If your business requires network communication between Elastic Compute Service (ECS) instances and Elastic Desktop Service cloud computers, you can use Cloud Enterprise Network (CEN) to connect them. This topic describes how to use CEN and an Enterprise Edition transit router to establish network communication between ECS instances and cloud computers that reside in the same region.
Background
ECS is a high-performance, stable, reliable, and scalable Infrastructure as a Service (IaaS)-level service provided by Alibaba Cloud. ECS eliminates your need to invest in hardware beforehand. You can create as many or as few instances as you need in response to changes in requirements or popularity of your workloads. For more information, see What is ECS?
CEN is a highly available network built on the global private network of Alibaba Cloud. CEN uses transit routers to establish inter-region connections between virtual private clouds (VPCs). This formulates flexible and stable enterprise-class networks in the cloud. For more information, see What is CEN?
Limits
You can attach CEN instances only to advanced office networks.
Sample scenario
Company A created ECS instances in the China (Hangzhou) region and deployed its services on them. Company A also created cloud computers in the China (Hangzhou) region. Because the ECS instances and the cloud computers reside in different VPCs, they cannot communicate with each other by default.
Company A now wants the ECS instances and the cloud computers to access each other over the network. To do this, Company A creates a CEN instance and attaches the VPC of the ECS instances (VPC1) and the VPC of the cloud computers (VPC2) to the Enterprise Edition transit router in the China (Hangzhou) region.
Prerequisites
The IPv4 CIDR blocks of the ECS instances and the cloud computers are planned. Make sure that the planned IPv4 CIDR blocks do not overlap with each other or with the CIDR block of the transit router: overlapping VPC blocks produce ambiguous routes on the transit router. For more information, see Plan a CIDR block.
The following table lists the planned CIDR blocks that are used in the sample scenario. These CIDR blocks are for reference only. Plan CIDR blocks based on your actual business requirements.
The security group rules that currently apply to the ECS instances in VPC1 and to the cloud computers in VPC2 are known, so that you can tell what is already allowed before you add rules in Step 3. For more information, see View security group rules.
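The CIDR planning check above is the kind of thing worth automating before anything is created, because an overlapping block is only discovered later as missing routes. The following Python script is an added example and is not part of the original page; the VPC1 and VPC2 blocks in it are assumptions (the page's CIDR table is not reproduced here), while the transit router CIDR 10.10.10.0/24 is the one used in the procedure.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan. The page's CIDR table is not reproduced here, so the VPC1 and
# VPC2 blocks are assumptions; the transit router CIDR is the one used in the procedure.
PLAN = {
    "VPC1 (ECS)": "192.168.0.0/16",
    "VPC2 (cloud computers)": "172.16.0.0/16",
    "Transit Router CIDR": "10.10.10.0/24",
}


def parse_plan(plan):
    """Parse every entry strictly: '10.10.10.5/24' (host bits set) is rejected rather than
    silently rounded, so a typo cannot turn into a different block than the one intended."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}


def find_conflicts(plan):
    """Return the sorted list of (name_a, name_b) pairs whose IPv4 blocks overlap.

    Overlap between two VPCs makes their routes ambiguous on the transit router, and
    overlap with the transit router CIDR collides with the router's own addressing.
    """
    nets = parse_plan(plan)
    return sorted(
        (a, b)
        for (a, na), (b, nb) in combinations(nets.items(), 2)
        if na.overlaps(nb)
    )


def non_private(plan):
    """Names of entries outside the private ranges known to ipaddress (coarse RFC 1918
    style check); VPCs are expected to use private blocks."""
    return sorted(name for name, net in parse_plan(plan).items() if not net.is_private)


if __name__ == "__main__":
    print("conflicts:", find_conflicts(PLAN) or "none")
    print("non-private blocks:", non_private(PLAN) or "none")
```

Run it against your own plan before creating VPC1, VPC2 and the transit router; an empty conflict list is the condition the prerequisite asks for.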
Preparations
VPC1 is created based on the planned CIDR block. For more information, see Create a VPC with an IPv4 CIDR block.
ECS instances are created in the China (Hangzhou) region and VPC1 is configured for the ECS instances. For more information about how to create ECS instances, see Get started with Windows instances.
Note: In this example, ECS instances that run Windows are created. You can also create ECS instances that run other operating systems based on your business requirements.
VPC2 is created based on the planned IPv4 CIDR block. For more information, see Create and manage convenience office networks.
Procedure
In this section, the planned CIDR blocks of the preceding sample scenario are used to describe how to establish network communication between ECS instances and cloud computers.
You can configure the related parameters based on your business requirements.
Step 1: Create a CEN instance
Create a CEN instance. For more information, see CEN instances.
The following table describes the parameters of the CEN instance.
Parameter | Example |
Name | test-cen |
Description | Establishes network connection between ECS instances and cloud computers. |
Step 2: Attach VPCs to CEN
Attach VPC1 and VPC2 to the transit router in the China (Hangzhou) region. The transit router then propagates each VPC's routes to the other, which is what makes network communication possible.
Perform the following steps to attach the VPCs to CEN:
Attach VPC1 to the CEN instance.
Create an Enterprise Edition transit router. For more information, see Create a transit router.
The following table describes the parameters of the transit router.
Parameter | Example |
Region | China (Hangzhou) |
Edition | The edition of the transit router. The system displays the transit router edition that is supported in the selected region. Note: You can create only one transit router in each region. If you have already created a Basic Edition transit router in the region, upgrade it to Enterprise Edition on the transit router details page. For information about how to view the edition of a transit router, see View the edition of a transit router. |
Activate Multicast | In this example, the default setting is used. |
Transit Router CIDR | 10.10.10.0/24 |
Use the Enterprise Edition transit router to create a VPC connection and attach VPC1 to the CEN instance. For more information, see Create a VPC connection.
The following table describes the parameters of the VPC connection.
Parameter | Description |
Network Type | In this example, VPC is selected. |
Region | China (Hangzhou) |
Transit Router | The ID of the transit router that was created in the previous step. |
Network Instance | The VPC that you want to connect. In this example, VPC1 is selected. |
vSwitch | A vSwitch that resides in VPC1 and is available in the specified zone. Note: We recommend that you select a vSwitch in each zone, because traffic is then forwarded within the zone over a shorter path, which reduces latency and improves performance. |
Advanced Settings | In this example, the default settings are used. |
Attach VPC2 to the CEN instance.
Log on to the EDS Enterprise console.
In the left-side navigation pane, go to the Office Network (Formerly Workspace) page.
In the upper-left corner of the top navigation bar, select the region.
On the Office Network (Formerly Workspace) page, find the office network in which the cloud computers reside and click Attach to CEN Instance in the Actions column.
In the Attach to CEN Instance dialog box, follow the on-screen instructions to complete the attachment.
The following table describes the parameters of the attachment operation.
Parameter | Description |
Select Region | China (Hangzhou) |
Connection Method | Select one of the following connection methods. VPC: clients can access cloud computers only over the VPC. Internet and VPC: clients can access cloud computers over the Internet or over the VPC; end users who connect from Alibaba Cloud Workspace terminals choose the connection method based on their business requirements. |
CEN Instance ID | In this example, the CEN instance that was created in Step 1 is selected. |
If the cloud computers and the ECS instances are in different regions, attach the VPCs of both regions to the transit routers of their respective regions and then use a bandwidth plan to enable cross-region communication between the transit routers. The ECS instances and cloud computers can then communicate across regions. For more information, see Use Enterprise Edition transit routers to connect VPCs in different regions and accounts.
Step 3: Configure security group rules
By default, cloud computers deny all inbound traffic. A cloud computer receives an inbound request only if a security group rule explicitly allows it, so the rules you add here define exactly which traffic can cross the CEN connection.
If only some of the cloud computers in an office network need to communicate with the ECS instances, we recommend that you allow only the IP addresses of those cloud computers in the security group rules. This keeps the exposure of the ECS instances to the minimum that the business needs.
If all cloud computers in an office network need to communicate with the ECS instances, you can allow the CIDR block of the entire office network VPC instead.
In both cases, restrict the rules to the protocols and ports that the services actually use rather than allowing all ports. Note that the connectivity test in Step 4 uses ping, so ICMP must be allowed by the rules, or the test will fail even though the route is correct.
In the ECS console, add inbound rules to the security group of the ECS instances in VPC1 that allow traffic from VPC2 (the office network CIDR block or the specific cloud computer IP addresses). For more information, see Create a security group and Add a security group rule.
In the Elastic Desktop Service console, add inbound rules to the security group of the cloud computers in VPC2 that allow traffic from VPC1. For more information, see Configure a security group.
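The following Python script is an added example, not code from the original page or from Alibaba Cloud, of how to build the least-privilege rule sets described above for both sides. The dictionaries use the parameter names of the ECS AuthorizeSecurityGroup API (IpProtocol, PortRange, SourceCidrIp, Policy, Priority, NicType, Description); the same rule content is what you enter for the cloud computers' security group in the EDS console. The VPC blocks, the cloud computer addresses and the ports (443 and ICMP) are assumptions, since the page names neither. The check that every source lies inside the peer VPC is the part worth keeping: it catches an accidental 0.0.0.0/0 or a typo that would open the group to an unrelated network.

```python
import ipaddress

# Constructed values: the page's CIDR table is not reproduced, so the VPC blocks and the
# cloud computer addresses below are assumptions, as are the ports (the page names none;
# TCP 443 and ICMP are used only to illustrate).
VPC1_CIDR = "192.168.0.0/16"                      # ECS instances
VPC2_CIDR = "172.16.0.0/16"                       # office network (cloud computers)
ALLOWED_CLOUD_COMPUTERS = ["172.16.1.10", "172.16.1.11"]
SERVICE_PORTS = [("tcp", 443, 443), ("icmp", -1, -1)]   # "-1/-1" is the ECS API notation for ICMP


def _port_range(proto, start, end):
    """Render the PortRange parameter; ICMP has no ports and always uses -1/-1."""
    if proto == "icmp":
        return "-1/-1"
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"invalid port range {start}-{end}")
    return f"{start}/{end}"


def inbound_rules(sources, peer_vpc, ports, description):
    """Build inbound allow rules in the vocabulary of the ECS AuthorizeSecurityGroup API.

    Every source must be a host or CIDR block inside `peer_vpc`, the VPC on the other
    side of the CEN connection. Anything else (0.0.0.0/0, a mistyped octet) is rejected.
    """
    vpc = ipaddress.ip_network(peer_vpc)
    rules = []
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)   # a bare host becomes /32
        if not net.subnet_of(vpc):
            raise ValueError(f"{src} is not inside peer VPC {peer_vpc}")
        for proto, start, end in ports:
            rules.append({
                "IpProtocol": proto,
                "PortRange": _port_range(proto, start, end),
                "SourceCidrIp": str(net),
                "Policy": "accept",
                "Priority": 1,                 # 1 is the highest priority
                "NicType": "intranet",
                "Description": description,
            })
    return rules


# ECS side (VPC1): only the listed cloud computers may reach the ECS instances.
ecs_rules = inbound_rules(ALLOWED_CLOUD_COMPUTERS, VPC2_CIDR, SERVICE_PORTS,
                          "from cloud computers via CEN")
# Cloud computer side (VPC2): allow the whole ECS VPC, the broader variant described above.
eds_rules = inbound_rules([VPC1_CIDR], VPC1_CIDR, SERVICE_PORTS, "from ECS VPC via CEN")

if __name__ == "__main__":
    import json
    print(json.dumps({"ecs": ecs_rules, "cloud_computers": eds_rules}, indent=2))
```

Feed the ECS rules to AuthorizeSecurityGroup (one call per rule, with the security group ID and region) or enter them in the console; either way, review the generated list first, because the Priority and Policy values decide how these rules interact with rules that already exist in the group.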
Step 4: Test network connectivity
After the cloud computers in VPC2 and the ECS instances in VPC1 are connected through the transit router and the required security group rules are configured, test the network connectivity.
Connect to a cloud computer.
Run the ping command on the cloud computer to test the connectivity to an ECS instance:
ping <IP address of the ECS instance with which the cloud computer communicates>
If the ECS instance returns echo replies, the network connection works and the two sides can access each other's resources. Because ping only tests ICMP, a failed ping does not by itself mean that the route is broken if the security group rules allow only the service ports; in that case test the service port itself.
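The following Python script is an added example (not part of the original page) of a port-level connectivity test to run on the cloud computer when ping is not enough. It classifies the result in a way that tells you which layer failed: a connection is either accepted, refused, or times out. A refusal means the route through the transit router and the security groups works but nothing listens on the port; a timeout means the packets were dropped, which is what a missing route or a security group rule looks like, since security group drops are silent. The ECS address and ports in the main block are assumed values; the loopback listener exists only so that the probe can be exercised offline.

```python
import socket


def tcp_probe(host, port, timeout=3.0):
    """Classify reachability of host:port from this machine.

    'open'    - TCP connection established: route, security groups and the service all work
    'refused' - packets arrive and the host answers, but nothing listens on the port
    'timeout' - packets were dropped: no route via the transit router, or a security
                group / OS firewall drop (these drop silently rather than rejecting)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:            # e.g. EHOSTUNREACH / ENETUNREACH from the local stack
        return f"unreachable:{exc.errno}"


def probe_all(host, ports, timeout=3.0):
    """Probe several service ports on one host and return {port: status}."""
    return {p: tcp_probe(host, p, timeout) for p in ports}


def start_loopback_listener():
    """Constructed fixture so the probe can be exercised offline: a listening socket on
    127.0.0.1 with a kernel-chosen port. Returns (socket, port); closing the socket turns
    the same port into a 'refused' case."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed values: replace with the private IP of the ECS instance and the ports
    # you allowed in Step 3.
    print(probe_all("192.168.1.10", [443, 3389]))
```

Run it from the cloud computer against the ECS instance's private IP address and the ports allowed in Step 3. A timeout on every port while the instance is known to be up points at the security group rules or the VPC attachment; a refusal on one port points at the service on the ECS instance rather than at the network.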