- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Permissions Management
- VPC and Subnet
- Route Table and Route
- Virtual IP Address
-
Elastic Network Interface and Supplementary Network Interface
-
Elastic Network Interface
- Elastic Network Interface Overview
- Creating a Network Interface
- Viewing the Basic Information About a Network Interface
- Attaching a Network Interface to a Cloud Server
- Binding an EIP to a Network Interface
- Binding a Network Interface to a Virtual IP Address
- Detaching a Network Interface from an Instance or Unbinding an EIP from a Network Interface
- Changing Security Groups That Are Associated with a Network Interface
- Deleting a Network Interface
-
Supplementary Network Interfaces
- Supplementary Network Interface Overview
- Creating a Supplementary Network Interface
- Viewing the Basic Information About a Supplementary Network Interface
- Binding or Unbinding an EIP to or from a Supplementary Network Interface
- Changing Security Groups That Are Associated with a Supplementary Network Interface
- Deleting a Supplementary Network Interface
-
Network Interface Configuration Examples
- Binding an EIP to the Extended Network Interface of an ECS to Enable Internet Access
-
Configuring Policy-based Routes for an ECS with Multiple Network Interfaces
- Overview
- Collecting ECS Network Information
- Configuring IPv4 and IPv6 Policy-based Routes for a Linux ECS with Multiple Network Interfaces (CentOS)
- Configuring IPv4 and IPv6 Policy-based Routes for a Linux ECS with Multiple Network Interfaces (Ubuntu)
- Configuring IPv4 and IPv6 Policy-based Routes for a Windows ECS with Multiple Network Interfaces
-
Elastic Network Interface
-
Access Control
- Access Control Overview
-
Security Group
- Security Group and Security Group Rule Overview
- Default Security Groups
- Security Group Examples
- Common ECS Ports
- Managing a Security Group
-
Managing Security Group Rules
- Adding a Security Group Rule
- Fast-Adding Security Group Rules
- Allowing Common Ports with a Few Clicks
- Modifying a Security Group Rule
- Replicating a Security Group Rule
- Enabling or Disabling One or More Security Group Rules
- Importing and Exporting Security Group Rules
- Deleting One or More Security Group Rules
- Querying Security Group Rule Changes
- Managing Instances Added to a Security Group
- Network ACL
- IP Address Group
-
VPC Peering Connection
- VPC Peering Connection Overview
- VPC Peering Connection Usage
- Creating a VPC Peering Connection to Connect Two VPCs in the Same Account
- Creating a VPC Peering Connection to Connect Two VPCs in Different Accounts
- Obtaining the Peer Project ID of a VPC Peering Connection
- Modifying a VPC Peering Connection
- Viewing VPC Peering Connections
- Deleting a VPC Peering Connection
- Modifying Routes Configured for a VPC Peering Connection
- Viewing Routes Configured for a VPC Peering Connection
- Deleting Routes Configured for a VPC Peering Connection
- VPC Sharing
-
Edge Gateway
- Edge Gateway Overview
- Buying an Edge Gateway
- Associating VPCs with or Disassociating VPCs from an Edge Gateway
- Managing Edge Gateways
- Managing the Tags of an Edge Gateway
- Creating an Edge Connection
- Binding or Unbinding a Global Connection Bandwidth to and from an Edge Connection
- Managing Edge Connections
- IPv4/IPv6 Dual-Stack Network
- VPC Flow Log
-
Traffic Mirroring
- Traffic Mirroring
- Mirror Filters
-
Mirror Sessions
- Creating a Mirror Session
- Enabling or Disabling a Mirror Session
- Associating Mirror Sources with a Mirror Session
- Disassociating Mirror Sources from a Mirror Session
- Changing the Mirror Filter for a Mirror Session
- Changing the Mirror Target of a Mirror Session
- Modifying the Basic Information About a Mirror Session
- Viewing the Details About a Mirror Session
- Deleting a Mirror Session
- Traffic Mirroring Example Scenarios
- Monitoring and Auditing
- Managing Quotas
- Best Practices
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- APIs
-
API V3
- VPC
- Security Group
- Security Group Rule
- IP Address Group
-
Supplementary Network Interface
- Creating a Supplementary Network Interface
- Creating Supplementary Network Interfaces in Batches
- Querying Supplementary Network Interfaces
- Querying the Details of a Supplementary Network Interface
- Querying the Number of Supplementary Network Interfaces
