Updated on 2023-08-30 GMT+08:00

Network Planning

Before creating your VPCs, determine how many VPCs, the number of subnets, and what IP address ranges or connectivity options you will need.

How Do I Determine How Many VPCs I Need?

VPCs are region-specific. By default, networks in VPCs in different regions or even in the same region are not connected. Networks in different VPCs are completely isolated from each other, this is not the case for networks in the same VPC but in different AZs. Networks in the same VPC can communicate with each other even if they are in different AZs.

One VPC

If your services do not require network isolation, a single VPC should be enough.

Multiple VPCs

If you have multiple service systems in a region and each service system requires an isolated network, you can create a separate VPC for each service system. If you require network connectivity between separate VPCs, you can use a VPC peering connection as shown in Figure 1.

Figure 1 VPC peering connection

Default VPC Quota

By default, you can create a maximum of five VPCs in your account. If this cannot meet your service requirements, request a quota increase. For details, see What Is a Quota?

How Do I Plan Subnets?

A subnet is a unique CIDR block with a range of IP addresses in a VPC. All resources in a VPC must be deployed on subnets.

  • By default, ECSs in all subnets of the same VPC can communicate with one another, but ECSs in different VPCs cannot.

    You can create VPC peering connections to enable ECSs in different VPCs but in the same region to communicate with one another. For details, see VPC Peering Connection Overview.

  • After a subnet is created, its CIDR block cannot be modified.

    When you create a VPC, a default subnet will be created together. If you need more subnets, see Creating a Subnet for the VPC.

    The subnets used to deploy your resources must reside within your VPC, and the subnet masks used to define them can be between the netmask of its VPC CIDR block and /28 netmask.

    • 10.0.0.0 – 10.255.255.255
    • 172.16.0.0 – 172.31.255.255
    • 192.168.0.0 – 192.168.255.255

    A subnet mask can be between the netmask of its VPC CIDR block and /28 netmask. If a VPC CIDR block is 192.168.0.0/16, its subnet mask can between 16 to 28.

Subnet Planning

  • We recommend that you create different subnets for different service modules in a VPC. For example, you can create different subnets for web, application, and database servers. A web server is in a publicly accessible subnet, and application and database servers are in non-publicly accessible subnets. You can leverage network ACLs to help control access to the servers in each subnet.
  • If you only need to plan subnets for VPCs, and communication between VPCs and on-premises data centers are not required, you can create subnets within any of the CIDR blocks listed above.
  • If your VPC needs to communicate with an on-premises data center through VPN or Direct Connect, the VPC CIDR block cannot overlap with the CIDR block of the on-premises data center. Therefore, when creating a VPC or subnet, ensure that its CIDR block does not overlap with any CIDR block on the data center.
  • When determining the size of a VPC or subnet CIDR block, ensure that the number of available IP addresses on the CIDR block meet your service requirements.

Default Subnet Quota

By default, you can create up to 100 subnets in your account. If you need more, request a quota increase. For details, see What Is a Quota?

How Do I Plan Routing Policies?

A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. When you create a VPC, it automatically has a default route table, which enables internal communication within that VPC.

  • If you do not need to explicitly control how each subnet routes inbound and outbound traffic, you can use the default route table.
  • If you need to explicitly control how each subnet routes inbound and outbound traffic in a VPC, you can add custom routes to the route table.

How Do I Connect to an On-Premises Data Center?

If you require interconnection between a VPC and an on-premises data center, ensure that the VPC does not have an overlapping IP address range with the on-premises data center to be connected.

As shown in Figure 2, you have VPC 1 in region A and VPC 2 and VPC 3 in region B. To connect to an on-premises data center, they can use a VPN, as VPC 1 does in Region A; or a Direct Connect connection, as VPC 2 does in Region B. VPC 2 connects to the data center through a Direct Connect connection, but to connect to another VPC in that region, like VPC 3, a VPC peering connection must be established.

Figure 2 Connections to on-premises data centers

When planning CIDR blocks for VPC 1, VPC 2, and VPC 3:

  • The CIDR block of VPC 1 cannot overlap with the CIDR block of the on-premises data center in Region A.
  • The CIDR block of VPC 2 cannot overlap with the CIDR block of the on-premises data center in Region B.
  • The CIDR blocks of VPC 2 and VPC 3 cannot overlap.

How Do I Access the Internet?

Use EIPs to enable a small number of ECSs to access the Internet.

When only a few ECSs need to access the Internet, you can bind the EIPs to the ECSs. This will provide them with Internet access. You can also dynamically unbind the EIPs from the ECSs and bind them to NAT gateways and load balancers instead, which will also provide Internet access. The process is not complicated.

For more information about EIP, see EIP Overview.

Use a NAT gateway to enable a large number of ECSs to access the Internet.

When a large number of ECSs need to access the Internet, the public cloud provides NAT gateways for your ECSs. With NAT gateways, you do not need to assign an EIP to each ECS. NAT gateways reduce costs as you do not need so many EIPs. NAT gateways offer both source network address translation (SNAT) and destination network address translation (DNAT). SNAT allows multiple ECSs in the same VPC to share one or more EIPs to access the Internet. SNAT prevents the EIPs of ECSs from being exposed to the Internet. DNAT can implement port-level data forwarding. It maps EIP ports to ECS ports so that the ECSs in a VPC can share the same EIP and bandwidth to provide Internet-accessible services.

For more information, see NAT Gateway User Guide.

Use ELB to access the Internet If there are a large number of concurrent requests.

In high-concurrency scenarios, such as e-commerce, you can use load balancers provided by the ELB service to evenly distribute incoming traffic across multiple ECSs, allowing a large number of users to concurrently access your business system or application. ELB is deployed in the cluster mode. It provides fault tolerance for your applications by automatically balancing traffic across multiple AZs. You can also take advantage of deep integration with Auto Scaling (AS), which enables automatic scaling based on service traffic and ensures service stability and reliability.

For more information, see Elastic Load Balance User Guide.