This topic compiles frequently asked questions about virtual private cloud (VPC) to help you quickly solve problems, understand product capabilities, and optimize your network architecture.
Network connectivity issues
How do I resolve CIDR block conflicts when configuring peering connections?
How do I troubleshoot when some IP addresses cannot be accessed after adding a peering connection?
Why can the requester VPC ping the accepter VPC but not the other way around?
Why can't I access the Internet after deleting an IPv4 gateway?
Why doesn't the VIP migrate after binding a high-availability virtual IP address?
Why is the network still not connected after adding a route?
What should I do if an ECS instance cannot access the Internet after binding an EIP?
Why doesn't my ECS instance in a VPC have a public IP address?
Network planning and design issues
How do I implement privately used public CIDR blocks in a VPC?
Do VPC peering connections support cross-account and cross-region connections?
Do VPC peering connections support cross-border private network communication?
What are the differences between a VPC and a classic network?
How do I enable communication between a VPC and a classic network?
Can a VPC communicate with other VPCs or on-premises networks when CIDR blocks conflict?
How do I use a single public IP address for multiple ECS instances to access the Internet?
What are the differences between an IPv4 gateway and an Internet NAT gateway?
How do different security groups communicate with each other?
How do I troubleshoot when security group rules are not taking effect?
CIDR block configuration issues
VPC and vSwitch deletion issues
Routing issues
Network operations and monitoring issues
Billing issues
Network connectivity issues
How do I troubleshoot VPC peering connection issues?
You can use the following troubleshooting steps. You can also use the Network Intelligence Service - Path Analysis tool to help diagnose issues.
Check routes:
Ensure the peering connection status is "Active".
Check the route tables on both sides to verify that routes pointing to the peer VPC CIDR block are correctly configured with the peering connection instance as the next hop.
Check security groups & network ACLs:
Check the security groups and network ACL rules for both the source ECS and destination ECS (or RDS, etc.).
Ensure the inbound rules of the destination security group and network ACL allow traffic from the source VPC CIDR block (or specific source IP) to access the required service ports.
Ensure the outbound rules of the source security group and network ACL do not restrict outgoing traffic.
Check for CIDR block conflicts:
Check if the CIDR blocks of the two VPCs overlap. When using VPC peering connections, it is recommended that the CIDR blocks of the two VPCs do not overlap.
Pay special attention to Docker/Kubernetes container CIDR blocks within ECS instances, and check if they conflict with the peer VPC CIDR block. This is a very common but hidden cause. Even if routes, security groups, and network ACLs are correctly configured, the network will not work if there is a conflict.
How do I resolve CIDR block conflicts when configuring peering connections?
If two VPCs that need to communicate have conflicting CIDR blocks, you have the following options:
Redesign your network (recommended): Migrate resources from one VPC to a new VPC with non-conflicting CIDR blocks. This is the most thorough solution.
Use Cloud Enterprise Network (CEN) and VPC NAT gateway: For more complex CIDR block conflict scenarios, you can use CEN combined with the private NAT function of VPC NAT gateway to map addresses from one VPC to another address range before communication. This approach is architecturally complex and more expensive. For more information, see Enable private network communication between VPCs with conflicting CIDR blocks using VPC NAT Gateway.
How do I troubleshoot when some IP addresses cannot be accessed after adding a peering connection?
This situation is usually caused by more specific routes or security group rules.
Route issues: Check the route tables on both sides. There might be a more specific route with higher priority (based on the longest prefix match principle) that directs traffic elsewhere (such as a default route pointing to a NAT gateway).
Security group issues: Check the inbound rules of the destination security group to see if they only allow access from certain source IP addresses.
Network ACL issues: Check if the network ACL only allows traffic from certain subnets.
Why can the requester VPC ping the accepter VPC, but not the other way around?
One-way connectivity is usually caused by asymmetric configurations. Check the security group and network ACL rules of the ECS instances in both VPCs to make sure that both outbound and inbound traffic is allowed.
I have established VPC peering connections from VPC A to VPC B and from VPC B to VPC C. Why can't VPC A and VPC C communicate with each other?
VPC peering connections are not transitive.
This means that if a peering connection is established between VPC A and VPC B, and another peering connection is established between VPC B and VPC C, VPC A and VPC C cannot communicate with each other through VPC B.
To enable full-mesh communication among multiple VPCs, for example, to build a star or mesh network topology, you can use Cloud Enterprise Network (CEN).
Why can't I access the peer's cloud services such as RDS or Redis even though the VPC peering connection is established?
This issue is similar to ECS connectivity issues. However, you also need to check the access control settings of the cloud service.
Perform basic connectivity troubleshooting: Follow the checklist in How do I troubleshoot VPC peering connection issues? to check the route, CIDR block, security group, and network ACL configurations to make sure that the network link is available.
Check the IP address whitelist of the cloud service: Most database and cache services, such as RDS, Redis, and MongoDB, provide an IP address whitelist. You must add the private IP address of the source ECS instance or the CIDR block of the vSwitch to which the ECS instance belongs to the whitelist of the destination cloud service.
Do VPC peering connections support cross-account and cross-region connections?
Yes. Note that cross-region usage is uniformly charged by Cloud Data Transfer based on outbound traffic.
Note that cross-site connections are not supported, for example, VPCs between the China site (aliyun.com) and international site (alibabacloud.com) cannot communicate with each other.
Why can't I access the Internet after deleting an IPv4 gateway?
The most common reason is that when deleting the IPv4 gateway, you selected "private mode" instead of "public mode". After selecting private mode for deletion, all resources within the VPC will be unable to communicate with the Internet.
To restore the VPC to a state without an IPv4 gateway but with Internet access, you can create a new IPv4 gateway, then delete it and select "public mode". For detailed logic, see IPv4 gateway.
Can an ECS instance in the primary CIDR block of a VPC communicate with an ECS instance in the secondary CIDR block of the same VPC?
ECS instances in both the primary and secondary CIDR blocks belong to the same VPC. If security group and network ACL rules allow, they can communicate with each other.
Can an ECS instance in a classic network communicate with cloud resources in the secondary CIDR block of a VPC if ClassicLink is enabled for the VPC?
No, secondary CIDR blocks are not compatible with the ClassicLink feature.
Why doesn't the VIP migrate after binding a high-availability virtual IP address?
When the primary node fails and the VIP does not automatically migrate to the backup node, it is usually due to one of the following reasons:
Keepalived service is not running: For example, in CentOS 7.9, run systemctl status keepalived to check the service status. If it's not running, you can start it with systemctl start keepalived.
Keepalived configuration errors: Check the keepalived.conf configuration file for errors, such as:
The virtual_router_id is inconsistent between primary and backup nodes.
The authentication is inconsistent between primary and backup nodes.
The peer IP address specified in unicast_peer is incorrect.
The virtual IP address specified in virtual_ipaddress is not the high-availability virtual IP address.
Security group or network ACL blocking: Check if security group or network ACL rules are blocking traffic from the request source IP.
Instance firewall: Check if the firewall within the ECS instance (such as firewalld, iptables) is blocking traffic from the request source IP.
Why is the network still not connected after adding a route?
Adding the correct route is just one prerequisite for network connectivity. If the network is still not connected, follow these steps for systematic troubleshooting:
Check bidirectional routes: Ensure that routes for both request and response directions are correctly configured. For example, VPC peering connections must have routes configured on both sides.
Security group rules: Check whether the security groups of the source and destination ECS instances allow traffic on the corresponding protocols and ports (for example, ping requires that the ICMP protocol is allowed).
Network ACL rules: If you have configured network ACLs, check their outbound and inbound rules to ensure they allow the relevant traffic.
ECS internal firewall: Check whether the firewall within the ECS instance's operating system (such as iptables/firewalld for Linux, or Windows Firewall) is blocking traffic.
CIDR block conflicts: Check for network address conflicts, such as Docker CIDR blocks on ECS conflicting with the peer VPC CIDR block.
Use path analysis tool: Use the Network Intelligence Service - Path Analysis tool in the console to help you visually diagnose network connectivity between two points.
What should I do if an ECS instance cannot access the Internet after binding an EIP?
Please check the following:
IPv4 gateway and VPC route table: If the VPC has an IPv4 gateway enabled, check the route table of the vSwitch where the ECS instance is located to see if there is a default route (destination 0.0.0.0/0) pointing to the IPv4 gateway.
Security group rules: Check the outbound rules of the security group to which the ECS instance belongs. By default, outbound rules allow all traffic (0.0.0.0/0). Make sure you haven't mistakenly restricted outbound access.
Network ACL rules: If you have configured a network ACL for the vSwitch, check if its outbound rules allow traffic to flow out.
Overdue payment: Check if your Alibaba Cloud account has any overdue payments, which might cause the EIP to stop working.
ECS internal network configuration: Confirm that the network configuration (such as gateway, DNS) within the ECS operating system is correct. This should typically be obtained automatically via DHCP.
Why doesn't my ECS instance in a VPC have a public IP address?
The core design of VPC is for network isolation and security. By default, ECS instances created in a VPC are only assigned a private IP address for communication within the VPC, and they do not have the ability to access the Internet. This is one of the core security features of VPC.
If you need it to access the Internet, you must explicitly configure public access capability, such as binding an EIP or configuring a NAT gateway as described in the Internet access document.
Network planning and design issues
Does VPC support multicast?
VPC itself does not support multicast capabilities. However, VPC can be combined with the Cloud Enterprise Network (CEN) product to implement multicast management.
How can a VPC use public IP addresses for private communication?
Some enterprises use non-RFC 1918 CIDR blocks as private address space in their on-premises data centers or VPCs, such as 30.0.0.0/16. When establishing network connections with other VPCs or on-premises data centers, because VPC treats IP addresses outside RFC 1918 as public CIDR blocks, cloud resources in the VPC with Internet access capability will prioritize accessing the Internet even if routes pointing to 30.0.0.0/16 are configured to point to the on-premises data center or VPC, making it impossible to access the target VPC or on-premises data center.
You can implement privately used public CIDR blocks using the following methods:
Method 1: IPv4 gateway feature. You can use an IPv4 gateway to centrally control VPC Internet access behavior, prioritizing routing to other VPCs or on-premises data centers when accessing 30.0.0.0/16. For a detailed solution, see Use an IPv4 gateway to implement privately used public CIDR blocks.
Method 2: User CIDR block feature. If you want the VPC to forward requests to 30.0.0.0/16 according to the route table instead of directly to the Internet, you can use the CreateVpc API and pass the UserCidr parameter when creating a new VPC to set a user CIDR block for the VPC. After setting a user CIDR block, requests from the VPC to addresses in the user CIDR block will be forwarded according to the route table.
1. User CIDR blocks can only be set through the API, not through the console. User CIDR blocks cannot be modified after creation.
2. When you only set the IPv4 CIDR block for a VPC, if you select a custom CIDR block other than the three RFC 1918 private CIDR blocks (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) and their subnets, the system will automatically set that primary CIDR block as the user CIDR block.
What are the differences between a VPC and a classic network?
The classic network is an early form of Alibaba Cloud networking that is being phased out and is not recommended for users. All purchased resources should be deployed in VPCs.
Feature | Classic network | Virtual private cloud (VPC) |
Network model | All users share a flat, large Alibaba Cloud public address space | Logically isolated networks based on tunneling technology, exclusive to each user |
Network isolation | Relies on security groups for isolation | Natural Layer 2 network isolation, more secure |
Network customization | Cannot customize network topology and IP addresses | Highly flexible, can customize CIDR blocks, routes, and network topology |
Security | Lower | Higher |
How do I enable communication between a VPC and a classic network?
You can refer to: Use ClassicLink to connect a classic network to a VPC.
How do I enable communication between different VPCs? What are the differences between VPC peering connections and CEN?
You can refer to: Connect VPCs.
How do I connect an Alibaba Cloud VPC to an on-premises data center? How do I connect an Alibaba Cloud VPC to AWS/Tencent Cloud?
You can refer to: Connect a VPC to an on-premises data center, office terminals, or other clouds.
Can a VPC communicate with other VPCs or on-premises networks when CIDR blocks conflict?
You can refer to:
How do I allow an ECS server to access the Internet? How do I allow an ECS server to access the Internet using an IPv6 address?
You can refer to: Select a public IP address type.
How do I use a single public IP address for multiple ECS instances to access the Internet?
You can refer to:
What are the differences between an IPv4 gateway and an Internet NAT gateway?
Network component | IPv4 gateway | Internet NAT gateway |
Functional positioning | Public IPv4 traffic control component at the VPC boundary | Network Address Translation device within a VPC |
Usage scenarios | Centralized control of Internet access traffic | Unified Internet traffic egress |
Provides Internet access capability | No, only controls Internet traffic | Provides Internet access capability by binding EIPs (Internet access capability is provided by EIPs, not by the NAT gateway itself) |
The functions of IPv4 gateways and Internet NAT gateways do not overlap, and they can be used together. You can refer to Internet access for detailed information about the relationships between related network components.
How do I switch between public and private IP addresses?
An ECS instance with an EIP bound to it has both a public IP address and a private IP address. You do not need to manually "switch" between them.
Internal VPC communication: When other ECS instances within the VPC access this ECS instance, they should always use its private IP address. Traffic flows entirely within the VPC, which is fast and free.
Internet access and being accessed from the Internet: When users or other devices on the Internet access this ECS instance, or when this ECS instance actively accesses the Internet, they must use its public IP address (EIP).
How do I access OSS from an ECS instance through a VPC?
You can refer to: Access Alibaba Cloud services through private networks.
How do I allow only specific IP addresses to access an ECS instance? What are the differences between network ACLs and security groups?
You can refer to: Access control.
How do different security groups communicate with each other?
Basic security groups support using security groups as authorization objects, while enterprise security groups do not. For more information, see ECS documentation - Support security groups as authorization objects.
When configuring inbound or outbound rules for basic security groups, you can directly set another basic security group as the source of access. This approach is more flexible than authorizing IP address ranges. Even if new ECS instances are added to the security group or instance IPs change in the future, there is no need to modify the security group rules, as they automatically have access permissions.
How do I troubleshoot when security group rules are not taking effect?
Rule priority: Check if there is a conflict with a higher priority rule.
Direction error: Check whether the rule is configured for "inbound" or "outbound" direction. Accessing an ECS instance is inbound, while an ECS instance accessing external resources is outbound.
Target object error: Confirm that the security group is correctly applied to the network interface of the target ECS instance.
Network ACL blocking: Check if the vSwitch where the ECS instance is located is associated with a network ACL, and if the ACL rules deny that traffic.
ECS internal firewall: Check the firewall settings within the operating system.
Routing issues: Ensure that traffic can be correctly routed to the ECS instance.
How do I migrate an ECS instance to another VPC?
You can refer to: Change the VPC of an ECS instance.
Can I use a custom DNS server in a VPC?
Yes. Using the DHCP options set feature, you can change the default DNS server configuration of a VPC to your self-built DNS server on an ECS instance, a DNS server in your on-premises data center, or a third-party public DNS service (note that network connectivity is required). You can refer to: Use a self-built DNS service.
Can a VPC peering connection connect VPCs that belong to accounts on the China site and the international site?
No, it cannot.
Due to cross-account compliance requirements, VPC peering connections do not support private communication between VPCs that belong to accounts on the China site and the international site.
Do VPC peering connections support cross-border private network communication?
This is supported.
For cross-border peering connections, you are charged for outbound data transfer by Cloud Data Transfer (CDT). To use the cross-border feature of CDT, you must go to Cross-border Leased Line to apply for an enterprise qualification. The cross-border leased line is provided by China Unicom.
What is the network latency of a VPC peering connection?
Intra-region peering connections: The network latency is low, typically in the low millisecond range.
Cross-region peering connections: The network latency is relatively high because data is transmitted across different regions. The specific latency depends on the physical distance and network conditions between the two regions. You can use the cross-cloud network performance monitoring tool to view the average network latency between regions for reference and select a link type that is more suitable for your business.
CIDR block configuration issues
What is CIDR?
Classless Inter-Domain Routing (CIDR) is a method for IP address allocation and route aggregation that can improve network management efficiency and simplify routing tables.
CIDR uses slash notation (such as 192.168.1.0/24):
The part before the slash is the network address, representing the starting IP address of the IP address range.
The number after the slash indicates the number of consecutive 1s in the subnet mask, which is the length of the network prefix. The remaining bits are used for host addresses.
A CIDR block is a collection of IP addresses that share the same network prefix and bit length. A large CIDR block can be divided into smaller CIDR blocks with different network prefixes and bit lengths, a process known as subnetting. CIDR blocks are the foundation of modern network planning, and VPC and vSwitch subnet division are based on this principle.
Examples:
192.168.0.0/16: The first 16 bits are for the network, the last 16 bits are for hosts (theoretically including 2^16 IP addresses). This CIDR block includes 192.168.1.0/24, 192.168.2.0/26, etc.
10.0.0.0/8: The first 8 bits are for the network, the last 24 bits are for hosts (theoretically including 2^24 IP addresses). This CIDR block includes 10.1.0.0/16, 10.2.0.0/24, etc.
172.16.0.0/12: The first 12 bits are for the network, the last 20 bits are for hosts (theoretically including 2^20 IP addresses). This CIDR block includes 172.17.0.0/16, 172.18.0.0/24, etc.
When creating a VPC and vSwitches, you need to specify CIDR blocks for them. Note that the actual number of usable IP addresses is less than the theoretical value because vSwitches have system reserved IP addresses.
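The arithmetic behind the examples above (network address, prefix length, host bits, 2^n addresses, containment, and carving a VPC block into vSwitch blocks) is shown in the following added example, which is not code from the original page or from Alibaba Cloud. It uses only the standard ipaddress module. The number of addresses the system reserves in each vSwitch is not given on this page, so RESERVED_PER_VSWITCH is an assumed, adjustable value.

```python
import ipaddress
from typing import Dict, List

# Assumption, not stated on the page: how many addresses the system reserves
# in each vSwitch. Replace with the value documented for your platform.
RESERVED_PER_VSWITCH = 4


def describe_cidr(cidr: str) -> Dict[str, object]:
    """Break a CIDR block into the pieces the slash notation encodes."""
    net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits set
    return {
        "network_address": str(net.network_address),   # part before the slash
        "prefix_length": net.prefixlen,                 # number after the slash
        "netmask": str(net.netmask),                    # prefixlen leading 1 bits
        "host_bits": net.max_prefixlen - net.prefixlen,
        "total_addresses": net.num_addresses,           # 2 ** host_bits
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
    }


def is_within(candidate: str, block: str) -> bool:
    """True if candidate shares block's network prefix, i.e. is one of its subnets."""
    return ipaddress.ip_network(candidate).subnet_of(ipaddress.ip_network(block))


def plan_vswitches(vpc_cidr: str, vswitch_prefix: int, count: int) -> List[Dict[str, object]]:
    """Carve `count` equal /vswitch_prefix vSwitch blocks out of the VPC block (subnetting)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if vswitch_prefix <= vpc.prefixlen:
        raise ValueError("vSwitch prefix must be longer than the VPC prefix")
    plan: List[Dict[str, object]] = []
    for sub in vpc.subnets(new_prefix=vswitch_prefix):
        if len(plan) == count:
            break
        plan.append({
            "cidr": str(sub),
            "total_addresses": sub.num_addresses,
            # actual usable count is lower because of system reserved addresses
            "usable_addresses": sub.num_addresses - RESERVED_PER_VSWITCH,
        })
    if len(plan) < count:
        raise ValueError("VPC block is too small for that many vSwitches")
    return plan


if __name__ == "__main__":
    for cidr in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"):
        print(cidr, describe_cidr(cidr))
    print(is_within("192.168.2.0/26", "192.168.0.0/16"))
    for vs in plan_vswitches("192.168.0.0/16", 24, 3):
        print(vs)
```

is_within is the check to run before creating a vSwitch: its CIDR block must be a subnet of the VPC block (or of one of the VPC's secondary CIDR blocks), and two vSwitches in the same VPC must not overlap.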
How do I modify the CIDR block of a VPC?
Adjust the primary CIDR block:
When you create a VPC, the IPv4 CIDR block you specify is the primary CIDR block of the VPC. The console does not support modifying the primary CIDR block of a VPC, but you can adjust the CidrBlock parameter of the ModifyVpcAttribute API to expand or shrink the CIDR block within the primary CIDR block. You need to ensure that the reduced CIDR block includes all IP addresses that are already in use.
The IPv6 CIDR block assigned to a VPC after IPv6 is enabled cannot be modified.
Use secondary CIDR blocks: You can use secondary CIDR blocks to expand address space, adding secondary CIDR blocks to the VPC in addition to the primary CIDR block. Secondary CIDR blocks work alongside the primary CIDR block and can be used to create vSwitches and deploy cloud resources such as ECS instances.
How do I modify the CIDR block of a vSwitch?
The IPv4/IPv6 CIDR blocks of a vSwitch cannot be modified after creation.
To adjust the CIDR block of a vSwitch, you can only delete the vSwitch and create a new one with the desired CIDR block. Before deleting a vSwitch, you must first release or migrate all cloud resources within it, such as ECS instances, Server Load Balancer instances, ApsaraDB RDS instances, etc. This is a high-risk operation, so be sure to back up your data and prepare a business migration plan.
Which CIDR block should I select when creating a VPC?
Selecting a VPC CIDR block is a key step in network planning. It is recommended to follow these principles:
Use standard private CIDR blocks: It is recommended to use standard private CIDR blocks defined in RFC 1918, such as 10.0.0.0/16, 172.16.0.0/16, and 192.168.0.0/16. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as VPC CIDR blocks.
Avoid conflicts with on-premises data centers or other network environments: If you plan to connect your VPC with on-premises networks or other VPCs or other clouds, make sure the VPC CIDR block does not conflict with the CIDR blocks of these networks.
Reserve sufficient address space: Based on your future business scale, estimate the number of IP addresses needed and select a CIDR block that is large enough to avoid complex network restructuring due to insufficient addresses later.
Avoid conflicts with commonly used container network CIDR blocks: If you plan to use Docker or Kubernetes (K8s) in your VPC, it is recommended to avoid using 172.17.0.0/16 and other default container CIDR blocks to prevent communication issues.
How do I assign an IPv6 CIDR block to a VPC? How do I access the Internet using IPv6?
After enabling IPv6 for a VPC and vSwitch, the system automatically creates an IPv6 gateway and assigns an IPv6 CIDR block, which by default only supports private network communication. For Internet communication, you can enable IPv6 Internet bandwidth. For detailed operations, see Enable/disable IPv6.
Can I assign only an IPv6 CIDR block to a VPC (IPv6 only)?
No. VPC currently supports IPv4 only and dual-stack (IPv4+IPv6), but does not support IPv6 only.
How do I assign a specific private IP address to an existing ECS instance?
You can refer to: Modify the primary private IPv4 address of an existing ECS instance.
Why can't Docker networks communicate with VPC networks when their CIDR blocks conflict?
This is a very typical issue in cloud network planning. When Docker (or Kubernetes pod) networks deployed on ECS instances overlap with other vSwitch CIDR blocks in your VPC or with the peer VPC CIDR block in a peering connection, it causes routing conflicts and prevents normal communication.
Reason: Suppose the default Docker CIDR block is 172.17.0.0/16, and there is a vSwitch B in the VPC with a CIDR block of 172.17.0.0/24. When an application in a Docker container tries to access an IP in vSwitch B, the ECS operating system will, based on its own routing table, incorrectly route this traffic to the local docker0 bridge instead of forwarding it through the VPC route, causing communication failure.
Solution:
Modify Docker/Kubernetes network configuration: Modify the Docker daemon configuration file (such as /etc/docker/daemon.json) to specify a private CIDR block that does not conflict with your overall cloud network environment (including all interconnected VPCs and on-premises data centers). This is the most fundamental solution.
Avoid pitfalls when planning VPC CIDR blocks: When planning VPC and vSwitch CIDR blocks, actively avoid 172.17.0.0/16, 10.0.0.0/8, and parts of these CIDR blocks commonly used by Kubernetes.
How do I configure IPAM address pools to avoid conflicts between new VPCs and existing CIDR blocks in on-premises data centers or other clouds?
Before enabling IPAM, comprehensively review all network environments that need to be interconnected, including on-premises data centers, office networks, other clouds, etc., and record all CIDR blocks that are already in use.
When provisioning a CIDR block in the IPAM address pool, include these already used CIDR blocks.
Create custom allocations in the IPAM address pool to reserve these address ranges.
Allocate all new VPC CIDR blocks through IPAM. Since IPAM has recorded all used CIDR blocks, the new CIDR blocks it allocates will naturally not conflict with existing CIDR blocks.
Does high-availability virtual IP address support IPv6?
No. Currently, it only supports IPv4.
VPC and vSwitch deletion issues
What should I do when I receive a message indicating dependent resources exist when I try to delete a VPC or vSwitch?
You can follow the console prompts to delete the dependent resources first, and then delete the VPC or vSwitch.
You can view the current resources on the "Resource Management" page of the VPC instance details page, or on the "Cloud Resource Management" page of the vSwitch instance details page.
What should I do when I cannot delete an ENI when deleting a VPC?
Elastic Network Interfaces (ENIs) are one of the most common remaining resources when deleting a VPC or vSwitch.
Primary ENI: The primary ENI is created with the ECS instance, and its lifecycle is bound to the ECS instance. It cannot be detached or deleted separately. You must first release the ECS instance, and then the primary ENI will be deleted with it.
Secondary ENI: If it is a secondary ENI, you need to detach it from the ECS instance before you can delete it.
ENIs used and managed by other cloud services: Some cloud services (such as Application Load Balancer, Network Load Balancer, Container Service for Kubernetes, Function Compute, etc.) automatically create and manage ENIs. You need to go to the console of the corresponding cloud service to delete the service instance (such as deleting an ACK cluster), and these services will automatically clean up the ENIs they created.
Routing issues
Does CEN or the transit router automatically add routes for secondary CIDR blocks?
If route learning is enabled for the VPC connection on the transit router, and vSwitches are created in the VPC using secondary CIDR blocks, the transit router will automatically learn the system routes corresponding to the secondary CIDR blocks of the vSwitches.
Currently, transit routers only support automatic learning of system route entries in VPCs. For custom route entries, you can manually publish the entries from the VPC route table to CEN, or manually add route entries in Cloud Enterprise Network.
Does a VPC have a router?
Each VPC has one and only one router. Each router can maintain multiple route tables.
You can view the router ID to which a route table belongs on the VPC console - Route Tables page or through the DescribeRouteTables API.
How do I configure routes for VPC peering connections?
After a VPC peering connection is established and activated, by default, the networks between the two VPCs are not connected because they do not know how to send traffic destined for the peer VPC to the peering connection. Therefore, you must add routes pointing to the peering connection in the route tables on both sides.
For operation steps, see: Configure routes.
What should I specify as the destination CIDR block in a route entry?
The destination CIDR block defines which destination IP addresses this route rule applies to.
Exact match: Fill in the specific network range you want the packets to be sent to. For example, to access a peer VPC (192.168.0.0/16), enter 192.168.0.0/16.
Default route: 0.0.0.0/0 represents all IPv4 addresses. Directing 0.0.0.0/0 traffic to a NAT gateway allows ECS instances without public IP addresses in the VPC to access the Internet through the NAT gateway.
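Route selection among an exact-match entry, a default route and a more specific entry follows longest prefix match, which is also why "some IP addresses cannot be accessed after adding a peering connection" (see the troubleshooting entry earlier on this page). The following added example (not code from the original page or from Alibaba Cloud) simulates that lookup over a constructed vSwitch route table; the next-hop instance IDs are placeholders. Beyond the page's own cases it also lists the more specific entries that shadow part of a peering route, which is the diagnostic a practitioner actually wants.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR block, next hop)

# Constructed route table for one vSwitch (next-hop IDs are placeholders):
# the VPC's own block, a peer VPC via a peering connection, an older and more
# specific route that shadows part of the peer block, and a default route to
# a NAT gateway.
ROUTE_TABLE: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("192.168.0.0/16", "pcc-peering-placeholder"),
    ("192.168.5.0/24", "vpn-gw-placeholder"),
    ("0.0.0.0/0", "ngw-nat-placeholder"),
]


def lookup(route_table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Pick the route for dst by longest prefix match; None if nothing matches."""
    addr = IPv4Address(dst)
    best: Optional[Tuple[IPv4Network, str]] = None
    for cidr, next_hop in route_table:
        net = IPv4Network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def shadowing_routes(route_table: List[Route], cidr: str, next_hop: str) -> List[Route]:
    """Entries inside `cidr` that send traffic somewhere other than next_hop.

    These are the routes that leave part of a peer VPC unreachable even
    though the peering route itself is correct.
    """
    target = IPv4Network(cidr)
    return [
        (c, hop) for c, hop in route_table
        if hop != next_hop
        and IPv4Network(c).subnet_of(target)
        and IPv4Network(c).prefixlen > target.prefixlen
    ]


def not_via(route_table: List[Route], next_hop: str, samples: List[str]) -> List[str]:
    """Return the sample destinations whose selected route does not use next_hop."""
    out = []
    for ip in samples:
        chosen = lookup(route_table, ip)
        if chosen is None or chosen[1] != next_hop:
            out.append(ip)
    return out


if __name__ == "__main__":
    for dst in ("192.168.7.10", "192.168.5.10", "10.0.3.4", "8.8.8.8"):
        print(dst, "->", lookup(ROUTE_TABLE, dst))
    print(shadowing_routes(ROUTE_TABLE, "192.168.0.0/16", "pcc-peering-placeholder"))
```

When a peering route is in place but some peer addresses still fail, run shadowing_routes over the route table of the vSwitch on each side; any entry it returns is the one to remove or narrow, and the same check applied in the reverse direction covers the response path.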
Why do I need to configure routes on both sides of a peering connection?
Network communication is bidirectional, with both outgoing and incoming traffic. When configuring routes, you need to consider not only the request traffic (outgoing) but also the response traffic (incoming). If routes are configured on only one side but not on the other, the network may not work properly.
Can I specify a vSwitch CIDR block as the destination CIDR block in a route table?
Yes, but it is not recommended.
Best practice: When configuring routes for VPC peering connections, VPN gateways, etc., the destination CIDR block should be the entire VPC CIDR block of the peer network, rather than a specific vSwitch CIDR block within the peer network. This simplifies management, unless you have specific, fine-grained access control requirements.
Network operations and monitoring issues
How do I monitor Internet traffic in a VPC?
You can use the VPC flow log feature or the Network Intelligence Service - Traffic Analyzer feature to collect traffic information from Internet NAT gateways, IPv4 gateways, and other public network components to monitor Internet traffic. For more information, see Flow logs, Traffic Analyzer.
How do I view the network topology of a VPC?
You can use the Network Intelligence Service - VPC Topology feature to generate a VPC network topology diagram.
Billing issues
How is a VPC billed?
VPC billable features:
The following VPC features are currently in public preview and available free of charge:
IP Address Manager (IPAM)
High-availability virtual IP address (HaVip)
Free features:
VPC and vSwitch, secondary CIDR block, reserved segments
DNS hostname, DHCP options set
Route table, prefix list
Shared VPC
ClassicLink, gateway endpoint
IPv4 gateway, network ACL
If you create cloud product resources in a VPC, you need to pay for the cloud product resources that you use. For more information, see the billing document of the corresponding resource.
Are VPC peering connections charged?
Same region: Within the same region, creating and using VPC peering connections is completely free, regardless of whether they are within the same account or across different accounts.
Cross-region: For cross-region VPC peering connections, you are charged for outbound data transfer by Cloud Data Transfer (CDT).
How do I stop billing for a VPC peering connection to save costs?
Intra-region peering connections are free of charge. Deleting them does not affect your fees.
For cross-region peering connections, you must delete the peering connection to stop being charged for data transfer.