- Updating a Supplementary Network Interface
- Deleting a Supplementary Network Interface
-
Traffic Mirror Sessions
- Querying Traffic Mirror Sessions
- Querying Details About a Traffic Mirror Session
- Creating a Traffic Mirror Session
- Updating a Traffic Mirror Session
- Deleting a Traffic Mirror Session
- Disassociating a Traffic Mirror Source from a Traffic Mirror Session
- Associating a Traffic Mirror Source with a Traffic Mirror Session
- Traffic Mirror Filters
- Traffic Mirror Filter Rules
- Network ACL
- Network ACL Tag Management
- Port
-
Native OpenStack Neutron APIs (V2.0)
- API Version Information
- Port
- Network
- Subnet
- Router
-
Network ACL
- Querying Network ACL Rules
- Querying a Network ACL Rule
- Creating a Network ACL Rule
- Updating a Network ACL Rule
- Deleting a Network ACL Rule
- Querying Network ACL Policies
- Querying a Network ACL Policy
- Creating a Network ACL Policy
- Updating a Network ACL Policy
- Deleting a Network ACL Policy
- Inserting a Network ACL Rule
- Removing a Network ACL Rule
- Querying Network ACL Groups
- Querying a Network ACL Group
- Creating a Network ACL Group
- Updating a Network ACL Group
- Deleting a Network ACL Group
- Security Group
- Application Examples
-
Permissions and Supported Actions
- Introduction
- VPC
- Subnet
- Port
- VPC Peering Connection
- VPC Route
- Route Table
- Quota
- Private IP Address
- Security Group
- Security Group Rule
- VPC Tag
- Subnet Tag
- VPC Flow Log
- Port (OpenStack Neutron API)
- Network (OpenStack Neutron API)
- Subnet (OpenStack Neutron API)
- Router (OpenStack Neutron API)
- Network ACL (OpenStack Neutron API)
- Security Group (OpenStack Neutron API)
- VPC (V3)
- Security Group (V3)
- Security Group Rule (V3)
- IP Address Group (V3)
- Supplementary Network Interface (V3)
- Mirror Session (V3)
- Mirror Filter (V3)
- Mirror Filter Rule (V3)
- Network ACL (V3)
- Network ACL Tag (V3)
- Port (V3)
- Precautions for API Permissions
- FAQs
- Out-of-Date APIs
- Appendix
- SDK Reference
-
FAQs
-
Billing and Payments
- Will I Be Billed for Using the VPC Service?
- Why Is My VPC Still Being Billed After It Was Deleted?
- How Do I View My VPC Bills?
- How Is an EIP Charged?
- How Do I Change My EIP Billing Mode Between Pay-per-Use and Yearly/Monthly?
- How Do I Change the Billing Option of a Pay-per-Use EIP Between By Bandwidth and By Traffic?
-
VPCs and Subnets
- What Is Virtual Private Cloud?
- Which CIDR Blocks Are Available for the VPC Service?
- How Many VPCs Can I Create?
- Can Subnets Communicate with Each Other?
- What Subnet CIDR Blocks Are Available?
- Can I Change the CIDR Block of a Subnet?
- How Many Subnets Can I Create?
- How Do I Make the Changed DHCP Lease Time of a Subnet Take Effect Immediately?
- How Can I Make a Domain Name in a Subnet Take Effect Immediately After Being Changed?
- Why Can't I Delete My VPCs and Subnets?
- Can I Change the VPC of an ECS?
- Why Is the ECS IP Address Released After the System Time Is Changed?
- How Do I Change the DNS Server Address of an ECS?
-
EIPs
- How Do I Assign or Retrieve a Specific EIP?
- What Are the Differences Between EIPs, Private IP Addresses, and Virtual IP Addresses?
- Can I Change the Dedicated Bandwidth Used by an EIP to a Shared Bandwidth?
- How Many ECSs Can I Bind an EIP To?
- How Do I Access an ECS with an EIP Bound from the Internet?
- What Is the EIP Assignment Policy?
- Can I Bind an EIP of an ECS to Another ECS?
- Can I Buy a Specific EIP?
- How Do I Query the Region of My EIPs?
- How Can I Unbind an Existing EIP from an Instance and Bind Another EIP to the Instance?
- Can I Bind an EIP to a Cloud Resource in Another Region?
- Can I Change the Region of an EIP?
- VPC Peering Connections
- Virtual IP Addresses
-
Bandwidth
- What Are Inbound Bandwidth and Outbound Bandwidth?
- What Are the Differences Between Static BGP, Dynamic BGP, and Premium BGP?
- How Do I Know If My EIP Bandwidth Has Been Exceeded?
- What Are the Differences Between Public Bandwidth and Private Bandwidth?
- What Bandwidth Types Are Available?
- What Are the Differences Between a Dedicated Bandwidth and a Shared Bandwidth? Can a Dedicated Bandwidth Be Changed to a Shared Bandwidth or the Other Way Around?
- How Many EIPs Can I Add to Each Shared Bandwidth?
- Can I Increase a Yearly/Monthly Bandwidth and Decrease It Later?
