By default, virtual private clouds (VPCs) are isolated from each other. A VPC peering connection lets two VPCs, which can be in the same or different regions and accounts, communicate over a private network.
How it works
A VPC peering connection connects two VPCs over a private network. This lets resources deployed in both VPCs access each other using private IP addresses. Follow the steps below:
Create a VPC peering connection: If the VPCs are in the same account, the system automatically accepts the request and creates the connection. If the VPCs are in different accounts, the accepter account must accept the connection request on the peering connection details page.
Configure routes in both VPCs: To enable resource access, you must configure routes that point to the peer VPC.
To connect many VPCs that require high bandwidth at a low cost, use both VPC peering connections and CEN to create a complex hybrid network. For differences between CEN and VPC peering connections, see Connect VPCs.
Configure a peering connection
Console
Precheck:
Ensure the CIDR blocks of the two VPCs do not overlap. If they overlap, migrate your services to VPCs with non-overlapping CIDR blocks.
If this is your first time using a VPC peering connection, make sure that CDT is enabled for the accounts that own VPCs.
Create a peering connection:
Go to the VPC Peering Connections page in the VPC console. Select the region where the VPC is located from the top navigation bar, and then click Create VPC Peering Connection.
Create a peering connection: Select the accepter account and region type.
Accepter account type:
Same Account: The system automatically accepts the request and establishes the connection.
Cross-Account: Using the accepter account, go to the VPC console - VPC Peering Connections page. In the top navigation bar, select the region where the VPC is located. In the Actions column of the target peering connection, click Accept.
The accepter can Reject or Delete the connection request. For more information, see VPC peering connection statuses.
If you set the accepter region type to Inter-region, configure the Link Type and Accepter Region.
Platinum and Gold provide different levels of data transfer quality and correspond to different billing unit prices.
Platinum (99.995% availability commitment): For services that are highly sensitive to jitter and latency and require high connection quality, such as securities trading, online voice calls, video conferencing, and real-time games.
Gold (99.95% of availability commitment): For services that are not sensitive to connection quality, such as data synchronization and file transfer.
Configure routes:
To use IPv6 addresses, configure a route pointing to the IPv6 CIDR block of the peer VPC.
Use the requester VPC account:
On the VPC Peering Connections page, find the target peering connection and view its Accepter CIDR.
In the Requester VPC column, click Configure Route. Select the Route Table associated with the vSwitch that contains the resources that you want to connect. Set Destination CIDR Block to the accepter CIDR.
Use the accepter VPC account:
On the VPC Peering Connections page, view the Requester CIDR.
In the Accepter VPC column, click Configure Route. Select the Route Table associated with the vSwitch that contains the resources that you want to connect. Set Destination CIDR Block to the requester CIDR.
Verify connectivity:
Reachability Analyzer: No real packets are sent, so your services are not affected.
In the Diagnose column for the peering connection instance, open Reachability Analyzer. Alternatively, click the instance ID of the peering connection to go to the Reachability Analyzer tab. Configure the source and destination, then specify the protocol and port number to simulate a real scenario and check the connectivity between the source and destination.
The system checks the route, security group, and network ACL configurations, and provides a diagnostic result.
If the path is reachable in one direction, click Reverse Path Analysis and configure the reverse path to check connectivity.
Manual verification: Log on to an ECS instance in the requester VPC and run ping <private IP address of the peer ECS instance>. A reply confirms that both the forward and the return route work. Note that the peer instance's security group must allow ICMP for this test, so a failed ping by itself does not prove that the routes are wrong; use Reachability Analyzer to tell a route problem from an access-rule problem.
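The precheck, route configuration and verification steps above (and the troubleshooting checklist later on this page) reduce to a handful of checks that can be scripted from data you already have. The following Python is an added example, not Alibaba Cloud code and not the Reachability Analyzer itself: it models a peering connection with a non-overlapping-CIDR check, a check that each VPC's route table carries a route to the peer CIDR with the peering connection as next hop (forward and return path), and an inbound security-group check on the destination. The peering ID, VPC IDs, CIDR blocks, route entries and security-group rules are constructed for the example, and the dictionary field names are the example's own, not the API's.

```python
import ipaddress

# Constructed IDs and data for this example; none of these are real resources.
PEER_ID = "pcc-example******"  # hypothetical peering connection ID

VPCS = {
    "vpc-requester": {"cidr": "10.0.0.0/8"},
    "vpc-accepter": {"cidr": "172.16.0.0/12"},
}

# Route tables, one per VPC: destination CIDR, next hop type, next hop ID.
# The accepter side is deliberately missing its return route so that the
# check below has something to report.
ROUTE_TABLES = {
    "vpc-requester": [
        {"dest": "10.0.0.0/8", "nexthop_type": "local", "nexthop_id": None},
        {"dest": "172.16.0.0/12", "nexthop_type": "VpcPeer", "nexthop_id": PEER_ID},
    ],
    "vpc-accepter": [
        {"dest": "172.16.0.0/12", "nexthop_type": "local", "nexthop_id": None},
    ],
}

# Inbound security-group rules on the destination instance: protocol,
# inclusive port range, allowed source CIDR.
SG_INBOUND = [
    {"proto": "tcp", "ports": (22, 22), "src": "10.0.0.0/8"},
    {"proto": "tcp", "ports": (3306, 3306), "src": "10.1.0.0/16"},
]


def cidrs_overlap(a, b):
    """True when two CIDR blocks share any address; such VPCs cannot be peered."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def has_peer_route(routes, peer_cidr, peer_id):
    """True when some route covers the peer CIDR and points at this peering connection."""
    target = ipaddress.ip_network(peer_cidr)
    for r in routes:
        if r["nexthop_type"] != "VpcPeer" or r["nexthop_id"] != peer_id:
            continue
        dest = ipaddress.ip_network(r["dest"])
        if dest.version == target.version and target.subnet_of(dest):
            return True
    return False


def sg_allows(rules, proto, port, src_ip):
    """Inbound security-group check: any rule matching protocol, port and source admits the packet."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        lo, hi = r["ports"]
        if r["proto"] == proto and lo <= port <= hi and ip in ipaddress.ip_network(r["src"]):
            return True
    return False


def check_peering(vpcs, route_tables, sg_inbound, peer_id, src_ip, dst_ip, proto, port):
    """Run the page's checks for src -> dst; return the list of findings (empty means OK)."""
    (a, a_cfg), (b, b_cfg) = vpcs.items()
    findings = []
    if cidrs_overlap(a_cfg["cidr"], b_cfg["cidr"]):
        findings.append(f"CIDR blocks {a_cfg['cidr']} and {b_cfg['cidr']} overlap")
    # Forward route (a -> b) and return route (b -> a); a session needs both.
    if not has_peer_route(route_tables[a], b_cfg["cidr"], peer_id):
        findings.append(f"{a}: no route to {b_cfg['cidr']} via {peer_id}")
    if not has_peer_route(route_tables[b], a_cfg["cidr"], peer_id):
        findings.append(f"{b}: no route to {a_cfg['cidr']} via {peer_id}")
    if not sg_allows(sg_inbound, proto, port, src_ip):
        findings.append(f"security group on {dst_ip} does not allow {proto}/{port} from {src_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_peering(VPCS, ROUTE_TABLES, SG_INBOUND, PEER_ID,
                                 "10.2.0.5", "172.16.0.10", "tcp", 3306):
        print("FAIL:", finding)
```

Run as-is, the script reports two findings: the accepter VPC has no return route to 10.0.0.0/8, and the MySQL rule admits only 10.1.0.0/16, not the 10.2.0.5 source. Both are the kinds of one-sided misconfiguration that make a ping from the requester side time out while the requester's own route table looks correct.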
After creating an inter-region peering connection, you can click the instance ID and then click Edit to modify the Bandwidth (Mbit/s) and Link Type of the inter-region peering connection.
Both accounts can delete the VPC peering connection. After deletion, private access is interrupted. This operation cannot be undone. Make sure that it does not affect your services.
API
Create a peering connection
Call CreateVpcPeerConnection to create a VPC peering connection.
If the two VPCs belong to different accounts, use the accepter account to call AcceptVpcPeerConnection to accept the request.
The accepter can call RejectVpcPeerConnection to reject a connection request.
Call GetVpcPeerConnectionAttribute using either the requester or the accepter account to retrieve the CIDR blocks of the respective VPCs.
Call CreateRouteEntry using either the requester or the accepter account to create a route that points to the peering connection (destination: the peer VPC's CIDR block; next hop type VpcPeer; next hop ID: the peering connection ID). Do this in both VPCs, or traffic will flow in one direction only.
Modify an inter-region peering connection
Call ModifyVpcPeerConnection to modify the bandwidth or link type of an inter-region VPC peering connection.
Delete a peering connection
Call DeleteRouteEntry to delete the route that points to the peering connection.
Call DeleteVpcPeerConnection to delete the VPC peering connection.
Reachability Analyzer
Call the following API operations in sequence to check connectivity using Reachability Analyzer.
Terraform
Same-account peering connection
Resources: alicloud_vpc_peer_connection, alicloud_route_entry
Data sources: alicloud_account
# The account to which the VPC belongs
data "alicloud_account" "default" {}

provider "alicloud" {
  alias  = "local"
  region = "cn-hangzhou" # The region where the requester VPC is located.
}

provider "alicloud" {
  alias  = "accepting"
  region = "cn-beijing" # The region of the accepter VPC. It can be the same as the region of the requester VPC. Configure it based on the region of the accepter VPC.
}

# Requester VPC ID
variable "local_vpc_id" {
  default = "vpc-bp1c******"
}

# Accepter VPC ID
variable "accepting_vpc_id" {
  default = "vpc-2zev******"
}

# Create a VPC peering connection
resource "alicloud_vpc_peer_connection" "example_peer_connection" {
  provider             = alicloud.local
  peer_connection_name = "example_peer_connection_name"
  vpc_id               = var.local_vpc_id                 # Requester VPC ID
  accepting_ali_uid    = data.alicloud_account.default.id # Accepter account ID (same account here)
  accepting_region_id  = "cn-beijing"                     # The region where the accepter VPC is located
  accepting_vpc_id     = var.accepting_vpc_id             # Accepter VPC ID
  bandwidth            = 1024   # The bandwidth in Mbit/s. You can configure this parameter only when the requester region and the accepter region are different.
  link_type            = "Gold" # The link type. You can configure this parameter only when the requester region and the accepter region are different.
}

# Configure a route for the requester VPC
resource "alicloud_route_entry" "example_local_route" {
  provider              = alicloud.local
  route_table_id        = "vtb-bp1a******" # The route table bound to the vSwitch where the requester instance is located
  destination_cidrblock = "172.16.0.0/12"  # The CIDR block of the accepter VPC
  nexthop_type          = "VpcPeer"        # The next hop is a VPC peering connection
  nexthop_id            = alicloud_vpc_peer_connection.example_peer_connection.id
}

# Configure a route for the accepter VPC
resource "alicloud_route_entry" "example_acceptor_route" {
  provider              = alicloud.accepting
  route_table_id        = "vtb-2ze1******" # The route table bound to the vSwitch where the accepter instance is located
  destination_cidrblock = "10.0.0.0/8"     # The CIDR block of the requester VPC
  nexthop_type          = "VpcPeer"        # The next hop is a VPC peering connection
  nexthop_id            = alicloud_vpc_peer_connection.example_peer_connection.id
}
Cross-account peering connection
Resources: alicloud_vpc_peer_connection, alicloud_vpc_peer_connection_accepter, alicloud_route_entry
provider "alicloud" {
  alias  = "local"
  region = "cn-hangzhou" # The region of the requester VPC
}

# The region of the accepter VPC. It can be the same as the region of the requester VPC.
# Configure it based on the region of the accepter VPC.
variable "accepting_region" {
  default = "cn-beijing"
}

# The accepter account
variable "accepting_uid" {
  default = "1234******"
}

# The AccessKey ID of the accepter account. Marked sensitive so that Terraform
# redacts it in plan and apply output.
variable "access_key_id" {
  description = "The AccessKey ID for operating your infrastructure"
  sensitive   = true
}

# The AccessKey secret of the accepter account
variable "access_key_secret" {
  description = "The AccessKey Secret for operating your infrastructure"
  sensitive   = true
}

provider "alicloud" {
  alias      = "acceptor"
  region     = var.accepting_region
  access_key = var.access_key_id
  secret_key = var.access_key_secret
}

# Requester VPC ID
variable "local_vpc_id" {
  default = "vpc-2ze0******"
}

# Accepter VPC ID
variable "accepting_vpc_id" {
  default = "vpc-wz9e******"
}

# Create a VPC peering connection
resource "alicloud_vpc_peer_connection" "example_peer_connection" {
  provider             = alicloud.local
  peer_connection_name = "example_peer_connection_name"
  vpc_id               = var.local_vpc_id     # Requester VPC ID
  accepting_ali_uid    = var.accepting_uid    # Accepter account ID
  accepting_region_id  = var.accepting_region # Accepter region
  accepting_vpc_id     = var.accepting_vpc_id # Accepter VPC ID
  bandwidth            = 1024   # The bandwidth in Mbit/s. You can configure this parameter only when the requester region and the accepter region are different.
  link_type            = "Gold" # The link type. You can configure this parameter only when the requester region and the accepter region are different.
}

# The accepter accepts the peering connection request
resource "alicloud_vpc_peer_connection_accepter" "example_peer_connection_accepter" {
  provider    = alicloud.acceptor
  instance_id = alicloud_vpc_peer_connection.example_peer_connection.id
}

# Configure a route for the requester VPC
resource "alicloud_route_entry" "example_local_route" {
  provider              = alicloud.local
  route_table_id        = "vtb-2zel******" # The route table bound to the vSwitch where the requester instance is located
  destination_cidrblock = "192.168.0.0/24" # The CIDR block of the accepter VPC
  nexthop_type          = "VpcPeer"        # The next hop is a VPC peering connection
  nexthop_id            = alicloud_vpc_peer_connection.example_peer_connection.id
  # Route to the connection only after it has been accepted.
  depends_on = [alicloud_vpc_peer_connection_accepter.example_peer_connection_accepter]
}

# Configure a route for the accepter VPC
resource "alicloud_route_entry" "example_acceptor_route" {
  provider              = alicloud.acceptor
  route_table_id        = "vtb-wz95******" # The route table bound to the vSwitch where the accepter instance is located
  destination_cidrblock = "172.16.0.0/12"  # The CIDR block of the requester VPC
  nexthop_type          = "VpcPeer"        # The next hop is a VPC peering connection
  nexthop_id            = alicloud_vpc_peer_connection.example_peer_connection.id
  depends_on = [alicloud_vpc_peer_connection_accepter.example_peer_connection_accepter]
}

Keep the accepter's AccessKey pair out of the configuration and out of any committed tfvars file: supply the two variables at run time (for example through the TF_VAR_access_key_id and TF_VAR_access_key_secret environment variables, or from a secrets manager), and scope that key to the permissions the accept and route steps need rather than using a root-account key. Remember that the values still land in the Terraform state, so protect the state backend accordingly.
Troubleshoot network connectivity
Checklist | Verification | Solution |
Peering connection status | Check whether the Status of the peering connection is Activated. | If the status is Accepting, contact the accepter account to accept the connection. |
CIDR block | On the peering connection details page, check the Requester CIDR and Accepter CIDR and confirm that the two blocks do not overlap. | If they overlap, migrate your services to VPCs with non-overlapping CIDR blocks. |
Routes | In the Route Entry List of the peering connection details page, check that each VPC has a route entry whose destination is the CIDR block of the peer VPC (or the part of it you need to reach) and whose next hop is this peering connection. A route in only one VPC gives one-way traffic and the session still fails. | Check and modify the routes in both VPCs. |
Access rules | Check the inbound security group rules and network ACLs of the destination ECS instance, and the whitelist of the RDS instance if one is involved. Reachability Analyzer reports which of these blocks the path. | Ensure that the security group, network ACL, and RDS whitelist all allow traffic from the peer IP address. |
Examples
Connect three VPCs
When configuring routes for a VPC peering connection, you have two options:
Set the destination CIDR block to the CIDR block of the peer VPC. This allows all instances to access each other and simplifies management.
Configure more specific routes, and set the destination CIDR block to the vSwitch CIDR block or the IP address of a specific instance in the peer VPC. Only the listed vSwitch or instance is then reachable over the peering connection, which limits exposure at the routing layer in addition to the security groups. However, if a new instance requires communication, you must manually update the route table.
For example, VPC1 is configured with routes that point to the vSwitch 3 CIDR block in VPC2 and ECS04 in VPC3. Therefore, resources in VPC1 can communicate only with resources in vSwitch 3 and ECS04 over the private network. VPC2 and VPC3 are configured with routes that point to the CIDR blocks of their peer VPCs. This allows for full interconnection between their resources.
Connect multiple VPCs and a central VPC
In this scenario, branch VPCs can access services deployed in the central VPC, but the branch VPCs cannot communicate with each other. The isolation comes from the fact that peering connections are not transitive (see Limits): traffic from one branch is never forwarded across the central VPC to another branch. It holds only as long as nothing in the central VPC relays traffic on the branches' behalf, such as an ECS instance acting as a proxy or NAT that both branches can reach. Typical scenarios include:
Multi-department isolation: VPCs for different business departments cannot communicate with each other, but they need to access shared services in the central VPC.
Multi-user isolation: Services are deployed in a dedicated VPC and provided to multiple users. Each user VPC can communicate with the service VPC, but the user VPCs cannot communicate with each other.
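The three-VPC example with specific routes, the hub-and-spoke layout above, and the non-transitivity rule stated under Limits all follow from two routing properties: the most specific matching route wins, and a packet never crosses more than one peering connection. The following Python is an added example, not Alibaba Cloud code, that models those two properties on a constructed topology (the VPC names, CIDR blocks, peering IDs and route entries are all made up for the example). It shows a branch reaching the central VPC, a branch restricted to a single host by a /32 route, and two branches unable to reach each other even when one of them is given a route that tries to transit the hub.

```python
import ipaddress

# Constructed hub-and-spoke topology: two branch VPCs, each peered with one central VPC.
VPC_CIDRS = {
    "central": "10.0.0.0/16",
    "branch1": "10.1.0.0/16",
    "branch2": "10.2.0.0/16",
}

# Each peering connection links exactly two VPCs (hypothetical IDs).
PEERINGS = {
    "pcc-hub-b1": ("central", "branch1"),
    "pcc-hub-b2": ("central", "branch2"),
}

# Route tables: (destination CIDR, next hop type, next hop ID). "local" stands
# for the VPC's own CIDR. branch2 deliberately uses a host-level route so it can
# reach only one shared-service host in the central VPC.
ROUTES = {
    "central": [("10.0.0.0/16", "local", None),
                ("10.1.0.0/16", "VpcPeer", "pcc-hub-b1"),
                ("10.2.0.0/16", "VpcPeer", "pcc-hub-b2")],
    "branch1": [("10.1.0.0/16", "local", None),
                ("10.0.0.0/16", "VpcPeer", "pcc-hub-b1")],
    "branch2": [("10.2.0.0/16", "local", None),
                ("10.0.5.10/32", "VpcPeer", "pcc-hub-b2")],
}


def vpc_of(ip):
    """Return the VPC whose CIDR contains the address, or None."""
    addr = ipaddress.ip_address(ip)
    for vpc, cidr in VPC_CIDRS.items():
        if addr in ipaddress.ip_network(cidr):
            return vpc
    return None


def lookup(vpc, dst_ip):
    """Longest-prefix-match route selection in one VPC's route table."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for dest, nh_type, nh_id in ROUTES[vpc]:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh_type, nh_id)
    return best


def reachable(src_ip, dst_ip):
    """Forward-path check: a packet may cross at most one peering connection."""
    src_vpc, dst_vpc = vpc_of(src_ip), vpc_of(dst_ip)
    if src_vpc is None or dst_vpc is None:
        return False
    if src_vpc == dst_vpc:
        return True
    route = lookup(src_vpc, dst_ip)
    if route is None or route[1] != "VpcPeer":
        return False
    ends = PEERINGS.get(route[2])
    # Non-transitive: the chosen peering must terminate in the destination VPC
    # itself. Any route on the far side that points at a second peering is never
    # consulted for traffic that arrived over the first one.
    return ends is not None and src_vpc in ends and dst_vpc in ends


def bidirectional(src_ip, dst_ip):
    """Application traffic needs the return path too (what Reverse Path Analysis checks)."""
    return reachable(src_ip, dst_ip) and reachable(dst_ip, src_ip)


if __name__ == "__main__":
    print("branch1 -> central service:", bidirectional("10.1.0.5", "10.0.5.10"))
    print("branch2 -> allowed host:   ", bidirectional("10.2.0.5", "10.0.5.10"))
    print("branch2 -> other host:     ", bidirectional("10.2.0.5", "10.0.5.11"))
    print("branch1 -> branch2:        ", bidirectional("10.1.0.5", "10.2.0.5"))
```

The last case stays unreachable even if branch1 is given a route for 10.2.0.0/16 that points at its own peering connection to the hub: the hub's route table does carry an entry for branch2, but traffic that entered over one peering connection is not forwarded out over another, which is exactly the behaviour the Limits section describes.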
Monitoring and O&M
For inter-region peering connections, you can view monitoring data, such as traffic bandwidth and packet loss rate. By leveraging CloudMonitor, you can create threshold-based alert rules to monitor the connection status in real time. This helps you promptly detect and resolve network congestion or faults.
You cannot view the metrics of an intra-region peering connection.
Console
Monitor peering connection
Go to the VPC Peering Connections page in the VPC console. In the top navigation bar, select the region where the VPC is located.
Click the monitoring icon in the Monitoring column of the target inter-region VPC peering connection to view metrics such as bandwidth and packet loss.
CloudMonitor alerts
Go to the Alert Rules page in the CloudMonitor console, and click Create Alert Rule.
Configure thresholds for each alert level of the VPC peering connection metrics. When a metric reaches its threshold, an alert notification is sent to the specified Alert Contact Group. You can also view the alert timeline by clicking Alert History in the Actions column of the alert rule.
You can Modify, Disable, or Delete an alert rule in the Actions column.
API
Call PutResourceMetricRules to set multiple threshold-based alert rules for the metrics of a VPC peering connection. For more information, see CloudMonitor metrics for peering connections.
Call EnableMetricRules to enable one or more alert rules.
Call DisableMetricRules to disable alert rules.
Call DeleteMetricRules to delete one or more alert rules.
Terraform
See CloudMonitor metrics for peering connections to configure threshold-based alert rules.
Resources: alicloud_cms_alarm_contact, alicloud_cms_alarm_contact_group, alicloud_cms_alarm
# The ID of the peering connection instance to be monitored
variable "vpc_peer_id" {
  default = "pcc-28cv******"
}

# Create an alert contact
resource "alicloud_cms_alarm_contact" "example_cms_alarm_contact" {
  alarm_contact_name = "example_cms_alarm_contact_name"
  describe           = "example_vpc_peer_alarm"
  channels_mail      = "xxx@xxx.com" # Change it to your email address.
  lifecycle {
    ignore_changes = [channels_mail]
  }
}

# Create an alert contact group
resource "alicloud_cms_alarm_contact_group" "example_cms_alarm_contact_group" {
  alarm_contact_group_name = "example_cms_alarm_contact_group"
  contacts                 = [alicloud_cms_alarm_contact.example_cms_alarm_contact.id] # Alert contact
}

# Create an alert rule
resource "alicloud_cms_alarm" "example_cms_alarm" {
  name               = "example_cms_alarm_name"
  project            = "acs_vpcpeer"  # The data namespace of the cloud service
  metric             = "IntranetRX"   # The name of the metric
  period             = 60             # The statistical period, in seconds
  contact_groups     = [alicloud_cms_alarm_contact_group.example_cms_alarm_contact_group.alarm_contact_group_name]
  effective_interval = "06:00-20:00"  # The rule is evaluated only in this window; widen it if you need round-the-clock coverage
  metric_dimensions  = <<EOF
[
  {
    "instanceId": "${var.vpc_peer_id}"
  }
]
EOF
  escalations_critical {              # Critical-level alert
    statistics          = "Sum"       # The statistical method for the period
    comparison_operator = ">="        # The comparison operator for the threshold
    threshold           = 104857600   # The threshold, in bytes per period
    times               = 2           # Consecutive periods the threshold must be breached before the alert fires
  }
}
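The alert rules described in the console, API and Terraform sections above fire only after the metric has breached the threshold for the configured number of consecutive statistical periods, and only inside the rule's effective interval. The following Python is an added example, not CloudMonitor code: a simplified evaluator that applies the same parameters as the Terraform rule above (IntranetRX, Sum, >=, 104857600 bytes, times = 2, effective 06:00-20:00) to constructed per-minute datapoints and emits one alert when the rule trips and one recovery event when the metric drops back. Two behaviours are assumptions of the model rather than anything documented on this page: the breach counter resets outside the effective interval, and no repeat alert is emitted while one is already active.

```python
from datetime import datetime, time

# Mirrors the Terraform rule above; the field names are the example's own.
RULE = {
    "metric": "IntranetRX",
    "comparison": ">=",
    "threshold": 104_857_600,       # bytes received per 60 s period
    "times": 2,                     # consecutive breaches before an alert
    "effective": ("06:00", "20:00"),
}

# Constructed datapoints: (ISO timestamp, summed bytes in the period).
DATAPOINTS = [
    ("2024-05-01T05:58:00", 200_000_000),  # breach, but outside the effective interval
    ("2024-05-01T05:59:00", 210_000_000),  # breach, still outside
    ("2024-05-01T06:00:00", 50_000_000),   # window opens, metric normal
    ("2024-05-01T06:01:00", 150_000_000),  # breach 1 of 2
    ("2024-05-01T06:02:00", 160_000_000),  # breach 2 of 2 -> alert
    ("2024-05-01T06:03:00", 170_000_000),  # still breached, alert already active
    ("2024-05-01T06:04:00", 10_000_000),   # back below threshold -> recovery
    ("2024-05-01T06:05:00", 170_000_000),  # breach 1 of 2 again, counter was reset
]

OPERATORS = {
    ">=": lambda value, threshold: value >= threshold,
    ">": lambda value, threshold: value > threshold,
    "<=": lambda value, threshold: value <= threshold,
    "<": lambda value, threshold: value < threshold,
    "==": lambda value, threshold: value == threshold,
}


def in_effective_interval(ts, interval):
    """True when the timestamp's time of day lies inside the start-end window (inclusive)."""
    start, end = (time.fromisoformat(s) for s in interval)
    return start <= ts.time() <= end


def evaluate(rule, datapoints):
    """Replay datapoints through the rule; return [(timestamp, "ALERT" | "RECOVER"), ...]."""
    breached = OPERATORS[rule["comparison"]]
    consecutive = 0       # periods in a row that breached the threshold
    active = False        # an alert has fired and has not recovered yet
    events = []
    for ts_str, value in datapoints:
        ts = datetime.fromisoformat(ts_str)
        if not in_effective_interval(ts, rule["effective"]):
            consecutive = 0   # assumption: breaches outside the window do not count
            continue
        if breached(value, rule["threshold"]):
            consecutive += 1
            if consecutive >= rule["times"] and not active:
                active = True
                events.append((ts_str, "ALERT"))
        else:
            consecutive = 0
            if active:
                active = False
                events.append((ts_str, "RECOVER"))
    return events


if __name__ == "__main__":
    for ts_str, event in evaluate(RULE, DATAPOINTS):
        print(ts_str, event)
```

The replay produces exactly one alert at 06:02 and one recovery at 06:04. The two large readings before 06:00 never raise anything, which is the practical cost of a narrow effective interval on a rule that is supposed to catch traffic anomalies on the peering link.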
FAQs
Do peering connections support cross-border connection?
Yes. Both non-cross-border and cross-border connections are supported.
Non-cross-border: Connect two regions in Chinese mainland or two regions outside the Chinese mainland.
Cross-border: From a region in the Chinese mainland to a region outside the Chinese mainland. Go to Cross-border Leased Line to apply for enterprise qualification. The cross-border leased lines are provided by China Unicom.
What is the network latency of a peering connection?
Intra-region: Low latency.
Inter-region: Because data is transferred across regions, the latency depends on the physical distance and network conditions between the two regions. Use cloud network monitoring to view the average latency between regions as a reference and select a link type for your business.
Why can't I select the destination VPC when creating a peering connection?
Ensure that the selected region and account match the Region and Owner of the destination VPC.
The requester region is displayed at the top of the page, and the account with which you are currently logged on is the requester account. You must specify the accepter account and region when you create the peering connection.
More information
Limits
You cannot create a VPC peering connection in the following cases:
One VPC belongs to an account created on the China site (aliyun.com) and the other on the International site (alibabacloud.com).
VPC peering connections do not support routing propagation.
For example, if VPC 2 and VPC 3 are both connected to VPC 1 using peering connections, VPC 2 and VPC 3 cannot communicate with each other through VPC 1.
In a multi-account shared VPC, the resource owner can create, modify, or delete peering connections, but the principal does not have these permissions.
Billing
No fees are charged for intra-region VPC peering connections, regardless of whether the two VPCs belong to the same or different accounts.
For inter-region VPC peering connections, CDT charges data transfer fees for outbound traffic.
The unit price is determined by the region granularity and link type. Platinum and Gold, two available link types, provide different levels of data transfer quality.
The billing cycle is hourly. If you switch the link type within a billing cycle, you are billed at the unit price of the higher level for that cycle.
As shown in the figure, a VPC peering connection is established between VPC1, owned by Account A, and VPC2, owned by Account B. The two VPCs are in different regions. Assume that the outbound traffic through the VPC peering connection is 200 GB from VPC1 and 100 GB from VPC2, that the link type is Gold, and that the inter-region data transfer fee from China (Hohhot) to China (Guangzhou) is 0.072 USD/GB. Because each account is billed for its own outbound traffic:
Fee for Account A: USD 0.072/GB × 200 GB = USD 14.4
Fee for Account B: USD 0.072/GB × 100 GB = USD 7.2
Stages of a VPC peering connection
A VPC peering connection goes through several stages, starting from when a creation request is sent.
If you create a VPC peering connection within the same account, the system automatically initiates and accepts the connection request, and the VPC peering connection becomes active.
Status description
Supported regions
Area | Regions |
Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region, Closing Down), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region, Closing Down) |
Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia) |
Middle East | UAE (Dubai) and SAU (Riyadh - Partner Region). Important: the SAU (Riyadh - Partner Region) region is operated by a partner. |
Quotas
Quota name | Description | Default quota | Increase quota |
vpc_quota_cross_region_peer_num_per_vpc | The number of inter-region VPC peering connections for a VPC. | 20 | Go to the Quota Management page or Quota Center to request an increase. |
vpc_quota_intra_region_peer_num_per_vpc | The number of intra-region VPC peering connections for a VPC. | 10 | |
vpc_quota_peer_num | The number of VPC peering connections created by an Alibaba Cloud account in a region. | 20 | |
vpc_quota_peer_cross_border_bandwidth | The maximum cross-border bandwidth. | 1024 Mbps | |
vpc_quota_peer_cross_region_bandwidth | The maximum inter-region bandwidth. | 1024 Mbps | |