A virtual private cloud (VPC) is a private network established in the cloud that you can fully control. A VPC is a regional resource where you can create and use Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances and ApsaraDB RDS instances.
A vSwitch is a zonal resource that you can use to divide a VPC into subnets. vSwitches in the same VPC can communicate with each other. You can deploy cloud resources to vSwitches in different zones to improve application availability and prevent service interruptions caused by single points of failure (SPOFs) in a zone.
Network planningProper network planning is essential to avoid network segment conflicts and ensure network extensibility. Improper network planning can lead to high rebuilding costs. Therefore, we recommend that you plan your network before you create a VPC.
Create or delete a VPC and a vSwitch Console Create a VPC and a vSwitchGo to the Create VPC page in the VPC console.
Configure the VPC:
Region: Select the region where you want to create cloud resources.
IPv4 CIDR block: Select a CIDR block suggested by the console or enter a custom CIDR block. For scenarios such as multi-VPC communication, we recommend that you configure a non-overlapping CIDR block to prevent conflicts with your existing VPCs. To prevent CIDR block conflicts and ensure network extensibility, we recommend that you create a VPC using IPAM.
1. We recommend that you use the private IPv4 addresses specified in RFC 1918 as the CIDR block of the VPC. The network mask can be 16 to 28 bits in length. For example, you can use 10.0.0.0/16, 172.16.0.0/16, or 192.168.0.0/16.
2. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as the IPv4 CIDR block of the VPC.
Configure the vSwitch:
Zone: The zone where you want to create cloud resources. You must select a zone based on the support status and resource inventory in that zone.
IPv4 CIDR block: Select the default CIDR block or specify a custom CIDR block.
Add More vSwitches: To prevent service interruptions caused by SPOFs in a zone, you can create multiple vSwitches in different zones. You can create vSwitches when you create a VPC or add more vSwitches later on the vSwitches page in the VPC console.
In the Operation column or on the details page of the target VPC or vSwitch, click Delete. The system checks for existing cloud resources or associated resources. If dependent resources exist, you must release them before you can delete the VPC and vSwitch.
1. Before you delete a vSwitch, make sure that the vSwitch is not shared, is not associated with a custom route table or a network ACL, and contains no cloud resources.
2. Before you delete a VPC, make sure that all resources in the VPC are released and the VPC is not associated with network services such as CEN.API
Unlike operations in the console, the CreateVpc operation creates only an empty VPC. You must also call the CreateVSwitch operation to create a vSwitch.
Call CreateVpc and CreateVSwitch to create a VPC and a vSwitch.
Call DeleteVSwitch and DeleteVpc in sequence to delete the vSwitch and the VPC.
1. Before you delete a vSwitch, make sure that the vSwitch is not shared, is not associated with a custom route table or a network ACL, and contains no cloud resources.
2. Before you delete a VPC, make sure that all resources in the VPC are released and the VPC is not associated with network services such as CEN.
Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where you want to create the VPC.
provider "alicloud" {
region = "cn-hangzhou"
}
# Use a data source to automatically obtain a list of zones where you can create vSwitches.
data "alicloud_zones" "available_zones" {
available_resource_creation = "VSwitch" # Query the zones where vSwitches can be created in the VPC.
# available_instance_type = "ecs.g7.large" # Query the zones where ECS instances can be created in the VPC.
# available_resource_creation = "slb" # Query the zones where SLB instances can be created in the VPC.
}
# Create a VPC.
resource "alicloud_vpc" "example_vpc" {
vpc_name = "example_vpc_name"
cidr_block = "10.0.0.0/16" #Specify the CIDR block.
}
# Create a vSwitch.
resource "alicloud_vswitch" "example_vswitch" {
vswitch_name = "example_vswitch_name"
cidr_block = "10.0.0.0/24" # Specify the CIDR block.
vpc_id = alicloud_vpc.example_vpc.id # Specify the ID of the VPC to which the vSwitch belongs.
zone_id = data.alicloud_zones.available_zones.zones.0.id # Specify the zone to which the vSwitch belongs.
}
After you enable IPv6 for a VPC and a vSwitch, the system automatically creates an IPv6 gateway and assigns an IPv6 CIDR block. By default, only private communication is supported. If you require Internet communication, you can enable IPv6 Internet bandwidth.
Regions that support the IPv4/IPv6 dual stack.Console Enable IPv6
When you create a VPC and a vSwitch, you can select Allocate BGP (Multi-ISP) from the IPv6 drop-down list to enable IPv6.
