A prefix list consists of one or more CIDR blocks. This topic describes how to share a prefix list and how to associate a prefix list with a virtual private cloud (VPC) route table or a transit router route table.
Prerequisites
A prefix list is created. For more information, see Create a prefix list.
The prefix lists that you created can be shared with Alibaba Cloud accounts or folders and members in a resource directory. If you want to use Resource Management to share a prefix list, perform the following steps:
Share a prefix list
Log on to the VPC console.
In the left-side navigation pane, click VPC Prefix List.
In the top navigation bar, select the region where the prefix list that you want to share is deployed.
On the VPC Prefix List page, find the prefix list that you want to share and click its ID.
On the details page of the prefix list, click the Sharing tab, and then click Create Resource Share.
In the left-side management pane of the Resources I Share page, click Resource Shares and then click Create Resource Share.
On the Create Resource Share page, set the following parameters and click OK.
Parameter
Description
Resource Share Name
Enter a name for the resource share.
Select Shared Resource
Region
Displays the region where you want to create the resource share.
Resource Type
Select the type of the resource that you want to share.
VPC Prefix List is selected in this example.
Resources
Select the prefix list that you want to share and click Add. The selected prefix list is displayed in the Selected Resources section.
Add Principals
Principal Scope
Select a sharing scope.
All Accounts: The selected resources can be shared with other Alibaba Cloud accounts.
Common scenarios:
An Alibaba Cloud account that is not the management account or a member of a resource directory can share resources with another Alibaba Cloud account that is not the management account or a member of a resource directory.
The management account or a member of a resource directory can share resources with an Alibaba Cloud account that is not the management account or a member of the resource directory.
The management account or a member of a resource directory can share resources with all members in the resource directory, all members in a specific folder in the resource directory, or a specific member in the resource directory.
ImportantResource sharing across resource directories is not supported.
Objects Within Resource Directory: The selected resources can be shared within a resource directory. In this case, the administrator or a member of the resource directory shares the selected resources with the folders and members within the resource directory.
NoteIf a resource share is created by an Alibaba Cloud account that does not belong to a resource directory, the Principal Scope parameter is set to All Accounts by default, and the Principal Type parameter is set to Alibaba Cloud Account. Then, you must enter the ID of the Alibaba Cloud account with which you want to share the selected resources for the Principal ID parameter.
Add Mode
Select the way in which you want to add a principal. If you create a resource share by using the management account of a resource directory, you must select Add Mode.
Add from Resource Directory: Select principals from the resource directory.
Details:
Root folder: If you select the Root folder, the selected resources are shared with all members in the resource directory.
Specific folder: If you select a folder other than the Root folder, the selected resources are shared with all members in the selected folder.
Member: If you select a member, the selected resources are shared only with the member.
Add Manually: Select an option from the Principal Type drop-down list, enter an ID in the field that appears, and then click Add.
Details:
Alibaba Cloud Account: If you select this option, you must enter a member ID in the Principal ID field that appears. In this case, the selected resources are shared only with the member.
Resource Directory: If you select this option, the ID of the current resource directory is automatically displayed for the Resource Directory ID parameter that appears. In this case, the selected resources are shared with all members in the resource directory.
Folder (Organization Unit): If you select this option, you must enter a folder ID in the Folder ID field that appears. In this case, the selected resources are shared with all members in the folder.
Principle Type
If you create a resource share by using an account other than the management account of a resource directory, select Principle Type.
Alibaba Cloud Account: If you select this option, you must enter a member ID in the Principal ID field that appears. In this case, the selected resources are shared only with the member.
Resource Directory: If you select this option, the ID of the current resource directory is automatically displayed for the Resource Directory ID parameter that appears. In this case, the selected resources are shared with all members in the resource directory.
Folder (Organization Unit): If you select this option, you must enter a folder ID in the Folder ID field that appears. In this case, the selected resources are shared with all members in the folder.
On the Resources I Share page, find the resource share and click View Details in the Actions column.
If you share the prefix list within the resource directory, all the principals automatically accept the prefix list. In the Shared Resources section, if the Status changes to Associated, the prefix list has been shared with the principals. The principals can use the prefix list.
If you share the prefix list with an Alibaba Cloud account outside the resource directory, the principal must accept the prefix list in the Resource Management console before the principal can use the prefix list. For more information, see Accept or reject a resource sharing invitation.
Log on to the Resource Management console.
In the left-side navigation pane, choose
.On the Resources Shared To Me page, find the prefix list to be accepted and click Accept in the Status column.
In the message that appears, click Accept.
After the prefix list is accepted, the Status changes to Enabled.
After the principal accepts the prefix list, you can navigate to the Shared Resources tab to view the status of the prefix list. If the Status of the prefix list changes to Associated, the prefix list has been shared with the principal. In this case, the principal can use the prefix list.
If the Status of the prefix list in the Shared Resources section is Failed, the prefix list is not shared with the principal.
Optional: You can perform the following operations to remove a shared prefix list from a resource share.
On the Resources I Share page, find the prefix list that you no longer want to share and click its ID.