- What Is the Relationship Between Bandwidth and Upload/Download Rate?
-
Connectivity
- Does a VPN Allow Communication Between Two VPCs?
- Why Cannot I Access Public Websites Through Domain Names or Access Internal Domain Names on the Cloud When My ECS Has Multiple Network Interfaces?
- What Are the Priorities of the Custom Route and EIP If Both Are Configured for an ECS to Enable the ECS to Access the Internet?
- Why Are There Intermittent Interruptions When a Local Host Accesses a Website Built on an ECS?
- Why Do ECSs Using Private IP Addresses in the Same Subnet Only Support One-Way Communication?
- Why Does Communication Fail Between Two ECSs in the Same VPC or Packet Loss Occur When They Communicate?
- Why Can't My ECS Use Cloud-init?
- Why Can't My ECS Access the Internet Even After an EIP Is Bound?
- Why Is My ECS Unable to Communicate at a Layer 2 or Layer 3 Network?
- How Do I Handle a BMS Network Failure?
- Why Does My ECS Fail to Obtain an IP Address?
- How Do I Handle a VPN or Direct Connect Connection Network Failure?
- Why Can My Server Be Accessed from the Internet But Cannot Access the Internet?
- Why Can't I Access Websites Using IPv6 Addresses After IPv4/IPv6 Dual Stack Is Configured?
- Why Does My ECS Fail to Communicate with Other After It Has Firewall Installed?
- Routing
-
Security
- Does a New Security Group Rule or a Network ACL Rule Take Effect Immediately for Existing Connections?
- Why Is Outbound Access on TCP Port 25 Blocked?
- How Do I Know the Instances Associated with a Security Group?
- Why Can't I Delete a Security Group?
- Can I Change the Security Group of an ECS?
- How Do I Configure a Security Group for Multi-Channel Protocols?
- Why Are Some Ports of ECSs Inaccessible?
- Why Is Access from a Specific IP Address Still Allowed After a Network ACL Rule That Denies the Access from the IP Address Has Been Added?
- Why Are My Security Group Rules Not Working?
-
Billing and Payments
- Videos
- Glossary
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Getting Started
- VPC and Subnet
- Route Tables
-
Virtual IP Address
- Virtual IP Address Overview
- Assigning a Virtual IP Address
- Binding a Virtual IP Address to an EIP or ECS
- Binding a Virtual IP Address to an EIP
- Unbinding a Virtual IP Address from an Instance
- Unbinding a Virtual IP Address from an EIP
- Releasing a Virtual IP Address
- Disabling IP Forwarding on the Standby ECS
- Disabling Source/Destination Check for an ECS NIC
-
Elastic Network Interface and Supplementary Network Interface
-
Elastic Network Interface
- Elastic Network Interface Overview
- Creating a Network Interface
- Viewing Basic Information About a Network Interface
- Attaching a Network Interface to an Instance
- Binding a Network Interface to an EIP
- Binding a Network Interface to a Virtual IP Address
- Detaching a Network Interface from an Instance or Unbinding an EIP from a Network Interface
- Changing Security Groups That Are Associated with a Network Interface
- Deleting a Network Interface
-
Supplementary Network Interfaces
- Supplementary Network Interface Overview
- Creating a Supplementary Network Interface
- Viewing Basic Information About a Supplementary Network Interface
- Binding or Unbinding a Supplementary Network Interface to or from an EIP
- Changing Security Groups That Are Associated with a Supplementary Network Interface
- Deleting a Supplementary Network Interface
-
Elastic Network Interface
-
Access Control
- What Is Access Control?
- Security Group
- Network ACL
-
VPC Peering Connection
- VPC Peering Connection Overview
- VPC Peering Connection Usage Examples
- Creating a VPC Peering Connection with Another VPC in Your Account
- Creating a VPC Peering Connection with a VPC in Another Account
- Obtaining the Peer Project ID of a VPC Peering Connection
- Modifying a VPC Peering Connection
- Viewing VPC Peering Connections
- Deleting a VPC Peering Connection
- Modifying Routes Configured for a VPC Peering Connection
- Viewing Routes Configured for a VPC Peering Connection
- Deleting Routes Configured for a VPC Peering Connection
- VPC Flow Log
- Elastic IP
- Shared Bandwidth
- Monitoring
-
FAQ
- General Questions
- VPCs and Subnets
- EIPs
- VPC Peering Connections
- Bandwidth
-
Connectivity
- Does a VPN Allow Communication Between Two VPCs?
- Why Are Internet or Internal Domain Names in the Cloud Inaccessible Through Domain Names When My ECS Has Multiple NICs?
- What Are the Priorities of the Custom Route and EIP If Both Are Configured for an ECS to Enable the ECS to Access the Internet?
- Why Can't My ECS Access the Internet Even After an EIP Is Bound?