For an existing VPC, click Enable IPv6 in the IPv6 CIDR Block column of the VPC. Set the IPv6 CIDR block type to Allocate BGP (Multi-ISP). You can select Automatically Enable IPv6 For All vSwitches In The VPC. You can also click Enable IPv6 in the IPv6 CIDR Block column of the target vSwitch to enable IPv6 for the vSwitch.
You can click Disable IPv6 in the IPv6 CIDR Block column of the target VPC or vSwitch. Before you can disable IPv6 for a VPC, you must disable IPv6 for all vSwitches in the VPC and delete the IPv6 gateway of the VPC.
APIWhen you create a VPC and a vSwitch, set the EnableIPv6 parameter in the CreateVpc and CreateVSwitch API calls to enable or disable IPv6.
For existing VPCs and vSwitches, modify the EnableIPv6 parameter of ModifyVpcAttribute and ModifyVSwitchAttribute to enable or disable IPv6.
Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where you want to create the VPC.
provider "alicloud" {
region = "cn-hangzhou"
}
# Use a data source to automatically obtain a list of zones where you can create vSwitches.
data "alicloud_zones" "available_zones" {
available_resource_creation = "VSwitch" # Query the zones where vSwitches can be created in the VPC.
# available_instance_type = "ecs.g7.large" # Query the zones where ECS instances can be created in the VPC.
# available_resource_creation = "slb" # Query the zones where SLB instances can be created in the VPC.
}
# Create a dual-stack VPC.
resource "alicloud_vpc" "example_vpc" {
vpc_name = "example_vpc_name"
cidr_block = "10.0.0.0/16"
enable_ipv6 = true # Enable IPv6. Set the value to false to disable IPv6.
ipv6_isp = "BGP" # Specify the type of the IPv6 CIDR block.
}
# Create a dual-stack vSwitch.
resource "alicloud_vswitch" "example_vswitch" {
vswitch_name = "example_vswitch_name"
cidr_block = "10.0.0.0/24"
vpc_id = alicloud_vpc.example_vpc.id
zone_id = data.alicloud_zones.available_zones.zones.0.id
enable_ipv6 = true # Enable IPv6. Set the value to false to disable IPv6.
ipv6_cidr_block_mask = 1 # Specify the last 8 bits of the IPv6 CIDR block for the vSwitch.
}
When you create a VPC, the IPv4 CIDR block that you specify becomes the primary CIDR block of the VPC. You cannot modify the primary CIDR block of a VPC in the console. However, you can call the ModifyVpcAttribute API operation and adjust the CidrBlock parameter to expand or shrink the primary CIDR block. You must ensure that the new, smaller CIDR block includes all IP addresses that are already in use.
You cannot modify the IPv6 CIDR block of a VPC or the IPv4/IPv6 CIDR block of a vSwitch.
Use a secondary CIDR block to add IP addressesIf a VPC has insufficient available IP addresses for your workloads, you can add a secondary CIDR block to expand its address space.
The secondary CIDR block and the primary CIDR block take effect at the same time. You can use them to create vSwitches and deploy cloud resources such as ECS instances.
1. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as a secondary IPv4 CIDR block.
2. The secondary CIDR block cannot overlap with the primary CIDR block.
3. By default, you can add up to five secondary IPv4 CIDR blocks and five secondary IPv6 CIDR blocks to each VPC.Console Add a secondary CIDR block
On the Basic Information page of the target VPC, click the CIDR Block Management tab. You can add a secondary IPv4 or IPv6 CIDR block.
You can add a secondary IPv4 CIDR block in one of the following ways:
Recommended CIDR Block: Select one of 10.0.0.0/16, 172.16.0.0/16, or 192.168.0.0/16 to quickly add a secondary CIDR block.
Advanced Configuration CIDR Block: Specify a custom secondary CIDR block.
IPv4 CIDR Block Allocated By IPAM: Using IPAM helps you avoid conflicts between allocated CIDR blocks. We recommend that you select this option if you already have an IPAM pool with a provisioned CIDR block. To configure this option, first select an address pool, and then configure the Network Mask.
For a secondary IPv6 CIDR block:
If IPv6 is disabled for the VPC, click the Enable IPv6 button and set the IPv6 CIDR block type to Allocate BGP (Multi-ISP). You can then select Automatically Enable IPv6 For All VSwitches In The VPC. Alternatively, you can click Enable IPv6 in the IPv6 CIDR Block column of a specific vSwitch to enable IPv6 only for that vSwitch.
For a VPC for which IPv6 is enabled, click Add IPv6 CIDR Block and set IPv6 CIDR Block Type to Allocate BGP (Multi-ISP).
