Virtual Private Cloud User Guide


Product introduction

Product overview

The Alibaba Cloud Virtual Private Cloud (VPC) helps you establish an isolated network environment on Alibaba Cloud. You have full control over your own VPC, including choosing a preferred IP address range, CIDR block, routing table and gateway. In addition, you can build a customized network environment by connecting your VPC to your existing data center through a physical connection or a VPN, which enables application migration to the cloud.

The difference between VPC and the classic network

- Cloud products on the classic network are deployed uniformly in Alibaba Cloud's public network infrastructure. Alibaba Cloud plans and manages the network, which requires almost no network management effort from customers.
- A VPC lets you establish a customizable, isolated private cloud network on Alibaba Cloud's network. You define the network topology and the IP addresses of the VPC. This suits advanced users with customized network requirements.

Available regions for VPC

Singapore, China South 1 (Shenzhen), China North 2 (Beijing), China East 2 (Shanghai), US East 1 (Virginia), Hong Kong, China East 1 (Hangzhou) and US West 1 (Silicon Valley). Refer to the VPC console for the latest list of available regions.

Products comparison

Function point               Classic network                          VPC
Layer 2 logical isolation    No                                       Yes
Customized CIDR block        No                                       Yes
Private IP addresses         Unique within the classic network        Unique within a VPC; the same address may
                                                                      be reused in different VPCs
Customer VPN                 No                                       Yes
Instance communication       Allowed between instances of the same    Allowed between instances in the same VPC,
                             account and region                       but not between VPCs
Customer NAT gateway         No                                       Yes

Product terminology

VPC

An Alibaba Cloud Virtual Private Cloud (VPC) is a virtual private cloud built and customized on Alibaba Cloud. Full logical isolation is achieved between VPCs. You can create and manage cloud product instances, such as ECS, intranet SLB and RDS, in your own VPC.

VPC management

- When creating a VPC, you must specify the private address range used in the VPC as a CIDR block.
- You must create a VSwitch in the VPC before creating a cloud product instance (such as ECS, SLB or RDS) in it.
- When the status of the created VPC changes to "Available", the VPC has been created successfully and you can proceed with management operations.
- To delete a VPC, you must first delete everything it contains: security groups, VSwitches, cloud product instances and route entries.

CIDR block

- For detailed information on CIDR blocks, refer to the "CIDR blocks" section of the Wikipedia page for Classless Inter-Domain Routing.

- The CIDR block cannot be modified once the VPC is created. To avoid running out of addresses later, you may want to use a large network segment (for example 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8) as the CIDR block of the VPC. The system does not create system routes based on the CIDR block of the VPC, so a large address range does not affect the normal operation of its services.
- Because the block is fixed, choose it so that it does not overlap any network you may later connect to the VPC, such as a data center reached over a physical connection or a VPN peer. Overlapping ranges cannot be routed to each other, and the VPC block cannot be changed afterwards to fix the collision.

VRouter

A VRouter is the hub of a VPC. It connects all VSwitches in the VPC and serves as the gateway that connects the VPC to other networks. It forwards network traffic according to its routing entries.

Product constraints

- Each VPC has only one VRouter.
- The VRouter does not support dynamic routing protocols such as BGP and OSPF.
- The VRouter supports only static routes; it does not support ECMP (equal-cost multipath) routes.

VRouter management

- When a VPC is created, the system automatically creates a VRouter for it. When the VPC is deleted, its VRouter is deleted with it.
- A VRouter cannot be created or deleted directly.

VSwitches

A VSwitch is a basic network device of the VPC network to which cloud product instances are connected. When creating a cloud product instance in a VPC, you must specify the VSwitch in which the instance is located.

Product constraints

- For the specific product constraints, refer to the ECS API product and service restrictions.
- The VSwitch of a VPC is a Layer 3 switch; it does not support Layer 2 broadcast or multicast.

VSwitch management

- A new VSwitch can be created only when the VPC is in the "Available" status.
- Multiple VSwitches cannot be created at the same time; VSwitches are created one by one.
- The CIDR block cannot be modified once the VSwitch is created.
- Before deleting a VSwitch, you must first delete the cloud product instances connected to it.

VSwitch CIDR block

- When creating a VSwitch, you must specify its CIDR block.
- The CIDR block of the VSwitch must belong to the CIDR block of the VPC in which the VSwitch is located.
- The CIDR block of the VSwitch must not conflict with the CIDR block of any existing VSwitch.
- The CIDR block of the VSwitch must not contain the destination network segment of any existing custom route.
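The three VSwitch CIDR rules above can be checked before you open the console. The following script is an added example written for this guide, not Alibaba Cloud code. It assumes the rules exactly as stated (a block equal to a custom route destination counts as "containing" it), and its sample input is constructed from the VPC_A plan in the best practices section (VPC 10.0.0.0/8 with /24 VSwitches); the custom route destination 10.0.0.0/24 is hypothetical. It also finds the next /24 that satisfies all rules, which the guide itself does not show.

```python
"""Check a proposed VSwitch CIDR block against the VPC's rules.

Added example for this guide (not Alibaba Cloud code). Sample values are
constructed from the VPC_A plan: VPC 10.0.0.0/8 with /24 VSwitches.
"""
import ipaddress
from typing import Iterable, List, Optional


def vswitch_cidr_errors(vpc_cidr: str, new_cidr: str,
                        existing_vswitches: Iterable[str],
                        custom_route_destinations: Iterable[str]) -> List[str]:
    """Return the rule violations for new_cidr; an empty list means it is usable.

    strict=True rejects blocks with host bits set (e.g. 10.0.1.5/24), which is
    almost always a typo in a network plan rather than an intended block.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    new = ipaddress.ip_network(new_cidr, strict=True)
    errors: List[str] = []

    # Rule 1: the VSwitch block must lie inside the VPC block.
    if not new.subnet_of(vpc):
        errors.append(f"{new} is not inside VPC CIDR {vpc}")

    # Rule 2: it must not overlap any existing VSwitch (partial overlap counts).
    for cidr in existing_vswitches:
        other = ipaddress.ip_network(cidr, strict=True)
        if new.overlaps(other):
            errors.append(f"{new} overlaps existing VSwitch {other}")

    # Rule 3: it must not contain the destination of any existing custom route
    # (a destination equal to the new block counts as contained).
    for dest in custom_route_destinations:
        route = ipaddress.ip_network(dest, strict=True)
        if route.subnet_of(new):
            errors.append(f"{new} contains custom route destination {route}")

    return errors


def next_free_vswitch(vpc_cidr: str, prefixlen: int,
                      existing_vswitches: Iterable[str],
                      custom_route_destinations: Iterable[str]) -> Optional[str]:
    """First /prefixlen block inside the VPC that passes all three rules, or None."""
    existing = list(existing_vswitches)
    routes = list(custom_route_destinations)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    for candidate in vpc.subnets(new_prefix=prefixlen):  # enumerated lazily
        if not vswitch_cidr_errors(vpc_cidr, str(candidate), existing, routes):
            return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed plan: VPC_A with Business_VPC_A and Business_VPC_B created,
    # plus one hypothetical custom route to 10.0.0.0/24.
    plan_vpc = "10.0.0.0/8"
    plan_vswitches = ["10.0.1.0/24", "10.0.2.0/24"]
    plan_routes = ["10.0.0.0/24"]
    print(vswitch_cidr_errors(plan_vpc, "10.0.1.128/25", plan_vswitches, plan_routes))
    print(next_free_vswitch(plan_vpc, 24, plan_vswitches, plan_routes))
```

Run the checks against your own plan before creating the VSwitch: the console refuses a conflicting block, but because neither the VPC nor the VSwitch CIDR can be changed afterwards, it is cheaper to catch the conflict in the plan than after instances have been created on the wrong block.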

Routing table

A routing table is the list of routing entries on a VRouter.

Product constraints

- Each VRouter has only one routing table.
- The entries of the routing table apply to all cloud product instances in the VPC. Source-address policy routing for an individual VSwitch or cloud product instance is currently not supported.


Routing table management

- When a VPC is created, the system automatically creates a routing table. When the VPC is deleted, its routing table is deleted with it.
- The routing table cannot be created or deleted directly.

Routing entry

Each entry in the routing table is a routing entry. A routing entry defines the next-hop address for traffic to a specified destination CIDR block. Routing entries are categorized into system routes and custom routes.

Routing entry management

- When a VPC is created, a system route is automatically created so that the cloud product instances in the VPC can access cloud services outside the VPC.
- When a VSwitch is created, a corresponding system route is also created.
- Users can create and delete custom route entries.
- System route entries are managed automatically by the system and cannot be created or deleted by users.

Product features

Security isolation

Tunneling technology achieves the same isolation effect as a traditional VLAN. The broadcast domain is isolated at the NIC.


Resource Access Management (RAM)

RAM provides flexible access control rules and complies with the security isolation regulations for government and financial users.

Software Defined Network (SDN)

SDN provides customized network configurations. Management operations take effect in real time.

Various network connection methods

Software VPN is supported. Leased line connection is supported.

Application scenarios

Scenario 1: manage your exclusive network in Alibaba Cloud

First create a VPC and a VSwitch. Then you can create and use cloud product instances (for example ECS, RDS, SLB or OCS) in this VPC. The following picture is an example.


Scenario 2: deploy resources in different zones within a VPC

By deploying resources on VSwitches in different zones, you can set up disaster recovery across the zones of Alibaba Cloud. The following picture is an example.

Scenario 3: access a VPC over a physical connection

You can connect your own data center to your VPC through a physical connection, which enables intranet communication between your network and your VPC. With two lines working in link aggregation mode, the two networks can be configured to work in active/active or active/passive mode. The following picture is an example.


Scenario 4: VPN access

You can use a self-built VPN gateway on an ECS instance in a VPC to enable intranet communication between your network and your VPC. For details, refer to Constructing a VPN Gateway. The following picture is an example.

Technical principles

Background information

Evolving cloud computing technologies place higher requirements on virtual networks, including scalability, security, resilience and privacy, and much higher requirements on interconnection performance. This has given rise to a wide range of network virtualization technologies.

Early solutions, such as large Layer 2 networks, combine the virtual machine network and the physical network into one flat network. As virtual networks grew in scale, the problems posed by ARP spoofing, broadcast storms, host scanning and similar activities became worse for this type of solution. Various network isolation technologies emerged to resolve this by completely separating the virtual networks from the physical network. One of them isolates users with VLANs, but because the 12-bit VLAN ID allows at most 4096 VLANs (4094 of them usable), this cannot scale to the huge number of tenants in a public cloud.

Principles

Based on mainstream tunneling technologies, a Virtual Private Cloud (VPC) isolates virtual networks from each other. Each VPC has a unique tunnel ID, and a tunnel ID corresponds to exactly one VPC. A tunnel encapsulation carrying that tunnel ID is added to every data packet transmitted between the ECS instances in a VPC before the packet is sent over the physical network. Because ECS instances in different VPCs carry different tunnel IDs and sit on different routing planes, no communication is possible between the two tunnels, which achieves their isolation.

On the basis of this tunneling technology, the Alibaba Cloud R&D team developed the VSwitch, Software Defined Network (SDN) technology and the hardware gateway, which are the foundation on which the VPC product was designed and built.

Logical architecture

The following picture shows the overall VPC architecture.

As shown above, the VPC architecture contains three main components: VSwitches, gateways and controllers.

- The VSwitches and gateways form the key data path. The controllers use an Alibaba protocol to issue forwarding tables to the gateways and VSwitches, which forms the key configuration path. In the overall architecture, the configuration path and the data path are separated from each other.
- The VSwitches are distributed nodes, while gateways and controllers are deployed in clusters with mutual standby across multiple machine rooms. Redundant disaster tolerance is set up for all links. This improves the overall availability of the VPC product.
- The performance of the Alibaba Cloud VSwitch and gateway is among the best in the industry. The Alibaba Cloud SDN protocol and controllers can easily control tens of thousands of VPCs in the public cloud.
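To make the tunnel-ID isolation described under Principles concrete, here is a simplified model written for this guide. It is not Alibaba Cloud's VSwitch implementation: the 12-byte header is a hypothetical format (a 24-bit tunnel ID as in VXLAN's VNI, followed by the inner source and destination IPv4 addresses), and the VPC names, tunnel IDs and host names are constructed. It shows why two VPCs may reuse the same private IP address, which the product comparison lists as "inter-VPC duplicable": the forwarding table is keyed by (tunnel ID, private IP), so a frame tagged with another VPC's tunnel ID, or with an ID that no VPC owns, has no entry and is dropped rather than delivered.

```python
"""Simplified model of tunnel-ID based VPC isolation.

Added example for this guide, not Alibaba Cloud's VSwitch implementation.
HEADER is a hypothetical wire format: 24-bit tunnel ID (carried in a 32-bit
field, as VXLAN carries its VNI), then the inner IPv4 source and destination.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TUNNEL_ID_MAX = (1 << 24) - 1
HEADER = struct.Struct("!I4s4s")  # tunnel id, inner src, inner dst


@dataclass(frozen=True)
class Endpoint:
    vpc: str   # VPC the instance belongs to
    host: str  # physical host that runs the ECS instance


def encapsulate(tunnel_id: int, src: str, dst: str, payload: bytes) -> bytes:
    """Prepend the tunnel header to an inner packet."""
    if not 0 <= tunnel_id <= TUNNEL_ID_MAX:
        raise ValueError("tunnel ID must fit in 24 bits")
    return HEADER.pack(tunnel_id,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def decapsulate(frame: bytes) -> Tuple[int, str, str, bytes]:
    """Split a frame into (tunnel_id, inner src, inner dst, payload)."""
    tunnel_id, src, dst = HEADER.unpack_from(frame)
    return (tunnel_id, str(ipaddress.IPv4Address(src)),
            str(ipaddress.IPv4Address(dst)), frame[HEADER.size:])


class VSwitch:
    """Forwarding table keyed by (tunnel ID, private IP).

    Because the tunnel ID is part of the key, the same private address can
    exist in several VPCs without ambiguity, and a frame whose tunnel ID does
    not match the destination VPC has no entry and is dropped.
    """

    def __init__(self, tunnel_ids: Dict[str, int]):
        if len(set(tunnel_ids.values())) != len(tunnel_ids):
            raise ValueError("each VPC needs its own tunnel ID")
        self.tunnel_ids = tunnel_ids                 # VPC name -> tunnel ID
        self.table: Dict[Tuple[int, str], Endpoint] = {}

    def attach(self, vpc: str, private_ip: str, host: str) -> None:
        """Register an instance; a private IP must be unique inside its VPC."""
        key = (self.tunnel_ids[vpc], private_ip)
        if key in self.table:
            raise ValueError(f"{private_ip} already used inside {vpc}")
        self.table[key] = Endpoint(vpc, host)

    def forward(self, frame: bytes) -> Optional[Endpoint]:
        """Deliver to the matching endpoint; None means the frame is dropped."""
        tunnel_id, _src, dst, _payload = decapsulate(frame)
        return self.table.get((tunnel_id, dst))


if __name__ == "__main__":
    # Constructed sample: two VPCs that both use 10.0.1.10 for an instance.
    sw = VSwitch({"vpc-a": 1001, "vpc-b": 1002})
    sw.attach("vpc-a", "10.0.1.10", "host-1")
    sw.attach("vpc-b", "10.0.1.10", "host-2")
    for tid in (1001, 1002, 1003):
        frame = encapsulate(tid, "10.0.1.5", "10.0.1.10", b"ping")
        print(tid, sw.forward(frame))  # 1003 belongs to no VPC: dropped
```

The isolation property rests on the tunnel ID being set by the VSwitch on the physical host, not by the guest; an ECS instance never sees or chooses its tunnel ID, so it cannot tag its own packets into another tenant's VPC.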

On top of an isolated VPC, Alibaba Cloud provides a VRouter and VSwitches for each VPC for better networking capabilities. For users with intranet security requirements, security groups can be used for finer-grained access control and isolation within a VPC. By default, an ECS instance can communicate only with other ECS instances (or other cloud services) within the same VPC. You can use the VPC-related EIP and Express Connect functions provided by Alibaba Cloud to connect your VPC to the Internet, to other VPCs and to your own networks (such as your office network and data center).

Best practices

Manage your exclusive network in Alibaba Cloud

Application scenarios

To manage your exclusive network in Alibaba Cloud, you create a VPC and a VSwitch, then create and use cloud product instances (for example ECS, RDS, SLB or OCS) in this VPC. The following example assumes that the cloud resources are in Zone A of the Shanghai region.

Network planning

- Region: China East 2 (Shanghai)
- Zone: China East 2 Zone A
- VPC CIDR block: 10.0.0.0/8
- Two applications are deployed on two VSwitches, serving the public cloud and the private cloud respectively. Their subnet CIDR blocks are 10.0.1.0/24 and 10.0.2.0/24.
- Two private ECS instances, a public SLB instance and a private RDS instance are deployed on each of the two VSwitches.

Operation procedure

1. Log on to the Alibaba Cloud VPC console. Click VPC in the left navigation bar and select the region China East 2 (Shanghai). Click Create VPC, fill in the following information in the "Create VPC" dialog box, and then click OK.
   - VPC name: VPC_A
   - CIDR: 10.0.0.0/8
2. Create two VSwitches in VPC_A:
   a. Go to the Shanghai region VPC list and click Manage in the Action column for VPC_A to open the "VPC basic info" page.
   b. Click VSwitch in the left navigation bar to open the "VSwitch list" page.
   c. Click Create VSwitch, fill in the information below in the "Create VSwitch" dialog box and click OK to create VSwitch 1.
      - Name: Business_VPC_A
      - Zone: China East 2 Zone A
      - CIDR: 10.0.1.0/24
   d. Click Create VSwitch again, fill in the information below and click OK to create VSwitch 2.
      - Name: Business_VPC_B
      - Zone: China East 2 Zone A
      - CIDR: 10.0.2.0/24

3. Configure the cloud product deployment for the public cloud services:
   a. On the "VSwitch list" page, create the cloud product instances (two private ECS instances, a public SLB instance and a private RDS instance) for the Business_VPC_A VSwitch:
      - Find the Business_VPC_A item in the VSwitch list and click Create an instance > Create ECS instance in the Action column. Follow the instructions to create ECS 1 and ECS 2.
      - Click Create an instance > Create RDS instance in the Action column. Follow the instructions to create RDS 1.
      - Click Create an instance > Create SLB instance in the Action column. Follow the instructions to create SLB 1.
   b. Go to the Alibaba Cloud Server Load Balancer console and add ECS 1 and ECS 2 to the public SLB 1 instance:
      - Log on to the Server Load Balancer console. On the "Server Load Balancers list" page, select the region China East 2 (Shanghai) and click Manage in the Operation column for the SLB 1 instance created above to open the "Instance Details" page.
      - Click Backend server in the left navigation bar, then click the Servers not added tab.
      - Find ECS 1 and ECS 2 and click Add in the Operation column for each of them to add them to SLB 1. Follow the instructions to complete the operation.

4. Return to the "VSwitch list" page of VPC_A and configure the cloud product deployment for the private cloud services:
   a. Create the cloud product instances (two private ECS instances, a public SLB instance and a private RDS instance) for the Business_VPC_B VSwitch:
      - Find the Business_VPC_B item in the VSwitch list and click Create an instance > Create ECS instance in the Action column. Follow the instructions to create ECS 3 and ECS 4.
      - Click Create an instance > Create RDS instance in the Action column. Follow the instructions to create RDS 2.
      - Click Create an instance > Create SLB instance in the Action column. Follow the instructions to create SLB 2.
   b. Go to the Alibaba Cloud Server Load Balancer console and add ECS 3 and ECS 4 to the public SLB 2 instance:
      - Log on to the Server Load Balancer console. On the "Server Load Balancers list" page, select the region China East 2 (Shanghai) and click Manage in the Operation column for the SLB 2 instance created above to open the "Instance Details" page.
      - Click Backend server in the left navigation bar, then click the Servers not added tab.
      - Find ECS 3 and ECS 4 and click Add in the Operation column for each of them to add them to SLB 2. Follow the instructions to complete the operation.

API

The relevant API articles are as follows.

- VPC: Create a VPC; Create a VSwitch
- ECS: Create an instance
- SLB: CreateLoadBalancer; AddBackendServers
- RDS: Create an RDS instance

Deploy resources in different zones within a VPC

Application scenarios

By deploying resources on VSwitches in different zones, you can configure disaster tolerance using the zones of Alibaba Cloud. This article takes the Shanghai region and its zones China East 2 Zone A and China East 2 Zone B as an example of deploying resources in different zones. If the server room hosting China East 2 Zone A encounters an exception, your service remains available as long as you have backup servers deployed in China East 2 Zone B. The following picture shows an example of the resource deployment.

Network planning

- Region: China East 2 (Shanghai)
- Zones: China East 2 Zone A and China East 2 Zone B
- VPC CIDR block: 10.0.0.0/8
- Two applications are deployed on two VSwitches in different zones. Their subnet CIDR blocks are 10.0.1.0/24 and 10.0.2.0/24.
- Two private ECS instances and one private RDS instance are deployed on each of the two VSwitches, behind two public SLB instances.

Operation procedure

1. Log on to the Alibaba Cloud VPC console. Click VPC in the left navigation bar and select the region China East 2 (Shanghai). Click Create VPC, fill in the following information in the "Create VPC" dialog box, and then click OK.
   - VPC name: VPC_B
   - CIDR: 10.0.0.0/8
2. Create two VSwitches in VPC_B:
   a. Go to the Shanghai region VPC list and click Manage in the Action column for VPC_B to open the "VPC basic info" page.
   b. Click VSwitch in the left navigation bar to open the "VSwitch list" page.
   c. Click Create VSwitch, fill in the information below in the "Create VSwitch" dialog box and click OK to create VSwitch 1.
      - Name: Business_VPC_Primary
      - Zone: China East 2 Zone A
      - CIDR: 10.0.1.0/24
   d. Click Create VSwitch again, fill in the information below and click OK to create VSwitch 2.
      - Name: Business_VPC_Backup
      - Zone: China East 2 Zone B
      - CIDR: 10.0.2.0/24

3. Configure the cloud product deployment for your business:
   a. On the "VSwitch list" page, create the cloud product instances for the Business_VPC_Primary VSwitch (two private ECS instances and a private RDS instance, serving as the primary servers and the primary database):
      - Find the Business_VPC_Primary item in the VSwitch list and click Create an instance > Create ECS instance in the Action column. Follow the instructions to create ECS 1 and ECS 2.
      - Click Create an instance > Create RDS instance in the Action column. Follow the instructions to create RDS 1.
   b. Create the cloud product instances for the Business_VPC_Backup VSwitch (two private ECS instances and a private RDS instance, serving as the backup servers and the backup database):
      - Find the Business_VPC_Backup item in the VSwitch list and click Create an instance > Create ECS instance in the Action column. Follow the instructions to create ECS 3 and ECS 4.
      - Click Create an instance > Create RDS instance in the Action column. Follow the instructions to create RDS 2.
   c. Go to the Server Load Balancer console and create two public instances in the China East 2 (Shanghai) region, with China East 2 Zone A as the primary zone and China East 2 Zone B as the backup zone.
   d. Add all four ECS instances under the two VSwitches Business_VPC_Primary and Business_VPC_Backup to their respective public Server Load Balancer instances.

API

The relevant API articles are as follows.

- VPC: Create a VPC; Create a VSwitch
- ECS: Create an instance
- SLB: CreateLoadBalancer; AddBackendServers
- RDS: Create an RDS instance

Access a VPC over a physical connection

Application scenarios

You can connect your own data center to your VPC through a physical connection, which enables intranet communication between your network and your VPC. With two lines working in link aggregation mode, the two networks can be configured to work in active/active or active/passive mode.

Assume that you have a physical data center (private CIDR block: 172.16.0.0/12) in the China North 2 (Beijing) region and a VPC (name: Cloud_Data_Center, CIDR block: 192.168.0.0/16) in the China East 1 (Hangzhou) region. Also assume that you have a 100 Mbps physical connection from your data center to the Alibaba Cloud server room, so that your VPC and your data center can be merged into one intranet.

Your VPC then communicates with your physical data center over a private network. Using the Express Connect access function, you achieve private communication between the two sides, which avoids both the problems caused by the unstable quality of the public Internet and the exposure of data to interception in transit. Note that a leased line keeps the traffic off the public Internet but does not encrypt it; if the data needs confidentiality on the wire, encrypt it at the application layer or over a VPN on top of the connection. The following picture is an example.

Operation procedure

1. Activate the Express Connect service: go to the official Alibaba Cloud Express Connect website, https://www.aliyun.com/product/expressconnect/, and activate the service.
2. Apply for and access your VPC over a physical connection:
   a. Log on to the Express Connect console and click Leased Line in the left navigation bar.
   b. Select the China North 2 (Beijing) region and click Apply for leased line access in the top-right corner of the page. Fill in the information as in the following example.
      - Leased line name: BeijingLocalConnection
      - Access point: China North 2 (Beijing); ap-cn-beijing-dx-A
      - Carrier: Other (China)
      - Access port type: 100Base-T 100M electrical port
      - Access bandwidth: 100 Mbps
      - Leased line peer address: No. XX, XX Street, XX District, Beijing
      - Redundant physical leased line: (select as needed)
   c. Click Confirm application and OK. The page returns to the leased line list of the China North 2 (Beijing) region. The status of the new leased line changes from "Application in progress" to "Approved" once it is approved.
   d. Click Pay access fee to pay the access fee. The physical connection changes to the "Access construction in progress" status.
   e. After access construction is completed, confirm access over the physical connection: the physical connection changes to the "Waiting for confirmation" status; click Confirm and it changes to the "Normal" status. This completes access over the physical connection.

3. Create a virtual border router (VBR) on the physical connection:
   a. Click Virtual Border Router in the left navigation bar of the Express Connect console.
   b. Select the China North 2 (Beijing) region and click Create VBR in the top-right corner of the page. Select the physical leased line constructed in step 2 and fill in the parameters:
      - Name: BeijingBorderRouter
      - Description: (add as needed)
      - Physical leased line: pc-xxxxxx (the ID of "BeijingLocalConnection")
      - VLAN ID: 100
      - Circuit code: SDHXXX
      - Addresses: Alibaba Cloud side 10.100.0.1; customer side 10.100.0.10; subnet mask 255.255.255.0
   c. Click Confirm creation and OK to return to the "Virtual border router list" page of the China North 2 (Beijing) region. When the status of the new virtual border router changes to "Normal", it has been created successfully.

4. Create router interface A on the virtual border router to act as the initiator:
   a. Go to the "Router interface list" page of the Express Connect console and select the region China North 2 (Beijing).
   b. Click Create Router Interface and fill in the parameters:
      - Scenario: Custom
      - Local configuration: VRouter type: VPC router; Region: China North 2 (Beijing)
      - Peer configuration: VRouter type: VPC router; Peer region: China East 1 (Hangzhou)
      - Role specification: Connection role: Initiator; Specifications: Large, Tier 1
   c. Click Buy Now to purchase the router interface. You can now view it on the "Router interface list" page of the Express Connect console; its status is "Idle".
   d. For ease of viewing, give the router interface a name: click More > Edit local interface information in the Operation column and change the name to "BeijingRouterInterface".

5. Create a router interface in the Hangzhou VPC (name: Cloud_Data_Center) to act as the receiver:
   a. Go to the "Router interface list" page of the Express Connect console and select the region China East 1 (Hangzhou).
   b. Click Create Router Interface and fill in the parameters:
      - Scenario: Custom
      - Local configuration: VRouter type: VPC router; Region: China East 1 (Hangzhou)
      - Peer configuration: VRouter type: VPC router; Peer region: China North 2 (Beijing)
      - Role specification: Connection role: Receiver; Specifications: Default
   c. Click Buy Now to purchase the router interface. You can now view it on the "Router interface list" page of the Express Connect console; its status is "Idle".
   d. For ease of viewing, give the router interface a name: click More > Edit local interface information in the Operation column and change the name to "HangzhouRouterInterface".

Configure and connect the two router interfaces. The steps are as follows

Mutually set the two router interfaces as each other's peer interface.

Go to the “Router interface list” page of the ExpressConnect console,and select the region China North 2 (Beijing). Click Add in the Peer Router Interface column corresponding to theinterface “BeijingRouterInterface” created on the virtual border router. Fill in the following parameters.

Account: Current account Peer Router Interface ID/name: HangzhouRouterInterface Check “Set the current router interface as the peer interface ofthe selected router”. Note: If you do not check “Set the current router interface asthe peer interface of the selected router”, you will have torepeat the above steps on the list page to configure the peer forthe VPC router interface “HangzhouRouterInterface”.

Click OK to complete the peer interface configuration. The two router interfaces are now set as each other's peer interface.

Establish a connection between the two router interfaces.

Go to the “Router interface list” page of the Express Connect console and select the region China North 2 (Beijing). Click Initiate connection in the Operation column of the router interface “BeijingRouterInterface”, then click OK. After the connection initiation is confirmed, the status of both router interfaces changes to “Activated”.

An intranet connection now exists over the physical connection between the data center in the “China North 2 (Beijing)” region and the Alibaba Cloud VPC in the “China East 1 (Hangzhou)” region.

Configure routes to control traffic forwarding between the virtual border router and the VPC. The steps are as follows.

Forward the traffic destined for “192.168.0.0/16” on the virtual border router to the VPC.

Log on to the Express Connect console and click Virtual Border Router in the left navigation bar. Select the region and the virtual border router. Click Manage in the Operation column to go to the “VBR details” page. Click Add route entry and fill in the following information.

Target CIDR Block: 192.168.0.0/16
Next hop direction: To VPC
Next hop: BeijingRouterInterface

Click OK to complete the configuration.


Forward the traffic destined for “172.16.0.0/12” on the virtual border router to the physical connection.

Log on to the Express Connect console and click Virtual Border Router in the left navigation bar. Select the region and the virtual border router. Click Manage in the Operation column to go to the “VBR details” page. Click Add route entry and fill in the following information.

Target CIDR Block: 172.16.0.0/12
Next hop direction: To leased line

Click OK to complete the configuration.

Forward the traffic destined for “172.16.0.0/12” from the VPC (name: CloudDataCenter) to the virtual border router.

Log on to the VPC console and click VPC in the left navigation bar. Select the VPC and click Manage in the Action column to go to the “VPC basic info” page. Click VRouter in the left navigation bar to go to the “VRouter info” page. Click Add route entry and fill in the following information.

Target CIDR: 172.16.0.0/12
Next Hop Type: Router Interface
Router Interface: BeijingRouterInterface

Click OK to complete the configuration.
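Before relying on the connection, it is worth checking that the three route entries above form a complete forward and return path: a pair of router interfaces that show “Activated” but carry no traffic is usually missing one of them. The following added example (not code from the guide or from Alibaba Cloud) models the VBR and VPC route tables as plain data, resolves destinations with longest-prefix matching, and reports which side lacks a route. It assumes the VPC CloudDataCenter uses 192.168.0.0/16 (the block the VBR forwards to it) and that delivery inside the VPC needs no custom route; the host addresses are constructed.

```python
"""Pre-flight check for the VBR <-> VPC routes configured above.

Added example, not from the Alibaba Cloud guide. It models both route tables
as plain data and checks that a packet from the data center to the VPC has a
matching return route on the VPC side and a leased-line route on the VBR.
"""
import ipaddress

# Route tables as constructed in this walkthrough:
# (destination CIDR, next-hop type, next hop)
VBR_ROUTES = [
    ("192.168.0.0/16", "To VPC", "BeijingRouterInterface"),
    ("172.16.0.0/12", "To leased line", None),
]
# Assumption: the VPC (CloudDataCenter) uses 192.168.0.0/16, the block the
# VBR forwards to it; "local" stands for delivery inside the VPC itself.
VPC_CIDR = "192.168.0.0/16"
VPC_ROUTES = [
    (VPC_CIDR, "local", None),
    ("172.16.0.0/12", "Router Interface", "BeijingRouterInterface"),
]


def lookup(routes, dst):
    """Longest-prefix match over (cidr, type, hop) entries; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, kind, hop in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, hop)
    return best


def check_return_path(vbr_routes, vpc_routes, onprem_host, vpc_host):
    """List the problems for onprem_host -> vpc_host and its reply; [] means OK."""
    problems = []
    fwd = lookup(vbr_routes, vpc_host)            # data center -> VPC, on the VBR
    if fwd is None or fwd[1] != "To VPC":
        problems.append(f"VBR has no 'To VPC' route for {vpc_host}")
    rev = lookup(vpc_routes, onprem_host)         # VPC -> data center, in the VPC
    if rev is None or rev[1] != "Router Interface":
        problems.append(f"VPC has no 'Router Interface' route back to {onprem_host}")
    back = lookup(vbr_routes, onprem_host)        # VBR -> leased line for the reply
    if back is None or back[1] != "To leased line":
        problems.append(f"VBR has no 'To leased line' route for {onprem_host}")
    return problems


if __name__ == "__main__":
    # Constructed hosts: one in the data center, one in the VPC.
    print(check_return_path(VBR_ROUTES, VPC_ROUTES, "172.16.5.10", "192.168.1.20"))
    # Forgetting the VPC-side entry leaves a one-way path that blackholes replies:
    only_local = [(VPC_CIDR, "local", None)]
    print(check_return_path(VBR_ROUTES, only_local, "172.16.5.10", "192.168.1.20"))
```

The same check applies whenever the VPC or on-premises address plan is extended: add the new block to the table data and run it again before changing the consoles.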

Configure access control between the networks as needed.


Note: You can configure access control for the resources on both sides. For example, you can add rules to ECS security groups (refer to Creating a Security Group) to allow access to the ECS instances on the peer side over the physical connection.

API

Using the Open API is not recommended for access over a physical connection.

Configuration

Create port mapping in a VPC

Application scenarios

In a VPC, if you want several back-end intranet hosts to provide services externally with a limited number of EIPs, you can map ports on the EIP-bound host to the back-end intranet hosts.

Operation procedure

Bind an EIP to an ECS instance and use the EIP to log on over SSH. After a successful logon, the shell prompt is displayed.


Enable IP forwarding on the EIP-bound ECS instance and make it take effect:

# set net.ipv4.ip_forward = 1 persistently, then reload the kernel parameters
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
# verify: must print net.ipv4.ip_forward = 1 (add the line to sysctl.conf if the sed matched nothing)
sysctl net.ipv4.ip_forward

Run iptables to add a DNAT rule. The steps are as follows:

Add a rule that forwards all requests arriving on the EIP's port 80 to host 172.16.3.1 (the private IP address of the other ECS instance):

# the EIP is translated to this instance's private address before the packet arrives, so match on the port only
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to 172.16.3.1

Create a “two-way path” for the forwarded packets, so that replies from 172.16.3.1 return through this instance instead of going straight back to the client:

# rewrite the source of the forwarded connection to this instance's own address
iptables -t nat -I POSTROUTING -p tcp --dport 80 -j MASQUERADE


Test the mapping: a request to the EIP is answered by the page served on 172.16.3.1.

Note: No custom route entry is needed for DNAT. If a route entry and a DNAT rule for the same traffic are both added, they conflict, and finer route control is required.

Use security groups to control public access to ECS instances in a VPC

Application scenarios

If a VPC ECS instance is bound to an EIP and you want to restrict access from certain IP addresses to certain ports, you can do so directly by controlling the inbound rules of the instance's security group. For example, the method below restricts access to the instance's remote desktop port 3389. Without the restriction, netstat -an | findstr :3389 on the instance shows that the client 123.114.113.18 has connected to the VPC instance over the EIP.

Operation procedure

Log on to the Alibaba Cloud ECS console


Click Security groups in the left navigation bar and select the appropriate region. Select the security group containing the instance and click Configuration rules in the Action column to go to the security group rules page. Click Add security group rules, select the protocol type and port range as needed, and click OK. After configuring the security group, try to connect to the instance through the EIP from an address that is not allowed and confirm that the connection fails.

Change the VSwitch or private IP address for an ECS instance in a VPC

Application scenarios

In a VPC, you can move an ECS instance to a different VSwitch. Because each VSwitch has its own CIDR block, the instance's private IP address changes as well. You can also change only the private IP address of the instance within its VSwitch.

Operation procedure

Log on to the ECS console. Click Instances in the left navigation bar and select the appropriate region. Stop the ECS instance so that its status changes to “Stopped”. Click Manage in the Action column to go to the “Basic Information” page. Find the “Configuration Information” area and click More on the right.


In the “Modify Private IP” dialog box, select the VSwitch to connect to. You may also specify the private IP address; if you do not, the system allocates one. Click Modify; the change takes effect after the ECS instance is started.

Note: Because each VSwitch in a VPC has a unique CIDR block, an ECS instance's IP address changes after it is attached to another VSwitch.

Add a VPC ECS instance to a public Server Load Balancer instance

Application scenarios

A Server Load Balancer instance in the classic network that has a public IP address can have VPC ECS instances added to it. A VPC ECS instance cannot be added to a classic-network Server Load Balancer instance that has only a private IP address.

Operation procedure

Log on to the Server Load Balancer console. Select a region and click Create Load Balancer. Fill in the information and click Buy Now. On the “Load Balancer list” page, click Manage in the Operation column of the instance you just created. Click Backend server in the left navigation bar. Click the Servers not added tab and click Add next to a VPC ECS instance to add it to the Server Load Balancer instance.


Note: The ECS instances added to one Server Load Balancer instance must all be of the same network type, either all classic network or all VPC. Click the Servers added tab to see the servers already added.

Isolate the subnets of a VPC

Application scenarios

You can prevent each of three VSwitches from accessing the other two within the same VPC by configuring security groups.

Prerequisites

The three VSwitches are in the same VPC.
The three VSwitches have the CIDR blocks 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24 respectively.
The three VSwitches are created under the same VRouter with the default settings, which allow mutual access.

Operation procedure

Log on to the ECS console. Click Security groups in the left navigation bar to go to the “Security group list”. Create three security groups, one per VSwitch. The steps are as follows:

Select a region and click Create a security group. Fill in the information and Click OK.

Security group name: (name each group after its CIDR block to ease identification)
Network type: VPC
VPC: (select the VPC for the security group)

On the “Security group list” page, click Configuration rules in the Action column of the group for the 172.16.1.0/24 VSwitch to go to the “Security group rules” page. Click Add security group rules to add a rule that allows access from the CIDR block 0.0.0.0/0. Fill in the information and click OK. Note: Set the priority to 100. The smaller the value, the higher the priority. Click Add security group rules to add a rule that denies access from the CIDR block 172.16.2.0/24. Fill in the information and click OK. Note: Set the priority to a value smaller than 100, so that this rule has a higher priority than the allow rule created previously. Use the same method to add a rule that denies access from the CIDR block 172.16.3.0/24.
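The deny-before-allow ordering above, and the port-3389 restriction in the previous section, both rest on how security group priorities are evaluated: the smaller the value, the earlier the rule is considered. The following added example (not code from the guide or from Alibaba Cloud) models a security group's inbound rules and evaluates a packet against them, covering both scenarios as well as the one-way case in which only one of the three groups has been configured. Two details are assumptions not stated in the guide: traffic matching no rule is dropped, and a drop rule wins over an allow rule of equal priority. The admin range 203.0.113.0/24 and the sample addresses are constructed.

```python
"""Evaluate ECS security group inbound rules by priority.

Added example, not code from the Alibaba Cloud guide. Priorities run 1..100
and the smaller value wins, as the guide states. Assumptions not from the
guide: default deny when nothing matches, and drop beats allow on a tie.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # 1..100; the smaller the value, the higher the priority
    action: str        # "allow" or "drop"
    source: str        # source CIDR block the rule matches
    proto: str         # "tcp", "udp" or "all"
    ports: tuple       # (low, high) inclusive; (1, 65535) for all ports


def matches(rule, src_ip, proto, port):
    """True if an inbound packet (src_ip, proto, port) is covered by the rule."""
    if rule.proto not in ("all", proto):
        return False
    if not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def decide(rules, src_ip, proto, port):
    """Return "allow" or "drop" for one inbound packet."""
    hits = [r for r in rules if matches(r, src_ip, proto, port)]
    if not hits:
        return "drop"                       # assumption: default deny for inbound traffic
    best = min(r.priority for r in hits)    # lowest number = highest priority
    top = [r for r in hits if r.priority == best]
    # assumption: on equal priority a drop rule takes precedence over allow
    return "drop" if any(r.action == "drop" for r in top) else "allow"


# Scenario 1: only the constructed admin range may reach remote desktop (3389).
RDP_RULES = [Rule(1, "allow", "203.0.113.0/24", "tcp", (3389, 3389))]

# Scenario 2: the security group of the 172.16.1.0/24 VSwitch as configured above.
ISOLATE_1 = [
    Rule(100, "allow", "0.0.0.0/0", "all", (1, 65535)),
    Rule(90, "drop", "172.16.2.0/24", "all", (1, 65535)),
    Rule(90, "drop", "172.16.3.0/24", "all", (1, 65535)),
]
# The group of the 172.16.2.0/24 VSwitch before its own deny rules are added.
ISOLATE_2_UNFINISHED = [Rule(100, "allow", "0.0.0.0/0", "all", (1, 65535))]


if __name__ == "__main__":
    print(decide(RDP_RULES, "123.114.113.18", "tcp", 3389))       # drop
    print(decide(RDP_RULES, "203.0.113.7", "tcp", 3389))          # allow
    print(decide(ISOLATE_1, "172.16.2.5", "tcp", 80))             # drop
    print(decide(ISOLATE_1, "172.16.1.9", "tcp", 80))             # allow
    # One-way isolation: 172.16.1.0/24 still reaches the unfinished group.
    print(decide(ISOLATE_2_UNFINISHED, "172.16.1.9", "tcp", 22))  # allow
```

Because the allow rule at priority 100 matches everything, any deny you add must sit at a smaller number; a deny left at 100 would tie with it, which is exactly the situation the priority note above is warning about.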

Note: If this VPC has only these three CIDR blocks, the settings above make it impossible for 172.16.2.0/24 and 172.16.3.0/24 to reach 172.16.1.0/24, but not the reverse. To forbid access in both directions between the three VSwitches, set similar rules in the security groups of the other two VSwitches.

Access an OSS instance from an instance in a VPC

VPC currently does not support the direct creation of OSS instances. To access OSS from an instance in a VPC, use its domain name. For the specific domain names, refer to VPC Regions and Endpoints.


Switch the CIDR block for an RDS instance in a VPC

Assume a VPC has two VSwitches with the CIDR blocks 172.16.0.0/24 and 172.18.0.0/24. An RDS instance attached to the VSwitch at 172.16.0.0/24 can be switched to the VSwitch at 172.18.0.0/24.

Considerations

A change of the IP address causes an instant disconnection of the RDS instance.
The new IP address must be added to the RDS whitelist.
Set up an automatic reconnection mechanism in the application that uses the RDS instance beforehand.

Operation procedure

Log on to the RDS console and select a region.

To switch the RDS instance from the classic network to the VPC, follow these steps:

Select an RDS instance whose “Network type” is “classic” and click Manage in the Action column. Click Database Connection in the left navigation bar. In the “Connection information” part, click Switch to VPC. Select the desired VSwitch and click OK.

To switch the RDS instance from the VPC to the classic network, follow these steps:

Select an RDS instance whose “Network type” is “VPC” and click Manage in the Action column. Click Database Connection in the left navigation bar. In the “Connection information” part, click Switch to classic network. Click OK.

Construct an SNAT gateway for a VPC

Application scenarios

In a VPC, an instance of a cloud product without a public IP address can access the Internet through an ECS instance in the same VPC, as long as that ECS instance is bound to an EIP.

Operation procedure

Bind an EIP to an ECS instance. For the detailed steps, refer to Bind an Elastic IP address (EIP). Use the EIP to log on over SSH. After a successful login, the shell prompt is displayed.


Enable the IP forwarding function using the following command:

# set net.ipv4.ip_forward = 1 persistently
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

Run sysctl -p to make IP forwarding take effect:

sysctl -p

Run iptables to add an SNAT rule. 172.16.3.0/24 is the intranet CIDR block and 172.16.3.2 is the private IP address of the ECS instance bound to the EIP:

# the EIP is mapped to 172.16.3.2 by the platform, so traffic from the subnet is translated to that private address
iptables -t nat -I POSTROUTING -s 172.16.3.0/24 -j SNAT --to-source 172.16.3.2

Add a VPC route. The steps are as follows:

Log on to the VPC console. Click VPC in the left navigation bar to go to the VPC list page and select a region. Select the VPC and click Manage in the Action column to go to the “VPC basic info” page. Click VRouter in the left navigation bar to go to the “VRouter info” page. Click Add route entry and fill in the route entry that sends the Internet-bound traffic to the EIP-bound ECS instance. Click OK.

Test whether the Internet is reachable from an instance without a public IP address.


Bind the EIP to the machine at 172.16.3.2. Disable ip_forward and run the test again. The test is successful. (The guide shows each of these steps as a screenshot.)

Monitoring

VPC monitoring consists of traffic monitoring. For the specific traffic monitoring metrics, refer to the EIP monitoring information in CloudMonitor (the “EIP Monitoring” section).

CloudMonitor installation for VPCs

For details, refer to New Agent Version Installation Method.

Security


VPC security

VPCs use security isolation to ensure secure data transmission. Security isolation works as follows:

ECS instances of different users are in different VPCs. Different VPCs are isolated by tunnel ID. Because of VSwitches and VRouters, a VPC can be divided into subnets as in a conventional network. ECS instances in one subnet are interconnected through the same VSwitch, and different subnets are interconnected through the VRouter.
Different VPCs are completely isolated, and can be interconnected only through a bound public IP address (EIP or NAT IP).
Because tunneling is used to encapsulate the IP packets of ECS instances, the data link layer (Layer 2, MAC address) information of the ECS instances is not carried onto the physical network, which implements Layer 2 isolation between ECS instances and thereby between VPCs.
The ECS instances in a VPC use security group firewalls for Layer 3 access control.

Resource Access Management (RAM)

VPCs support access control mechanisms for each cloud product instance.

Product        Link
Networking     VPCs and VSwitches
ECS            Security group


VPCs

A VPC is a private network defined by users based on Alibaba Cloud. Different VPCs are fully isolated logically. You can create and manage cloud product instances, such as ECS, SLB and RDS, in your own VPC.

VPC management:

When creating a VPC, you need to specify the private network segments used in the VPC in CIDR block form.
You must create a VSwitch for the VPC before creating any cloud product instance (such as ECS, SLB and RDS) in the VPC.
When the status of the created VPC changes to “Available”, the VPC has been created successfully and you can proceed with management operations.
To delete a VPC, you must first delete all resources from it (security groups, VSwitches, cloud product instances and route entries).

CIDR block:

Classless Inter-Domain Routing block. For details, refer to the Wikipedia page for Classless Inter-Domain Routing. The CIDR block cannot be modified once the VPC is created. You are advised to use large network segments (for example, 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8 directly) as the VPC CIDR block to avoid resizing later. The system does not create system routes based on the CIDR block of the VPC. Therefore, use large address ranges when creating the VPC to ensure normal use of the services.

VSwitches

A VSwitch is a basic network device of the VPC network. Different cloud product instances can be connected to it. When creating a cloud product instance in a VPC, you must specify the VSwitch in which the instance is located.

VSwitch management:


A new VSwitch can be created only when the VPC is in “Available” status.
Multiple VSwitches cannot be created at the same time; VSwitches can only be created one by one.
The CIDR block cannot be modified once the VSwitch is created.
Before deleting a VSwitch, you must first delete the cloud product instances connected to it.

VSwitch CIDR block:

When creating a VSwitch, you need to specify the CIDR block.
The CIDR block of the new VSwitch must belong to the CIDR block of the VPC in which the VSwitch is located.
The CIDR block of the new VSwitch cannot conflict with any existing VSwitch CIDR block.
The CIDR block of the new VSwitch cannot contain the destination network segment of any existing custom route.

Create a VPC

You can create VPCs on the console.

Considerations

When creating a VPC, you must specify the private network segments used in the VPC in CIDR block form.
After creating a VPC, you must create a VSwitch before you can create cloud product instances (such as ECS, SLB and RDS) in the VPC.
When the status of the created VPC changes to “Available”, the VPC has been created successfully and you can proceed with management operations.


Operation procedure

Log on to the Alibaba Cloud VPC console. At the top of the page, see the regions with active VPCs and find the region in which youwant to create a VPC. Note: As instances cannot be launched in VPCs of a different region, be sure to create a VPCin the appropriate region. Click VPC in the left navigation bar to enter the “VPC list” page. Select a region and click Create VPC in the top-right corner to bring up the “Create VPC”window. On the configuration page, enter the relevant information for the following fields and click OK.

VPC Name: Helps you identify the VPCs and subnets you have created on the console.
Description: Optional. Enter information to make the VPC easier to identify on the console.
CIDR: There are three options: 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8.

When the status of a VPC is “Available”, it indicates that the VPC has been completelycreated.

Modify VPC information

Application scenarios

You can manage VPCs in the VPC list more easily by modifying their names and descriptions.

Operation procedure

Log onto the VPC console.


Click VPC in the left navigation bar to go to the “VPC list” page. Select an instance and click the Edit button to its right to bring up the “Edit VPC” dialogbox. Rename the VPC and change the descriptive information as needed. Click Submit.

View VPC Information

Application scenarios

On the VPC console, you can view the basic information of the deployed VPCs and the associated resource deployment information.

Operation procedure

Log onto the VPC console. Click VPC in the left navigation bar to go to the “VPC list” page and select a region. Select a VPC instance and click the Manage button on the right side to go to the “VPCbasic info” page. On this page, you can view the basic VPC information (such as Name, ID, Status, Region,CIDR, Default VPC, Created time and Note) and the resource deployment information (suchas ECS instances, SLB instances, VSwitch, Security Group).

Delete VPCs

You can delete a VPC that you no longer want to maintain from the console.

Considerations

To delete a VPC, you must first delete all resources from it (security groups, VSwitches, cloud product instances and route entries).


Operation procedure

Log onto the VPC console. Click VPC in the left navigation bar to go to the “VPC list” page and select a region. Select the VPC you want to delete and click Delete to its right in the Action column. In the “Delete VPC” confirmation dialog box, click Confirm to delete the VPC.

Create VSwitches

You can create VSwitches on the VPC console.

Considerations

A new VSwitch can be created only when the VPC is in “Available” status.
Multiple VSwitches cannot be created at the same time; VSwitches can only be created one by one.
The CIDR block cannot be modified once the VSwitch is created.

Operation procedure

Log onto the VPC console. Click VPC in the left navigation bar to go to the “VPC list” page and select a region. Select a VPC and click Manage to its right in the Action column to go to the “VPC basicinfo” page. Click VSwitch in the left navigation bar to go to the “VSwitch list” page. Click Create VSwitch in the top-right corner to bring up the “Create VSwitch” window. Fill in the following information and click OK.


Name: Helps you identify the VSwitch.
VPC: Takes the default value and cannot be modified; it is set automatically when the VPC is created.
VPC CIDR Block: Takes the default value and cannot be modified; it is set automatically when the VPC is created.
Zone: The zones in the region are shown in a drop-down list. Select the appropriate zone based on your networking plan.
CIDR: Must be equal to or belong to the VPC CIDR. The subnet mask must be between 16 and 29.
Available Private IPs: Calculated automatically by the system.
Description: Optional description for future reference.
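The CIDR constraints listed under “VSwitch CIDR block” above, together with the /16 to /29 mask range of the Create VSwitch form, can be checked before the request is submitted. The following added example (not code from the guide or from the VPC API) validates a proposed VSwitch CIDR against the VPC CIDR, the existing VSwitch CIDRs and the destinations of existing custom routes, and also rejects a block whose host bits are set, such as 172.16.1.0/16, which is a common typo for 172.16.1.0/24. All sample CIDRs are constructed.

```python
"""Pre-flight check of a VSwitch CIDR against the rules in this guide.

Added example, not code from the Alibaba Cloud guide or API. Constraints
applied: inside the VPC CIDR, mask between /16 and /29, no overlap with an
existing VSwitch, and not containing an existing custom route destination.
"""
import ipaddress


def validate_vswitch_cidr(vpc_cidr, new_cidr, existing_vswitch_cidrs=(), custom_route_dsts=()):
    """Return the reasons the VSwitch CIDR would be rejected; [] means it is acceptable."""
    try:
        vpc = ipaddress.ip_network(vpc_cidr)
        new = ipaddress.ip_network(new_cidr)     # strict: host bits set raises ValueError
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    problems = []
    if not 16 <= new.prefixlen <= 29:
        problems.append(f"mask /{new.prefixlen} is outside /16../29")
    if new.version != vpc.version or not new.subnet_of(vpc):
        problems.append(f"{new} is not within VPC CIDR {vpc}")
    for cidr in existing_vswitch_cidrs:            # no conflict with existing VSwitches
        other = ipaddress.ip_network(cidr)
        if new.version == other.version and new.overlaps(other):
            problems.append(f"{new} overlaps existing VSwitch {other}")
    for dst in custom_route_dsts:                  # must not swallow a custom route target
        route = ipaddress.ip_network(dst)
        if route.version == new.version and route.subnet_of(new):
            problems.append(f"{new} contains custom route destination {route}")
    return problems


if __name__ == "__main__":
    vpc = "172.16.0.0/12"
    existing = ["172.16.0.0/24"]
    routes = ["10.0.0.0/8"]        # constructed custom route to an on-premises network
    print(validate_vswitch_cidr(vpc, "172.16.1.0/24", existing, routes))   # []
    print(validate_vswitch_cidr(vpc, "172.16.0.0/20", existing, routes))   # overlaps
    print(validate_vswitch_cidr(vpc, "172.16.1.0/16", existing, routes))   # host bits set
    print(validate_vswitch_cidr(vpc, "192.168.1.0/24", existing, routes))  # outside VPC
```

Feed it the VSwitch list and route table exported from the console (or from DescribeVSwitches) and it reports every rule a proposed block would break, rather than the single error the console returns first.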

Modify VSwitch Information

Application scenarios

You can modify VSwitch names and descriptions on the VPC console to simplify VSwitch management.

Operation procedure

Log onto the VPC console. Click VPC in the left navigation bar to go to the “VPC list” page and select a region. Select a VPC instance and click Manage in the Action column to enter the “VPC basicinfo” page. Click VSwitch in the left navigation bar to go to the “VSwitch list” page. Select a VSwitch and click Edit in the Action column to bring up the “Edit VSwitch” dialogbox.


Modify the VSwitch name and description as needed and click Submit.

Delete VSwitches

Application scenarios

You no longer need the VSwitch.

Considerations

Before deleting a VSwitch, you must delete the cloud product instances connected to it.

Operation procedure

Log onto the VPC console. Click VPC in the left navigation bar to go to the “VPC list” page and select a region. Select a VPC instance and click Manage in the Action column to enter the “VPC basicinfo” page. Click VSwitch in the left navigation bar to go to the “VSwitch list” page. Select the VSwitch and click Delete in the Action column to bring up the “Delete VSwitch”confirmation dialog box. Note: Make sure that the ECS instances under the VSwitch have been released already. Click Confirm to delete the VSwitch.

Create a product instance of VPC type

You can create cloud product instances from the VPC console.

Considerations

When creating a cloud product instance in a VPC, you must specify its VSwitch.


Operation procedure

Log onto the VPC console. Click VPC in the left navigation bar to go to the “VPC list” page and select a region. Select a VPC instance and click Manage in the Action column to enter the “VPC basic info” page. Click VSwitch in the left navigation bar to go to the “VSwitch list” page. Select a VSwitch and click Create an instance > Create ECS instance (taking an ECS instance as the example) in the Action column. On the purchase page, select the region and zone of the VPC, set the network type to VPC, and select the VPC and VSwitch you have created.

For how to create an ECS instance, refer to Create an Instance Running Windows or Create an Instance Running Linux.

Default VPCs and default VSwitches

Background information

Before the default VPC function was available, users had to specify the instance's VPC and VSwitch when creating a VPC cloud product instance. They therefore had to learn the functions and usage of the VPC product and plan and create VPCs and VSwitches before creating an instance.

To simplify the creation of VPC cloud product instances, Alibaba Cloud has released the default VPC function, which removes the need to create VPCs and VSwitches beforehand. When you choose to create a cloud product instance using the default VPC and default VSwitch, Alibaba Cloud creates the required default VPC for you.

Further information on default VPCs and VSwitches is given in the following parts. If you only want to use a cloud product in a VPC and do not need to plan and manage the VPC itself, you can skip these sections without affecting your understanding of the remaining sections.

Customer benefits

The default VPC and VSwitch define the single default network location used when you create VPC instances. If you do not specify a VSwitch when creating a VPC instance, the new instance is created at this default network location. This applies when a cloud product supports the default VPC function (for example, ECS) and you either select the default VPC and default VSwitch on the purchase page, or choose the VPC network type without indicating a specific VSwitch when creating the instance through the Open API. The instance is then created in the default VPC and VSwitch of the selected region and zone. For instance, when an ECS instance is created with the following parameters:

Region: Beijing
Zone: Beijing Zone A
Network Type: VPC

In this case, because no VSwitch is specified, the default VSwitch for Beijing Zone A in the default Beijing VPC is used when the ECS instance is created. Note that even if you have already created a VPC and VSwitch, an instance created without specifying a VSwitch is still placed on the default VSwitch. To create a cloud product instance on a non-default VSwitch, you must specify that VSwitch.

Restrictions

About default VPCs

There is only one default VPC for each region.
Default VPCs are not counted against the VPC quota allocated to you by Alibaba Cloud.
Default VPCs are created for you by Alibaba Cloud. All other VPCs you create are non-default VPCs.
The CIDR of a default VPC is a /16 network segment, such as 172.31.0.0/16, which provides up to 65,536 private IP addresses.
Default and non-default VPCs have the same operating methods and specification constraints.


About default VSwitches

There is only one default VSwitch for each zone.
Default VSwitches are not counted against the VSwitch creation quota of a VPC.
Default VSwitches are created for you by Alibaba Cloud. Any VSwitches you create are non-default VSwitches.
Default VSwitches can only be created in default VPCs.
The CIDR of a default VSwitch is a /20 network segment, such as 172.16.0.0/20, which provides up to 4,096 private IP addresses.
Default and non-default VSwitches have the same operating methods and specification constraints.

Create default VPCs and default VSwitches

Alibaba Cloud creates default VPCs and VSwitches for you as needed. You cannot create default VPCs and VSwitches manually, so you do not need to be concerned with the creation process. When you use the default VPC function to create a cloud product instance:

If the required default VPC and default switch already exist in your account, the cloudproduct instance will be created on the corresponding default switch. If the required VPC does not exist in your account, Alibaba Cloud will create the requireddefault VPC and switch for you to create the cloud product instance. If the required default VPC exists, but no default switch has been created for thecorresponding zone, Alibaba Cloud will create the required default switch for you to createthe cloud product instance.

Delete the default VPCs and default VSwitches

The default VPCs and VSwitches can be deleted. If you have deleted the default VPC for a certain region or the default VSwitch for a certain zone, Alibaba Cloud will recreate the VPC or VSwitch for you. Other cloud products in the default VPCs are used in the same way as in a classic network. For details, please refer to the introduction of the relevant cloud product.


View the default VPCs and default VSwitches

You can use the console or the DescribeVpcs interface in the VPC Open API to view your VPCs. On the console, the default VPCs are marked as “Default”; in the Open API query results they have the value “IsDefault = true”.

You can use the console or the DescribeVSwitches interface in the VPC Open API to view your VSwitches. On the console, default VSwitches are marked as “Default”; in the Open API query results they have the value “IsDefault = true”.

Query results showing no default VPC or VSwitch do not prevent you from creating cloud product instances in default VPCs. Alibaba Cloud will create the default VPC or VSwitch you require.

API

VPC related interfaces:

- Create a VPC
- Delete a VPC
- Query the VPC List
- Modify VPC Properties

VSwitch related interfaces:

- Create VSwitches
- Delete VSwitches
- Query the VSwitch List
- Modify VSwitch Properties

IP addresses

IP addresses provide an important way for you to access cloud product instances and for the cloud product instances to offer external services. Currently, a VPC provides two types of IP addresses: private IP addresses and EIP addresses.

Private IP addresses

Private IP addresses are allocated to the VPC cloud product instances when they are created. For example, VPC-type ECS, Server Load Balancer and RDS instances provide private IP addresses. These private IP addresses differ from the private IP addresses of the classic network, which are centrally allocated by Alibaba Cloud. VPC private IP addresses are allocated from the CIDR block of the VSwitch to which an instance belongs, so an instance's private IP address is unique within the VPC. The private IP address allocated to a cloud product instance can be viewed in the instance attributes.

Private IP addresses can be used to provide intranet access for the VPC cloud product instances, such as intranet access between ECS instances, between an ECS instance and another cloud service (for example OSS or RDS), or to provide intranet SLB.

EIP addresses

Elastic IP addresses (EIPs) are public IP address resources that can be dynamically bound to different ECS instances. The instance does not have to be stopped for binding or unbinding.

An EIP can be bound to an ECS instance of VPC type, so that the ECS instance can be connected to the Internet. You can also further implement the following scenarios as required:

- Use the ECS instance as an SNAT gateway to provide Internet access for other instances in the same VPC.
- Use the ECS instance as a DNAT gateway, so that other instances in the same VPC can provide services via the Internet.

Request EIPs

1. Log on to the Alibaba Cloud EIP console.
2. Click Request Elastic IP in the top-right corner.
3. On the “EIP Activation” page, specify the region, network traffic, max bandwidth, billing cycle and purchase quantity. Then, click Buy Now and Activate.

Check EIP traffic

1. Log on to the Alibaba Cloud EIP console and select a region.
2. Select an instance from the “EIP List”.
3. Click the icon in the “Monitor” column to bring up “Network Monitoring Information”. You can then view the traffic and bandwidth monitoring information by sampling period.

Modify EIP bandwidth

1. Log on to the Alibaba Cloud EIP console and select a region.
2. Select an instance from the “EIP List”.
3. Click More > Modify bandwidth in the Actions column to enter the bandwidth modification page.
4. Adjust the max bandwidth value as needed and click Activate to adjust the bandwidth.

Bind an EIP to an ECS instance

1. Log on to the Alibaba Cloud EIP console and select a region.
2. Select an instance from the “EIP List” and click Bind to its right in the Actions column.
3. Select the ECS instance you want to bind and click OK to bind the EIP to the ECS instance.

Unbind an EIP from an ECS instance

1. Log on to the Alibaba Cloud EIP console and select a region.
2. Select an instance from the “EIP List” and click Unbind to its right in the Actions column.

Release EIPs

1. Log on to the Alibaba Cloud EIP console and select a region.
2. Select an instance from the “EIP List” and make sure that the instance status is “Available”.
3. Click More > Release in the Actions column.
4. Click OK.

API

Network related interfaces:

- Request EIPs
- Bind EIPs
- Query the List of EIPs
- Modify EIP Attributes
- Unbind EIPs
- Release EIPs

Monitoring related interfaces:

- Query EIP Monitoring Information

Modify the private IP addresses of VPC-type ECS instances

You can use the console or the Open API to modify the VSwitch and the private IP address of an ECS instance within a VPC.

Modify on the management console

1. Log on to the ECS console.
2. Click Instances in the left navigation bar to enter the “Instance List” page.
3. Select the region and the ECS instance whose private IP is to be modified, and make sure its status is “Stopped”. If not, stop the instance.
4. Click More > Modify Private IP in the Action column corresponding to the ECS instance.
5. Select the instance's VSwitch and specify your desired private IP address. If no private IP address is specified, the system automatically allocates an unused IP address in the VSwitch CIDR block to the instance.

API

Use the Open API to call the Modify Instance VPC Attributes interface.

Instance related interfaces:

- Modify Instance VPC Attributes

VRouters and routing tables

Core concepts

VRouters

VRouters are hubs in a VPC. As an important functional component of a VPC, VRouters connect all the VSwitches in the VPC and also serve as the gateway that connects the VPC to other networks. Each VRouter maintains a routing table and forwards network traffic according to specific routing entries.

Product constraints

- Each VPC can only have one VRouter.
- VRouters do not support dynamic routing protocols such as BGP or OSPF.

VRouter management

- When a VPC is created, the system automatically creates a VRouter for it.
- When a VPC is deleted, the corresponding VRouter is also deleted.
- A VRouter cannot be directly created or deleted.

Routing tables

A routing table is the list of routing entries on the VRouter.

Product constraints

- Each VRouter can only have one routing table.
- The routing entries of the routing table affect all the cloud product instances in the VPC.
- At present, source-address policy routing is not supported for routing a VSwitch or cloud product instance.

Routing table management

- When a VPC is created, the system automatically creates a routing table.
- When a VPC is deleted, the corresponding routing table is also deleted.
- The routing table cannot be directly created or deleted.

Routing entries

Each item in the routing table is a routing entry. A routing entry defines the next hop address for the network traffic to be routed to the specified destination CIDR block. Routing entries are categorized into system routes and custom routes.

Note: VRouters only support static routes, not ECMP equal-cost routes.

Routing entry management

- When a VPC is created, a system route is automatically created for the cloud product instances in the VPC to access the cloud services outside the VPC.
- When a VSwitch is created, the system creates a route to the VSwitch's CIDR block accordingly.
- Users can create and delete custom routing entries.
- System routing entries are automatically managed by the system and cannot be created or deleted by users.

Routing Rules

The routing table uses longest prefix matching as the rule for selecting a route for traffic. Longest prefix matching is a method of matching IP addresses: when multiple entries in a routing table match the target IP address, the route with the longest (most precise) mask is used as the matched item to determine the next hop.

For example, the routing entries of a routing table in a VPC network are shown in the table below. The table is explained as follows:

- The two routes with the destination addresses 100.64.0.0/10 and 192.168.0.0/24 are both system routes. The former is the address segment reserved by the system and the latter is the system route configured for the VPC's VSwitch.
- The two routes with the destination addresses 0.0.0.0/0 and 10.0.0.0/24 are custom routes. They forward the traffic destined for the 0.0.0.0/0 address segment to the ECS instance with the ID i-12345678, and the traffic destined for the 10.0.0.0/24 address segment to the ECS instance with the ID i-87654321.
- Based on the longest prefix matching rule, in this VPC network the traffic destined for 10.0.0.1 is forwarded to the ECS instance with the ID i-87654321, and the traffic destined for 10.0.1.1 is forwarded to the ECS instance with the ID i-12345678.
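The longest-prefix selection just described, applied to the four entries of the example routing table, as an added Python example that is not part of this guide. The table contents and the 48-entry quota come from the guide; the function names, the `RouteEntry` type and the one-route-per-destination rule are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Quota from the Restrictions table of this guide: 48 route entries per routing table.
MAX_ROUTE_ENTRIES = 48


@dataclass(frozen=True)
class RouteEntry:
    destination: ipaddress.IPv4Network
    next_hop_type: str  # "Instance" for the custom routes here; empty for system routes
    next_hop_id: str    # ECS instance ID for custom routes; empty for system routes
    route_type: str     # "System" or "Custom"


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects a destination with host bits set, e.g. "10.0.0.1/24"
    return ipaddress.ip_network(cidr, strict=True)


# Constructed copy of the example routing table in this section (same four entries).
EXAMPLE_TABLE: List[RouteEntry] = [
    RouteEntry(_net("100.64.0.0/10"), "", "", "System"),   # segment reserved by the system
    RouteEntry(_net("192.168.0.0/24"), "", "", "System"),  # system route to a VSwitch CIDR
    RouteEntry(_net("0.0.0.0/0"), "Instance", "i-12345678", "Custom"),
    RouteEntry(_net("10.0.0.0/24"), "Instance", "i-87654321", "Custom"),
]


def select_route(table: List[RouteEntry], dst_ip: str) -> Optional[RouteEntry]:
    """Longest prefix matching: of all entries whose destination contains dst_ip,
    pick the one with the longest (most specific) mask. Returns None when no
    entry matches, which can only happen if the table has no 0.0.0.0/0 route."""
    addr = ipaddress.ip_address(dst_ip)
    best: Optional[RouteEntry] = None
    for entry in table:
        if addr in entry.destination and (
            best is None or entry.destination.prefixlen > best.destination.prefixlen
        ):
            best = entry
    return best


def add_custom_route(table: List[RouteEntry], cidr: str, instance_id: str) -> RouteEntry:
    """Add a custom route whose next hop is an ECS instance, applying the constraints
    the guide states (users create custom routes only; at most MAX_ROUTE_ENTRIES
    entries). The one-entry-per-destination rule is an assumption of this example;
    it keeps the longest-prefix choice unambiguous."""
    dest = _net(cidr)
    if len(table) >= MAX_ROUTE_ENTRIES:
        raise ValueError(f"routing table already holds {MAX_ROUTE_ENTRIES} entries")
    if any(e.destination == dest for e in table):
        raise ValueError(f"a route for {dest} already exists")
    entry = RouteEntry(dest, "Instance", instance_id, "Custom")
    table.append(entry)
    return entry


def delete_route(table: List[RouteEntry], cidr: str) -> RouteEntry:
    """Delete a custom route. System routes are managed by the system and cannot be
    deleted by users, so attempting that is rejected rather than silently ignored."""
    dest = _net(cidr)
    for entry in table:
        if entry.destination == dest:
            if entry.route_type == "System":
                raise PermissionError(f"{dest} is a system route and cannot be deleted")
            table.remove(entry)
            return entry
    raise KeyError(f"no route for {dest}")


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.1.1", "192.168.0.7", "100.64.3.3"):
        chosen = select_route(EXAMPLE_TABLE, ip)
        print(f"{ip:>12} -> {chosen.destination} ({chosen.route_type}) {chosen.next_hop_id}")
```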

DestinationCidrBlock | NextHopType | NextHopId | Type
100.64.0.0/10 | | | System
192.168.0.0/24 | | | System
0.0.0.0/0 | Instance | i-12345678 | Custom
10.0.0.0/24 | Instance | i-87654321 | Custom

Configure routing tables

Routing tables can be configured through the VPC console or the Open API. The operation procedure on the VPC console is shown as follows.

Create custom routing entries


1. Log on to the VPC console.
2. Click VPC in the left navigation bar and select a region.
3. Select the VPC for route configuration in the VPC list, and then click Manage in the Action column corresponding to this VPC.
4. Click VRouter in the left navigation bar to enter the “VRouter info” page, where you can view the existing routes.
5. To add a custom route, click Add route entry in the top-right corner and fill in the information in the pop-up box.
6. Click OK.

Delete custom routing entries

1. Log on to the VPC console.
2. Click VPC in the left navigation bar and select a region.
3. Select the VPC for route configuration in the VPC list, and then click Manage in the Action column corresponding to this VPC.
4. Click VRouter in the left navigation bar to enter the “VRouter info” page.
5. Select the custom routing entry you want to delete and click Delete in the Action column corresponding to this entry.
6. Click Confirm to delete the custom routing entry.

Edit VRouters

You can only edit the name and description fields, which provide basic information about the VRouter.

1. Log on to the VPC console.
2. Click VPC in the left navigation bar and select a region.
3. Select the VPC for route configuration in the VPC list, and then click Manage in the Action column corresponding to this VPC.
4. Click VRouter in the left navigation bar to enter the “VRouter info” page.
5. Click Edit in the “VRouter basic info” part.
6. Enter the desired VRouter name and description in the pop-up dialog box.
7. Click Submit to edit the VRouter basic information.

API

VRouter related interfaces:

- Query the Router List
- Modify VRouter Properties

Routing table related interfaces:

- Create a Custom Route
- Delete a Custom Route
- Query the Routing Table List

VPC Via Express Connect

Overview

Express Connect can be used to interconnect VPCs. Communication is allowed between your own VPCs or with other VPCs in the same or a different region. Express Connect enables physical IDCs and Alibaba Cloud VPCs to communicate via the intranet, making network convergence possible. This facilitates data transmission in a file sharing network.


Configuration

Network the VPCs in the same region

Express Connect can be used to support communication between VPCs in the same region. The benefits of this networking model include avoiding the unstable network quality that results from going through the Internet and protecting the data from theft during transmission. The following picture shows an example.

Data planning

- Same region: Region A. This document takes the VPCs created in the region “China North 2 (Beijing)” as an example.
- Two VPCs: VPC 1 and VPC 2.
- VRouter interface CIDR blocks: VRouter1 (192.168.0.0/16) and VRouter2 (172.16.0.0/12).
- ECS instance private IPs: ECS 1 (192.168.0.100) and ECS 2 (172.16.0.10).

Operation procedure

1. Log on to the VPC console.
2. Click VPC in the left navigation bar to enter the “VPC list” page and select the region “China North 2 (Beijing)”.
3. Click Create VPC and fill in the following information to create VPC1 and VPC2 respectively. Then click OK.
   - VPC1: VPC name: VPC1; CIDR: 192.168.0.0/16
   - VPC2: VPC name: VPC2; CIDR: 172.16.0.0/12
4. Select a VPC instance on the “VPC list” page and click Manage in the Action column to enter the “VPC basic info” page.
5. Click VSwitch in the left navigation bar to go to the “VSwitch list” page.
6. Select a VSwitch and click Create an instance > Create ECS instance in the Action column.
7. Follow the instructions to complete the creation of the ECS instance.
8. Log on to the Express Connect Console and select the region “China North 2 (Beijing)”.
9. Click Create Router Interface in the top-right corner and fill in the following information.
   - Scene: Same account VPC networking
   - Region: China North 2 (Beijing)
   - VPC: VPC1
   - Peer region: China North 2 (Beijing)
   - Peer VPC: VPC2


10. Click Buy Now and Activate. When the status changes to “Activated”, the VPCs are networked in the same region.

Network the VPCs in different regions

You can use Express Connect to support communication between VPCs in different regions. The following picture shows an example.

Data planning

- Region A: China North 2 (Beijing). Region B: China East 1 (Hangzhou).
- VPC1 is in the “China North 2 (Beijing)” region and VPC2 is in the “China East 1 (Hangzhou)” region.
- VRouter interface CIDR blocks: VRouter1 (192.168.0.0/16) and VRouter2 (172.16.0.0/12).
- ECS1 private IP of VPC1: 192.168.0.100.
- ECS2 private IP of VPC2: 172.16.0.1.
- Custom VRouter1 CIDR block of VPC1: 172.16.0.0/12.
- Custom VRouter2 CIDR block of VPC2: 172.16.0.0/16.


Operation procedure

1. Log on to the VPC console.
2. Click VPC in the left navigation bar to enter the “VPC list” page and select the region “China North 2 (Beijing)”.
3. Click Create VPC and fill in the following information to create VPC1. Then click OK.

   - VPC name: VPC1
   - CIDR: 192.168.0.0/16

4. On the “VPC list” page, select VPC1 and click Manage in the Action column to its right to enter the “VPC basic info” page.
5. Click VSwitch in the left navigation bar to go to the “VSwitch list” page.
6. Select a VSwitch and click Create an instance > Create ECS instance in the Action column. Follow the instructions to create an ECS instance with the private IP address 192.168.0.100.
7. Click VRouter in the left navigation bar and click Add route entry to create a custom route with the CIDR block 172.16.0.0/12.
8. Return to the VPC list page and select the region “China East 1 (Hangzhou)”.
9. Click Create VPC and fill in the following information to create VPC2. Then click OK.

   - VPC name: VPC2
   - CIDR: 172.16.0.0/12

10. On the “VPC list” page, select VPC2 and click Manage in the Action column to its right to enter the “VPC basic info” page.
11. Click VSwitch in the left navigation bar to go to the “VSwitch list” page.
12. Select a VSwitch and click Create an instance > Create ECS instance in the Action column. Follow the instructions to create an ECS instance with the private IP address 172.16.0.1.


13. Click VRouter in the left navigation bar and click Add route entry to create a custom route with the CIDR block 172.16.0.0/16.
14. Log on to the Express Connect Console.
15. Click Create Router Interface in the top-right corner and fill in the following information.

   - Scene: Same account VPC networking
   - Region: China North 2 (Beijing)
   - VPC: VPC1
   - Peer region: China East 1 (Hangzhou)
   - Peer VPC: VPC2

16. Click Buy Now and Activate. When the status changes to “Connected”, the VPCs are networked across different regions.

Network the VPCs of different accounts

Express Connect can also support communication between two VPCs in different Alibaba Cloud accounts. This avoids the unstable quality caused by having to go through the Internet and prevents data leakage during transmission.

Data planning

- Users: Account A and Account B.
- VPCs: VPC1 under Account A and VPC2 under Account B.
- VPC1 region: China North 2 (Beijing). VPC2 region: China East 1 (Hangzhou).
- The VRouter interface of VPC1 is the connection initiator and the VRouter interface of VPC2 is the connection receiver.
- VRouter interface CIDR blocks: VRouter1 (192.168.0.0/16) and VRouter2 (172.16.0.0/12).


Operation procedure

1. Log on to the VPC console with Account A.
2. Click VPC in the left navigation bar to enter the “VPC list” page and select the region “China North 2 (Beijing)”.
3. Click Create VPC and fill in the following information to create VPC1. Then click OK.

   - VPC name: VPC1
   - CIDR: 192.168.0.0/16

4. On the “VPC list” page, select VPC1 and click Manage in the Action column to its right to enter the “VPC basic info” page.
5. Click VSwitch in the left navigation bar to go to the “VSwitch list” page.
6. Select a VSwitch and click Create an instance > Create ECS instance in the Action column. Follow the instructions to create an ECS instance.
7. Log on to the Express Connect Console.
8. Click Create Router Interface in the top-right corner and fill in the following information.

   - Scene: Custom
   - Region: China North 2 (Beijing)
   - VPC: VPC1
   - Peer region: China East 1 (Hangzhou)
   - Connection role: InitiatingSide

9. Click Buy Now and Activate to complete the setup for Account A.
10. Log on to the VPC console with Account B.
11. Click VPC in the left navigation bar to enter the “VPC list” page and select the region “China East 1 (Hangzhou)”.
12. Click Create VPC and fill in the following information to create VPC2. Then click OK.

   - VPC name: VPC2
   - CIDR: 172.16.0.0/12

13. On the “VPC list” page, select VPC2 and click Manage in the Action column to its right to enter the “VPC basic info” page.
14. Click VSwitch in the left navigation bar to go to the “VSwitch list” page.
15. Select a VSwitch and click Create an instance > Create ECS instance in the Action column. Follow the instructions to create an ECS instance.
16. Log on to the Express Connect Console.
17. Click Create Router Interface in the top-right corner and fill in the following information.

   - Scene: Custom
   - Region: China East 1 (Hangzhou)
   - VPC: VPC2
   - Peer region: China North 2 (Beijing)
   - Connection role: AcceptingSide

When the above operations are complete, the ECS instances under Accounts A and B can communicate with each other.

Restrictions


Limits of Use

VPC

- For performance and security purposes, VPC does not support multicast or broadcast. To use the multicast and broadcast functions, you must submit a ticket to obtain the multicast and broadcast tools.

VRouter

- Each VPC can only have one VRouter.
- VRouters do not support dynamic routing protocols such as BGP or OSPF.

VSwitch

- The VSwitch of a VPC is a Layer 3 switch that does not support Layer 2 broadcast or multicast.
- The VSwitch itself does not limit the quantity of cloud product instances. The quantity of instances that can be mounted to a VSwitch depends on the quantity of cloud product instances in the particular VPC. Currently, a maximum of 5000 cloud product instances can be created for a VPC.
- VSwitch CIDR blocks cannot be modified.

Restriction | Restrictions on Normal Users | Application for Exemption
Maximum VPCs for an account | 2 | Ticket
CIDR blocks available for VPCs | 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, and their subnets | Ticket
Maximum VRouters for a VPC | 1 | No exceptions
Maximum VSwitches for a VPC | 24 | No exceptions
Maximum route tables for a VPC | 1 | No exceptions
Maximum route entries for a routing table | 48 | Ticket
Maximum cloud products for a VPC | 5000 | No exceptions

ECS instance migration for a VPC

VPC allows you to migrate an ECS instance from one VSwitch to another under the same VRouter within the same VPC. The following operations are not supported:

- ECS instance migration across VRouters.
- ECS instance migration between clouds of different types, for example from a VPC to a classic cloud, or vice versa.

EIP

- EIPs can be created in these regions: China East 1 (Hangzhou), China North 2 (Beijing), China South 1 (Shenzhen), China East 2 (Shanghai), US West 1 (Silicon Valley), Singapore, US East 1 (Virginia) and Hong Kong.
- At present, EIPs can only be bound to ECS instances.
- An EIP can only be bound to an ECS instance in a VPC, not to one in a classic cloud.
- One ECS instance can be bound to only one EIP. One EIP can be bound to only one ECS instance.
- EIPs for a VPC can only be bound to ECS instances in the same region.
- A single account has an EIP quota of 20.


Exception handling

Failure in connecting to OSS

Problem descriptions

A user wants to allow communication between an ECS instance and an OSS instance within a VPC, but the following failures occur.

1. Ping the OSS address as follows. The connection to oss-cn-beijing-internal.aliyuncs.com (the intranet address of the Beijing OSS node) fails.

    $ping oss-cn-beijing-internal.aliyuncs.com

2. Use Telnet to connect to port 80 of the OSS address as follows. The attempt to ping or connect to its port 80 fails as well.

    $telnet oss-cn-beijing-internal.aliyuncs.com 80

Common causes

OSS has a set of fixed intranet addresses for VPC. These addresses are required when connecting to OSS from a VPC; using other OSS addresses fails.

Solution

Do not connect from an ECS instance in a VPC to OSS by using the oss-cn-beijing-internal.aliyuncs.com address. Similarly, do not use the following addresses to connect to OSS in the indicated regions:

- China North 1 (Qingdao) intranet address node: oss-cn-qingdao-internal.aliyuncs.com
- China North 2 (Beijing) intranet address node: oss-cn-beijing-internal.aliyuncs.com
- China East 1 (Hangzhou) intranet address node: oss-cn-hangzhou-internal.aliyuncs.com
- Hong Kong intranet address node: oss-cn-hongkong-internal.aliyuncs.com
- China South 1 (Shenzhen) intranet address node: oss-cn-shenzhen-internal.aliyuncs.com
- US West 1 (Silicon Valley) intranet address node: oss-us-west-1-internal.aliyuncs.com

Use the following OSS intranet addresses for VPC:

- China North 2 (Beijing): vpc100-oss-cn-beijing.aliyuncs.com
- China South 1 (Shenzhen): vpc100-oss-cn-shenzhen.aliyuncs.com
- China East 1 (Hangzhou): vpc100-oss-cn-hangzhou.aliyuncs.com
- China East 2 (Shanghai): vpc100-oss-cn-shanghai.aliyuncs.com
- China North 1 (Qingdao): vpc100-oss-cn-qingdao.aliyuncs.com
- US West 1 (Silicon Valley): vpc100-oss-us-west-1.aliyuncs.com
- Singapore: vpc100-oss-ap-southeast-1.aliyuncs.com

Connecting to the corresponding OSS intranet address enables successful communication. If the problem persists, contact After-Sales Technical Support.

Failure in accessing RDS in a classic network

By default, an ECS instance in a VPC cannot access an RDS instance in a classic cloud via the intranet. There are two solutions to this limitation:

- Bind an EIP to the VPC ECS instance and set a public address for the RDS instance. Then access the RDS instance's public address from the ECS instance via the Internet.
- Switch the RDS instance from the classic cloud to a VPC. Note that this operation will prevent ECS instances in the classic cloud from accessing the RDS instance.

Failure in binding EIP attempt

Problem descriptions

When a user purchases an EIP and wants to bind it, the console interface does not show any ECS instances, as shown below.

Common causes

- The target ECS instance is not in a VPC. ECS instances have been created for the classic cloud, not for the target VPC in the region to which the EIP belongs.
- The target ECS instance is not in the “Running” or “Stopped” status.

Solution

1. On the ECS console, check that there are VPC-type ECS instances.
2. If not, log on to the VPC console, choose a VPC in the appropriate region and create an ECS instance.
3. Log on to the EIP console to bind the EIP.

Suggestions and summary

During network planning, create the VPC, VSwitch and ECS instance in sequence, and then bind the EIP to the ECS instance to avoid the above problem.

Failure during VSwitch creation

Problem descriptions

During VSwitch creation on the VPC console, the prompt 'Specified CIDR block overlapped with other subnets' appears as shown below.


Common causes

The specified CIDR block of the VSwitch overlaps with that of an existing VSwitch within the same VPC.


Solution

1. Log on to the VPC console.
2. Click VPC in the left navigation bar to go to the “VPC list” page.
3. Click Manage corresponding to the desired instance to go to the “VPC basic info” page.
4. Click VSwitch in the left navigation bar to go to the “VSwitch list” page.
5. Click Create VSwitch in the top-right corner to bring up the “Create VSwitch” dialog box.
6. Modify the “CIDR block” as needed and click OK.
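To plan a VSwitch CIDR block that will not trigger this failure, the following added Python example (not the guide's or the console's code) reproduces the checks involved: the allowed VPC blocks and the 24-VSwitch quota come from the Restrictions table above, the overlap test matches the "overlapped with other subnets" condition, and the function names and the `next_free_vswitch_cidr` helper are assumptions of this example.

```python
import ipaddress
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constraints taken from the Restrictions table in this guide.
ALLOWED_VPC_BLOCKS: List[IPv4Net] = [
    ipaddress.ip_network(c) for c in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
]
MAX_VSWITCHES_PER_VPC = 24


class CidrPlanError(ValueError):
    """Raised when a planned CIDR block violates one of the guide's constraints."""


def _net(cidr: str) -> IPv4Net:
    # strict=True rejects blocks with host bits set, e.g. "172.16.0.1/20"
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise CidrPlanError(f"{cidr!r} is not a valid CIDR block: {exc}") from exc


def check_vpc_cidr(cidr: str) -> IPv4Net:
    """A VPC CIDR must be one of the allowed private blocks or a subnet of one."""
    net = _net(cidr)
    if not any(net.subnet_of(block) for block in ALLOWED_VPC_BLOCKS):
        allowed = ", ".join(str(b) for b in ALLOWED_VPC_BLOCKS)
        raise CidrPlanError(f"{net} is outside the allowed VPC blocks ({allowed})")
    return net


def check_vswitch_cidr(vpc_cidr: str, existing: Iterable[str], new_cidr: str) -> IPv4Net:
    """Checks for a new VSwitch: its block must lie inside the VPC's block, the VPC
    must have room for another VSwitch, and the block must not overlap any VSwitch
    that already exists in the same VPC (the 'overlapped with other subnets' failure)."""
    vpc = _net(vpc_cidr)
    new = _net(new_cidr)
    current = [_net(c) for c in existing]
    if not new.subnet_of(vpc):
        raise CidrPlanError(f"{new} is not within the VPC CIDR block {vpc}")
    if len(current) >= MAX_VSWITCHES_PER_VPC:
        raise CidrPlanError(f"VPC {vpc} already has {MAX_VSWITCHES_PER_VPC} VSwitches")
    for other in current:
        if new.overlaps(other):
            raise CidrPlanError(
                f"Specified CIDR block overlapped with other subnets: {new} overlaps {other}"
            )
    return new


def next_free_vswitch_cidr(vpc_cidr: str, existing: Iterable[str],
                           prefixlen: int = 20) -> Optional[IPv4Net]:
    """First block of the requested size inside the VPC that does not overlap any
    existing VSwitch; None when the VPC has no free block of that size left.
    The default /20 is the size the guide uses for default VSwitches."""
    vpc = _net(vpc_cidr)
    if prefixlen < vpc.prefixlen:
        raise CidrPlanError(f"/{prefixlen} is larger than the VPC block {vpc}")
    current = [_net(c) for c in existing]
    for candidate in vpc.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(other) for other in current):
            return candidate
    return None


if __name__ == "__main__":
    vpc = "172.16.0.0/12"            # VPC2 from the Express Connect examples
    vswitches = ["172.16.0.0/20"]    # constructed: one VSwitch already exists
    try:
        check_vswitch_cidr(vpc, vswitches, "172.16.8.0/24")
    except CidrPlanError as err:
        print("rejected:", err)
    print("next free /20:", next_free_vswitch_cidr(vpc, vswitches))
```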

Failure in connecting to an FTP server set up with IIS in a VPC

Problem descriptions

An FTP server is set up with IIS in a VPC. The connection to this FTP server using Windows Explorer from the external network fails and the following message appears:

But at the same time, you can still use FileZilla and other clients to connect to FTP normally.


Solution

You can solve this problem by installing an FTP firewall. Refer to the following method.

Input EIP in the specified position.

Failure in EIP connection

The causes and solutions for a failure in EIP connection are as follows.

1. Check whether the EIP is bound to an ECS instance. For details about binding an EIP, click here.
2. Check whether the host has a security policy. If the ECS instance has a security group policy, such as prohibiting access to port 80, the EIP will be inaccessible through port 80. In that case you need to modify the security group policy. For details, see Security Group Applications.

Terms of service

Product SLA

VPC does not provide an independent SLA. The SLAs and fault compensation terms for the various products also apply to cloud product instances (such as ECS, RDS, SLB, OCS, and OSS) in a VPC.

Terms of Service

Preface

Welcome to the Alibaba Cloud VPC service. Before activating Virtual Private Cloud (VPC), please read the relevant norms, rules, and use processes (together "rules") and these terms of service ("terms") posted on the Alibaba Cloud website at www.aliyun.com. If you do not agree to any of the terms or cannot understand the interpretation provided by Alibaba Cloud, please do not continue with subsequent operations. Alibaba Cloud treats your activation or actual use of the VPC service as constituting your full understanding of and consent to the rules and terms. Afterwards, you may not invalidate or request to cancel these terms on grounds of failing to fully read and understand them, failing to receive answers to your questions from Alibaba Cloud, or any other reasons.

1 Contracting Entities

These terms of service form a valid contract between yourself and Alibaba Cloud Computing Co. Ltd. on the basis of your use of the Alibaba Cloud VPC service.

2 Agreement Establishment and Validity

Once you click "Free Activation" and perform subsequent operations, this constitutes your agreement to abide by all the provisions in these terms of service. These terms of service form a valid contract between the two parties regarding use of the VPC service.


3 VPC Service Use

3.1. Prior to using the Alibaba Cloud VPC service, you shall carefully read the relevant service descriptions, technical specifications, and use processes posted on the Alibaba Cloud website. You shall understand the content and the consequences that may occur. When using the VPC service, you shall perform operations in accordance with the relevant instructions. Please be aware of the relevant risks and perform operations with caution.

3.2. You understand and agree that the use of Alibaba Cloud VPC is the result of your own independent and careful judgment and that you will assume the associated responsibilities, including, but not limited to:

3.2.1. When using the VPC service, you shall be responsible for all the results of your independent operations, for example, setting VRouters, VSwitches, custom routes and security groups;

3.2.2. In the process of using the VPC service, you shall be responsible for your own devices, for example, a physical connection and VPN;

3.2.3. Even though you do not have to pay for the VPC service, if you use any other Alibaba Cloud paid services, including but not limited to EIP, you shall pay for those services in accordance with the Alibaba Cloud charging rules.

3.3. You understand and acknowledge that, when using the VPC service:

3.3.1. You shall not conduct any behaviors that undermine or attempt to undermine network security (including but not limited to phishing, hacker attacks, network fraud, suspected involvement in the spreading of viruses/trojans/malicious code to websites or cyberspace, and suspected involvement in attack behaviors against other websites and servers by using virtual servers, such as scanning, sniffing, ARP spoofing, and DDoS);

3.3.2. You shall not modify or attempt to modify the system configurations provided by Alibaba Cloud or undermine system and network security;

3.3.3. You shall not modify, translate, edit, lease, sublicense, or transmit/transfer on networks the software or services provided by Alibaba Cloud, or obtain the source code of the software provided by Alibaba Cloud through reverse engineering, decompilation, or other methods;

3.3.4. The VPC service provided by Alibaba Cloud may not be copied, propagated, transferred, licensed or provided for use to any third party without the prior written consent of Alibaba Cloud;

3.3.5. You shall not use the VPC service in any way or for any purpose that violates national or local laws and regulations, industry practices, or public morality, or that affects or damages, or may affect or damage, the interests of Alibaba Cloud or the Alibaba Group.

4 Limitation of Liability

You understand and agree that, even though Alibaba Cloud provides availability support for the VPC service during the free period, it disclaims all warranties, in any way, for any error or vulnerability and does not assume any responsibility for your work or results arising from your use of the VPC service.


5 Changes and Termination

5.1. You understand and acknowledge that Alibaba Cloud retains the right to modify, cancel, or enhance any number of VPC service functions at its discretion. Alibaba Cloud also has the right to require you to use the latest version. Notice of any such modification shall be posted on our website, sent by an onsite message, or given in some other way.

5.2. If you violate these terms of service in any way, or Alibaba Cloud has good reason to believe you have breached these rules and terms during your use of the VPC service, Alibaba Cloud may suspend or terminate your right to use the VPC service at its discretion without warning. At the same time, if your use of the service has caused losses to Alibaba Cloud, it has the right to require you to compensate such losses.

6 Confidentiality

You and Alibaba Cloud both shall be responsible for the confidentiality of the other party's confidential information, unless the disclosure of such information is required by the national government, courts, or another institution with the relevant authority, or if this information is already in the public domain.

7 Miscellaneous

7.1. You understand and agree that Alibaba Cloud currently provides the VPC service for free (that is, no charges for activation or use). Alibaba Cloud does not rule out the possibility of charges in the future. At such a time, Alibaba Cloud shall publish the charge policy and norms within 10 calendar days by posting an announcement on the appropriate website forum, sending an in-site notification, or by some other means. If you continue to use the VPC service, you shall pay the fees according to the valid charging policy and norms and abide by the valid terms of service published at such time.

7.2. Alibaba Cloud has the right to modify the terms at any time in accordance with changes to relevant laws and regulations, its business conditions and its policy adjustments. The modified terms of service shall be posted on the Alibaba Cloud website at www.aliyun.com. If you do not agree with the modified content, you must cease use of the VPC service. Your continued use of the VPC service constitutes your acceptance of the changes to the terms of service.

7.3. If, for whatsoever reason, any provision of these terms, in full or in part, is found to be invalid, unenforceable, or in violation of any applicable law, the provision is deemed to have been removed, and the other provisions of the terms shall remain in full force and effect.

7.4. These terms of service shall be governed by the law of the People's Republic of China. Any dispute arising during the performance of these terms of service shall be settled by both parties through consultation in due time, and if no solution is reached, a complaint may be directly lodged by either party with the Hangzhou West Lake District People's Court.


Related resources

Forum

To visit the forum, click here.

Contact us

Ticket: https://workorder.console.aliyun.com/console.htm?spm=5176.1879446.1001.2.j4NqcG#/ticket/list/
Presales consultation: 400-118-3456 (5×8)
Customer service:
Cloud product (such as ECS, RDS and SLB) consultation: 0571-85025885
HiChina product (such as domain names, mailboxes, virtual machines) consultation: 400 600 8500
Filing assistance: 400 600 8500 (ext. 3)

Release notes

Release Date        Changes
August 4, 2015      Alibaba Cloud fully launched, providing the Virtual Private Cloud (VPC), VRouter, RouteTable, and VSwitch services.
December 28, 2015   VPC supports Resource Access Management (RAM).
March 29, 2016      Did an overall review.


March 30, 2016      The default VPC function was released.