-
Routing
- Can a Route Table Span Multiple VPCs?
- How Many Routes Can a Route Table Contain?
- Are There Any Restrictions on Using a Route Table?
- Do the Same Routing Priorities Apply to Direct Connect Connections and Custom Routes in the Same VPC?
- Are There Different Routing Priorities of the VPN and Custom Routes in the Same VPC?
- Security
- Change History
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- Getting Started
- VPC APIs (V1/V2)
-
VPC APIs (V3)
- VPC
- Security Group
- Security Group Rule
- IP Address Group
-
Supplementary Network Interface
- Creating a Supplementary Network Interface
- Creating Supplementary Network Interfaces in Batches
- Querying Supplementary Network Interfaces
- Querying the Details of a Supplementary Network Interface
- Querying the Number of Supplementary Network Interfaces
- Updating a Supplementary Network Interface
- Deleting a Supplementary Network Interface
- Network ACL
- Network ACL Tag Management
-
Native OpenStack Neutron APIs (V2.0)
- API Version Information
- Port
- Network
- Subnet
- Router
-
Network ACL
- Querying Network ACL Rules
- Querying a Network ACL Rule
- Creating a Network ACL Rule
- Updating a Network ACL Rule
- Deleting a Network ACL Rule
- Querying Network ACL Policies
- Querying a Network ACL Policy
- Creating a Network ACL Policy
- Updating a Network ACL Policy
- Deleting a Network ACL Policy
- Inserting a Network ACL Rule
- Removing a Network ACL Rule
- Querying Network ACL Groups
- Querying a Network ACL Group
- Creating a Network ACL Group
- Updating a Network ACL Group
- Deleting a Network ACL Group
- Security Group
-
Permissions and Supported Actions
- Introduction
- VPC
- Subnet
- Port
- VPC Peering Connection
- VPC Route
- Route Table
- Quota
- Private IP Address
- Security Group
- Security Group Rule
- VPC Tag
- Subnet Tag
- Port (OpenStack Neutron API)
- Network (OpenStack Neutron API)
- Subnet (OpenStack Neutron API)
- Router (OpenStack Neutron API)
- Network ACL (OpenStack Neutron API)
- Security Group (OpenStack Neutron API)
- VPC (V3)
- Security Group (V3)
- Security Group Rule (V3)
- IP Address Group (V3)
- Supplementary Network Interface (V3)
- Network ACL (V3)
- Network ACL Tag (V3)
- Precautions for API Permissions
- Out-of-Date APIs
- Appendix
- Change History
-
User Guide (Paris Regions)
- Service Overview
- Getting Started
- VPC and Subnet
-
Access Control
- Differences Between Security Groups and Network ACLs
- Security Group
- Network ACL
- Elastic IP
- Shared Bandwidth
- Route Tables
-
VPC Peering Connection
- VPC Peering Connection Overview
- VPC Peering Connection Usage Examples
- Creating a VPC Peering Connection with Another VPC in Your Account
- Creating a VPC Peering Connection with a VPC in Another Account
- Obtaining the Peer Project ID of a VPC Peering Connection
- Modifying a VPC Peering Connection
- Viewing VPC Peering Connections
- Deleting a VPC Peering Connection
- Modifying Routes Configured for a VPC Peering Connection
- Viewing Routes Configured for a VPC Peering Connection
- Deleting Routes Configured for a VPC Peering Connection
- VPC Flow Log
-
Virtual IP Address
- Virtual IP Address Overview
- Assigning a Virtual IP Address
- Binding a Virtual IP Address to an EIP or ECS
- Binding a Virtual IP Address to an EIP
- Unbinding a Virtual IP Address from an Instance
- Unbinding a Virtual IP Address from an EIP
- Releasing a Virtual IP Address
- Disabling IP Forwarding on the Standby ECS
- Disabling Source/Destination Check for an ECS NIC
- Interconnecting with CTS
- Monitoring
-
FAQ
- General Questions
- Billing and Payments
- VPCs and Subnets
-
EIPs
- What Are the Differences Between EIP, Private IP Address, and Virtual IP Address?
- How Do I Access the Internet Using an EIP Bound to an Extension NIC?
- What Are the Differences Between the Primary and Extension NICs of ECSs?
- Can an EIP That Uses Dedicated Bandwidth Be Changed to Use Shared Bandwidth?
- Can I Bind an EIP to Multiple ECSs?
- How Do I Access an ECS with an EIP Bound from the Internet?
- Can I Bind an EIP of an ECS to Another ECS?
- How Do I Unbind an EIP from an Instance and Bind a New EIP to the Instance?
- Can I Bind an EIP to a Cloud Resource in Another Region?
- Can I Change the Region of My EIP?
