A virtual private cloud (VPC) is a private network in the cloud that you can fully control. A VPC is a region-level resource within which you can create and deploy resources such as Elastic Compute Service (ECS), RDS, and Server Load Balancer (SLB) instances.
A vSwitch is a zone-level resource that you can use to divide your VPC into subnets. vSwitches in the same VPC can communicate with each other over the internal network. You can deploy cloud resources in vSwitches across different zones to prevent your applications from being affected by failures in a single zone.
Network planning
Proper network planning helps you prevent CIDR block conflicts, ensure network scalability, and avoid high reconstruction costs.
Create/Delete a VPC and a vSwitch
Console
Create a VPC and a vSwitch
Go to the Create VPC page in the VPC console.
Configure VPC:
Region: Select the region where you want to create cloud resources.
IPv4 CIDR Block: Select a recommended CIDR block or enter a custom CIDR block. In scenarios where multiple VPCs are connected, we recommend configuring a CIDR block that does not overlap with existing VPCs. To avoid CIDR block conflicts and ensure network scalability, we recommend creating a VPC with IPAM.
1. We recommend using a private IPv4 address range specified in RFC 1918 as the VPC CIDR block, with a subnet mask length of 16 to 28 bits. For example, 10.0.0.0/16, 172.16.0.0/16, and 192.168.0.0/16.
2. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as the VPC CIDR block.
Configure vSwitch:
Zone: Select a zone where you want to deploy resources. Consider the support status and inventory (whether it is sold out) when choosing a zone.
IPv4 CIDR Block: Use the default CIDR block or modify the CIDR block as needed.
Add vSwitches: To prevent your applications from being affected by failures in a single zone, create multiple vSwitches across different zones. You can either create vSwitches when setting up a VPC or add vSwitches later in the VPC Console - vSwitch.
Delete a VPC and a vSwitch
Click Delete in the Actions column or on the details page of the target VPC or vSwitch. The system will check whether there are any cloud resources or associated resources that have not been deleted. If there are dependent resources, release all of them before deleting the VPC and vSwitch.
1. Make sure the vSwitch is not shared and not attached to a custom route table or network ACL, and that all cloud resources in the vSwitch have been released.
2. Make sure that all resources in the VPC have been released and the VPC is not associated with network services such as Cloud Enterprise Network (CEN).
API
Unlike creating a VPC in the console, the CreateVpc operation only creates an empty VPC. You must call the CreateVSwitch operation to create a vSwitch.
Call CreateVpc and CreateVSwitch in sequence.
After a VPC is created, modify the CidrBlock parameter of the ModifyVpcAttribute operation to enlarge or shrink the original IPv4 CIDR block. When shrinking it, make sure no active resources are using IPs outside the new CIDR block. You cannot modify the IPv4 CIDR block of a vSwitch.
Call DeleteVSwitch and DeleteVpc in sequence to delete a vSwitch and a VPC.
1. Make sure the vSwitch is not shared and not attached to a custom route table or network ACL, and that all cloud resources in the vSwitch have been released.
2. Make sure that all resources in the VPC have been released and the VPC is not associated with network services such as Cloud Enterprise Network (CEN).
Terraform
Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where the VPC is created
provider "alicloud" {
  region = "cn-hangzhou"
}

# Automatically get a list of zones where vSwitches can be created based on data sources
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query zones where vSwitches can be created
  # available_instance_type = "ecs.g7.large" # Query zones where ECS instances can be created
  # available_resource_creation = "slb" # Query zones where SLB instances can be created
}

# Create a VPC
resource "alicloud_vpc" "example_vpc" {
  vpc_name   = "example_vpc_name"
  cidr_block = "10.0.0.0/16" # Specify the CIDR block
}

# Create a vSwitch
resource "alicloud_vswitch" "example_vswitch" {
  vswitch_name = "example_vswitch_name"
  cidr_block   = "10.0.0.0/24" # Specify the CIDR block
  vpc_id       = alicloud_vpc.example_vpc.id # Specify the ID of the VPC to which the vSwitch belongs
  zone_id      = data.alicloud_zones.available_zones.zones.0.id # Specify the vSwitch zone
}
Enable/disable IPv6
After enabling IPv6 for a VPC and a vSwitch, the system automatically creates an IPv6 gateway and assigns an IPv6 CIDR block. By default, only internal network communication is supported. To access the Internet, enable IPv6 Internet bandwidth.
For the regions that support IPv4/IPv6 dual-stack, see Regions that support IPv4/IPv6 dual-stack.
Console
Enable IPv6
When creating a VPC and a vSwitch, select Assign BGP (Multi-ISP) from the IPv6 drop-down list to enable IPv6.
For an existing VPC, click Enable IPv6 in the IPv6 CIDR Block column of the target VPC, and set the type to Assign BGP (Multi-ISP). You can select Automatically Enable IPv6 for All vSwitches, or click Enable IPv6 in the IPv6 CIDR Block column of the target vSwitch to enable IPv6 for a specific vSwitch.
Disable IPv6
Click Disable IPv6 in the IPv6 CIDR Block column of the target VPC or vSwitch. To disable IPv6 for a VPC, you must disable the feature for all vSwitches and delete the IPv6 gateway.
API
When you create a VPC and a vSwitch, set the EnableIPv6 parameter of CreateVpc and CreateVSwitch to enable or disable IPv6. For existing VPCs and vSwitches, set the EnableIPv6 parameter of ModifyVpcAttribute and ModifyVSwitchAttribute to enable or disable IPv6.
Terraform
Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where the VPC is created
provider "alicloud" {
  region = "cn-hangzhou"
}

# Automatically obtain a list of zones where vSwitches can be created based on data sources
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query zones where vSwitches can be created in the VPC
  # available_instance_type = "ecs.g7.large" # Query zones where ECS instances can be created in the VPC
  # available_resource_creation = "slb" # Query zones where SLB instances can be created in the VPC
}

# Create a dual-stack VPC
resource "alicloud_vpc" "example_vpc" {
  vpc_name    = "example_vpc_name"
  cidr_block  = "10.0.0.0/16"
  enable_ipv6 = true # Enable IPv6, false to disable IPv6
  ipv6_isp    = "BGP" # Specify the IPv6 CIDR block type
}

# Create a dual-stack vSwitch
resource "alicloud_vswitch" "example_vswitch" {
  vswitch_name         = "example_vswitch_name"
  cidr_block           = "10.0.0.0/24"
  vpc_id               = alicloud_vpc.example_vpc.id
  zone_id              = data.alicloud_zones.available_zones.zones.0.id
  enable_ipv6          = true # Enable IPv6, false to disable IPv6
  ipv6_cidr_block_mask = 1 # Specify the last 8 bits of the vSwitch IPv6 CIDR block
}
Use secondary CIDR blocks
The IPv4 CIDR block that you specify when creating a VPC is the primary CIDR block. When available IPs in the primary CIDR block are insufficient for your business, or when improper network planning leads to address shortage, use secondary CIDR blocks to expand the address space.
Secondary CIDR blocks take effect alongside the primary CIDR block. You can use secondary CIDR blocks to create vSwitches and deploy resources such as ECS instances.
1. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as an IPv4 secondary CIDR block.
2. The secondary CIDR block cannot overlap with the primary CIDR block.
3. Each VPC supports up to five IPv4 secondary CIDR blocks and up to five IPv6 secondary CIDR blocks.
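The CIDR planning rules stated on this page (the 16 to 28 bit mask and forbidden ranges for the primary VPC CIDR block, the no-overlap and five-block rules for secondary CIDR blocks, and the check that must precede shrinking CidrBlock with ModifyVpcAttribute) as an added Python pre-flight check. This is example code written for this page, not an Alibaba Cloud SDK or console feature; the function names and the in-use IP list are assumptions.

```python
import ipaddress

# Ranges the page says cannot be used as a VPC primary or secondary IPv4 CIDR block.
FORBIDDEN = [ipaddress.ip_network(c) for c in
             ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]
# RFC 1918 private ranges, which the page recommends for the VPC CIDR block.
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_SECONDARY = 5  # per-VPC limit on IPv4 secondary CIDR blocks stated on the page


def check_vpc_cidr(cidr, existing_vpcs=()):
    """Problems with a proposed primary VPC CIDR block; an empty list means it passes."""
    try:
        net = ipaddress.ip_network(cidr)  # strict by default: host bits must be zero
    except ValueError as err:
        return [f"not a valid network address: {err}"]
    if net.version != 4:
        return ["an IPv4 CIDR block is expected here"]
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"prefix length {net.prefixlen} is outside the 16-28 range")
    if any(net.overlaps(f) for f in FORBIDDEN):
        problems.append("overlaps a range that cannot be used as a VPC CIDR block")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not an RFC 1918 private range (recommended, not enforced)")
    for other in existing_vpcs:  # VPCs this one may later be connected to
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"overlaps existing VPC {other}")
    return problems


def check_secondary_cidr(primary, secondaries, new_cidr):
    """Problems with adding new_cidr as an IPv4 secondary CIDR block to a VPC."""
    new = ipaddress.ip_network(new_cidr)
    problems = []
    if len(secondaries) >= MAX_SECONDARY:
        problems.append(f"VPC already has {MAX_SECONDARY} IPv4 secondary CIDR blocks")
    if any(new.overlaps(f) for f in FORBIDDEN):
        problems.append("overlaps a range that cannot be used as a secondary CIDR block")
    if new.overlaps(ipaddress.ip_network(primary)):
        problems.append("overlaps the primary CIDR block")
    for s in secondaries:
        if new.overlaps(ipaddress.ip_network(s)):
            problems.append(f"overlaps existing secondary CIDR block {s}")
    return problems


def ips_blocking_shrink(new_primary, in_use_ips):
    """In-use IPs that would fall outside CidrBlock after ModifyVpcAttribute shrinks it."""
    net = ipaddress.ip_network(new_primary)
    return [ip for ip in in_use_ips if ipaddress.ip_address(ip) not in net]
```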
Console
Add a secondary CIDR block
On the Basic Information page of the VPC, click the CIDR Block Management tab. Add IPv4 or IPv6 secondary CIDR blocks.
For IPv4 secondary CIDR blocks, you can add them in three ways:
Recommended CIDR Block: Select a recommended CIDR block, 10.0.0.0/16, 172.16.0.0/16, or 192.168.0.0/16.
Advanced Configuration: Customize the secondary CIDR block.
IPv4 CIDR block allocated by IPAM: Use IPAM to avoid CIDR block conflicts. If you already have an IPAM pool with provisioned CIDR blocks, we recommend choosing an IPAM pool and configuring the Subnet Mask.
For IPv6 secondary CIDR blocks:
If IPv6 is not enabled for the VPC, click Enable IPv6 and select Assign BGP (Multi-ISP) as the type. You can select Automatically Enable IPv6 for All vSwitches, or click Enable IPv6 in the IPv6 CIDR Block column of the vSwitch to enable IPv6 for a specific vSwitch.
For a VPC with IPv6 already enabled, click Add IPv6 CIDR Block and select Assign BGP (Multi-ISP).
Delete a secondary CIDR block
On the Basic Information page of the target VPC, click the CIDR Block Management > IPv4 CIDR Block tab or IPv6 CIDR Block tab, find the secondary CIDR block that you want to delete, and click Delete in the Actions column.
API
Call AssociateVpcCidrBlock to add a secondary CIDR block.
Call UnassociateVpcCidrBlock to delete a secondary CIDR block.
Terraform
Terraform currently supports only IPv4 secondary CIDR blocks.
Resources: alicloud_vpc_ipv4_cidr_block
# Specify the region where the VPC is created
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the VPC ID
variable "vpc_id" {
  default = "vpc-xxx" # Replace with the actual VPC ID
}

# Create a secondary CIDR block in the VPC
resource "alicloud_vpc_ipv4_cidr_block" "example_secondary_cidr_block" {
  vpc_id               = var.vpc_id
  secondary_cidr_block = "192.168.0.0/16" # Specify the secondary CIDR block
}
Reserved CIDR blocks
A reserved CIDR block is a range within a vSwitch that is set aside so that other resources cannot occupy it. Currently, reserved CIDR blocks are used only to assign IP prefixes to secondary private IP addresses of Elastic Network Interfaces (ENIs).
1. Reserved CIDR blocks cannot include system reserved addresses of the vSwitch.
2. Each vSwitch supports up to 100 IPv4 reserved CIDR blocks and up to 100 IPv6 reserved CIDR blocks.
3. The subnet mask of an IPv4 reserved CIDR block cannot exceed 28, and the subnet mask of an IPv6 reserved CIDR block cannot exceed 80.
Console
Create a reserved CIDR block
On the Basic Information page of the target vSwitch, click the Reserved CIDR Blocks tab. You can add IPv4 or IPv6 reserved CIDR blocks in two ways:
Specify CIDR Block: Specify the CIDR block to be reserved.
Specify Subnet Mask: The system automatically allocates a reserved CIDR block from available CIDR blocks.
For IPv6 CIDR blocks, if IPv6 is not enabled for the vSwitch, click Enable IPv6. In the Enable IPv6 dialog box, set the IPv6 CIDR block for the vSwitch.
If IPv6 is not enabled for your VPC, in the Enable IPv6 dialog box, first set IPv6 CIDR Block Type to the default Assign BGP (Multi-ISP), and then set the IPv6 CIDR block for the vSwitch.
View occupied IPs
On the Basic Information page of the target vSwitch, click the Reserved CIDR Blocks > IPv4 CIDR Block tab or IPv6 CIDR Block tab, find the target reserved CIDR block, and click View Occupied IPs in the Actions column to check the occupied IPs and the corresponding ENIs.
Delete a reserved CIDR block
Before you delete a reserved CIDR block, make sure that no IPs in the CIDR block are occupied.
On the Basic Information page of the target vSwitch, click the Reserved CIDR Blocks > IPv4 tab or IPv6 tab, find the reserved CIDR block that you want to delete, and click Delete in the Actions column.
API
Call CreateVSwitchCidrReservation to create a reserved CIDR block.
Call GetVSwitchCidrReservationUsage to view occupied IPs.
Call DeleteVSwitchCidrReservation to delete a reserved CIDR block.
Terraform
Resources: alicloud_vpc_vswitch_cidr_reservation
# Specify the region where the VPC is created
provider "alicloud" {
  region = "cn-hangzhou" # The region where the resource is located
}

# Specify the vSwitch ID
variable "vsw_id" {
  default = "vsw-xxx" # Replace with the actual vSwitch ID
}

# Create a reserved CIDR block
resource "alicloud_vpc_vswitch_cidr_reservation" "example_cidr_reservation" {
  vswitch_id            = var.vsw_id
  ip_version            = "IPv4"
  cidr_reservation_cidr = "10.0.0.128/26" # Specify the reserved CIDR block
}
Create a VPC with IPAM
Manually configuring IPv4 CIDR blocks is inefficient and may lead to potential address conflicts.
IPAM is a cloud-based IP address management tool that automates IP allocation and management, simplifies network management, and avoids address conflicts. You can plan with IPAM, create IPAM and IPAM pools, and allocate IPv4 CIDR blocks to VPCs from IPAM pools.
Console
Go to the Create VPC page in the VPC console, use IPv4 CIDR Block Assigned by IPAM, select an IPAM pool, and configure the subnet mask to allocate a CIDR block from the IPAM pool.
After configuring the subnet mask, the system automatically allocates the first available CIDR block within the specified subnet mask range. You can also adjust the IPv4 CIDR block within the provisioned CIDR block in the IPAM pool.
Before creating a VPC, make sure that you have created IPAM and IPAM pools on the IPAM console.
API
If you have already created an IPAM pool, specify the IPAM pool by passing the Ipv4IpamPoolId parameter when you call CreateVpc, and pass the Ipv4CidrMask parameter to specify the subnet mask so that an address range is allocated from the IPAM pool as the CIDR block of the new VPC. You can also pass the CidrBlock parameter to specify the VPC CIDR block yourself instead of having one allocated automatically from the subnet mask. If you have not created an IPAM pool, call the following API operations in sequence to create one, and then create a VPC as described above.
Terraform
Resources: alicloud_vpc_ipam_ipam, alicloud_vpc_ipam_ipam_pool, alicloud_vpc_ipam_ipam_pool_cidr, alicloud_vpc
# Specify the region where IPAM, the IPAM pool, and the VPC are created
provider "alicloud" {
  region = "cn-hangzhou"
}

# Create IPAM
resource "alicloud_vpc_ipam_ipam" "example_ipam" {
  ipam_name             = "example_ipam_name"
  operating_region_list = ["cn-hangzhou"] # Specify the effective region of IPAM
}

# Create an IPAM address pool
resource "alicloud_vpc_ipam_ipam_pool" "example_parentIpamPool" {
  ipam_scope_id  = alicloud_vpc_ipam_ipam.example_ipam.private_default_scope_id # Specify the scope of the IPAM pool
  ipam_pool_name = "example_parentIpamPool_name"
  pool_region_id = alicloud_vpc_ipam_ipam.example_ipam.region_id # Specify the effective region of the IPAM pool
  ip_version     = "IPv4" # Specify the IP version of the IPAM pool
}

# Provision a CIDR block to the IPAM address pool
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_ipamPoolCidr" {
  cidr         = "10.0.0.0/16" # Specify the CIDR block
  ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM pool
}

# Create a VPC whose CIDR block is allocated from the IPAM pool
resource "alicloud_vpc" "example_ipam_vpc" {
  vpc_name          = "example_ipam_vpc_name"
  ipv4_ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM pool
  ipv4_cidr_mask    = 24 # IPv4 subnet mask length of the allocated CIDR block
}
More information
Default VPC and vSwitch
Default VPCs and vSwitches help you quickly validate and deploy your business. However, if you need long-term network service support or to host core production systems, we recommend creating custom VPCs and vSwitches based on your business architecture. Through fine-grained network planning, you can achieve resource isolation, security control, and elastic scaling.
You can create only one default VPC in each region and only one default vSwitch in each zone. Default VPCs and vSwitches do not count against your quota.
When creating ECS, CLB, or RDS instances in a region without VPCs, you can let the system create a default VPC and vSwitch. The CIDR block of the default VPC created in this way is 172.16.0.0/12.
In a region where you have not created a default VPC, you can call CreateDefaultVpc and CreateDefaultVSwitch to create a default VPC and vSwitch. The CIDR block of the default VPC is 172.xx.0.0/16.
Apart from these methods, VPCs and vSwitches that you create yourself are non-default. You can delete default VPCs and vSwitches, but you cannot convert between default and non-default VPCs and vSwitches.
System reserved IPs
There are system reserved IPs in the address space of a vSwitch. You cannot assign these addresses to resources such as ECS instances.
For IPv4, the first and the last three IPs of each vSwitch are reserved addresses.
For example, if the CIDR block of a vSwitch is 192.168.1.0/24, the system reserved addresses include 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255.
For IPv6, the first and the last nine IPs of each vSwitch are reserved addresses.
For example, if the IPv6 CIDR block of a vSwitch is 2408:xxxx:xxxx:6eff::/64, the reserved addresses include the first IP address 2408:xxxx:xxxx:6eff:: and the last nine IP addresses, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff7, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff8, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff9, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffa, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffb, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffc, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffd, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffe, and 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:ffff.
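The system reserved addresses described above, together with the reserved CIDR block rules from the Reserved CIDR blocks section (a reservation must not include system reserved addresses, and its mask length cannot exceed 28 for IPv4 or 80 for IPv6), as an added Python example; this is not the platform's own code. The 2001:db8::/64 vSwitch is a constructed documentation prefix standing in for the 2408:xxxx:xxxx:6eff::/64 example, and the 10.0.0.0/24 vSwitch with the 10.0.0.128/26 reservation reuses the values from the Terraform sample.

```python
import ipaddress

# Addresses reserved at the end of a vSwitch CIDR block, per IP version (from the page).
TAIL_RESERVED = {4: 3, 6: 9}
# Longest mask length the page allows for a reserved CIDR block, per IP version.
MAX_RESERVATION_PREFIX = {4: 28, 6: 80}


def system_reserved_ips(vswitch_cidr):
    """First address plus the last three (IPv4) or last nine (IPv6) addresses of a vSwitch."""
    net = ipaddress.ip_network(vswitch_cidr)
    tail = TAIL_RESERVED[net.version]
    # broadcast_address is simply the highest address of the block, for IPv6 too.
    last = [net.broadcast_address - i for i in range(tail - 1, -1, -1)]
    return [net.network_address] + last


def usable_ip_count(vswitch_cidr):
    """Addresses a vSwitch can actually hand out to ECS instances, ENIs and so on."""
    net = ipaddress.ip_network(vswitch_cidr)
    return net.num_addresses - len(system_reserved_ips(vswitch_cidr))


def check_cidr_reservation(vswitch_cidr, reservation_cidr):
    """Problems with reserving reservation_cidr inside a vSwitch; empty list means OK."""
    vsw = ipaddress.ip_network(vswitch_cidr)
    res = ipaddress.ip_network(reservation_cidr)
    if res.version != vsw.version:
        return ["IP version does not match the vSwitch CIDR block"]
    problems = []
    if not res.subnet_of(vsw):
        problems.append("not inside the vSwitch CIDR block")
    limit = MAX_RESERVATION_PREFIX[res.version]
    if res.prefixlen > limit:
        problems.append(f"mask length {res.prefixlen} exceeds the limit of {limit}")
    clash = [str(ip) for ip in system_reserved_ips(vswitch_cidr) if ip in res]
    if clash:
        problems.append("includes system reserved addresses: " + ", ".join(clash))
    return problems


if __name__ == "__main__":
    # Constructed inputs: a /24 IPv4 vSwitch and a /64 IPv6 vSwitch.
    for vsw in ("192.168.1.0/24", "2001:db8::/64"):
        print(vsw, "reserved:", [str(ip) for ip in system_reserved_ips(vsw)])
    print("10.0.0.128/26 in 10.0.0.0/24:", check_cidr_reservation("10.0.0.0/24", "10.0.0.128/26"))
    print("10.0.0.192/26 in 10.0.0.0/24:", check_cidr_reservation("10.0.0.0/24", "10.0.0.192/26"))
```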
Cross-account authorization
Before connecting a VPC to a CEN instance, virtual border router (VBR), or Express Connect Router (ECR) that belongs to a different account, you must perform cross-account authorization in the VPC.
For details, see Authorize CENs, Authorize VBRs, and Authorize ECRs.
Only after the authorization can the other account select the VPC instance when creating a VPC or VBR connection, or associating a VPC with ECR.
1. The account refers to an Alibaba Cloud account, not a RAM user.
2. Cross-account authorization is not supported between accounts of the China site (aliyun.com) and accounts of the international site (alibabacloud.com).