This topic provides answers to some frequently asked questions about Virtual Private Cloud (VPC).
What is CIDR?
Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and IP routing. Compared with the traditional system based on classes (Class A, Class B, Class C, ...), CIDR is a more efficient method to allocate IP addresses. For example, the IP addresses from 10.203.96.0 to 10.203.127.255 translate into the following CIDR block:
00001010.11001011.01100000.00000000 to 00001010.11001011.01111111.11111111, or 10.203.96.0/19.
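The range-to-prefix conversion shown above, as an added example that is not part of the original FAQ: the prefix length is the number of leading bits the first and last address share, and a range is exactly one CIDR block only when it starts on that block's boundary and fills it; ranges that are not aligned need several blocks.

```python
import ipaddress

def to_binary(addr: str) -> str:
    """Dotted-binary form of an IPv4 address, as written in the FAQ's example."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))

def smallest_covering_block(first: str, last: str):
    """Return the smallest CIDR block covering first..last, and whether the
    range is exactly that block (aligned start and full block size)."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    if a > b:
        raise ValueError("first must not be after last")
    prefix = 32 - (a ^ b).bit_length()            # leading bits shared by a and b
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    block = ipaddress.IPv4Network((a & mask, prefix))
    exact = int(block.network_address) == a and int(block.broadcast_address) == b
    return block, exact

def range_to_cidrs(first: str, last: str):
    """Exact decomposition of a range into CIDR blocks (standard-library summarizer)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]

if __name__ == "__main__":
    block, exact = smallest_covering_block("10.203.96.0", "10.203.127.255")
    print(to_binary("10.203.96.0"), "to", to_binary("10.203.127.255"))
    print(block, "exact" if exact else "covering only")   # 10.203.96.0/19 exact
    # an unaligned range: the covering block is /21, the exact split needs two blocks
    print(smallest_covering_block("10.203.96.0", "10.203.100.255"))
    print(range_to_cidrs("10.203.96.0", "10.203.100.255"))
```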
When you create a VPC or a vSwitch, you must specify one or more CIDR blocks for it.
What are the differences between a VPC and a classic network?
Differences between a VPC and a classic network:
A classic network is built on the public infrastructure of Alibaba Cloud. Services in a classic network are deployed and managed by Alibaba Cloud. A classic network is suitable for customers that require simplified networking.
A VPC is an isolated virtual network that is built by customers on Alibaba Cloud. VPCs are logically isolated from each other. You can customize the topology of a VPC and specify IP addresses in a VPC. VPCs are suitable for customers who have high network security requirements and network management capabilities.
Do VPCs support VPN?
Yes, VPCs support VPN. For more information, see VPN gateways.
How do I specify a CIDR block for a VPC?
You can specify 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, or their subnets as the private CIDR block of the VPC. You can also specify a custom CIDR block. The subnet mask must be 8 to 28 bits in length.
For more information, see Create and manage a VPC.
How do I specify a CIDR block for a vSwitch?
Before you specify a CIDR block for a vSwitch, take note of the following limits:
The CIDR block of the vSwitch must fall within the CIDR block of the VPC to which the vSwitch belongs.
The subnet mask of the vSwitch must be 16 to 29 bits in length.
The CIDR block that you specify cannot be the same as or a subset of the CIDR block of an existing vSwitch.
The CIDR block that you specify cannot be the same as the destination CIDR block of a route in the VPC route table.
The CIDR block that you specify cannot contain the destination CIDR block of a route in the VPC route table. However, the CIDR block that you specify can be a subset of the destination CIDR block of a route in the VPC route table.
For more information, see Create and manage a vSwitch.
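A validator for the VPC mask rule above (8 to 28 bits) and the five vSwitch rules, as an added example that is not Alibaba Cloud's own validation code; the sample VPC, vSwitch and route values in the usage block are constructed. Note that `strict=True` also rejects a block whose host bits are set.

```python
import ipaddress

VPC_MASK_BITS = range(8, 29)       # VPC subnet mask: 8 to 28 bits (FAQ)
VSWITCH_MASK_BITS = range(16, 30)  # vSwitch subnet mask: 16 to 29 bits (FAQ)

def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects e.g. "172.16.1.1/24": a CIDR block must start on its boundary
    return ipaddress.IPv4Network(cidr, strict=True)

def validate_vpc_cidr(cidr: str) -> list:
    """Return the list of violated rules for a VPC CIDR block (empty list = OK)."""
    try:
        n = _net(cidr)
    except ValueError as e:
        return [f"malformed CIDR block: {e}"]
    return [] if n.prefixlen in VPC_MASK_BITS else ["VPC subnet mask must be 8 to 28 bits"]

def validate_vswitch_cidr(candidate: str, vpc_cidr: str,
                          existing_vswitches, route_destinations) -> list:
    """Check a proposed vSwitch CIDR block against the FAQ's rules and
    return the list of violated rules (empty list = acceptable)."""
    try:
        c, vpc = _net(candidate), _net(vpc_cidr)
    except ValueError as e:
        return [f"malformed CIDR block: {e}"]
    problems = []
    if c.prefixlen not in VSWITCH_MASK_BITS:
        problems.append("vSwitch subnet mask must be 16 to 29 bits")
    if not c.subnet_of(vpc):
        problems.append(f"{c} is not within the VPC CIDR block {vpc}")
    for s in map(_net, existing_vswitches):
        if c.subnet_of(s):            # subnet_of() is also true for an identical block
            problems.append(f"{c} is the same as or a subset of existing vSwitch {s}")
    for r in map(_net, route_destinations):
        if c.supernet_of(r):          # identical to, or contains, a route destination
            problems.append(f"{c} is the same as or contains route destination {r}")
        # a candidate that is a strict subset of r is explicitly allowed: no check needed
    return problems

if __name__ == "__main__":
    vpc, switches, routes = "172.16.0.0/12", ["172.16.1.0/24"], ["172.16.8.0/24"]
    for cand in ("172.16.2.0/24", "172.16.1.128/25", "172.16.8.0/23", "172.16.8.0/25"):
        print(cand, validate_vswitch_cidr(cand, vpc, switches, routes) or "OK")
```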
Can an ECS instance in the primary CIDR block of a VPC communicate with an ECS instance in the secondary CIDR block of the same VPC?
If the ECS instances are added to the same security group, and the network access control list (ACL) rules allow the ECS instances to access each other, the ECS instances can communicate with each other.
For more information about security groups, see Manage ECS instances in security groups.
For more information about network ACLs, see Create and manage a network ACL.
Can I disable the communication between an ECS instance in the primary CIDR block of a VPC and an ECS instance in the secondary CIDR block of the same VPC?
Yes, you can use one of the following methods to disable the communication between the ECS instances:
Configure a network ACL. For more information, see Create and manage a network ACL.
Configure a security group. For more information, see Add a security group rule.
Does a CEN instance automatically add a route for the secondary CIDR block after I add a secondary CIDR block to a VPC?
If the VPC is attached to a CEN instance, after you add a secondary CIDR block to the VPC and create a vSwitch that belongs to the secondary CIDR block, the CEN instance automatically adds a route that specifies the CIDR block of the vSwitch as the destination CIDR block to the route table of the CEN instance.
Can an ECS instance in a classic network communicate with an ECS instance in the secondary CIDR block of a VPC if ClassicLink is enabled for the VPC?
No, secondary CIDR blocks do not support ClassicLink.
What is a user CIDR block?
By default, a VPC forwards traffic destined for 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as private traffic. A user CIDR block is a custom CIDR block that you specify when you create a VPC; it cannot be 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, 169.254.0.0/16, or a subnet of these blocks. An ECS instance or elastic network interface (ENI) can access the Internet in the following scenarios: the ECS instance is assigned a static public IP address, the ECS instance or ENI is associated with an elastic IP address (EIP), or DNAT IP mapping is configured for the ECS instance or ENI. In these cases, requests from the ECS instance or ENI to destinations outside the default private CIDR blocks are forwarded to the Internet through the public IP address.
If you want requests whose destination is not one of the default private CIDR blocks to be forwarded based on the route table of a private network instead, set that destination as the user CIDR block of the VPC to which the ECS instance or ENI belongs. The private network can be a VPC or a hybrid cloud built with VPN, Express Connect, or CEN. Requests that point to the user CIDR block are then forwarded based on the route table instead of through the public IP address.
For example, suppose a VPC must be connected to a data center whose private CIDR block is 30.0.0.0/8. If you create the VPC without configuring a user CIDR block, traffic from ECS instances in the VPC that have public IP addresses is forwarded to the Internet instead of the data center when those instances access 30.0.0.0/8. To reach the data center, create the VPC with 30.0.0.0/8 as the user CIDR block and add a route whose destination is 30.0.0.0/8 to the VPC route table. Traffic to 30.0.0.0/8 is then routed to the data center.
Alternatively, you can create an IPv4 gateway, activate the IPv4 gateway, and configure a route to route traffic to the destination CIDR block. For more information, see Create and manage an IPv4 gateway.
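A simplified model of the forwarding decision described above (default private blocks and user CIDR blocks go to the route table, everything else goes to the Internet through the public IP address), as an added example and not Alibaba Cloud's forwarding logic; the route table entries and next-hop labels are constructed, and the model also checks the reserved blocks a user CIDR block may not use.

```python
import ipaddress

def _nets(cidrs):
    return [ipaddress.IPv4Network(c) for c in cidrs]

# Blocks a VPC forwards by its route table by default (FAQ).
DEFAULT_PRIVATE = _nets(("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
# Blocks that may not be used as a user CIDR block, nor any of their subnets (FAQ).
RESERVED = _nets(("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16"))

def user_cidr_allowed(cidr: str) -> bool:
    """True unless the block is one of the reserved blocks or a subnet of one."""
    n = ipaddress.IPv4Network(cidr)
    return not any(n.subnet_of(r) for r in RESERVED)

def forwarding_decision(dst: str, route_table: dict, user_cidrs=(), has_public_ip=True) -> str:
    """Model of where the VPC sends a packet from an ECS instance or ENI to dst.

    route_table maps destination CIDR -> next-hop label (constructed, e.g. a VBR).
    Destinations inside the default private blocks or a user CIDR block are looked up
    in the route table (longest prefix wins); anything else goes to the Internet when
    the instance has a public IP address (static, EIP or DNAT mapping)."""
    ip = ipaddress.IPv4Address(dst)
    if any(ip in n for n in DEFAULT_PRIVATE + _nets(user_cidrs)):
        routes = [(ipaddress.IPv4Network(d), hop) for d, hop in route_table.items()]
        matches = [(n, hop) for n, hop in routes if ip in n]
        if not matches:
            return "dropped: no matching route in the VPC route table"
        best_net, hop = max(matches, key=lambda m: m[0].prefixlen)
        return f"VPC route table -> {hop} (via {best_net})"
    return "Internet via public IP address" if has_public_ip else "dropped: no Internet path"

if __name__ == "__main__":
    rt = {"30.0.0.0/8": "VBR to data center", "10.0.0.0/16": "local vSwitch"}
    # same route table, different outcome depending on whether 30.0.0.0/8 is a user CIDR block
    print(forwarding_decision("30.1.2.3", rt))                               # Internet
    print(forwarding_decision("30.1.2.3", rt, user_cidrs=("30.0.0.0/8",)))   # data center
```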
How do I configure a user CIDR block?
You can use one of the following methods to configure a user CIDR block when you create a VPC:
Call the CreateVpc operation to configure a user CIDR block for a VPC when you create the VPC. For more information, see CreateVpc.
You cannot configure a user CIDR block when you create the VPC in the VPC console. If you specify a custom IPv4 CIDR block other than 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, or one of their subnets for the VPC, the system automatically uses the primary CIDR block as the user CIDR block. For more information, see Create a VPC and a vSwitch.
Can a VPC contain multiple vRouters?
No, each VPC can contain only one vRouter. Each vRouter can be associated with multiple route tables.
How many routes can I create in a route table?
By default, you can create up to 200 routes in a route table.
You can go to the Quota Management page to request a quota increase. For more information, see Manage service quotas.
How many vSwitches can I create in a VPC?
By default, you can create up to 150 vSwitches in a VPC.
You can go to the Quota Management page to request a quota increase. For more information, see Manage service quotas.
How many private IP addresses can be used by cloud services in each VPC?
Each VPC supports a maximum of 300,000 private IP addresses for cloud resources. You cannot increase this quota.
An ECS instance that is assigned only one private IP address uses one IP address. If multiple ENIs are attached to an ECS instance, or an ENI that is associated with multiple IP addresses is attached to it, the ECS instance uses multiple IP addresses. The number of IP addresses used by the ECS instance is the sum of the IP addresses associated with its ENIs.
Can ECS instances that belong to different vSwitches in the same VPC communicate with each other?
In the same VPC, ECS instances can communicate with each other if security group rules and network ACL rules allow them, regardless of whether the ECS instances belong to the same vSwitch.
Can different VPCs communicate with each other through private connections?
Yes. VPCs are logically isolated from each other. You can use Express Connect, VPN Gateway, or CEN to connect different VPCs. For more information, see Connect VPCs.
Do VPCs support Express Connect circuits?
Yes. You can connect a VPC to a data center through an Express Connect circuit. For more information, see Create and manage a dedicated connection over an Express Connect circuit.
Can a VPC access Internet services?
Yes, a VPC can access Internet services. You can use one of the following methods to enable the access:
Assign public IP addresses to the cloud resources in the VPC.
Associate EIPs with the cloud resources in the VPC.
Configure an Internet NAT gateway.
For more information, see Select a product to gain access to the Internet.
Can I access cloud resources in a VPC over the Internet?
Yes, you can access cloud resources in a VPC over the Internet by using one of the following methods:
Assign public IP addresses to the cloud resources in the VPC.
Associate EIPs with the cloud resources in the VPC.
Configure an Internet NAT gateway.
Configure Internet-facing Server Load Balancer (SLB) instances.
For more information, see Select a product to gain access to the Internet.
Can a VPC communicate with the classic network?
Yes, you can connect a VPC to the classic network by using one of the following methods:
Assign public IP addresses to ECS instances in the VPC. This allows the ECS instances to communicate with the cloud resources in the classic network over the Internet. For more information, see Select a product to gain access to the Internet.
Use the ClassicLink feature to establish low-latency and high-speed connections between ECS instances in a VPC and ECS instances in the classic network. For more information, see Overview.