
Virtual Private Cloud:Virtual private cloud and vSwitch

Last Updated:Jun 27, 2025

A virtual private cloud (VPC) is your private network on the cloud that you can fully control. A VPC is a region-level resource. You can create and use Alibaba Cloud resources in your VPC, such as Elastic Compute Service (ECS) instances and ApsaraDB RDS instances.

A vSwitch is a zone-level resource that you can use to divide your VPC into subnets. vSwitches in the same VPC can communicate with each other over the internal network. You can deploy cloud resources in vSwitches across different zones to prevent your applications from being affected by failures in a single zone.


Network planning

Proper network planning helps you avoid CIDR block conflicts and ensures network extensibility. Improper network planning can lead to high reconstruction costs in the future. Therefore, we recommend that you perform network planning before you create a VPC.

Create/delete a VPC and a vSwitch

Console

Create a VPC and a vSwitch

  1. Go to the Create VPC page in the VPC console.

  2. Configure the VPC:

    1. Region: Select the region where you want to create cloud resources.

    2. IPv4 CIDR block: Select a recommended CIDR block from the console or enter a custom CIDR block. In scenarios such as VPC peering, we recommend that you configure a CIDR block that does not overlap with existing VPCs to avoid CIDR block conflicts during VPC peering. To avoid CIDR block conflicts and ensure network extensibility, we recommend that you create a VPC with IPAM.

      1. We recommend that you use a private IPv4 address specified in RFC1918 as the CIDR block of your VPC, with a subnet mask of 16 to 28 bits. Examples: 10.0.0.0/16, 172.16.0.0/16, and 192.168.0.0/16.
      2. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as the IPv4 CIDR block of your VPC.
  3. Configure the vSwitch:

    1. Zone: Select the zone where you want to create cloud resources. You should select a zone based on the support status and inventory (whether it is sold out) of the resources you need in that zone.

    2. IPv4 CIDR block: Select the default CIDR block from the console or adjust the CIDR block range as needed.

    3. Add more vSwitches: To prevent your applications from being affected by failures in a single zone, you can create multiple vSwitches across different zones. You can create vSwitches during the VPC creation process or add more vSwitches later on the vSwitch page of the VPC console.
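The CIDR block rules above (RFC 1918 ranges, a 16 to 28 bit mask, the four ranges that cannot be used, no overlap with VPCs you intend to peer with) are easy to get wrong by hand and expensive to fix later. The following Python is an added planning check written for this page; it is not Alibaba Cloud code and not part of the console or API. It uses only the standard library `ipaddress` module, and the sample CIDR blocks in the usage section are constructed. The vSwitch check additionally requires that a vSwitch block lies inside its VPC and does not overlap other vSwitches in the same VPC, which the page implies by describing vSwitches as subnets of the VPC.

```python
import ipaddress

# Ranges the page lists as not allowed for a VPC IPv4 CIDR block.
FORBIDDEN_RANGES = [ipaddress.ip_network(c) for c in
                    ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]

# RFC 1918 private ranges; the page recommends choosing the VPC block from these.
RFC1918_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr, peer_cidrs=()):
    """Return a list of problems with a proposed VPC primary IPv4 CIDR block.

    An empty list means the block passes every rule stated on this page.
    peer_cidrs are the blocks of existing VPCs this VPC may later be peered with.
    """
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return [f"{net}: only IPv4 primary CIDR blocks are checked here"]
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{net}: prefix length must be between 16 and 28 bits")
    if any(net.overlaps(f) for f in FORBIDDEN_RANGES):
        problems.append(f"{net}: overlaps a range that cannot be used as a VPC CIDR block")
    if not any(net.subnet_of(r) for r in RFC1918_RANGES):
        problems.append(f"{net}: not inside an RFC 1918 private range (recommended)")
    for peer in peer_cidrs:
        p = ipaddress.ip_network(peer, strict=False)
        if net.overlaps(p):
            problems.append(f"{net}: overlaps existing/peer VPC {p}, peering would conflict")
    return problems


def check_vswitch_cidr(vpc_cidr, vswitch_cidr, existing_vswitches=()):
    """Return problems with a vSwitch block: it must be a subnet of the VPC block
    and must not overlap vSwitches already present in that VPC."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    vsw = ipaddress.ip_network(vswitch_cidr, strict=False)
    if vsw.version != vpc.version:
        return [f"{vsw}: IP version differs from VPC block {vpc}"]
    if not vsw.subnet_of(vpc):
        problems.append(f"{vsw}: not inside VPC block {vpc}")
    for other in existing_vswitches:
        o = ipaddress.ip_network(other, strict=False)
        if vsw.overlaps(o):
            problems.append(f"{vsw}: overlaps existing vSwitch {o}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one new VPC that will later peer with two existing VPCs.
    existing_vpcs = ["10.0.0.0/16", "192.168.0.0/16"]
    for candidate in ("10.0.0.0/16", "172.16.0.0/16", "100.64.0.0/16"):
        print(candidate, check_vpc_cidr(candidate, existing_vpcs) or "ok")
    print(check_vswitch_cidr("172.16.0.0/16", "172.16.1.0/24", ["172.16.0.0/24"]) or "vswitch ok")
```

In the sample plan only 172.16.0.0/16 passes: 10.0.0.0/16 collides with a peer, and 100.64.0.0/16 sits in a range the page says cannot be used at all.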

Delete a VPC and a vSwitch

Click Delete in the Actions column or on the details page of the target VPC or vSwitch. The system will check whether there are any cloud resources or linked resources that have not been deleted. If there are dependent resources, you must release all resources before you can delete the VPC and vSwitch.

1. Before you delete a vSwitch, make sure that the vSwitch is not shared, not attached to a custom route table or a network ACL, and all cloud resources in the vSwitch have been released.
2. Before you delete a VPC, make sure that all resources in the VPC have been released and the VPC is not associated with network services such as Cloud Enterprise Network (CEN).

API

Unlike the console logic, the CreateVpc operation only creates an empty VPC. You need to call CreateVSwitch to create a vSwitch.
  • Call CreateVpc and CreateVSwitch in sequence to create a VPC and a vSwitch.

  • Call DeleteVSwitch and DeleteVpc in sequence to delete a vSwitch and a VPC.

    1. Before you delete a vSwitch, make sure that the vSwitch is not shared, not attached to a custom route table or a network ACL, and all cloud resources in the vSwitch have been released.
    2. Before you delete a VPC, make sure that all resources in the VPC have been released and the VPC is not associated with network services such as Cloud Enterprise Network (CEN).

Terraform

Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where the VPC will be created
provider "alicloud" {
  region = "cn-hangzhou"
}

# Automatically obtain a list of available zones where vSwitches can be created
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query zones where vSwitches can be created in the VPC
  # available_instance_type = "ecs.g7.large"  # Query zones where ECS instances can be created in the VPC
  # available_resource_creation = "slb"  # Query zones where SLB instances can be created in the VPC
}

# Create a VPC 
resource "alicloud_vpc" "example_vpc" {
  vpc_name   = "example_vpc_name"
  cidr_block = "10.0.0.0/16" # Specify the CIDR block 
}

# Create a vSwitch 
resource "alicloud_vswitch" "example_vswitch" {
  vswitch_name = "example_vswitch_name"
  cidr_block   = "10.0.0.0/24"                                  # Specify the CIDR block 
  vpc_id       = alicloud_vpc.example_vpc.id                       # Specify the ID of the VPC to which the vSwitch belongs 
  zone_id      = data.alicloud_zones.available_zones.zones.0.id # Specify the zone to which the vSwitch belongs
}

Enable/disable IPv6

After you enable IPv6 for a VPC and a vSwitch, the system automatically creates an IPv6 gateway and assigns an IPv6 CIDR block. By default, only internal network communication is supported. If you need public network communication, you can enable IPv6 public bandwidth.

For the regions that support IPv4/IPv6 dual stack, see Regions that support IPv4/IPv6 dual stack.

Console

Enable IPv6

  • When you create a VPC and a vSwitch, you can select Assign BGP (Multi-ISP) from the IPv6 option drop-down list to enable IPv6.

  • For an existing VPC, you can click Enable IPv6 in the IPv6 CIDR Block column of the target VPC, and select Assign BGP (Multi-ISP) as the IPv6 CIDR block type. You can select Automatically Enable IPv6 For All VSwitches In The VPC, or click Enable IPv6 in the IPv6 CIDR Block column of the target vSwitch to enable IPv6 for a specific vSwitch.

Disable IPv6

You can click Disable IPv6 in the IPv6 CIDR Block column of the target VPC or vSwitch. However, to disable IPv6 for a VPC, you must first disable IPv6 for all vSwitches in the VPC and delete the IPv6 gateway of the VPC.

API

Terraform

Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where the VPC will be created
provider "alicloud" {
  region = "cn-hangzhou"
}

# Automatically obtain a list of available zones where vSwitches can be created
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query zones where vSwitches can be created in the VPC
  # available_instance_type = "ecs.g7.large"  # Query zones where ECS instances can be created in the VPC
  # available_resource_creation = "slb"  # Query zones where SLB instances can be created in the VPC
}

# Create a dual-stack VPC 
resource "alicloud_vpc" "example_vpc" {
  vpc_name    = "example_vpc_name"
  cidr_block  = "10.0.0.0/16"
  enable_ipv6 = true  # Enable IPv6, set to false to disable IPv6
  ipv6_isp    = "BGP" # Specify the IPv6 CIDR block type
}

# Create a dual-stack vSwitch 
resource "alicloud_vswitch" "example_vswitch" {
  vswitch_name         = "example_vswitch_name"
  cidr_block           = "10.0.0.0/24"
  vpc_id               = alicloud_vpc.example_vpc.id
  zone_id              = data.alicloud_zones.available_zones.zones.0.id
  enable_ipv6          = true # Enable IPv6, set to false to disable IPv6
  ipv6_cidr_block_mask = 1    # Specify the last 8 bits of the vSwitch IPv6 CIDR block 
} 

Modify CIDR blocks

When you create a VPC, the IPv4 CIDR block that you specify is the primary CIDR block of the VPC. The console does not support modifying the primary CIDR block of a VPC. However, you can set the CidrBlock parameter in the ModifyVpcAttribute operation to expand or shrink the CIDR block within the primary CIDR block. You must ensure that the shrunk CIDR block contains all IP addresses that are already in use.

The IPv4 CIDR block of a vSwitch and the IPv6 CIDR blocks assigned to a VPC and a vSwitch after IPv6 is enabled cannot be modified.
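Before calling ModifyVpcAttribute with a new CidrBlock, the requirement above is that the resized block still contain every address already in use. The following Python is an added pre-flight check written for this page (not Alibaba Cloud code, and it makes no API calls); it takes the current primary block, the proposed block, and the in-use allocations (vSwitch CIDR blocks and individual private IPs, both constructed here) and reports anything that would be left outside. It treats a proposed block as a valid resize only when it contains or is contained by the current block, which is this example's reading of "expand or shrink the CIDR block within the primary CIDR block".

```python
import ipaddress


def check_cidr_resize(current_cidr, new_cidr, in_use=()):
    """Return (kind, problems) for a proposed change of a VPC primary CIDR block.

    kind is "shrink", "expand" or "no-op"; problems lists every in-use vSwitch
    block or address that the new block would no longer contain. A block that
    neither contains nor is contained by the current one is reported as invalid.
    """
    cur = ipaddress.ip_network(current_cidr, strict=False)
    new = ipaddress.ip_network(new_cidr, strict=False)
    if new.version != cur.version:
        return "invalid", [f"{new}: IP version differs from {cur}"]
    if new.subnet_of(cur):
        kind = "no-op" if new == cur else "shrink"
    elif cur.subnet_of(new):
        kind = "expand"
    else:
        return "invalid", [f"{new} neither contains nor is contained by {cur}"]

    problems = []
    for item in in_use:
        # Single IPs parse as /32 (or /128) networks, so one containment test covers both.
        alloc = ipaddress.ip_network(item, strict=False)
        if not alloc.subnet_of(new):
            problems.append(f"{alloc} is in use but would fall outside {new}")
    return kind, problems


if __name__ == "__main__":
    # Constructed inventory: two vSwitches and one ENI private IP in a 10.0.0.0/16 VPC.
    allocated = ["10.0.0.0/24", "10.0.1.0/24", "10.0.1.25"]
    for proposal in ("10.0.0.0/17", "10.0.0.0/23", "10.0.0.0/15"):
        kind, problems = check_cidr_resize("10.0.0.0/16", proposal, allocated)
        print(proposal, kind, problems or "safe")
```

With that inventory, shrinking to /17 or /23 is safe and expanding to /15 is trivially safe; a shrink to 10.0.0.0/24 would be refused because the second vSwitch and the ENI address lie in 10.0.1.0/24.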

Use secondary CIDR blocks to expand address space

When the number of available IP addresses in a VPC is insufficient to meet the needs of business expansion, or when improper network planning leads to address shortage, you can use secondary CIDR blocks to expand the VPC address space.

Secondary CIDR blocks take effect simultaneously with the primary CIDR block and can be used to create vSwitches and deploy cloud resources such as ECS instances.

1. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as an IPv4 secondary CIDR block.
2. The address range of a secondary CIDR block cannot overlap with that of the primary CIDR block.
3. Each VPC supports adding 5 IPv4 secondary CIDR blocks and 5 IPv6 secondary CIDR blocks by default.
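The three rules above decide whether a secondary CIDR block can be added. The following Python is an added example written for this page (not Alibaba Cloud code, no API calls) that applies them to a candidate block and, for the console's "Recommended CIDR Block" option, picks the first of 10.0.0.0/16, 172.16.0.0/16 and 192.168.0.0/16 that is still usable. Beyond the page's wording it also rejects overlap with secondary blocks that are already attached, since two overlapping blocks in one VPC cannot both be routed; the existing blocks in the usage section are constructed.

```python
import ipaddress

# Ranges the page lists as not allowed for an IPv4 secondary CIDR block.
FORBIDDEN_RANGES = [ipaddress.ip_network(c) for c in
                    ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]

# The console's "Recommended CIDR Block" choices, in the order the page lists them.
RECOMMENDED_BLOCKS = ("10.0.0.0/16", "172.16.0.0/16", "192.168.0.0/16")

MAX_IPV4_SECONDARY = 5  # default per-VPC quota stated on the page


def check_secondary_cidr(primary_cidr, candidate_cidr, existing_secondaries=()):
    """Return problems with adding candidate_cidr as an IPv4 secondary CIDR block."""
    problems = []
    primary = ipaddress.ip_network(primary_cidr, strict=False)
    cand = ipaddress.ip_network(candidate_cidr, strict=False)
    if cand.version != 4:
        return [f"{cand}: only IPv4 secondary blocks are checked here"]
    if any(cand.overlaps(f) for f in FORBIDDEN_RANGES):
        problems.append(f"{cand}: overlaps a range that cannot be used as a secondary CIDR block")
    if cand.overlaps(primary):
        problems.append(f"{cand}: overlaps the primary CIDR block {primary}")
    for existing in existing_secondaries:
        e = ipaddress.ip_network(existing, strict=False)
        if cand.overlaps(e):
            problems.append(f"{cand}: overlaps existing secondary CIDR block {e}")
    if len(existing_secondaries) >= MAX_IPV4_SECONDARY:
        problems.append(f"VPC already has {len(existing_secondaries)} secondary blocks "
                        f"(default quota {MAX_IPV4_SECONDARY})")
    return problems


def pick_recommended_secondary(primary_cidr, existing_secondaries=()):
    """Return the first recommended block that passes every check, or None."""
    for block in RECOMMENDED_BLOCKS:
        if not check_secondary_cidr(primary_cidr, block, existing_secondaries):
            return block
    return None


if __name__ == "__main__":
    # Constructed VPC: primary 10.0.0.0/16 with one secondary block already attached.
    attached = ["172.16.0.0/16"]
    print(check_secondary_cidr("10.0.0.0/16", "10.0.128.0/17", attached))   # overlaps primary
    print(check_secondary_cidr("10.0.0.0/16", "169.254.0.0/16", attached))  # forbidden range
    print(pick_recommended_secondary("10.0.0.0/16", attached))             # 192.168.0.0/16
```

The quota check counts only the blocks you pass in, so feed it the VPC's actual attached secondary blocks (DescribeVpcAttribute or the console's CIDR Block Management tab) rather than a planning list.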

Console

Add a secondary CIDR block

  1. On the Basic Information page of the target VPC, click the CIDR Block Management tab. You can add IPv4 or IPv6 secondary CIDR blocks.

  2. For IPv4 secondary CIDR blocks, you can add them in three ways:

    • Recommended CIDR Block: Quickly add a CIDR block by selecting one from 10.0.0.0/16, 172.16.0.0/16, or 192.168.0.0/16.

    • Advanced CIDR Block Configuration: Customize the secondary CIDR block.

    • IPv4 CIDR Block Assigned By IPAM: Use IPAM to avoid CIDR block conflicts. If you have an IPAM address pool with preset CIDR blocks, we recommend that you select this option. To configure, first select an address pool, and then configure the Subnet Mask.

  3. For IPv6 secondary CIDR blocks:

    • If IPv6 is not enabled for the VPC, click Enable IPv6 and select Assign BGP (Multi-ISP) as the IPv6 CIDR block type. You can select Automatically Enable IPv6 For All VSwitches In The VPC, or click Enable IPv6 in the IPv6 CIDR Block column of the target vSwitch to enable IPv6 for a specific vSwitch.

    • For a VPC with IPv6 enabled, click Add IPv6 CIDR Block and select Assign BGP (Multi-ISP) as the IPv6 CIDR Block Type.

Delete a secondary CIDR block

On the Basic Information page of the target VPC, click the CIDR Block Management > IPv4 CIDR Block tab or IPv6 CIDR Block tab, find the secondary CIDR block that you want to delete, and click Delete in the Actions column.

API

Terraform

Terraform currently supports only creating IPv4 secondary CIDR blocks and does not support creating IPv6 secondary CIDR blocks.
Resources: alicloud_vpc_ipv4_cidr_block
# Specify the region where the VPC will be created
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the VPC ID
variable "vpc_id" {
  default = "vpc-xxx" # Replace with the actual VPC ID
}

# Create a secondary CIDR block in the VPC
resource "alicloud_vpc_ipv4_cidr_block" "example_secondary_cidr_block" {
  vpc_id               = var.vpc_id
  secondary_cidr_block = "192.168.0.0/16" # Specify the secondary CIDR block
}

Reserved CIDR blocks

You can reserve CIDR blocks in a vSwitch to ensure that these CIDR blocks are not occupied by other resources. Currently, reserved CIDR blocks are used only to assign IP prefixes to secondary private IP addresses of elastic network interfaces (ENIs).

1. Reserved CIDR blocks cannot contain system reserved addresses of the vSwitch.
2. Each vSwitch can have a maximum of 100 IPv4 reserved CIDR blocks and 100 IPv6 reserved CIDR blocks.
3. The subnet mask of an IPv4 reserved CIDR block cannot exceed 28 bits, and the subnet mask of an IPv6 reserved CIDR block cannot exceed 80 bits.

Console

Create a reserved CIDR block

  1. On the Basic Information page of the target vSwitch, click the Reserved CIDR Block tab. You can add IPv4 or IPv6 reserved CIDR blocks in two ways:

    • Specify CIDR Block: Precisely control the CIDR block to be reserved.

    • Specify Subnet Mask: The system automatically allocates a reserved CIDR block from available CIDR blocks.

  2. For IPv6 CIDR blocks, if IPv6 is not enabled for the vSwitch, click Enable IPv6. In the Enable IPv6 dialog box that appears, set the IPv6 CIDR block for the vSwitch.

    If IPv6 is not enabled for your VPC, in the Enable IPv6 dialog box that appears, first set IPv6 CIDR Block Type to the default Assign BGP (Multi-ISP), and then set the IPv6 CIDR block for the vSwitch.

View occupied IP segments

On the Basic Information page of the target vSwitch, click the Reserved CIDR Block > IPv4 CIDR Block tab or IPv6 CIDR Block tab, find the target reserved CIDR block, and click View Occupied IP Addresses in the Actions column. You can view the occupied IP segments and the corresponding ENIs.

Delete a reserved CIDR block

Before you delete a reserved CIDR block, make sure that no IP segments in the CIDR block are occupied.

On the Basic Information page of the target vSwitch, click the Reserved CIDR Block > IPv4 CIDR Block tab or IPv6 CIDR Block tab, find the reserved CIDR block that you want to delete, and click Delete in the Actions column.

API

Terraform

Resources: alicloud_vpc_vswitch_cidr_reservation
# Specify the region where the VPC will be created
provider "alicloud" {
  region = "cn-hangzhou" # Region where the resource is located
}

# Specify the vSwitch ID
variable "vsw_id" {
  default = "vsw-xxx" # Replace with the actual vSwitch ID
}

# Create a reserved CIDR block
resource "alicloud_vpc_vswitch_cidr_reservation" "example_cidr_reservation" {
  vswitch_id                    = var.vsw_id 
  ip_version                    = "IPv4" 
  cidr_reservation_cidr         = "10.0.0.128/26" # Specify the reserved CIDR block 
}

Create a VPC with IPAM

Manually configuring IPv4 CIDR blocks may lead to low configuration efficiency and potential address conflicts.

IPAM is a cloud-based IP address management tool that helps you automate the allocation and management of IP addresses, simplify network management processes, and avoid address conflicts. You can plan with IPAM, create IPAM and IPAM address pools, and then allocate IPv4 CIDR blocks to VPCs from IPAM address pools.

Console

Go to the Create VPC page in the VPC console, use IPv4 CIDR Block Assigned By IPAM, select an IPAM address pool, and configure the subnet mask to allocate a CIDR block from the IPAM address pool to the VPC.

After you configure the subnet mask, the system automatically allocates the first available CIDR block within the specified subnet mask range. You can also adjust the IPv4 CIDR block within the preset CIDR block of the address pool.

Before you create a VPC, make sure that you have created IPAM and IPAM address pools in the IPAM console.

API

Terraform

Resources: alicloud_vpc_ipam_ipam, alicloud_vpc_ipam_ipam_pool, alicloud_vpc_ipam_ipam_pool_cidr, alicloud_vpc
# Specify the region where IPAM, IPAM address pool, and VPC will be created
provider "alicloud" {
  region = "cn-hangzhou"
}

# Create IPAM
resource "alicloud_vpc_ipam_ipam" "example_ipam" {
  ipam_name             = "example_ipam_name"
  operating_region_list = ["cn-hangzhou"] # Specify the effective region of IPAM
}

# Create an IPAM address pool
resource "alicloud_vpc_ipam_ipam_pool" "example_parentIpamPool" {
  ipam_scope_id  = alicloud_vpc_ipam_ipam.example_ipam.private_default_scope_id # Specify the scope of the IPAM address pool
  ipam_pool_name = "example_parentIpamPool_name"
  pool_region_id = alicloud_vpc_ipam_ipam.example_ipam.region_id # Specify the effective region of the IPAM address pool
  ip_version     = "IPv4"                                     # Specify the version of the IPAM address pool
}

# Allocate a CIDR block to the IPAM address pool
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_ipamPoolCidr" {
  cidr         = "10.0.0.0/16"                                       # Specify the CIDR block
  ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM address pool
}

# Create a VPC
resource "alicloud_vpc" "example_ipam_vpc" {
  vpc_name          = "example_ipam_vpc_name"
  ipv4_ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM address pool
  ipv4_cidr_mask    = 24                                                 # IPv4 subnet mask
}

More information

Default VPC and default vSwitch

Default VPCs and vSwitches can help you quickly verify and deploy your business. However, if you need long-term network service support or want to host core production systems, we recommend that you create custom VPCs and vSwitches based on your business architecture requirements. Through fine-grained network planning, you can achieve resource isolation, security control, and elastic scaling capabilities, thereby building a cloud network environment that meets your business needs.

You can create only one default VPC in each region and only one default vSwitch in each zone. Default VPCs and vSwitches do not count against your quota allocated by Alibaba Cloud.

  • When you create an ECS, CLB, or RDS instance in a region where you have not created any VPCs, you can choose to have Alibaba Cloud create a default VPC and vSwitch. The CIDR block of the default VPC created in this way is fixed at 172.16.0.0/12.

  • In a region where no default VPC exists, you can call CreateDefaultVpc and CreateDefaultVSwitch to create a default VPC and vSwitch. The CIDR block of the default VPC created in this way is 172.xx.0.0/16.

VPCs and vSwitches that you create yourself are non-default. You can delete default VPCs and vSwitches, but you cannot convert between default and non-default VPCs and vSwitches.

System reserved addresses

The address space of a vSwitch CIDR block contains system reserved addresses that you cannot assign to cloud resources such as ECS instances.

  • For IPv4, the first IP address and the last three IP addresses of each vSwitch are reserved by the system.

    For example, if a vSwitch CIDR block is 192.168.1.0/24, the IP addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved.

  • For IPv6, the first IP address and the last nine IP addresses of each vSwitch are reserved by the system.

    For example, if a vSwitch IPv6 CIDR block is 2408:xxxx:xxxx:6eff::/64, the first IP address 2408:xxxx:xxxx:6eff:: and the last nine IP addresses 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff7, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff8, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff9, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffa, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffb, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffc, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffd, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffe, and 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:ffff are reserved by the system.

Cross-account authorization

Before you connect a VPC to a CEN instance, a virtual border router (VBR), or an Express Connect router (ECR) that belongs to a different account, you must first perform cross-account authorization in the VPC.

For authorization operations, see Authorize CEN instances across accounts, Authorize VBR instances across accounts, and Authorize ECR instances across accounts.

After successful authorization, the other account can select the VPC instance of this account when creating a VPC connection, creating a VBR connection, or associating a VPC with ECR.

1. The account here refers to an Alibaba Cloud account, not a RAM user.
2. Cross-account authorization is not supported across sites, which means it is not supported between the China site (aliyun.com) and the international site (alibabacloud.com).