- VPC Peering Connections
- Virtual IP Addresses
-
Bandwidth
- What Are Inbound Bandwidth and Outbound Bandwidth?
- How Do I Know If My EIP Bandwidth Limit Has Been Exceeded?
- What Are the Differences Between Public Bandwidth and Private Bandwidth?
- What Is the Bandwidth Size Range?
- What Bandwidth Types Are Available?
- What Are the Differences Between a Dedicated Bandwidth and a Shared Bandwidth?
- Is There a Limit to the Number of EIPs That Can Be Added to Each Shared Bandwidth?
- What Is the Relationship Between Bandwidth and Upload/Download Rate?
-
Connectivity
- Does a VPN Allow Communication Between Two VPCs?
- Why Are Internet or Internal Domain Names in the Cloud Inaccessible Through Domain Names When My ECS Has Multiple NICs?
- What Are the Priorities of the Custom Route and EIP If Both Are Configured for an ECS to Enable the ECS to Access the Internet?
- Why Are There Intermittent Interruptions When a Local Host Accesses a Website Built on an ECS?
- Why Do ECSs Using Private IP Addresses in the Same Subnet Only Support One-Way Communication?
- Why Does Communication Fail Between Two ECSs in the Same VPC or Packet Loss Occur When They Communicate?
- Why Can't My ECS Use Cloud-init?
- Why Can't My ECS Access the Internet Even After an EIP Is Bound?
- Why Does My ECS Fail to Obtain an IP Address?
- How Do I Handle a VPN or Direct Connect Connection Network Failure?
- Why Can My Server Be Accessed from the Internet But Cannot Access the Internet?
- Why Can't I Access Websites Using IPv6 Addresses After IPv4/IPv6 Dual Stack Is Configured?
- Why Does My ECS Fail to Communicate with Other After It Has Firewall Installed?
-
Routing
- How Do I Configure Policy-Based Routes for an ECS with Multiple NICs?
- Can a Route Table Span Multiple VPCs?
- How Many Routes Can a Route Table Contain?
- Are There Any Restrictions on Using a Route Table?
- Do the Same Routing Priorities Apply to Direct Connect Connections and Custom Routes in the Same VPC?
- Are There Different Routing Priorities of the VPN and Custom Routes in the Same VPC?
-
Security
- Are the Security Group Rules Considered the Same If All Parameters Except Their Description Are the Same?
- How Do I Know the Instances Associated with a Security Group?
- Why Can't I Delete a Security Group?
- Can I Change the Security Group of an ECS?
- How Do I Configure a Security Group for Multi-Channel Protocols?
- Does a Modified Security Group Rule or a Network ACL Rule Take Effect Immediately for Existing Connections?
- Which Security Group Rule Has a High Priority When Multiple Security Group Rules Conflict?
- Why Is Access from a Specific IP Address Still Allowed After a Network ACL Rule That Denies the Access from the IP Address Has Been Added?
- Why Do My Security Group Rules Not Take Effect?
- Change History
-
API Reference (Paris Regions)
- Before You Start
- API Overview
- Calling APIs
- Getting Started
-
APIs
- Virtual Private Cloud
- Subnet
- EIP
- Bandwidth
- Bandwidth (V2.0)
- Quota
- Private IP Address
- Security Group
- VPC Peering Connection
- VPC Route
- Route Table
- VPC Tag Management
- Subnet Tag Management
- EIP Tag Management
- VPC Flow Log
-
Virtual IP Address
- Virtual IP Address Overview
- Binding an ECS to a Virtual IP Address
- Accessing a Virtual IP Address Using an EIP
- Using a VPN to Access the Virtual IP Address
- Using a Direct Connect Connection to Access the Virtual IP Address
- Using a VPC Peering Connection to Access the Virtual IP Address
- Disabling Source and Destination Check (HA Load Balancing Cluster Scenario)
- API V3
-
Native OpenStack Neutron APIs (V2.0)
- API Version Information
- Port
- Network
- Subnet
- Router
- Floating IP Address
-
Network ACL
- Querying Network ACL Rules
- Querying a Network ACL Rule
- Creating a Network ACL Rule
- Updating a Network ACL Rule
- Deleting a Network ACL Rule
- Querying Network ACL Policies
- Querying a Network ACL Policy
- Creating a Network ACL Policy
- Updating a Network ACL Policy
- Deleting a Network ACL Policy
- Inserting a Network ACL Rule
- Removing a Network ACL Rule
- Querying Network ACL Groups
- Querying a Network ACL Group
- Creating a Network ACL Group
- Updating a Network ACL Group
- Deleting a Network ACL Group
- Security Group
- Application Examples
-
Permissions Policies and Supported Actions
- VPC
- Subnet
- EIP
- Bandwidth
- Bandwidth (V2.0)
- EIP V3
- VPC Peering Connection
- VPC Route
- Route Table
- Quota
- Private IP Address
- Security Group
- VPC Flow Log
- Port (OpenStack Neutron API)
- Network (OpenStack Neutron API)
- Subnet (OpenStack Neutron API)
- Router (OpenStack Neutron API)
- Floating IP Address (OpenStack Neutron API)
- Network ACL (OpenStack Neutron API)
- Security Group (OpenStack Neutron API)
- Precautions for API Permissions
- Appendix
- Change History
-
User Guide (Kuala Lumpur Region)
- Service Overview
- Getting Started
- VPC and Subnet
- Route Tables
- Virtual IP Address
-
Access Control
- What Is Access Control?
