
Virtual Private Cloud: VPCs and vSwitches

Last Updated: Aug 12, 2025

A virtual private cloud (VPC) is a private network established in the cloud that you can fully control. A VPC is a regional resource where you can create and use Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances and ApsaraDB RDS instances.

A vSwitch is a zonal resource that you can use to divide a VPC into subnets. vSwitches in the same VPC can communicate with each other. You can deploy cloud resources to vSwitches in different zones to improve application availability and prevent service interruptions caused by single points of failure (SPOFs) in a zone.


Network planning

Proper network planning is essential to avoid network segment conflicts and ensure network extensibility. Improper network planning can lead to high rebuilding costs. Therefore, we recommend that you plan your network before you create a VPC.

Create or delete a VPC and a vSwitch

Console

Create a VPC and a vSwitch

  1. Go to the Create VPC page in the VPC console.

  2. Configure the VPC:

    1. Region: Select the region where you want to create cloud resources.

    2. IPv4 CIDR block: Select a CIDR block suggested by the console or enter a custom CIDR block. For scenarios such as multi-VPC communication, we recommend that you configure a non-overlapping CIDR block to prevent conflicts with your existing VPCs. To prevent CIDR block conflicts and ensure network extensibility, we recommend that you create a VPC using IPAM.

      1. We recommend that you use the private IPv4 addresses specified in RFC 1918 as the CIDR block of the VPC. The network mask can be 16 to 28 bits in length. For example, you can use 10.0.0.0/16, 172.16.0.0/16, or 192.168.0.0/16.
      2. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as the IPv4 CIDR block of the VPC.
  3. Configure the vSwitch:

    1. Zone: The zone where you want to create cloud resources. You must select a zone based on the support status and resource inventory in that zone.

    2. IPv4 CIDR block: Select the default CIDR block or specify a custom CIDR block.

    3. Add More vSwitches: To prevent service interruptions caused by SPOFs in a zone, you can create multiple vSwitches in different zones. You can create vSwitches when you create a VPC or add more vSwitches later on the vSwitches page in the VPC console.

Delete a VPC and a vSwitch

In the Operation column or on the details page of the target VPC or vSwitch, click Delete. The system checks for existing cloud resources or associated resources. If dependent resources exist, you must release them before you can delete the VPC and vSwitch.

1. Before you delete a vSwitch, make sure that the vSwitch is not shared, is not associated with a custom route table or a network ACL, and contains no cloud resources.
2. Before you delete a VPC, make sure that all resources in the VPC are released and the VPC is not associated with network services such as CEN.

API

Unlike operations in the console, the CreateVpc operation creates only an empty VPC. You must also call the CreateVSwitch operation to create a vSwitch.
  • Call CreateVpc and CreateVSwitch to create a VPC and a vSwitch.

  • Call DeleteVSwitch and DeleteVpc in sequence to delete the vSwitch and the VPC.

    1. Before you delete a vSwitch, make sure that the vSwitch is not shared, is not associated with a custom route table or a network ACL, and contains no cloud resources.
    2. Before you delete a VPC, make sure that all resources in the VPC are released and the VPC is not associated with network services such as CEN.

Terraform

Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where you want to create the VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Use a data source to automatically obtain a list of zones where you can create vSwitches.
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query the zones where vSwitches can be created in the VPC.
  # available_instance_type = "ecs.g7.large"  # Query the zones where ECS instances can be created in the VPC.
  # available_resource_creation = "slb"  # Query the zones where SLB instances can be created in the VPC.
}

# Create a VPC.
resource "alicloud_vpc" "example_vpc" {
  vpc_name   = "example_vpc_name"
  cidr_block = "10.0.0.0/16" # Specify the CIDR block.
}

# Create a vSwitch.
resource "alicloud_vswitch" "example_vswitch" {
  vswitch_name = "example_vswitch_name"
  cidr_block   = "10.0.0.0/24"                                  # Specify the CIDR block.
  vpc_id       = alicloud_vpc.example_vpc.id                    # Specify the ID of the VPC to which the vSwitch belongs.
  zone_id      = data.alicloud_zones.available_zones.zones.0.id # Specify the zone to which the vSwitch belongs.
}

Enable or disable IPv6

After you enable IPv6 for a VPC and a vSwitch, the system automatically creates an IPv6 gateway and assigns an IPv6 CIDR block. By default, only private communication is supported. If you require Internet communication, you can enable IPv6 Internet bandwidth.

Regions that support the IPv4/IPv6 dual stack.

Console

Enable IPv6

  • When you create a VPC and a vSwitch, you can select Allocate BGP (Multi-ISP) from the IPv6 drop-down list to enable IPv6.

  • For an existing VPC, click Enable IPv6 in the IPv6 CIDR Block column of the VPC. Set the IPv6 CIDR block type to Allocate BGP (Multi-ISP). You can select Automatically Enable IPv6 For All vSwitches In The VPC. You can also click Enable IPv6 in the IPv6 CIDR Block column of the target vSwitch to enable IPv6 for the vSwitch.

Disable IPv6

You can click Disable IPv6 in the IPv6 CIDR Block column of the target VPC or vSwitch. Before you can disable IPv6 for a VPC, you must disable IPv6 for all vSwitches in the VPC and delete the IPv6 gateway of the VPC.

API

Terraform

Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where you want to create the VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Use a data source to automatically obtain a list of zones where you can create vSwitches.
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query the zones where vSwitches can be created in the VPC.
  # available_instance_type = "ecs.g7.large"  # Query the zones where ECS instances can be created in the VPC.
  # available_resource_creation = "slb"  # Query the zones where SLB instances can be created in the VPC.
}

# Create a dual-stack VPC.
resource "alicloud_vpc" "example_vpc" {
  vpc_name    = "example_vpc_name"
  cidr_block  = "10.0.0.0/16"
  enable_ipv6 = true  # Enable IPv6. Set the value to false to disable IPv6.
  ipv6_isp    = "BGP" # Specify the type of the IPv6 CIDR block.
}

# Create a dual-stack vSwitch.
resource "alicloud_vswitch" "example_vswitch" {
  vswitch_name         = "example_vswitch_name"
  cidr_block           = "10.0.0.0/24"
  vpc_id               = alicloud_vpc.example_vpc.id
  zone_id              = data.alicloud_zones.available_zones.zones.0.id
  enable_ipv6          = true # Enable IPv6. Set the value to false to disable IPv6.
  ipv6_cidr_block_mask = 1    # Specify the last 8 bits of the IPv6 CIDR block for the vSwitch.
}

Modify a CIDR block

When you create a VPC, the IPv4 CIDR block that you specify becomes the primary CIDR block of the VPC. You cannot modify the primary CIDR block in the console. However, you can call the ModifyVpcAttribute API operation and change the CidrBlock parameter to expand or shrink the primary CIDR block. If you shrink the block, the new CIDR block must still include all IP addresses that are already in use.

You cannot modify the IPv6 CIDR block of a VPC or the IPv4/IPv6 CIDR block of a vSwitch.

Use a secondary CIDR block to add IP addresses

If a VPC has insufficient available IP addresses for your workloads, you can add a secondary CIDR block to expand its address space.

The secondary CIDR block and the primary CIDR block take effect at the same time. You can use them to create vSwitches and deploy cloud resources such as ECS instances.

1. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as a secondary IPv4 CIDR block.
2. The secondary CIDR block cannot overlap with the primary CIDR block.
3. By default, you can add up to five secondary IPv4 CIDR blocks and five secondary IPv6 CIDR blocks to each VPC.
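The CIDR rules above (allowed mask lengths, the ranges that cannot be used, no overlap with the primary block, the default limit of five secondary blocks) are mechanical enough to check before anything is created. The following Python is an added planning check written for this page, not Alibaba Cloud code; it only encodes the constraints stated here plus one assumption, marked in a comment, that two secondary blocks of the same VPC must not overlap each other:

```python
import ipaddress
from typing import Iterable, List

# Ranges the page lists as not usable for a primary or secondary VPC IPv4 CIDR block.
FORBIDDEN_V4 = [ipaddress.IPv4Network(c) for c in
                ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]
# RFC 1918 private ranges, which the page recommends for VPC CIDR blocks.
RFC1918 = [ipaddress.IPv4Network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_SECONDARY_V4 = 5  # default number of secondary IPv4 CIDR blocks per VPC


def _parse(cidr: str):
    """Return (network, error). strict=True rejects host bits, e.g. 10.0.1.0/16."""
    try:
        return ipaddress.IPv4Network(cidr, strict=True), None
    except ValueError as exc:
        return None, f"{cidr}: {exc}"


def check_primary_cidr(cidr: str, peer_vpcs: Iterable[str] = ()) -> List[str]:
    """Findings (empty list = OK) for a proposed primary VPC CIDR block.

    peer_vpcs: CIDR blocks of other VPCs this one must later communicate with;
    an overlap there is the conflict the page warns about.
    """
    net, err = _parse(cidr)
    if err:
        return [err]
    findings = []
    if not 16 <= net.prefixlen <= 28:
        findings.append(f"{net}: mask length {net.prefixlen} is outside 16-28 bits")
    if any(net.overlaps(f) for f in FORBIDDEN_V4):
        findings.append(f"{net}: overlaps a range that cannot be used as a VPC CIDR block")
    if not any(net.subnet_of(p) for p in RFC1918):
        findings.append(f"{net}: not inside an RFC 1918 private range (recommended)")
    for peer in peer_vpcs:
        peer_net = ipaddress.IPv4Network(peer)
        if net.overlaps(peer_net):
            findings.append(f"{net}: overlaps VPC {peer_net}; multi-VPC communication would conflict")
    return findings


def check_secondary_cidr(primary: str, existing: Iterable[str], new_cidr: str) -> List[str]:
    """Findings for adding new_cidr as a secondary IPv4 CIDR block to a VPC."""
    net, err = _parse(new_cidr)
    if err:
        return [err]
    existing_nets = [ipaddress.IPv4Network(c) for c in existing]
    findings = []
    if any(net.overlaps(f) for f in FORBIDDEN_V4):
        findings.append(f"{net}: overlaps a range that cannot be used as a secondary CIDR block")
    if net.overlaps(ipaddress.IPv4Network(primary)):
        findings.append(f"{net}: overlaps the primary CIDR block {primary}")
    # Assumption (not stated on the page): secondary blocks of one VPC must not overlap each other.
    for other in existing_nets:
        if net.overlaps(other):
            findings.append(f"{net}: overlaps existing secondary CIDR block {other}")
    if len(existing_nets) >= MAX_SECONDARY_V4:
        findings.append(f"VPC already has {len(existing_nets)} secondary IPv4 CIDR blocks (default limit {MAX_SECONDARY_V4})")
    return findings
```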

Console

Add a secondary CIDR block

  1. On the Basic Information page of the target VPC, click the CIDR Block Management tab. You can add a secondary IPv4 or IPv6 CIDR block.

  2. You can add a secondary IPv4 CIDR block in one of the following ways:

    • Recommended CIDR Block: Select one of 10.0.0.0/16, 172.16.0.0/16, or 192.168.0.0/16 to quickly add a secondary CIDR block.

    • Advanced Configuration CIDR Block: Specify a custom secondary CIDR block.

    • IPv4 CIDR Block Allocated By IPAM: Using IPAM helps you avoid conflicts between allocated CIDR blocks. We recommend that you select this option if you already have an IPAM pool with a provisioned CIDR block. To configure this option, first select an address pool, and then configure the Network Mask.

  3. For a secondary IPv6 CIDR block:

    • If IPv6 is disabled for the VPC, click the Enable IPv6 button and set the IPv6 CIDR block type to Allocate BGP (Multi-ISP). You can then select Automatically Enable IPv6 For All VSwitches In The VPC. Alternatively, you can click Enable IPv6 in the IPv6 CIDR Block column of a specific vSwitch to enable IPv6 only for that vSwitch.

    • For a VPC for which IPv6 is enabled, click Add IPv6 CIDR Block and set IPv6 CIDR Block Type to Allocate BGP (Multi-ISP).

Delete a secondary CIDR block

On the Basic Information page of the target VPC, go to the CIDR Block Management > IPv4 CIDR Block tab or the CIDR Block Management > IPv6 CIDR Block tab. Find the secondary CIDR block that you want to delete and click Delete in the Operation column.

API

Terraform

Terraform supports only secondary IPv4 CIDR blocks. Secondary IPv6 CIDR blocks are not supported.
Resources: alicloud_vpc_ipv4_cidr_block
# Specify the region where you want to create the VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the ID of the VPC.
variable "vpc_id" {
  default = "vpc-xxx" # Replace the value with the actual ID of the VPC.
}

# Create a secondary CIDR block in the VPC.
resource "alicloud_vpc_ipv4_cidr_block" "example_secondary_cidr_block" {
  vpc_id               = var.vpc_id
  secondary_cidr_block = "192.168.0.0/16" # Specify the secondary CIDR block.
}

Reserved CIDR block

You can reserve a network segment in a vSwitch to ensure that this segment is not occupied by other resources. The reserved network segment is currently used only to assign an IP prefix to a secondary private IP address of an Elastic Network Interface (ENI).

1. A reserved CIDR block cannot contain the system reserved IP addresses of the vSwitch.
2. You can reserve up to 100 IPv4 CIDR blocks and 100 IPv6 CIDR blocks for each vSwitch.
3. The mask of a reserved IPv4 CIDR block cannot be longer than 28 bits, and the mask of a reserved IPv6 CIDR block cannot be longer than 80 bits.

Console

Create a reserved CIDR block

  1. On the Basic Information page of the target vSwitch, click the Reserved CIDR Block tab. You can add a reserved IPv4 or IPv6 CIDR block. You can add a reserved CIDR block in one of the following two ways:

    • Specify A CIDR Block: Specify the exact CIDR block that you want to reserve.

    • Specify A Mask Length: The system automatically allocates a reserved CIDR block from the available CIDR blocks.

  2. For an IPv6 CIDR block, if IPv6 is disabled for the vSwitch, click the Enable IPv6 button. In the Enable IPv6 dialog box that appears, set the IPv6 CIDR block for the vSwitch.

    If IPv6 is also disabled for your VPC, in the Enable IPv6 dialog box that appears, first set IPv6 CIDR Block Type to the default value Allocate BGP (Multi-ISP), and then set the IPv6 CIDR block for the vSwitch.

View used IP segments

On the Basic Information page of the target vSwitch, go to the Reserved CIDR Block > IPv4 CIDR Block tab or the Reserved CIDR Block > IPv6 CIDR Block tab. Find the reserved CIDR block that you want to manage and click View Used IPs in the Operation column to view the used IP segments and their corresponding ENIs.

Delete a reserved CIDR block

Before you delete a reserved CIDR block, make sure that no IP segments in the reserved CIDR block are in use.

On the Basic Information page of the target vSwitch, go to the Reserved CIDR Block > IPv4 CIDR Block tab or the Reserved CIDR Block > IPv6 CIDR Block tab. Find the reserved CIDR block that you want to delete and click Delete in the Operation column.

API

Terraform

Resources: alicloud_vpc_vswitch_cidr_reservation
# Specify the region where you want to create the VPC.
provider "alicloud" {
  region = "cn-hangzhou" # The region where the resource resides.
}

# Specify the ID of the vSwitch.
variable "vsw_id" {
  default = "vsw-xxx" # Replace the value with the actual ID of the vSwitch.
}

# Create a reserved CIDR block.
resource "alicloud_vpc_vswitch_cidr_reservation" "example_cidr_reservation" {
  vswitch_id            = var.vsw_id
  ip_version            = "IPv4"
  cidr_reservation_cidr = "10.0.0.128/26" # Specify the reserved CIDR block.
}

Create a VPC using IPAM

Manually configuring IPv4 CIDR blocks may be inefficient and cause potential address conflicts.

IPAM is a cloud-based IP address management tool that automates the allocation and management of IP addresses, simplifies network management, and prevents address conflicts. Use IPAM to plan your address space: after you create an IPAM instance and an IPAM pool, you can assign an IPv4 CIDR block from the pool to a virtual private cloud (VPC).

Console

Go to the Create VPC page in the VPC console. Use the IPv4 CIDR Block Allocated By IPAM option. Select an IPAM pool and configure a mask to allocate a CIDR block from the IPAM pool to the VPC.

After you configure the network mask, the system allocates the first available CIDR block within the specified mask range by default. You can also adjust the IPv4 CIDR block within the provisioned CIDR block of the address pool.

Before you create a VPC, make sure that you have created an IPAM instance and an IPAM pool in the IPAM console.

API

Terraform

Resources: alicloud_vpc_ipam_ipam, alicloud_vpc_ipam_ipam_pool, alicloud_vpc_ipam_ipam_pool_cidr, alicloud_vpc
# Specify the region where you want to create the IPAM instance, IPAM pool, and VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Create an IPAM instance.
resource "alicloud_vpc_ipam_ipam" "example_ipam" {
  ipam_name             = "example_ipam_name"
  operating_region_list = ["cn-hangzhou"] # Specify the region where the IPAM instance takes effect.
}

# Create an IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool" "example_parentIpamPool" {
  ipam_scope_id  = alicloud_vpc_ipam_ipam.example_ipam.private_default_scope_id # Specify the scope of the IPAM pool.
  ipam_pool_name = "example_parentIpamPool_name"
  pool_region_id = alicloud_vpc_ipam_ipam.example_ipam.region_id # Specify the region where the IPAM pool takes effect.
  ip_version     = "IPv4"                                     # Specify the IP version of the IPAM pool.
}

# Allocate a CIDR block to the IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_ipamPoolCidr" {
  cidr         = "10.0.0.0/16"                                       # Specify the CIDR block.
  ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM pool.
}

# Create a VPC.
resource "alicloud_vpc" "example_ipam_vpc" {
  vpc_name          = "example_ipam_vpc_name"
  ipv4_ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM pool.
  ipv4_cidr_mask    = 24                                                 # The IPv4 network mask.
}

More information

Default VPCs and default vSwitches

Default VPCs and vSwitches help you quickly verify and deploy services. However, if you require long-term network services or need to run core production systems, we recommend that you create custom VPCs and vSwitches based on your business architecture. This allows for fine-grained network planning, resource fencing, security control, and scalability, which helps you build a cloud network environment that meets your business requirements.

You can create only one default VPC in each region and only one default vSwitch in each zone. Default VPCs and vSwitches do not consume your quotas.

  • When you create an ECS, SLB, or RDS instance in a region where no VPC has been created, you can choose to have Alibaba Cloud create a default VPC and a default vSwitch. The CIDR block of the default VPC created in this way is fixed at 172.16.0.0/12.

  • In a region where you have not yet created a default VPC, you can call CreateDefaultVpc and CreateDefaultVSwitch to create a default VPC and a vSwitch. The CIDR block of a default VPC created in this way is 172.xx.0.0/16.

VPCs and vSwitches that you create are non-default VPCs and vSwitches. You can delete default VPCs and vSwitches, but you cannot convert default VPCs and vSwitches to non-default ones, or vice versa.

System reserved IP addresses

The address space of a vSwitch CIDR block contains system reserved IP addresses. You cannot assign system reserved IP addresses to cloud resources such as ECS instances.

  • For IPv4, the first IP address and the last three IP addresses of each vSwitch are reserved by the system.

    For example, if the CIDR block of a vSwitch is 192.168.1.0/24, 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved by the system.

  • For IPv6, the first IP address and the last nine IP addresses of each vSwitch are reserved by the system.

    For example, if the IPv6 CIDR block of a vSwitch is 2408:xxxx:xxxx:6eff::/64, the first IP address 2408:xxxx:xxxx:6eff:: and the last nine IP addresses from 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff7 to 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:ffff are reserved by the system.
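The system reserved addresses described here and the rules for a reserved CIDR block in the Reserved CIDR block section (must not contain system reserved addresses, mask no longer than 28 or 80 bits, at most 100 reservations per vSwitch) can be computed from the vSwitch CIDR block alone. The following Python is an added example for this page, not Alibaba Cloud code; it reproduces the page's 192.168.1.0/24 example and the 10.0.0.128/26 reservation from the Terraform snippet, and adds one assumption, marked in a comment, that reservations in the same vSwitch must not overlap:

```python
import ipaddress
from typing import Iterable, List


def system_reserved_ips(vswitch_cidr: str) -> List[str]:
    """First address plus the last three (IPv4) or last nine (IPv6) addresses of the vSwitch."""
    net = ipaddress.ip_network(vswitch_cidr)
    tail = 3 if net.version == 4 else 9
    # broadcast_address is simply the highest address of the block, for IPv6 as well.
    last = [net.broadcast_address - i for i in range(tail - 1, -1, -1)]
    return [str(net.network_address)] + [str(a) for a in last]


def usable_ip_count(vswitch_cidr: str) -> int:
    """Addresses the vSwitch can actually assign to cloud resources."""
    net = ipaddress.ip_network(vswitch_cidr)
    return net.num_addresses - len(system_reserved_ips(vswitch_cidr))


def check_reserved_cidr(vswitch_cidr: str, reserved: str,
                        existing: Iterable[str] = ()) -> List[str]:
    """Findings (empty list = OK) for reserving `reserved` inside a vSwitch."""
    vsw = ipaddress.ip_network(vswitch_cidr)
    res = ipaddress.ip_network(reserved)
    if vsw.version != res.version or not res.subnet_of(vsw):
        return [f"{res}: not a sub-block of vSwitch {vsw}"]
    findings = []
    max_mask = 28 if res.version == 4 else 80
    if res.prefixlen > max_mask:
        findings.append(f"{res}: mask length {res.prefixlen} exceeds the {max_mask}-bit limit")
    hits = [ip for ip in system_reserved_ips(vswitch_cidr) if ipaddress.ip_address(ip) in res]
    if hits:
        findings.append(f"{res}: contains system reserved IP addresses {', '.join(hits)}")
    # Assumption (not stated on the page): reservations in one vSwitch must not overlap.
    existing_nets = [ipaddress.ip_network(c) for c in existing]
    for other in existing_nets:
        if other.version == res.version and res.overlaps(other):
            findings.append(f"{res}: overlaps existing reservation {other}")
    same_family = sum(1 for n in existing_nets if n.version == res.version)
    if same_family >= 100:
        findings.append(f"vSwitch already has {same_family} reserved IPv{res.version} CIDR blocks (limit 100)")
    return findings
```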

Cross-account authorization

Before you connect a VPC to a cross-account CEN instance, virtual border router (VBR), or Express Connect Router (ECR), you must grant cross-account permissions in the VPC.

For more information about authorization, see Authorize a cross-account CEN instance, Authorize a cross-account VBR instance, and Authorize a cross-account ECR instance.

After authorization, the other account can select your VPC when it creates a VPC connection to its CEN instance, creates a VBR connection, or associates a VPC with its ECR.

1. The account mentioned here refers to an Alibaba Cloud account, not a RAM user.
2. Cross-account authorization across different sites is not supported. For example, you cannot grant permissions to an account on the China site (aliyun.com) from an account on the international site (alibabacloud.com).