On the Basic Information page of the target VPC, go to the CIDR Block Management >IPv4 CIDR Block tab or the IPv6 CIDR Block tab. Find the secondary CIDR block that you want to delete and click Delete in the Operation column.
APICall AssociateVpcCidrBlock to add a secondary CIDR block.
Call UnassociateVpcCidrBlock to delete a secondary CIDR block.
Terraform supports only secondary IPv4 CIDR blocks. Secondary IPv6 CIDR blocks are not supported.
Resources: alicloud_vpc_ipv4_cidr_block
# Specify the region where you want to create the VPC.
provider "alicloud" {
region = "cn-hangzhou"
}
# Specify the ID of the VPC.
variable "vpc_id" {
default = "vpc-xxx" # Replace the value with the actual ID of the VPC.
}
# Create a secondary CIDR block in the VPC.
resource "alicloud_vpc_ipv4_cidr_block" "example_secondary_cidr_block" {
vpc_id = var.vpc_id
secondary_cidr_block = "192.168.0.0/16" # Specify the secondary CIDR block.
}You can reserve a network segment in a vSwitch to ensure that this segment is not occupied by other resources. The reserved network segment is currently used only to assign an IP prefix to a secondary private IP address of an Elastic Network Interface (ENI).
1. A reserved CIDR block cannot contain the system reserved IP addresses of the vSwitch.
2. You can reserve up to 100 IPv4 CIDR blocks and 100 IPv6 CIDR blocks for each vSwitch.
3. The mask of a reserved IPv4 CIDR block cannot be larger than 28 bits in length. The mask of a reserved IPv6 CIDR block cannot be larger than 80 bits in length.Console Create a reserved CIDR block
On the Basic Information page of the target vSwitch, click the Reserved CIDR Block tab. You can add a reserved IPv4 or IPv6 CIDR block. You can add a reserved CIDR block in one of the following two ways:
Specify A CIDR Block: Specify the exact CIDR block that you want to reserve.
Specify A Mask Length: The system automatically allocates a reserved CIDR block from the available CIDR blocks.
For an IPv6 CIDR block, if IPv6 is disabled for the vSwitch, click the Enable IPv6 button. In the Enable IPv6 dialog box that appears, set the IPv6 CIDR block for the vSwitch.
If IPv6 is also disabled for your VPC, in the Enable IPv6 dialog box that appears, first set IPv6 CIDR Block Type to the default value Allocate BGP (Multi-ISP), and then set the IPv6 CIDR block for the vSwitch.
On the Basic Information page of the target vSwitch, go to the Reserved CIDR Block >IPv4 CIDR Block tab or IPv6 CIDR Block tab. Find the reserved CIDR block that you want to manage and click View Used IPs in the Operation column to view the used IP segments and their corresponding ENIs.
Delete a reserved CIDR blockBefore you delete a reserved CIDR block, make sure that no IP segments in the reserved CIDR block are in use.
On the Basic Information page of the target vSwitch, go to the Reserved CIDR Block >IPv4 CIDR Block tab or IPv6 CIDR Block tab. Find the reserved CIDR block that you want to delete and click Delete in the Operation column.
APICall CreateVSwitchCidrReservation to create a reserved CIDR block.
Call GetVSwitchCidrReservationUsage to view the occupied IP segments.
Call DeleteVSwitchCidrReservation to delete a reserved CIDR block.
Resources: alicloud_vpc_vswitch_cidr_reservation
# Specify the region where you want to create the VPC.
provider "alicloud" {
region = "cn-hangzhou" # The region where the resource resides.
}
# Specify the ID of the vSwitch.
variable "vsw_id" {
default = "vsw-xxx" # Replace the value with the actual ID of the vSwitch.
}
# Create a reserved CIDR block.
resource "alicloud_vpc_vswitch_cidr_reservation" "example_cidr_reservation" {
vswitch_id = var.vsw_id
ip_version = "IPv4"
cidr_reservation_cidr = "10.0.0.128/26" # Specify the reserved CIDR block.
}Manually configuring IPv4 CIDR blocks may be inefficient and cause potential address conflicts.
IPAM is a cloud-based IP address management tool that helps you automate the allocation and management of IP addresses, simplify network management processes, and avoid address conflicts. You can plan with IPAM. After you create an IPAM instance and an IPAM pool, you can assign an IPv4 CIDR block to a virtual private cloud (VPC) from the IPAM pool.
ConsoleGo to the Create VPC page in the VPC console. Use the IPv4 CIDR Block Allocated By IPAM option. Select an IPAM pool and configure a mask to allocate a CIDR block from the IPAM pool to the VPC.
