What is a VPC peering connection - Virtual Private Cloud

A VPC peering connection is a fast and secure solution for creating a private network connection between two virtual private clouds (VPCs).

Overview

A VPC peering connection is a networking solution that allows two VPCs to interconnect, thus supporting both IPv4 and IPv6 traffic. This connection enables private network communication between VPCs within the same account or across different accounts, in the same region, or across different regions.

Scenarios

Secure access: VPC peering connections enhance security by allowing resources in different VPCs to communicate over a private network. This avoids Internet exposure and protects against common network attacks such as DDoS attacks.
Multi-account connections: Organizations can enable secure communication across VPCs. This fosters collaboration among teams and enhances resource-sharing efficiency.
Disaster recovery: Leverage cross-regional VPC peering connections for data synchronization and backup. This ensures data redundancy, disaster recovery, and business stability.

Requester and accepter

The two VPCs in a peering connection are the requester and the accepter. The requester initiates the peering request, while the accepter awaits the incoming request. These roles are solely for establishing the connection. After a VPC peering connection is established, both the requester and accepter can send and receive data as if they were in the same network.
For a same-account VPC peering connection, the system automatically accepts the request from the requester and establishes a connection. The accepter does not need to accept the request.
For a cross-account VPC peering connection, the accepter can either accept or reject the request. The VPC peering connection is activated only when the request is accepted.
Requester and accepter VPCs can be located in either the same or different regions.

Status of a VPC peering connection

The VPC peering connection process begins when the requester sends a connection request to the accepter. When the request is accepted, a connection is created.

Note

When the requester and accepter VPCs are both in the same Alibaba Cloud account, the peering connection request is automatically initiated and accepted, thus activating the connection upon establishment.

The status of a VPC peering connection changes throughout the connection process.

Status	Description
Creating	The status after the requester sends a connection request.
Peer Accepting	The status when the connection is waiting to be accepted by the accepter.
Updating	The status after the accepter accepts the connection request.
Activated	The status after the VPC peering connection is activated.
Rejected	The status after the accepter rejects the connection request.
Expired	The status after the connection request remains pending for more than seven days.
Deleting	The status when the VPC peering connection is being deleted.
Deleted	The status after the VPC peering connection is deleted.

Work with VPC peering connections

Create VPC peering connections

To create a peering connection between two VPCs for a simple and secure private network, follow the steps below. For more details, see Use VPC peering connection for private communication.

Before you connect VPCs, plan the network appropriately and ensure that the CIDR blocks do not overlap.

The requester sends a peering connection request to the accepter.
The accepter accepts the request and activates the peering connection.
Note
When the accepter account is Same Account, the system automatically creates the connection after a request is initiated, without any action from the accepter.
Configure routes at both ends of the peering connection for VPCs to communicate over a private network.

Configure routes

When configuring routes for a VPC peering connection, select one of the following methods based on your needs.

Use the CIDR block of the peer VPC as the destination to grant full access to resources. Elastic Compute Service (ECS) instances can communicate with all resources in the vSwitches of the peer VPC, which simplifies management.
For enhanced security, use the CIDR block of the vSwitch in the peer VPC as the destination and limit the bandwidth of peering connection traffic.

Example

Configuration example

After the VPC peering connection has been created and its status has changed to Activated, routes must be added at both ends of the connection to direct traffic and enable private network interconnectivity.

In this scenario, configure routes at both ends to point to the CIDR block of the peer VPC. For more examples, see Examples of VPC peering connections.

Route table	Destination address	Next hop
VPC1	192.168.0.0/16	pcc-aaabbb
VPC1	2408:XXXX:XXXX:4000::/56	pcc-aaabbb
VPC2	172.16.0.0/12	pcc-aaabbb
VPC2	2408:XXXX:XXXX:3f00::/56	pcc-aaabbb

Note

Ensure that the CIDR blocks of the VPCs and vSwitches at both ends do not overlap.

If the CIDR blocks of the two VPCs overlap but those of the vSwitches do not, configuring the destination address to point to the peer VPC may cause routing issues. The system route will override the route established by the peering connection. This means that any traffic intended for the peer VPC will be misrouted internally within the requester VPC and will not reach the accepter. You can set the non-overlapping CIDR block of the peer VPC's vSwitch as the destination to avoid the issue.
If the CIDR blocks of vSwitches overlap, you cannot use the CIDR block of the peer vSwitch as the destination, because it is not possible to configure more specific routes than the system route.

Troubleshooting

Use CloudMonitor to collect metrics such as traffic bandwidth and packet loss for inter-region VPC peering connections. You can create alert rules to monitor the instance status in real-time, ensuring business stability.
For access issues with a VPC peering connection instance, use Network Intelligence Service (NIS) for bidirectional path analysis to diagnose configuration errors.
Note
NIS currently does not support simultaneous bidirectional path analysis. You can verify connectivity using Reverse Path Analysis.
- Unreachable: Check the route configuration and ensure that the route table has an entry whose destination is the CIDR block of the peer VPC and the next hop is the VPC peering connection.
- The request matches security group rules or is denied by default: Ensure the security group of the ECS instance in the VPC permits traffic from the peer VPC. Modify the inbound or outbound rules as necessary.
- The request matches network ACL deny rules or is denied by default: Check if the network ACLs of vSwitches permit traffic from the peer VPC. Modify the inbound or outbound rules as necessary.

Billing

VPC peering connections can be created in four scenarios: same-region same-account, same-region cross-account, inter-region same-account, and inter-region cross-account. There is no charge for connections in the same region, whereas inter-region connections incur data transfer fees, which are calculated based on outbound traffic and billed by Cloud Data Transfer (CDT). For more information, see Cross-region data transfers.

Note

The Service-Level Agreement (SLA) guarantees a minimum availability of 99.95% for cross-region VPC peering.
CDT only provides billing and invoicing features, while cross-VPC connectivity is supported by the VPC peering connection.

Billing examples for inter-region connections

As shown in the image, Customer 1 created VPC1 in China (Hohhot), and Customer 2 set up VPC2 in China (Guangzhou). Consequently, an inter-region, cross-account peering connection between the two VPCs is established. According to outbound traffic billing rules, Customer 1 is billed for traffic sent to VPC2, and Customer 2 is billed for traffic sent to VPC1.

When 200 GB of data is transferred from VPC1 and 100 GB from VPC2 through the peering connection, and the inter-region traffic fees incurred for data transfer between China (Hohhot) and China (Guangzhou) is 0.6 RMB/GB, the two customers are charged in the following ways:

Customer 1: CNY 0.6/GB × 200 GB = CNY 120

Customer 2: CNY 0.6/GB × 100 GB = CNY 60

Limits

Feature limits

Only one VPC peering connection can be created between two VPCs at a time.
VPC peering connections do not support routing propagation. After establishing a VPC peering connection, you must manually configure route entries for both the requester and accepter to enable connectivity.
Assume that three VPCs are created, VPC1, VPC2, and VPC3. A peering connection is established between VPC1 and VPC2 and another between VPC2 and VPC3. Because VPC2 cannot function as a transit router, you must create a peering connection between VPC1 and VPC3, and configure route entries to connect them.
In a multi-account shared VPC scenario, the resource owner can create, modify, or delete a VPC peering connection. However, the principal does not have the permission to manage it.

Supported regions

Area	Region
Asia Pacific	China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), Hong Kong (China), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok).
Europe & Americas	Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia).
Middle East	UAE (Dubai) and SAU (Riyadh - Partner Region). Important The SAU (Riyadh - Partner Region) region is operated by a partner.

Limits and quotas

Name/ID	Description	Default value	Adjustable
vpc_quota_cross_region_peer_num_per_vpc	Maximum number of inter-region VPC peering connections for each VPC	20	You can increase the quota by performing the following operations: Go to the Quota Management page to request an increase. For more information, see Manage VPC quotas. Go to the Quota Center page to submit a quota increase request. For more information, see Request a quota increase.
vpc_quota_intra_region_peer_num_per_vpc	Maximum number of intra-region VPC peering connections for each VPC	10
vpc_quota_peer_num	Maximum number of VPC peering connections that can be created by each account in each region	20
vpc_quota_peer_cross_border_bandwidth	Maximum bandwidth for cross-border VPC peering connections	1,024 Mbps
vpc_quota_peer_cross_region_bandwidth	Maximum bandwidth for inter-region VPC peering connections	1,024 Mbps
N/A	Default maximum bandwidth for intra-region connections	-1 Mbps, which indicates unlimited bandwidth	N/A