Updated on 2024-04-19 GMT+08:00

Selecting a Networking Scheme

You can use enterprise routers to build a central network and to simplify the network architecture. There are two typical schemes to use Enterprise Router together with Direct Connect to allow an on-premises data center to access multiple VPCs.
Figure 1 Networking for allowing an on-premises data center to access two service VPCs directly (scheme 1)
Figure 2 Networking for allowing an on-premises data center to access two service VPCs over a transit VPC (scheme 2)
Table 1 Comparison between the two schemes

Scheme 1

  Networking Architecture: As shown in Figure 1, two service VPCs (VPC-A and VPC-B) and the Direct Connect virtual gateway are attached to an enterprise router.

  Network Path Description:
  • The enterprise router enables the two VPCs to communicate with each other.
  • Direct Connect enables the on-premises data center to access the cloud, and the enterprise router connects the on-premises data center to both VPCs.

  Remarks: For details, see How Do I Select a Networking Scheme?

Scheme 2

  Networking Architecture: As shown in Figure 2, the two service VPCs (VPC-A and VPC-B) are not attached to the enterprise router. Instead, a transit VPC (VPC-Transit) is used. The transit VPC and the Direct Connect virtual gateway are attached to the enterprise router.

  Network Path Description:
  • Each service VPC is connected to the transit VPC over a VPC peering connection.
  • Direct Connect enables the on-premises data center to access the cloud, and the enterprise router connects the on-premises data center to the two service VPCs.

  Configuration Guide: Using Enterprise Router and a Transit VPC to Allow an On-premises Data Center to Access Service VPCs

How Do I Select a Networking Scheme?

In scheme 1, the service VPCs are directly attached to the enterprise router. In scheme 2, a transit VPC is used and attached to the enterprise router. Each service VPC is connected to the transit VPC over a VPC peering connection. Compared with scheme 1, scheme 2 costs less and eliminates some constraints, as detailed below:
  • Scheme 2 uses less traffic and fewer attachments.
    • Traffic between service VPCs is routed through VPC peering connections instead of enterprise routers, reducing traffic costs.
    • Only the transit VPC is attached to the enterprise router. You can pay less for the attachments.
  • Scheme 2 frees you from the following constraints that scheme 1 has on attaching service VPCs to an enterprise router:
    • If a service VPC is used by ELB, VPC Endpoint, NAT Gateway (private NAT gateways), or DCS, contact customer service to confirm the service compatibility and preferentially use a transit VPC for networking.
    • Traffic cannot be forwarded from a VPC to the enterprise router if you set the destination of a route in the VPC route table to 0.0.0.0/0 and:
      • An ECS in the VPC has an EIP bound.
      • The VPC is being used by the ELB (either dedicated or shared load balancers), NAT Gateway, VPCEP, and DCS services.

If you still want to use scheme 1 to attach service VPCs to an enterprise router, contact customer service to evaluate the feasibility.
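The scheme 1 constraints listed above can be checked against a VPC inventory before any attachment is created. The following is an added example, not code from this documentation or from any Huawei Cloud SDK; the inventory layout, field names, and sample values are constructed assumptions.

```python
import ipaddress

# Constructed inventory; field names are hypothetical, not a Huawei Cloud API.
SAMPLE_VPCS = [
    {"name": "VPC-A", "routes": ["10.1.0.0/16"], "ecs_with_eip": [], "services": []},
    {"name": "VPC-B", "routes": ["0.0.0.0/0"], "ecs_with_eip": ["ecs-web-01"],
     "services": ["ELB"]},
    {"name": "VPC-C", "routes": ["192.168.0.0/24"], "ecs_with_eip": [],
     "services": ["DCS"]},
]

# Services the page names for scheme 1 (it says private NAT gateways in one place).
FLAGGED_SERVICES = {"ELB", "VPCEP", "NAT Gateway", "DCS"}
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def scheme1_findings(vpc):
    """List the scheme 1 constraints from this page that one service VPC hits."""
    findings = []
    used = sorted(FLAGGED_SERVICES & set(vpc["services"]))
    if used:
        findings.append("confirm compatibility: " + ", ".join(used))
    # Parse each destination so equivalent spellings of the default route match.
    has_default = any(ipaddress.ip_network(r) == DEFAULT_ROUTE for r in vpc["routes"])
    if has_default and vpc["ecs_with_eip"]:
        findings.append("0.0.0.0/0 route with EIP-bound ECS: traffic not forwarded")
    if has_default and used:
        findings.append("0.0.0.0/0 route with " + ", ".join(used) + ": traffic not forwarded")
    return findings


def review(vpcs):
    """Return (prefer_transit_vpc, per-VPC findings) for a set of service VPCs."""
    report = {v["name"]: scheme1_findings(v) for v in vpcs}
    return any(report.values()), report


if __name__ == "__main__":
    prefer_transit, report = review(SAMPLE_VPCS)
    for name, findings in report.items():
        print(name, findings or "no scheme 1 constraint from this page")
    print("prefer transit VPC (scheme 2):", prefer_transit)
```

A VPC with no findings hits none of the constraints listed on this page; the check does not replace the compatibility confirmation with customer service.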