After you configure the network mask, the system allocates the first available CIDR block within the specified mask range by default. You can also adjust the IPv4 CIDR block within the provisioned CIDR block of the address pool.
Before you create a VPC, make sure that you have created an IPAM instance and an IPAM pool in the IPAM console.API
If you have created an IPAM pool, you can specify the IPAM pool using the Ipv4IpamPoolId parameter and specify a mask using the Ipv4CidrMask parameter when you call CreateVpc. A network segment is then allocated from the IPAM pool for the new VPC. Alternatively, you can specify the CidrBlock parameter to assign a specific network segment to the VPC, instead of automatically allocating one by specifying a mask.
If you do not have an IPAM pool, you can call the following API operations in sequence to create an IPAM pool and then create a VPC.
Resources: vpc_ipam_ipam, alicloud_vpc_ipam_ipam_pool, alicloud_vpc_ipam_ipam_pool_cidr, alicloud_vpc
# Specify the region where you want to create the IPAM instance, IPAM pool, and VPC.
provider "alicloud" {
region = "cn-hangzhou"
}
# Create an IPAM instance.
resource "alicloud_vpc_ipam_ipam" "example_ipam" {
ipam_name = "example_ipam_name"
operating_region_list = ["cn-hangzhou"] # Specify the region where the IPAM instance takes effect.
}
# Create an IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool" "example_parentIpamPool" {
ipam_scope_id = alicloud_vpc_ipam_ipam.example_ipam.private_default_scope_id # Specify the scope of the IPAM pool.
ipam_pool_name = "example_parentIpamPool_name"
pool_region_id = alicloud_vpc_ipam_ipam.example_ipam.region_id # Specify the region where the IPAM pool takes effect.
ip_version = "IPv4" # Specify the IP version of the IPAM pool.
}
# Allocate a CIDR block to the IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_ipamPoolCidr" {
cidr = "10.0.0.0/16" # Specify the CIDR block.
ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM pool.
}
# Create a VPC.
resource "alicloud_vpc" "example_ipam_vpc" {
vpc_name = "example_ipam_vpc_name"
ipv4_ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM pool.
ipv4_cidr_mask = 24 # The IPv4 network mask.
}
Default VPCs and vSwitches help you quickly verify and deploy services. However, if you require long-term network services or need to run core production systems, we recommend that you create custom VPCs and vSwitches based on your business architecture. This allows for fine-grained network planning, resource fencing, security control, and scalability, which helps you build a cloud network environment that meets your business requirements.
You can create only one default VPC in each region and only one default vSwitch in each zone. Default VPCs and vSwitches do not consume your quotas.
When you create an ECS, SLB, or RDS instance in a region where no VPC has been created, you can choose to have Alibaba Cloud create a default VPC and a default vSwitch. The CIDR block of the default VPC created in this way is fixed at 172.16.0.0/12.
In a region where you have not yet created a default VPC, you can call CreateDefaultVpc and CreateDefaultVSwitch to create a default VPC and a vSwitch. The CIDR block of a default VPC created in this way is 172.xx.0.0/16.
VPCs and vSwitches that you create are non-default VPCs and vSwitches. You can delete default VPCs and vSwitches, but you cannot convert default VPCs and vSwitches to non-default ones, or vice versa.
System reserved IP addressesThe address space of a vSwitch CIDR block contains system reserved IP addresses. You cannot assign system reserved IP addresses to cloud resources such as ECS instances.
For IPv4, the first IP address and the last three IP addresses of each vSwitch are reserved by the system.
For example, if the CIDR block of a vSwitch is 192.168.1.0/24, 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved by the system.
For IPv6, the first IP address and the last nine IP addresses of each vSwitch are reserved by the system.
For example, if the IPv6 CIDR block of a vSwitch is 2408:xxxx:xxxx:6eff::/64, the first IP address 2408:xxxx:xxxx:6eff:: and the last nine IP addresses from 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff7 to 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:ffff are reserved by the system.
Before you connect a VPC to a cross-account CEN instance, virtual border router (VBR), or Express Connect Router (ECR), you must grant cross-account permissions in the VPC.
For more information about authorization, see Authorize a cross-account CEN instance, Authorize a cross-account VBR instance, and Authorize a cross-account ECR instance.
Once authorized, the other account can select your VPC-connected instance when creating a VPC connection, creating a VBR connection, or associating a VPC with an ECR.
1. The account mentioned here refers to an Alibaba Cloud account, not a RAM user.
2. Cross-account authorization across different sites is not supported. For example, you cannot grant permissions to an account on the China site (aliyun.com) from an account on the international site (alibabacloud.com).
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4