In the Shared Resources section, click Edit.
In the Selected Resources section, find the prefix list that you want to remove, click Remove, and then click OK.
For more information, see Add or remove a shared resource.
Associate a prefix list with a VPC route table
Prefix lists can be associated with VPC route tables.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
On the Route Tables page, find the route table with which you want to associate a prefix list and click its ID.
On the details page of the route table, choose and click Add Route Entry.
In the Add Route Entry dialog box, set the following parameters and click OK.
Parameter
Description
Name
Enter a name for the route.
Destination CIDR Block
Select a destination CIDR block type and enter a destination CIDR block.
In this example, VPC Prefix List is selected. Then, select a prefix list from the drop-down list on the right.
Next Hop Type
Select a next hop type and configure a next hop.
After the VPC route table is associated with the prefix list, you can perform the following operations:
On the Custom Route tab, view the information about the route that points to the prefix list.
On the Association tab of the prefix list details page, view the VPC route table that is associated with the prefix list. For more information, see View a prefix list.
Optional: If the VPC route table no longer needs to be associated with the prefix list, you can navigate to the Custom Route tab, find the route that points to the prefix list, and click Delete in the Actions column. In the message that appears, click OK.
Associate a prefix list with a transit router route table
Prefix lists can be associated with route tables of Enterprise Edition transit routers. After the route table of an Enterprise Edition transit router is associated with a prefix list, the system automatically adds the routes that point to the CIDR blocks in the prefix list to the route table of the transit router. The CIDR blocks in the prefix list cannot overlap with the CIDR blocks of routes in the route table of the Enterprise Edition transit router. If the route table of an Enterprise Edition transit router needs to be associated with multiple prefix lists, make sure that the CIDR blocks in the prefix lists do not overlap.
Associate the route table of an Enterprise Edition transit router with a prefix list
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Route Table tab.
In the left-side section, click ID of the route table that you want to manage. On the details page of the route table, click the CIDR Block tab and then click Associate With Route Prefix.
In the Associate With Route Prefix dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Route Prefix ID
Select a prefix list.
Blackhole Route?
Select a next hop for the CIDR blocks in the prefix list. Valid values:
Yes: specifies that all CIDR blocks in the prefix list are blackhole routes. Packets that are sent to the CIDR blocks in the prefix list are dropped.
No: specifies that the CIDR blocks in the prefix list are not blackhole routes. If you select this option, you must select a next hop.
All CIDR blocks in a prefix list share the same next hop.
Next Hop
Select a next hop.
After you associate a route table of an Enterprise Edition transit router with a prefix list, the system automatically adds routes that point to the CIDR blocks in the prefix list to the route table of the Enterprise Edition transit router. You can view the routes on the Route Entry tab of the route table details page.
Disassociate the route table of an Enterprise Edition transit router from a prefix list
After you disassociate a route table of an Enterprise Edition transit router from a prefix list, the system automatically withdraws all routes that point to the CIDR blocks in the prefix list from the route table of the Enterprise Edition transit router. Before you disassociate a route table of an Enterprise Edition transit router from a prefix list, you must migrate workloads that use the routes to prevent service interruptions.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Route Table tab.
In the left-side section, click the ID of the route table that you want to manage.
On the details page of the route table, click the Route Prefix tab and find the prefix list that you want to manage. Click Delete in the Actions column.
In the Delete message, review the information and click OK.
Associate a prefix list with an Elastic Compute Service (ECS) security group
Prefix lists can be associate with ECS security groups in the following regions: China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia), UAE (Dubai), and Saudi Arabia (Riyadh).
Saudi Arabia (Riyadh) is operated by a partner.
Log on to the ECS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a region.
On the Security Groups page, find the security group with which you want to associate a prefix list and click its ID.
In the Access Rule section of the Security Group Details tab, configure security group rules that support prefix lists.
On the Inbound or Outbound tab, select a security group rule.
Click Add Rule, configure an inbound or outbound rule and set Authorization Object to the prefix list to be associated, and then click Save.
For more information, see Security group rules.
After the prefix list is associated with the security group, you can view the security group in the VPC console.
Log on to the VPC console.
In the left-side navigation pane, click VPC Prefix List.
In the top navigation bar, select the region of the prefix list.
On the VPC Prefix List page, click the ID of the prefix list.
On the details page of the prefix list, click the Association tab to view the resource group associated with the prefix list.
Optional: To disassociate the security group from the prefix list, delete the rule whose inbound or outbound Authorization Object is set to the prefix list. For more information, see Delete a security group rule.
References
GetVpcPrefixListAssociations: queries the association of a prefix list.
RetryVpcPrefixListAssociation: re-applies a prefix list.
CreateTransitRouterPrefixListAssociation: associates a prefix list with the route table of an Enterprise Edition transit router.
ListTransitRouterPrefixListAssociation: queries the prefix list that is associated with the route table of an Enterprise Edition transit router.
DeleteTransitRouterPrefixListAssociation: disassociates a prefix list from the route table of an Enterprise Edition transit router.