
Virtual Private Cloud:Using IPv4 gateway to route traffic from Internet to private network

Last Updated:Oct 09, 2024

When you use a non-RFC 1918 private CIDR block, such as 30.0.0.0/16, for an on-premises data center or a virtual private cloud (VPC), VPCs treat non-RFC 1918 addresses as public addresses by default when establishing network connections. Consequently, even with a route entry for the destination CIDR block 30.0.0.0/16 that points to the on-premises data center or the peer VPC, traffic may still be routed to the Internet rather than to the intended private destination. An IPv4 gateway ensures that such traffic is routed through the VPC route table and reaches the intended private network. This prevents unintended Internet exposure of private traffic and improves network security.

Scenario

A company has VPC1 and VPC2 deployed in the China (Hangzhou) region on Alibaba Cloud, and VPC2 uses the non-RFC 1918 private CIDR block 30.0.0.0/16. To enable network communication, a peering connection between VPC1 and VPC2 is created. However, when ECS1, which has an Elastic IP Address (EIP), attempts to access ECS2, traffic is routed to the Internet instead of to ECS2. This is because VPCs treat non-RFC 1918 address space as public addresses: ECS1 uses its EIP for Internet access directly and is not controlled by a centralized public-traffic gateway. By creating an IPv4 gateway, configuring routes that point to it, and activating the gateway, the company ensures that traffic to 30.0.0.0/16 stays within the private network.


Usage notes

After creating an IPv4 gateway, you need to configure routes that point to it and activate the gateway. Instances in the VPC can access the Internet only after the IPv4 gateway is activated and the route table includes routes directed to it:

  • Gateway activation does not disrupt intra-VPC traffic. However, transient connection interruptions may occur during activation due to traffic rerouting.

  • A default route entry with the destination CIDR block 0.0.0.0/0 is automatically created to point to the IPv4 gateway upon activation. This allows the associated vSwitch to access the Internet and prevents access failures caused by a lack of configuration.

  • If a route entry with the destination CIDR block 0.0.0.0/0 already exists in the route table, you cannot add another default route to point to the gateway and the route table cannot be selected upon gateway activation. We recommend that you plan the routing configuration cautiously if vSwitches require access to the Internet.

Prerequisites

  • Two VPCs are created in China (Hangzhou). The CIDR blocks of VPC1 and VPC2 are 10.0.0.0/16 and 30.0.0.0/16 respectively. For more information, see Create and manage a VPC.

  • ECS1 is created in VPC1 and ECS2 in VPC2. For more information, see Create and manage an ECS instance in the console.

  • An Elastic IP Address (EIP) is associated with ECS1. For more information, see Associate an EIP with an ECS instance.

  • A VPC peering connection is established, with VPC1 as the initiator and VPC2 as the accepter. Route entries that direct traffic towards the other end of the peering connection are configured in each VPC. For more information, see Create and manage a VPC peering connection.

  • A custom route table is created for vSwitch1. Set the next hop of the destination CIDR block 30.0.0.0/16 to the peering connection. For more information, see Create and manage a route table.

  • A custom route table is created for vSwitch2. Set the next hop of the destination CIDR block 10.0.0.0/16 to the peering connection.
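The routing decision described in the scenario and usage notes, modelled against the vSwitch1 route table from the prerequisites above. This is an added illustration, not Alibaba Cloud code: it assumes that, without an active IPv4 gateway, an EIP-backed ECS sends non-RFC 1918 destinations straight to the Internet, and that activation appends a 0.0.0.0/0 route (refused if one already exists), after which longest-prefix match applies. The route table contents and the ECS2 address are constructed sample values.

```python
import ipaddress

# RFC 1918 private ranges; anything outside them is treated as public by default.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def longest_prefix_match(route_table, dst):
    """Return the next hop of the most specific route that matches dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def next_hop_for(route_table, dst, has_eip, ipv4_gateway_active):
    """Assumed model of the page's behaviour: without an active IPv4 gateway, an ECS
    with an EIP sends non-RFC 1918 destinations directly to the Internet, bypassing
    the custom route table. With the gateway active, the route table decides."""
    if not ipv4_gateway_active and has_eip and not is_rfc1918(dst):
        return "internet-via-eip"
    return longest_prefix_match(route_table, dst)


def activate_gateway(route_table):
    """Activation adds a 0.0.0.0/0 route to the IPv4 gateway; it is refused when the
    table already holds a default route, as the usage notes describe."""
    if any(ipaddress.ip_network(c).prefixlen == 0 for c, _ in route_table):
        raise ValueError("route table already has a 0.0.0.0/0 route; cannot activate")
    return route_table + [("0.0.0.0/0", "ipv4-gateway")]


# Constructed route table for vSwitch1 in VPC1: local CIDR plus the peering route.
VSWITCH1_ROUTES = [("10.0.0.0/16", "local"), ("30.0.0.0/16", "vpc-peering")]
ECS2_IP = "30.0.1.10"  # constructed address inside VPC2's 30.0.0.0/16


if __name__ == "__main__":
    print("before:", next_hop_for(VSWITCH1_ROUTES, ECS2_IP, True, False))
    after = activate_gateway(VSWITCH1_ROUTES)
    print("after: ", next_hop_for(after, ECS2_IP, True, True))
    print("public:", next_hop_for(after, "203.0.113.7", True, True))
```

Run the block to see the before/after next hop for ECS2 and for a genuinely public address.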

Procedure

Step 1: Create an IPv4 gateway

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click IPv4 Gateway.

  3. On the top navigation bar, select a region for the IPv4 gateway.

  4. On the IPv4 Gateway page, click Create IPv4 Gateway.

  5. In the Create IPv4 Gateway page, set the following parameter, and click Create.

    • VPC: Choose the VPC to which the IPv4 gateway belongs. VPC1 is selected in this example.

Step 2: Activate the IPv4 gateway

On the Activate IPv4 Gateway page, select the route table associated with vSwitch1, and click Activate. A default route with the destination CIDR block 0.0.0.0/0 pointing to the IPv4 gateway is created automatically.

Step 3: Verify results

Use Network Intelligence Service (NIS) to check the connectivity of VPC peering connections.

In the left-side navigation pane of the VPC console, select VPC Peering Connection and find the VPC peering connection instance. In the Diagnosis column, click Diagnosis > Reachability Analyzer and set the following parameters.

  • Source: Choose Source Type. For this example, select ECS Instance ID and choose the ECS1 instance.

  • Destination: Choose the Destination Type. For this example, select ECS Instance ID and choose the ECS2 instance.

  • Protocol: Choose the protocol for reachability analysis. The ICMP protocol is selected here.

The analysis results show that, before the IPv4 gateway exists, traffic from ECS1 (which has an EIP) to ECS2 in VPC2, whose CIDR block 30.0.0.0/16 is non-RFC 1918, is routed to the Internet. After the IPv4 gateway is created and activated, the same traffic is directed to the intended destination in the private network.


Reference

For more information about the IPv4 gateway, including available regions, limits, and usage, see IPv4 gateways.