Updated on 2024-01-18 GMT+08:00

Overview

Scenario

You can use enterprise routers to build a central network and to simplify the network architecture. There are two typical networking schemes. One is to attach the service VPCs to the enterprise router. The other is to use a transit VPC to build a network, together with VPC Peering and Enterprise Router. Compared with scheme 1, scheme 2 costs less and eliminates some restrictions, as detailed below:
  • Scheme 2 sends less traffic through the enterprise router and needs fewer attachments.
    • Traffic between service VPCs is routed through VPC peering connections instead of enterprise routers, reducing traffic costs.
    • Only the transit VPC is attached to the enterprise router. You can pay less for the attachments.
  • Scheme 2 frees you from the following constraints that scheme 1 has on attaching service VPCs to an enterprise router:
    • If a service VPC is used by ELB, VPC Endpoint, NAT Gateway (private NAT gateways), or DCS, contact customer service to confirm the service compatibility and preferentially use a transit VPC for networking.
    • Traffic cannot be forwarded from a VPC to the enterprise router if you set the destination of a route in the VPC route table to 0.0.0.0/0 and:
      • An ECS in the VPC has an EIP bound.
      • The VPC is being used by ELB, NAT Gateway, VPC Endpoint, or DCS.
    • If a VPC attached to an enterprise router has a NAT gateway associated and Scenario of the SNAT or DNAT rules is set to Direct Connect, the network from the on-premises data center to the VPC is disconnected.

Architecture

In scheme 2, service VPCs communicate with each other over VPC peering connections and with the on-premises data center using an enterprise router. Figure 1 shows the networking architecture.
  1. Create a VPC peering connection between VPC-A and VPC-Transit, and between VPC-B and VPC-Transit. Traffic between VPC-A and VPC-B is forwarded through VPC-Transit and the two VPC peering connections.
  2. VPC-Transit is connected to the enterprise router. Traffic from VPC-A and VPC-B to the on-premises data center is forwarded to the enterprise router through the transit VPC, and then to the on-premises data center over the Direct Connect connection.
Figure 1 Networking for allowing an on-premises data center to access two service VPCs over a transit VPC (scheme 2)
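To make the forwarding path in Figure 1 concrete, the following is an added example (not part of this documentation page or of Enterprise Router itself) that models the route tables of VPC-A, VPC-B, VPC-Transit and the enterprise router as data and resolves a destination hop by hop with longest-prefix matching. All CIDRs, next-hop types and names are assumptions chosen for illustration; it also flags the documented pitfall of a 0.0.0.0/0 route pointing at the enterprise router.

```python
import ipaddress

# Constructed route tables for the scheme 2 topology. CIDRs, next-hop types and
# attachment names are assumptions for this example, not values from the page.
CIDR_A, CIDR_B, CIDR_T, CIDR_DC = "10.1.0.0/16", "10.2.0.0/16", "10.0.0.0/24", "192.168.0.0/16"

ROUTE_TABLES = {
    # each route: (destination, next-hop type, next-hop target)
    "VPC-A": [(CIDR_A, "local", "VPC-A"),
              (CIDR_B, "peering", "VPC-Transit"),    # VPC-A <-> VPC-Transit peering
              (CIDR_DC, "peering", "VPC-Transit")],
    "VPC-B": [(CIDR_B, "local", "VPC-B"),
              (CIDR_A, "peering", "VPC-Transit"),    # VPC-B <-> VPC-Transit peering
              (CIDR_DC, "peering", "VPC-Transit")],
    "VPC-Transit": [(CIDR_T, "local", "VPC-Transit"),
                    (CIDR_A, "peering", "VPC-A"),
                    (CIDR_B, "peering", "VPC-B"),
                    (CIDR_DC, "enterprise_router", "ER")],  # only the transit VPC is attached
    "ER": [(CIDR_A, "vpc_attachment", "VPC-Transit"),
           (CIDR_B, "vpc_attachment", "VPC-Transit"),
           (CIDR_T, "vpc_attachment", "VPC-Transit"),
           (CIDR_DC, "dc_attachment", "DC")],        # Direct Connect attachment
}

def lookup(table_name, dst):
    """Longest-prefix match in one route table; returns the route tuple or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in ROUTE_TABLES[table_name] if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def trace(start, dst, max_hops=8):
    """Follow next hops from a VPC (or the ER) until the destination is local or reaches DC."""
    path, node = [start], start
    for _ in range(max_hops):
        route = lookup(node, dst)
        if route is None:              # no matching route: traffic is dropped at this hop
            return path + ["DROP"]
        _, hop_type, target = route
        if hop_type == "local":        # destination lives in this VPC
            return path
        path.append(target)
        if hop_type == "dc_attachment":
            return path
        node = target
    return path + ["LOOP"]

def default_route_to_er(table_name):
    """True if a VPC route table sends 0.0.0.0/0 to the enterprise router, the
    configuration the constraints above say cannot forward traffic in some cases."""
    return any(d == "0.0.0.0/0" and t == "enterprise_router" for d, t, _ in ROUTE_TABLES[table_name])
```

Running `trace("VPC-A", "192.168.1.1")` yields the on-premises path VPC-A, VPC-Transit, ER, DC, while `trace("VPC-A", "10.2.0.10")` stays on the two peering connections and never touches the enterprise router.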