          • A CIDR block larger than 192.168.0.0/16 that contains it, for example, 192.0.0.0/8.

          • A CIDR block smaller than 192.168.0.0/16, for example, 192.168.0.0/24.

    • Add a secondary IPv6 CIDR block

      1. Click the IPv6 CIDR Block tab and click Add IPv6 CIDR Block.

      2. In the Add IPv6 CIDR Block dialog box, set the following parameters and click OK.

        Parameter

        Description

        IPv6 CIDR Block Type

        Only Assign (Alibaba Cloud) is supported.

        IPv6 CIDR Block

        Displays the secondary IPv6 CIDR block.

Delete a secondary CIDR block

You can delete a secondary CIDR block. However, you cannot delete the primary IPv4 CIDR block of a VPC.

Before you delete a secondary CIDR block, make sure that the vSwitches created within the secondary CIDR block are deleted. For more information, see Delete a vSwitch.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC is created.

  3. On the VPC page, click the ID of the VPC that you want to manage.

  4. On the VPC Details page, click the CIDR Block Management tab.

  5. On the CIDR Block Management tab, perform the following steps to delete a secondary CIDR block:

    • Delete a secondary IPv4 CIDR block

      1. On the IPv4 CIDR Block tab, find the secondary IPv4 CIDR block that you want to delete and click Delete in the Actions column.

      2. In the message that appears, click OK.

    • Delete a secondary IPv6 CIDR block

      1. On the IPv6 CIDR Block tab, find the secondary IPv6 CIDR block that you want to delete and click Delete in the Actions column.

      2. In the message that appears, click OK.

Delete a VPC

If you no longer use a VPC, you can delete it. The vRouters and route tables associated with the VPC are also deleted.

  • Unforceful deletion: Make sure that the VPC is not associated with vSwitches, IPv6 gateways, security groups, custom route tables, access control lists (ACLs), DHCP options sets, or CEN instances. If the VPC is associated with a resource, release the resource first.

  • Forceful deletion: The VPC can be forcefully deleted if it is associated only with the following resources. The associated resources are also deleted.

    • vSwitches in which no private IP addresses are in use.

    • Route tables that do not contain custom routes or contain only routes that point to IPv4 or IPv6 gateways.

    • Network ACLs.

    • IPv4 gateways.

    • IPv6 gateways.

    If the VPC is associated with other resources, the VPC cannot be forcefully deleted. You must release the associated resources first.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC is created.

  3. On the VPC page, find the VPC that you want to delete and click Delete in the Actions column.

  4. In the Delete VPC dialog box, select whether to Forcefully Delete the VPC as needed, and click OK.

What to do next

Disable IPv6 for a VPC

If a VPC that has IPv6 enabled no longer requires IPv6, you can disable IPv6 for the VPC. Before you disable IPv6 for a VPC, you must disable IPv6 for all the vSwitches in the VPC, and delete the IPv6 gateway of the VPC.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC is created.

  3. On the VPC page, click the ID of the VPC for which you want to disable IPv6.

  4. Click the Resource Management tab. In the VPC Resources section, click the number below the vSwitch parameter.

  5. On the vSwitch page, view the IPv6 CIDR blocks of vSwitches in the IPv6 CIDR Block column.

  6. (Optional): If IPv6 is enabled for the vSwitch, click Disable IPv6 in the IPv6 CIDR Block column.

    You must disable IPv6 for all the vSwitches that have IPv6 enabled in the VPC.

  7. (Optional): In the left-side navigation pane, choose Access to Internet > IPv6 Gateway.

  8. (Optional): On the IPv6 Gateway page, check for IPv6 gateways in the VPC for which you want to disable IPv6 CIDR blocks.

    • If such an IPv6 gateway exists in the VPC for which you want to disable IPv6, click Delete in the Actions column. In the message that appears, click OK.

    • If no IPv6 gateway exists in the VPC for which you want to disable IPv6, skip this step.

  9. Return to the VPC page, find the VPC for which you want to disable IPv6, and then click Disable IPv6 in the IPv6 CIDR Block column. In the message that appears, click OK.
