VPC sharing

Updated at: 2025-03-24 03:42

Virtual private cloud (VPC) sharing lets you share vSwitch resources in a VPC across Alibaba Cloud accounts. Resources created under the shared VPC communicate with each other by default.

Use VPC sharing in the following scenarios:

  • Central planning: The O&M department centrally plans, configures, and manages VPCs and shares vSwitches with business departments, while business departments manage and modify their own resources as needed, such as Elastic Compute Service (ECS) and database instances.

  • Centralized network management: By sharing the vSwitch across accounts, you reduce the number of VPCs needed and simplify network complexity. This setup enables centralized network management, while the network access control list (ACL) and security groups provide security isolation at the vSwitch and instance levels.

Important
  1. You cannot share default VPCs. We recommend that you create a custom VPC before using this feature. For more information, see Default VPCs and default vSwitches.

  2. The accounts in this topic are Alibaba Cloud accounts, not RAM users.

How it works

As demonstrated in the example, Account A shares a VPC with Account B by performing the following steps:

  1. Account A enables VPC sharing and shares its vSwitch with Account B.

  2. Account B creates resources in the shared vSwitch. After creation, the resources can communicate with those created by Account A within the VPC.

In this example:

  • Account A is the resource owner of the shared vSwitch.

  • Account B is the principal who only has the right to use the shared vSwitch, not to manage it.

For the differences in permissions between Account A and Account B, see Limits.

Supported resource types

After the vSwitch is shared, Account B can create resources such as ECS and RDS in the shared vSwitch. Here are the supported resources:

Billing

While the VPC sharing feature itself is free, principals pay for the resources created in a shared VPC, such as ECS, Server Load Balancer (SLB), and RDS instances. Resource owners are responsible for costs associated with gateways, such as Internet NAT and VPN gateways, along with public bandwidth fees. For more information about billing, refer to the billing documentation for each resource.

Procedure

This section describes how Account A shares the VPC with Account B.

Step 1: Account A enables VPC sharing

Account A can enable VPC sharing in two ways:

  • Share with any account: A straightforward way to share resources among a limited number of accounts.

  • Share in a resource directory: Although this method is more complex, businesses can use the resource directory to centrally plan, configure, and manage VPCs according to their organizational structure or needs, enabling rapid connectivity among multiple accounts.

Choose the appropriate sharing method based on your needs:

Share with any account

A resource owner can share resources with any principal, regardless of whether they are part of a resource directory.

Example scenarios:

  • An Alibaba Cloud account that is not the management account or a member of a resource directory shares resources with another Alibaba Cloud account that is not the management account or a member of a resource directory.

  • The management account or a member of a resource directory shares resources with an Alibaba Cloud account that is not the management account or a member of the resource directory.

  • The management account or a member of a resource directory shares resources with all members in the resource directory, all members in a specific folder in the resource directory, or a specific member in the resource directory.

    Important

    Resource sharing across resource directories is not supported.

The following example illustrates how Account A can share a vSwitch with Account B. Neither account is part of a resource directory.

1. Create a resource share

Account A creates a resource share, adds the vSwitch to be shared, and then sets Account B as a principal.

  1. Log on to the Resource Management console with Account A.

  2. In the left-side navigation pane, choose Resource Sharing > Resources I Share.

  3. In the top navigation bar, select the region of the resources to be shared.

  4. On the Shared By Me page, click Create Resource Share.

  5. In the Configure Basic Information and Add Resources step, enter a resource share name in the Resource Share Name field, select the vSwitches to be shared, and then click Next.

  6. In the Add Permissions step, select the AliyunRSDefaultPermissionVSwitch permission and click Next.

  7. In the Add Principals step, add a principal and click Next.

    1. Select Alibaba Cloud Account from the Principal Type drop-down list.

    2. Enter the ID of Alibaba Cloud account B in the Principal ID field.

    3. Click Add.

  8. In the Confirm and Submit step, click OK.

2. Accept the sharing invitation

Account B accepts the sharing invitation initiated by Account A.

  1. Log on to the Resource Management console with Account B.

  2. In the left-side navigation pane, choose Resource Sharing > Resources Shared To Me.

  3. On the Shared To Me page, find the newly created resource share and click Accept in the Status column.

  4. In the Accept Resource Sharing Invitation dialog box, click Accept.

    After the invitation is accepted, Alibaba Cloud account B can be used to access the shared vSwitches, and invitations for using resources that are added to the resource share in the future will be automatically accepted.

Share in a resource directory

The administrator or a member of a resource directory can share resources with all members in the directory, all members in a folder, or a specific member in the resource directory.

1. Manage accounts with the resource directory

The Resource Directory service provided by Alibaba Cloud lets you create members in your resource directory or invite accounts to join your resource directory as members, so that you can centrally manage all members in the resource directory.

  1. Enable a resource directory.

    For more information, see Enable a resource directory.

  2. Use the management account of the resource directory to create folders based on the organizational structure of your enterprise.

    For more information, see Create a folder.

  3. Use the management account of the resource directory to create members in the resource directory or invite accounts to join the resource directory as members.

2. Enable organization sharing
  1. Log on to the Resource Management console by using the management account of your resource directory.

  2. In the left-side navigation pane, choose Resource Sharing > Settings.

  3. On the page that appears, click Enable.

  4. In the Service-linked Role for Resource Sharing dialog box, click OK.

    The system creates a service-linked role named AliyunServiceRoleForResourceSharing to obtain the organizational structure of the resource directory. For more information, see Service-linked role for Resource Sharing.

3. Create a resource share

The resource owner creates a resource share in the Resource Management console, adds the resources to be shared, and specifies the principals.

  1. Create a resource share. Then, add the VPC resources that you want to share and the accounts that you want to share them with to the resource share.

    1. Log on to the Resource Management console.

    2. In the left-side navigation pane, choose Resource Sharing > Resources I Share.

    3. In the top navigation bar, select the region where the VPC resources that you want to share are deployed.

    4. On the Shared By Me page, click Create Resource Share.

    5. In the Configure Basic Information and Add Resources step, enter a name for the resource share in the Resource Share Name field. For example, Finance_VPC. In the Resources section, select the resource type and resource IDs. For example, the vSwitch type and the ID vsw-bp183p93qs667muql****. Then, click Next.

    6. In the Add Permissions step, select permissions for principals and click Next. For example, select AliyunRSDefaultPermissionVSwitch.

    7. In the Add Principals step, add principals and click Next.

      For more information about how to add principals, see Create a resource share.

    8. In the Confirm and Submit step, click OK.

  2. View the details of the resource share.

    1. In the resource share list, view the Resource Share ID/Name, Status, Sharing With All Accounts, and Creation Time.

      If the resource share status is Enabled, it has been created successfully.

    2. Click the resource share ID link to view more details.

      • If the Status is Associated under the tabs of Resources and Principals, the resources and principals have been added. Principals can create resources in the shared vSwitch after joining the resource directory. For more information, see Create resources in a shared vSwitch as a principal.

      • If the Status is Association Failed, the sharing has failed. Possible reasons:

        • The principal account is the same as the resource owner account. You cannot share resources with yourself.

        • The number of principals in a shared VPC exceeds 50.

        • The number of principals in a shared vSwitch exceeds 50.

        • A principal has accepted more than 30 shared vSwitches.

      To stop sharing, remove the shared vSwitch. Deleting the resource share will revoke all principals' access to the shared resources, but the resources will not be deleted.

Step 2: Account B creates resources in the shared vSwitch

After the vSwitch is shared, Account B, the principal, can create resources within it.

Account B does the following:

  1. Check the shared vSwitch to confirm that the share from Account A has been received.

  2. Proceed to create new resources within the shared vSwitch.

View the shared vSwitch

VPC console
  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. In the top navigation bar, choose the region of the shared vSwitch.

  4. On the vSwitch page, view the shared vSwitch.

    The shared vSwitch is labeled as From Sharing.

Resource Management console

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, select Resource Sharing > Resources Shared To Me.

  3. In the top navigation bar, choose the region of the shared vSwitch.

  4. On the Resources Shared To Me page, click the resource share ID.

  5. In the Resources section, view information of the shared vSwitch.

Create resources in the shared vSwitch

Principals can create resources, such as ECS and RDS instances, in the shared vSwitch from the vSwitch page:

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click vSwitch.

  3. In the top navigation bar, select the region of the shared vSwitch.

  4. On the vSwitch page, find the shared vSwitch, click Create in the Actions column, and choose the resource you want to create.

Step 3 (Optional): Manage the shared vSwitch and principals

After the vSwitch is shared with other accounts, you can manage the shared vSwitch and its principals.

This section describes how Account A, the resource owner, can do this.

Manage shared vSwitch
Add a shared vSwitch

You have created a resource share and enabled VPC sharing.

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, select Resource Sharing > Resources I Share.

  3. In the top navigation bar, select the region to which you want to add the shared vSwitch.

    For information about the regions that support shared vSwitches, see Limits.

  4. On the Shared By Me page, click the Resource Share tab, find the resource share, and click its ID.

  5. On the resource share page, click the Edit Resource Share button in the upper-right corner.

  6. On the Configure Basic Information and Add Resources tab, select the vSwitch to be shared in the Resources section, and click Next.

  7. On the Add Permissions tab, select AliyunRSDefaultPermissionVSwitch, then click Next.

  8. On the Add Principals tab, verify the principal ID, then click Next.

  9. On the Confirm and Submit tab, confirm the details of the resource share, then click OK.

    After adding the shared vSwitch, you can view its status.

    • If the Status is Associated in the Shared Resources and Principals sections, this signifies that the shared resources and principals have been added. Principals can then create resources within the shared vSwitch upon receiving an invitation to the resource directory. For more information, see Create cloud resources in the shared vSwitch.

    • If the Status is Association Failed, this means the sharing attempt was unsuccessful. Troubleshoot the following potential causes before trying again.

      • The principal account is the same as the resource owner account. You cannot share vSwitches with yourself.

      • The number of principals in the shared VPC exceeds the default limit of 50.

      • The number of principals with which the vSwitch is shared exceeds the default limit of 50.

      • The number of shared vSwitches received by a principal exceeds the default limit of 30.

View the shared vSwitch
  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, select Resource Sharing > Resources I Share.

  3. In the top navigation bar, select the region where the shared vSwitch is located.

  4. On the Shared By Me page, click the Shared Resources tab to view all the shared vSwitches under the account.

  5. Optional: To find the target shared vSwitch, click View in the Resource Share column to see which resource share the shared vSwitch is part of.

  6. Optional: Find the shared vSwitch and click View in the Principals column to see its principals.

Remove a shared vSwitch

You can remove shared vSwitches, after which the principals can no longer create resources in them.

  1. Log on to the Resource Management console. In the left-side navigation pane, select Resource Sharing > Resources I Share. In the top navigation bar, select the region where the shared vSwitch is located.

  2. On the Shared By Me page, click the Resource Share tab, find the resource share, and click its ID.

  3. On the resource share page, click Edit Resource Share in the upper-right corner.

  4. On the Configure Basic Information and Add Resources tab, uncheck the target vSwitch, and then click Next.

  5. On the Add Permissions tab, click Next.

  6. On the Add Principals tab, verify the principal ID, and then click Next.

  7. On the Confirm and Submit tab, click OK.

Manage principals

Add principals

You can add new principals to a resource share so that they can create resources in the shared vSwitch.

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, select Resource Sharing > Resources I Share.

  3. In the top navigation bar, choose the region where you want to add principals to the shared vSwitch.

  4. On the Shared By Me page, click the Resource Share tab, find the target resource share, and click its ID.

  5. On the resource share page, click Edit Resource Share in the upper-right corner.

  6. On the Add Principals tab, verify the new principal ID, and click Next.

  7. On the Confirm and Submit tab, verify the details of the resource share you added, and click OK.

View principals

After sharing the vSwitch, you can view its principals, including their ID, type, number of resource shares, and available vSwitches.

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, select Resource Sharing > Resources I Share.

  3. In the top navigation bar, choose the region to view the principals associated with the shared vSwitch.

  4. On the Shared By Me page, click the Principals tab to view all the principals under the account.

  5. Optional: Find the target principal and click View in the Resource Share column to check the associated resource share.

  6. Optional: Find the target principal, then click View in the Shared Resources column to see the shared vSwitch.

Remove principals

After principals are removed, they can no longer create resources in the shared vSwitch.

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, select Resource Sharing > Resources I Share.

  3. In the top navigation bar, choose the region from which you want to remove the principals.

  4. On the Shared By Me page, click the Resource Share tab, find the target resource share, and click its ID.

  5. On the resource share page, click Edit Resource Share in the upper-right corner.

  6. On the Configure Basic Information and Add Resources tab, click Next.

  7. On the Add Permissions tab, click Next.

  8. On the Add Principals tab, find the target principal ID in the Added Principals section. Click Remove in the Actions column, and then click Next.

  9. On the Confirm and Submit tab, click OK.

Limits

Permissions of resource owners and principals

After a resource owner shares a vSwitch with a principal, both have specific permissions regarding the shared vSwitch and its resources, as described below.

Resource owner

  • Supported:

    • Create, view, modify, and delete the resources in the shared vSwitch.

    • View attributes of ENIs created by the principal in the shared vSwitch, which include the following: instance ID, private IP address, and resource owner account.

  • Unsupported:

    • Modify or delete resources created by principals within the shared vSwitch.

Principal

  • Supported:

    • Create, modify, and delete resources in the shared vSwitch.

    • View, use, modify, and delete their resources when the vSwitch is unshared.

  • Unsupported:

    • View, modify, or delete resources created by other accounts within the shared vSwitch.

    • View resources associated with the vSwitch when it's unshared, such as VPCs, route tables, and network ACLs, or create resources in it.

The resource owners and principals have specific permissions on other network resources.

VPC-related: VPC, vSwitch, route table, network ACL, and CIDR block

  • Permissions of resource owner: All permissions.

    Note: To delete the vSwitch, it must not be shared with principals. The resources created by the resource owner and principals in the vSwitch must be deleted.

  • Permissions of principals:

    • VPC: View the VPC to which the shared vSwitch belongs.

    • vSwitch: View the shared vSwitch. Create, modify, and delete cloud resources in the shared vSwitch.

    • Route table: View route tables and route entries that are associated with the shared vSwitch.

    • Network ACL: View network ACLs that are associated with the shared vSwitch.

    • CIDR block: View the private CIDR block of the shared vSwitch.

VPC-related: Security group

  • Permissions of resource owner: Unable to create resources by using the security groups that belong to principals.

  • Permissions of principals: Unable to create resources by using the security groups that belong to other principals or the resource owner, including the default security group.

O&M: Flow log

  • Permissions of resource owner:

    • Create flow logs for a VPC or a vSwitch. The flow logs apply to the ENIs of ECS instances in the vSwitch that belongs to the resource owner.

    • Create flow logs for a specified ENI. The system records traffic information about ENIs that belong to the resource owner.

  • Permissions of principals: Create flow logs for ENIs that belong to principals.

Network connectivity: NAT Gateway, VPN Gateway, Cloud Enterprise Network, and VPC peering connection

  • Permissions of resource owner: All permissions.

    Note:

    1. For the NAT gateway, resources in the vSwitch (including resources created by the resource owner and principals) can communicate with the Internet through the gateway. It can be associated with only the elastic IP addresses (EIPs) that belong to the resource owner.

    2. Resources in the vSwitch (including resources created by the resource owner and principal) can communicate with the external networks through NAT Gateway, VPN gateway, Cloud Enterprise Network, and VPC peering connection.

  • Permissions of principals: No permission.

Others: Tag

  • Permissions of resource owner: Resource sharing does not affect the tags added by the resource owner.

  • Permissions of principals: When the vSwitch is shared, the resource owner and principal can add tags to their own resources. The principal cannot view the tags added by the owner, and vice versa. The tags added by the resource owner and principal do not affect each other. When the vSwitch is unshared, the system deletes the tags added by the principal.

Supported regions

  • Asia Pacific - China: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong)

  • Asia Pacific - Others: Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)

  • Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

  • Middle East: UAE (Dubai) and SAU (Riyadh - Partner Region)

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.

Quota limits

Note

The limits of standard VPCs also apply to the shared VPCs, which are not affected by the number of principals.

  • vpc_quota_sharedvpc_share_user_num_per_vpc

    • Description: Maximum number of principals supported by each VPC

    • Default limit: 50

    • Adjustable: You can request a quota increase by using one of the following methods:

  • vpc_quota_sharedvpc_share_user_num_per_vswitch

    • Description: Maximum number of principals supported by each vSwitch in a VPC

    • Default limit: 50

  • vpc_quota_sharedvpc_accept_shared_vswitch_num

    • Description: Maximum number of shared vSwitches that can be received by each principal

    • Default limit: 30

  • None

    • Description: Maximum number of IP addresses that each VPC can use

    • Default limit: Maximum number of IP addresses that the resource owner and principals can use in each VPC.

    • Adjustable: N/A
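
The Association Failed causes listed in the procedure and the default quotas above can be checked against an inventory before a resource share is created or edited. The following Python check is an added example, not part of the original documentation or an Alibaba Cloud API: the VSwitch record, the preflight function, and all account and vSwitch IDs are constructed for illustration, and the way the per-VPC quota is counted is an assumption.

```python
from dataclasses import dataclass, field

# Default limits copied from the Quota limits table on this page.
MAX_PRINCIPALS_PER_VPC = 50      # vpc_quota_sharedvpc_share_user_num_per_vpc
MAX_PRINCIPALS_PER_VSWITCH = 50  # vpc_quota_sharedvpc_share_user_num_per_vswitch
MAX_ACCEPTED_VSWITCHES = 30      # vpc_quota_sharedvpc_accept_shared_vswitch_num


@dataclass
class VSwitch:
    vswitch_id: str
    vpc_id: str
    owner: str                      # Alibaba Cloud account ID, not a RAM user
    in_default_vpc: bool = False
    principals: set = field(default_factory=set)  # accounts already associated


def preflight(inventory, vswitch_id, new_principals):
    """Return the reasons a planned share would fail; an empty list means none found."""
    target = next(v for v in inventory if v.vswitch_id == vswitch_id)
    new = set(new_principals)
    problems = []

    if target.in_default_vpc:
        problems.append("default VPCs cannot be shared")
    if target.owner in new:
        problems.append("principal is the resource owner account")

    if len(target.principals | new) > MAX_PRINCIPALS_PER_VSWITCH:
        problems.append("more than 50 principals on the vSwitch")

    # Assumption: the per-VPC quota counts distinct principals across every
    # shared vSwitch in the same VPC.
    vpc_principals = set(new)
    for v in inventory:
        if v.vpc_id == target.vpc_id:
            vpc_principals |= v.principals
    if len(vpc_principals) > MAX_PRINCIPALS_PER_VPC:
        problems.append("more than 50 principals in the VPC")

    # Lower bound only: shares a principal accepted from other owners are
    # not visible in this owner's inventory.
    for account in sorted(new - target.principals):
        accepted = sum(1 for v in inventory if account in v.principals)
        if accepted + 1 > MAX_ACCEPTED_VSWITCHES:
            problems.append(f"{account} would hold more than 30 shared vSwitches")
    return problems


def sample_inventory():
    """Constructed data: one busy vSwitch plus 30 vSwitches shared with one account."""
    owner = "owner-account-A"
    busy = VSwitch("vsw-busy", "vpc-1", owner,
                   principals={f"acct-{i:02d}" for i in range(49)})
    default = VSwitch("vsw-default", "vpc-default", owner, in_default_vpc=True)
    spread = [VSwitch(f"vsw-s{i:02d}", f"vpc-s{i:02d}", owner, principals={"acct-heavy"})
              for i in range(30)]
    return [busy, default] + spread


if __name__ == "__main__":
    inv = sample_inventory()
    for vsw, accounts in [("vsw-busy", ["acct-new"]),
                          ("vsw-busy", ["acct-new", "acct-heavy"]),
                          ("vsw-default", ["owner-account-A"])]:
        print(vsw, accounts, "->", preflight(inv, vsw, accounts) or "ok")
```

If a quota has been raised for the account, change the three constants to the approved values before relying on the result.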