- Security Group
- Network ACL
-
VPC Peering Connection
- VPC Peering Connection Overview
- VPC Peering Connection Usage Examples
- Creating a VPC Peering Connection with Another VPC in Your Account
- Creating a VPC Peering Connection with a VPC in Another Account
- Obtaining the Peer Project ID of a VPC Peering Connection
- Modifying a VPC Peering Connection
- Viewing VPC Peering Connections
- Deleting a VPC Peering Connection
- Modifying Routes Configured for a VPC Peering Connection
- Viewing Routes Configured for a VPC Peering Connection
- Deleting Routes Configured for a VPC Peering Connection
- VPC Flow Log
- Elastic IP
- Shared Bandwidth
- Interconnecting with CTS
- Monitoring
-
FAQ
- General Questions
- VPCs and Subnets
- EIPs
- VPC Peering Connections
- Bandwidth
- Connectivity
-
Routing
- Can a Route Table Span Multiple VPCs?
- How Many Routes Can a Route Table Contain?
- Are There Any Restrictions on Using a Route Table?
- Do the Same Routing Priorities Apply to Direct Connect Connections and Custom Routes in the Same VPC?
- Are There Different Routing Priorities of the VPN and Custom Routes in the Same VPC?
- Security
- Change History
-
API Reference (Kuala Lumpur Region)
- Before You Start
- API Overview
- Calling APIs
- Getting Started
- APIs
-
Native OpenStack Neutron APIs (V2.0)
- API Version Information
- Port
- Network
- Subnet
- Router
-
Network ACL
- Querying Network ACL Rules
- Querying a Network ACL Rule
- Creating a Network ACL Rule
- Updating a Network ACL Rule
- Deleting a Network ACL Rule
- Querying Network ACL Policies
- Querying a Network ACL Policy
- Creating a Network ACL Policy
- Updating a Network ACL Policy
- Deleting a Network ACL Policy
- Inserting a Network ACL Rule
- Removing a Network ACL Rule
- Querying Network ACL Groups
- Querying a Network ACL Group
- Creating a Network ACL Group
- Updating a Network ACL Group
- Deleting a Network ACL Group
- Security Group
-
Permissions Policies and Supported Actions
- VPC
- Subnet
- Port
- VPC Peering Connection
- Quota
- Private IP Address
- Security Group
- Security Group Rule
- VPC Tags
- Subnet Tags
- Port (OpenStack Neutron API)
- Network (OpenStack Neutron API)
- Subnet (OpenStack Neutron API)
- Router (OpenStack Neutron API)
- Network ACL (OpenStack Neutron API)
- Security Group (OpenStack Neutron API)
- Precautions for API Permissions
- Out-of-Date APIs
- Appendix
- Change History
-
User Guide (Ankara Region)
- Service Overview
- Getting Started
- VPC and Subnet
- Route Tables
-
Virtual IP Address
- Virtual IP Address Overview
- Assigning a Virtual IP Address
- Binding a Virtual IP Address to an EIP or ECS
- Binding a Virtual IP Address to an EIP
- Unbinding a Virtual IP Address from an Instance
- Unbinding a Virtual IP Address from an EIP
- Releasing a Virtual IP Address
- Disabling IP Forwarding on the Standby ECS
- Disabling Source/Destination Check for an ECS NIC
-
Elastic Network Interface and Supplementary Network Interface
-
Elastic Network Interface
- Elastic Network Interface Overview
- Creating a Network Interface
- Viewing Basic Information About a Network Interface
- Attaching a Network Interface to an Instance
- Binding a Network Interface to an EIP
- Binding a Network Interface to a Virtual IP Address
- Detaching a Network Interface from an Instance or Unbinding an EIP from a Network Interface
- Changing Security Groups That Are Associated with a Network Interface
- Deleting a Network Interface
-
Supplementary Network Interfaces
- Supplementary Network Interface Overview
- Creating a Supplementary Network Interface
- Viewing Basic Information About a Supplementary Network Interface
- Binding or Unbinding a Supplementary Network Interface to or from an EIP
- Changing Security Groups That Are Associated with a Supplementary Network Interface
- Deleting a Supplementary Network Interface
-
Elastic Network Interface
-
Access Control
- What Is Access Control?
