
Elastic Compute Service: Change the VPC of an ECS instance

Last Updated: Jul 10, 2025

As your business grows or security policies change, your existing network architecture may no longer meet your business requirements. You can use virtual private clouds (VPCs) to group your business workloads and isolate network traffic. To do so, you may need to change the VPC of some Elastic Compute Service (ECS) instances, that is, migrate the instances from one VPC to another without changing their region or zone.


Scenarios

  • You want to re-plan the VPCs of your instances because the original VPCs are unable to meet the growing requirements of your business.

  • In the early business stage, only one VPC was planned. Different projects and usage environments shared this VPC, which resulted in risks stemming from data operations. You want to use different VPCs for different projects and environments.

  • When you implement VPC peering by using Cloud Enterprise Network or VPC peering connections, we recommend that you make sure that the CIDR blocks that need to communicate with each other do not overlap. If IP address conflicts occur between the instances that communicate with each other, you can change the VPC of one of the instances.

Requirements

  • After the VPC is changed, the new vSwitch of the instance must be in the same zone as the original vSwitch.

  • When you change the VPC of an instance, you must select one to five security groups of the same type for the instance. The security group can be of the basic or advanced type.

    Note
    • The quota of security groups is related to the limit on the number of security groups that an instance can join. For more information, see Limits.

    • When an ECS instance switches between security groups of different types, make sure that you fully understand how the rules of the two security group types differ so that the instance network is not affected. For more information, see Security group overview.

  • You can change the VPCs of up to 20 ECS instances at a time.

Effects after the change

  • Private IP address: After you change the VPC of an ECS instance, the primary private IP address of the instance becomes an IP address within the CIDR block of the destination vSwitch.

    • If your private IP address is used by other services or applications (such as security groups, DNS, firewall rules, or database whitelists), update them with the new primary private IP address.

    • The public IP address of the instance does not change. However, if the instance is configured internally with a static IP configuration, the settings (such as the IP address and gateway) may be inconsistent with the network after the change, resulting in connection or communication failures.

      • We recommend setting the IP acquisition method in the network configuration to automatic before the change. After the change, the instance automatically obtains settings such as the IP address, subnet mask, and default gateway.

        • Windows instances: Set automatic IP address acquisition.

          Example for Windows Server 2022:

          1. Connect to the Windows ECS instance.

            For more information, see Use Workbench to connect to a Windows instance over RDP.

          2. Open Network and Sharing Center.

          3. Click Change adapter settings.

          4. Double-click the primary ENI named Ethernet. Then, click Properties in the Ethernet Status dialog box.


          5. In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).


          6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Obtain an IP address automatically.


        • Linux instances: Configure DHCP to dynamically obtain an IP address. For example, in RHEL, set BOOTPROTO to dhcp in the /etc/sysconfig/network-scripts/ifcfg-eth0 network configuration file. Network configuration files vary based on the operating system type. For more information, see How to configure DHCP networking in Linux images.

      • Alternatively, after the VPC change, connect to the instance by using Virtual Network Computing (VNC), and then modify the network configuration by enabling automatic IP address acquisition or modifying the static IP address settings to match the actual IP address assigned after the change.

  • Network connectivity: After you change the VPC of an ECS instance, the instance can no longer communicate with other ECS instances in the original VPC. To establish connectivity between them, see Overview of VPC connections.

  • Access control: If the original VPC and the destination VPC use different network ACLs and security groups, check and modify them to ensure that applications can run as expected. For more information, see Access control.

  • Routing table configuration: The new VPC may have different routing table configurations than the original one. For applications that require specific routes, you must reconfigure or add route entries to ensure network connectivity. For more information, see Route tables.

  • Private DNS resolution: If private DNS resolution is enabled for the ECS instance whose VPC you want to change, domain name resolution may fail when you change the VPC. Make sure that the hostname feature is enabled for both the source and destination VPCs. This ensures that the private DNS resolution feature is available. For more information, see Step 1: Enable the DNS hostname feature in a VPC.
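The settings that depend on the primary private IP address (security group rules, firewall rules, database whitelists) can be audited against the old and new address before and after the change. The following is an added example, not part of the original documentation; the rule layout, names, and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample entries; names, layout and addresses are illustrative.
RULES = [
    {"name": "db-allowlist", "source": "192.168.1.10"},
    {"name": "sg-app-ingress", "source": "192.168.1.0/24"},
    {"name": "fw-mgmt", "source": "10.0.0.0/8"},
    {"name": "sg-any", "source": "0.0.0.0/0"},
    {"name": "partner-range", "source": "172.16.0.0/12"},
]

def audit(rules, old_ip, new_ip):
    """Map rule name -> action needed after the primary private IP changes."""
    old, new = ipaddress.ip_address(old_ip), ipaddress.ip_address(new_ip)
    actions = {}
    for rule in rules:
        net = ipaddress.ip_network(rule["source"], strict=False)
        had, has = old in net, new in net
        if had and not has:
            # The instance loses this access. A single-host entry is replaced;
            # a wider range needs the new address added alongside it.
            single = net.num_addresses == 1
            actions[rule["name"]] = "replace-host" if single else "add-new-address"
        elif has and not had:
            # An existing range now covers the instance: access it did not
            # have before the move, so confirm that it is intended.
            actions[rule["name"]] = "review-new-access"
    return actions

if __name__ == "__main__":
    for name, action in audit(RULES, "192.168.1.10", "10.0.2.15").items():
        print(f"{name}: {action}")
```

Rules that cover both addresses or neither address need no action and are omitted from the result.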

Prechecks

Before you change the VPC, perform the following checks on the ECS instance to ensure a smooth transition:

  • The ECS instance must be in the Stopped state. For more information, see Stop an instance.

    Note

    The instance cannot be in the Locked, To Be Released, Expired, Expired and Being Recycled, or Overdue and Being Recycled state. For more information, see Instance lifecycle.

  • The ECS instance has no secondary Elastic Network Interfaces (ENIs) attached. If secondary ENIs are attached to the ECS instance, detach the ENIs from the instance.

  • The primary ENI of the ECS instance can have only one primary private IPv4 address. If you have assigned IPv6 addresses or secondary private IPv4 addresses to the primary ENI, delete the assigned IPv6 addresses and revoke the secondary private IP addresses.

  • The ECS instance is not connected over the private network. If a private link has been generated for the ECS instance for a private network connection, such as by Workbench, see Release authorized links.

  • The ECS instance is not added as a backend server to the server group of a Server Load Balancer (SLB) instance. For information about how to remove backend servers in SLB, see Manage default server groups.

  • The ECS instance is not in a custom route entry. If an ECS instance is configured in a custom route table, you cannot change the VPC even if the vSwitch to which the instance belongs is not associated with the route table to which the route entry belongs. Remove the ECS instance from the custom route table entry. For more information, see Remove an ECS instance from route table entries.

  • The ECS instance is not associated with a high-availability virtual IP address (HAVIP). If the ECS instance is associated with a HAVIP, you can dissociate the ECS instance from the HAVIP. For more information, see High-availability virtual IP addresses (HAVIPs).

  • The ECS instance is not bound to Global Accelerator (GA) instances as backend service nodes. If you use GA to provide acceleration services for an ECS instance, you must delete the endpoint on which the ECS instance resides. For more information, see Add and manage endpoint groups and endpoints.

  • The instance is not used in other Alibaba Cloud services. For example, the instance cannot be in the process of being migrated or having its VPC changed, or the databases deployed on the instance cannot be managed by Data Transmission Service (DTS).

  • VPCs, vSwitches, and security groups are created and available for the ECS instance.

    • If no vSwitch is available in the destination VPC, create a vSwitch in the destination VPC and in the zone where the ECS instance resides. For more information, see Create and manage vSwitches.

    • If no security group is available in the destination VPC, quickly create a security group by cloning the security group associated with the ECS instance in the original VPC to the destination VPC. For more information, see Clone a security group.

    • If the destination VPC is shared by another Alibaba Cloud account, the security group must be created by your account in the shared VPC.

Procedure

Important
  • If you change the VPC, the ECS instance becomes temporarily unavailable. Consider factors such as business continuity and customer experience, and select a suitable time to perform the operation.

  • We recommend creating ECS snapshots and backups during off-peak hours before you change the VPC.

Use the ECS console

  1. Go to ECS console - Instance.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. Find the ECS instance whose VPC you want to change and click the instance ID to go to the instance details page. Click All Actions in the upper-right corner and find and click Change VPC.

  4. On the Change VPC configuration wizard page, follow the instructions to change the VPC of the ECS instance.

    1. In the Make Preparations phase, review the network information before the change and the notes, and click Next.


    2. In the Select a VPC phase, select the Destination VPC, Destination vSwitch, and Destination Security Group for the ECS instance, and then click Next.

      • If no vSwitch is available in the destination VPC, create a vSwitch in the destination VPC and in the zone where the ECS instance resides. For more information, see Create and manage vSwitches.

      • If no security group is available in the destination VPC, quickly create a security group by cloning the security group associated with the ECS instance in the original VPC to the destination VPC. For more information, see Clone a security group.

    3. (Optional) In the Configure Primary Private IP Address phase, specify the primary private IP address for the ECS instance.

      • To specify a primary private IP address, make sure that the IP address is within the CIDR block of the destination vSwitch.

      • If you do not specify the primary private IP address, the system automatically assigns one.

    4. Click OK.

  5. View the results.

    After the VPC is changed, click the destination ECS instance ID to go to the Instance Details tab and view the VPC and vSwitch fields in the Configuration Information section.

    If you configured event notifications for VPC changes of ECS instances in EventBridge or CloudMonitor, you can receive a vSwitch change event notification.

Call API operations

You can call the ModifyInstanceVpcAttribute operation to modify the VPC, vSwitch, security group, and other information of an ECS instance.

After the modification is complete, call the DescribeInstances operation to view the VPC, vSwitch, and security group information of the instance after the change based on the returned VpcId, VSwitchId, and SecurityGroupId values.

Common errors

If you encounter the following errors when changing the VPC, read Prechecks, and handle them based on the actual error message and corresponding solution:

  • Error 1: InvalidDependence.GrantAccess

    Cause: When you change the VPC, the instance cannot be in use by other cloud services. This error indicates that the ECS instance may be associated with other services, such as Database Backup (DBS), DTS, Data Management (DMS), or Workbench.

    Solution: Release the reverse access links, delete the authorization to other products, and try again.

    If your instance generates a reverse access link by using Workbench, perform the following steps to release the reverse access link:

    1. Log on to the Workbench console. On the Private Links page, check whether a reverse access link exists for the corresponding ECS instance. If so, click Release Link in the Actions column on the right.

    2. In the message that appears, click OK. After the reverse access link is released, change the VPC of the instance again. If the issue persists, submit a ticket.

  • Error 2: InvalidDependence.NextHopOfCustomRouter

    Cause: When you change the VPC, the instance cannot be in a custom route entry. This error indicates that the ECS instance is the next hop in a custom route table entry. The error is reported even if the vSwitch to which the instance belongs is not associated with the route table to which the route entry belongs.

    Solution: Delete the route entry associated with the instance. Perform the following steps:

    1. Go to VPC console - Route Tables.

    2. In the top navigation bar, select the region of the VPC to which the vSwitch belongs.

    3. On the Route Tables page, find the route entry that contains the ECS instance for which you want to change the VPC.


    4. Click Delete, delete the route entry, and then try to change the VPC of the instance again.

  • Error 3: InvalidDependence.SLB

    Cause: When you change the VPC, the ECS instance cannot be associated with an SLB instance. This error indicates that the instance is added to a backend server group. The error is reported even if the ECS instance is not attached to a backend real server (RS) by the SLB instance.

    Solution: Confirm the SLB backend server group that the ECS instance has joined, and remove the ECS instance from the server group. Then, change the VPC of the instance again. For more information, see Remove backend servers.


  • Error 4: EnterpriseGroupLimited.MutliGroupType

    Cause: If you select multiple security groups (1 to 5) in the destination VPC when you change the VPC, the security groups must be of the same type (all basic or all enterprise security groups). This error indicates that the type of one security group is inconsistent with the other security groups that you selected.

    Solution: Select security groups of the same type.

  • Error 5: Invalidinstance.AttachedEni


    Cause: When you change the VPC, the ECS instance cannot have secondary ENIs attached.

    Solution: Detach the secondary ENI from the ECS instance. For more information, see Detach an ENI.

  • Error 6: PrimaryEniHasSubIp

    Cause: When you change the VPC, the ECS instance cannot have multiple IP addresses. This error indicates that the primary ENI attached to the ECS instance is assigned multiple secondary private IP addresses.

    Solution: Revoke the secondary private IP addresses assigned to the ECS instance.
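The prechecks and error causes above can be combined into one preflight check that runs before the change is submitted. This is an added example, not Alibaba Cloud code: the input field names and sample values are hypothetical, and codes prefixed with local: are labels made up here, while the others are the error codes listed above.

```python
import ipaddress

# Constructed sample input. Field names are hypothetical, not ECS API fields.
INSTANCE = {
    "status": "Running", "zone": "cn-hangzhou-h",
    "secondary_enis": ["eni-example"],
    "primary_ipv4": ["192.168.1.10", "192.168.1.11"], "primary_ipv6": [],
    "slb_server_groups": [], "next_hop_routes": ["10.8.0.0/16"],
    "private_links": [],
}
PLAN = {
    "vswitch_zone": "cn-hangzhou-h", "vswitch_cidr": "10.0.2.0/24",
    "security_group_types": ["basic", "advanced"],
    "private_ip": "10.0.3.7",  # optional; None lets the system assign one
}

def precheck(inst, plan):
    """Return (code, reason) pairs for every condition that blocks the change.

    Codes starting with "local:" are labels invented for this example; the
    others are the error codes from the Common errors section.
    """
    types = plan["security_group_types"]
    ip = plan.get("private_ip")
    cidr = ipaddress.ip_network(plan["vswitch_cidr"])
    checks = [
        (inst["status"] != "Stopped", "local:not-stopped", "stop the instance"),
        (bool(inst["secondary_enis"]), "Invalidinstance.AttachedEni", "detach secondary ENIs"),
        (len(inst["primary_ipv4"]) > 1, "PrimaryEniHasSubIp", "revoke secondary private IPs"),
        (bool(inst["primary_ipv6"]), "local:ipv6-assigned", "delete IPv6 addresses"),
        (bool(inst["slb_server_groups"]), "InvalidDependence.SLB", "remove from SLB server groups"),
        (bool(inst["next_hop_routes"]), "InvalidDependence.NextHopOfCustomRouter", "delete route entries"),
        (bool(inst["private_links"]), "InvalidDependence.GrantAccess", "release private links"),
        (not 1 <= len(types) <= 5, "local:security-group-count", "select one to five groups"),
        (len(set(types)) > 1, "EnterpriseGroupLimited.MutliGroupType", "use one group type"),
        (plan["vswitch_zone"] != inst["zone"], "local:zone-mismatch", "use a vSwitch in the same zone"),
        (ip is not None and ipaddress.ip_address(ip) not in cidr, "local:ip-outside-cidr", "pick an IP in the vSwitch CIDR"),
    ]
    return [(code, why) for failed, code, why in checks if failed]

if __name__ == "__main__":
    for code, why in precheck(INSTANCE, PLAN):
        print(f"BLOCKED {code}: {why}")
```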

Reference

To enable internal network communication between ECS instances across different accounts and VPCs, use PrivateLink or other methods. For more information, see Access services in a VPC that belongs to another account by using PrivateLink.