- Security Group
- Network ACL
-
VPC Peering Connection
- VPC Peering Connection Overview
- VPC Peering Connection Usage Examples
- Creating a VPC Peering Connection with Another VPC in Your Account
- Creating a VPC Peering Connection with a VPC in Another Account
- Obtaining the Peer Project ID of a VPC Peering Connection
- Modifying a VPC Peering Connection
- Viewing VPC Peering Connections
- Deleting a VPC Peering Connection
- Modifying Routes Configured for a VPC Peering Connection
- Viewing Routes Configured for a VPC Peering Connection
- Deleting Routes Configured for a VPC Peering Connection
- VPC Flow Log
- Elastic IP
- Shared Bandwidth
- Monitoring
- Permissions Management
-
FAQ
- General Questions
- VPCs and Subnets
- EIPs
- VPC Peering Connections
- Bandwidth
- Connectivity
- Routing
-
Security
- Does a Modified Security Group Rule or a Network ACL Rule Take Effect Immediately for Existing Connections?
- Why Can't I Delete a Security Group?
- Can I Change the Security Group of an ECS?
- How Do I Configure a Security Group for Multi-Channel Protocols?
- Which Security Group Rule Has a High Priority When Multiple Security Group Rules Conflict?
- Change History
-
API Reference (Ankara Region)
- Before You Start
- API Overview
- Calling APIs
- Getting Started
- APIs
- API V3
-
Native OpenStack Neutron APIs (V2.0)
- API Version Information
- Port
- Network
- Subnet
- Router
- Floating IP Address
-
Network ACL
- Querying Network ACL Rules
- Querying a Network ACL Rule
- Creating a Network ACL Rule
- Updating a Rule
- Deleting a Network ACL Rule
- Querying Network ACL Policies
- Querying a Network ACL Policy
- Creating a Network ACL Policy
- Updating a Network ACL Policy
- Deleting a Network ACL Policy
- Inserting a Network ACL Rule
- Removing a Network ACL Rule
- Querying Network ACL Groups
- Querying a Network ACL Group
- Creating a Network ACL Group
- Updating a Network ACL Group
- Deleting a Network ACL Group
- Security Group
-
Permissions Policies and Supported Actions
- Introduction
- VPC
- Subnet
- EIP
- Bandwidth
- Bandwidth (V2.0)
- EIP V3
- Port
- VPC Peering Connection
- VPC Route
- Route Table
- Quota
- Private IP Address
- Security Group
- Security Group Rule
- Port (OpenStack Neutron API)
- Network (OpenStack Neutron API)
- Subnet (OpenStack Neutron API)
- Router (OpenStack Neutron API)
- Floating IP Address (OpenStack Neutron API)
- Network ACL (OpenStack Neutron API)
- Security Group (OpenStack Neutron API)
- Precautions for API Permissions
- Appendix
- Change History
-
User Guide (ME-Abu Dhabi Region)
- General Reference
Copied.
VPC Sharing Overview
What Is VPC Sharing?
VPC sharing allows multiple accounts to create and manage cloud resources, such as ECSs, load balancers, and RDS instances, in one VPC. With Resource Access Manager (RAM), you can share subnets in a VPC with one or more accounts so you can centrally manage resources in multiple accounts. This helps you improve resource management efficiency and reduce O&M costs.
- Account A: IT management account of the enterprise and the owner of the VPC and subnets.
Account A creates a VPC and four subnets and shares these subnets with other accounts. Account A creates resources in Subnet-01.
- Account B: service account of the enterprise and the principal of the shared subnet. Account B creates resources in Subnet-02.
- Account C: service account of the enterprise and the principal of the shared subnet. Account C creates resources in Subnet-03.
- Account D: service account of the enterprise and the principal of the shared subnet. Account D creates resources in Subnet-04.
The subnets of the owner and those of the principals are in the same VPC, so resources in these subnets can communicate with each other by default. However, if the resources in the subnets are associated with different security groups, the resources are isolated from each other. If you want the resources to communicate with each other, you need to add security group rules by referring to Adding a Security Group Rule.
For example, to allow ECSs in accounts A and B to communicate with each other, you need to add inbound rules to their security groups and set the source to the security group in the other account.
Advantages
- There are multiple accounts, such as network accounts, security accounts, and service accounts. This makes cross-account resource O&M hard and time-consuming.
- The cross-account network configurations result in a complex networking structure, hard user operations, and low efficiency.
To deal with these problems, you can share subnets with multiple accounts. You can organize accounts in an orderly and centralized manner based on organization structure or business model.
- You can create subnets in a VPC under an account and share the subnets with principals. In this way, principals do not need to create VPCs and subnets. Fewer resources and simplified network architecture improves management efficiency and reduces costs.
If there are VPCs in different accounts, VPC peering connections are required for mutual communications among VPCs. With VPC sharing, different accounts can create resources in one VPC. This eliminates the need for configuring VPC peering connections and simplifies the network structure.
- Resources can be centrally managed in one account, which helps enterprises configure service security policies in a centralized manner and better monitor and audit resource usage for higher security.
Process for Sharing a Subnet
Before sharing a subnet, you need to enable the RAM service in your account. For details, see Resource Access Manager User Guide.
As the owner of VPC subnets, you can share the subnets with other accounts. Principals need to accept the sharing requests before they use the subnets. Figure 2 shows the process of sharing a subnet.
You can share a subnet on the RAM or VPC console. For details, see Table 1.
Method |
Description |
Reference |
---|---|---|
Method 1 |
Creating a resource share to share a subnet
|
|
Method B |
Using an existing resource share to share a subnet
|
Operation Permissions on a Shared Subnet
The owner and principals of a shared subnet have different operation permissions on the subnet and associated resources. For details, see Table 2.
Role |
When a Share Is Accepted |
When a Share Is Stopped |
When the Principals Leave a Share |
---|---|---|---|
Owner |
|
|
|
Principal |
|
Uses the existing resources created by themselves, but cannot create resources in the shared subnet. |
Uses the existing resources created by themselves, but cannot create resources in the shared subnet. |
Resource |
Owner |
Principal |
---|---|---|
VPC |
Has all operation permissions on the VPC of a shared subnet. |
Only can view the VPC that the shared subnet belongs to, but cannot perform any operations on the VPC. |
Subnet |
Has all operation permissions on the shared subnet and can view the virtual IP addresses and network interfaces in the shared subnet. |
Only can view the shared subnet, but cannot:
Can assign virtual IP addresses and network interfaces in the subnet. |
Route table |
Has all operation permissions on the route table. |
|
Network ACL |
Has all operation permissions on the network ACL. |
|
Security group |
|
|
IP address group |
IP address groups are independent of each other. Owners can create an IP address group and associate it with their own security groups. |
IP address groups are independent of each other. Principals can create an IP address group and associate it with their own security groups. |
VPC flow log |
|
Can create a flow log with Resource Type set to NIC. Traffic on all network interfaces of the principal will be recorded in this flow log. |
VPC peering connection |
Selects the VPC with subnets shared with other accounts to create a VPC peering connection. |
Cannot select the VPC with subnets shared with other accounts to create a VPC peering connection. |
NAT gateway |
Creates and manages NAT gateways in the shared subnet. |
Cannot create NAT gateways in the shared subnet. |
VPN gateway |
Creates and manages VPN gateways in the shared subnet. |
Cannot create VPN gateways in the shared subnet. |
Enterprise router |
Attaches the VPC with subnets shared with other accounts to an enterprise router. |
Cannot attach the VPC with subnets shared with other accounts to an enterprise router. |
Enterprise switch |
Creates and manages enterprise switches in the shared subnet. |
Cannot create enterprise switches in the shared subnet. |
Direct Connect connection |
Creates and manages Direct Connect connections in the shared subnet. |
Cannot create Direct Connect connections in the shared subnet. |
Cloud connection |
Loads the VPC with subnets shared with other accounts to a cloud connection. |
Cannot load the VPC with subnets shared with other accounts to a cloud connection. |
VPC endpoint |
Creates and manages VPC endpoints in the shared subnet. |
Cannot create VPC endpoints in the shared subnet. |
Tag |
Adds and manages tags in the shared subnet. |
Cannot add tags in the shared subnet. |
Billing
You only need to pay for the resources (such as ECSs, load balancers, and RDS instances) you create in the shared subnets. For details, see the billing description of each cloud resource.
Quotas
Notes and Constraints
- A principal can receive a maximum of 100 subnet shares.
- A subnet can be shared with a maximum of 100 principals.
- The following cloud resources can be created in a shared subnet:
- ECSs
- BMSs
- Dedicated load balancers
- CCE turbo clusters
- API gateways
- Kafka instances
- ServiceStage environments
- ServiceComb engines
- FunctionGraph functions
- DCS instances
- GaussDB instances
- TaurusDB
- GeminiDB Influx instances
- GeminiDB Redis instances
- GeminiDB Cassandra instances
- RDS for MySQL instances
- RDS for PostgreSQL instances
- DDS cluster instances
- Dedicated HSM instances
- Database audit instances
- CBH instances
- GaussDB(DWS) instances
- DataArts Studio instances
- CSS clusters
- Network connections between DLI and resources
- CDM clusters
- Workspace
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot