Updated on 2026-03-10 GMT+08:00

Enabling Cross-VPC Network Communications Between CCE Clusters

Application Scenarios

Because services in different VPCs cannot communicate with each other, CCE clusters are unable to communicate across VPCs. To resolve this, a VPC peering connection can be established between two VPCs with different CIDR blocks. This allows clusters in a VPC to access clusters or other services in another VPC.

Figure 1 Example network topology

The CIDR blocks that must be routed across the VPC peering connection depend on the cluster network model:

  • CCE standard clusters using the tunnel network or CCE Turbo clusters using the Cloud Native 2.0 network: You only need to enable communication between the VPC CIDR blocks at both ends.
  • Clusters using the VPC network: You need to enable communication between both the VPC CIDR blocks and the container CIDR blocks at both ends. This is because, in the VPC network model, clients in the same VPC as a cluster can access pods directly through their pod IP addresses, so the container CIDR block must be routable as well. For details, see Cross-VPC Cluster Connection.

For example, if the local VPC CIDR block is 172.16.0.0/16 and the peer VPC CIDR block is 172.17.0.0/16, the destination IP addresses to add to the route tables at both ends are as follows:

  • Tunnel network
    Local VPC route table: the peer VPC CIDR block (172.17.0.0/16)
    Peer VPC route table: the cluster VPC CIDR block (172.16.0.0/16)
  • VPC network
    Local VPC route table: the peer VPC CIDR block (172.17.0.0/16) and the container CIDR block of the cluster (for example, 10.0.0.0/16)
    Peer VPC route table: the cluster VPC CIDR block (172.16.0.0/16) and the container CIDR block of the cluster (for example, 10.0.0.0/16)
  • Cloud Native 2.0 network (for CCE Turbo clusters)
    Local VPC route table: the peer VPC CIDR block (172.17.0.0/16)
    Peer VPC route table: the cluster VPC CIDR block (172.16.0.0/16)

Step 1: Create a VPC Peering Connection

  1. Log in to the VPC console. In the navigation pane, choose VPC Peering Connections.
  2. In the upper right corner of the page, click Create VPC Peering Connection.
  3. Configure the parameters as instructed. For details about the parameters, see Table 1.

    Figure 2 Creating a VPC peering connection

    Table 1 Parameters for creating a VPC peering connection

    VPC Peering Connection Name
      Description: Mandatory. Enter a name for the VPC peering connection. The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_).
      Example value: peering-AB

    Local VPC
      Description: Mandatory. VPC at one end of the VPC peering connection. You can select one from the drop-down list.
      Example value: vpc-A

    Local VPC CIDR Block
      Description: CIDR block of the selected local VPC.
      Example value: vpc-A CIDR block: 172.16.0.0/16

    Account
      Description: Mandatory.
      • My account: The local and peer VPCs are from the same account.
      • Another account: The local and peer VPCs are from different accounts.
      Example value: Current account

    Peer Project
      Description: The system fills in the corresponding project by default because Account is set to My account. For example, if vpc-A and vpc-B are in account A and region A, the system fills in the corresponding project of account A in region A by default.
      Example value: None

    Peer VPC
      Description: Mandatory if Account is set to My account. VPC at the other end of the VPC peering connection. You can select one from the drop-down list.
      Example value: vpc-B

    Peer VPC CIDR Block
      Description: CIDR block of the selected peer VPC. If the local and peer VPCs have overlapping CIDR blocks, the VPC peering connection may not take effect.
      Example value: vpc-B CIDR block: 172.17.0.0/16

    Description
      Description: Optional. Enter the description of the VPC peering connection in the text box as required.
      Example value: Use peering-AB to connect vpc-A and vpc-B.

  4. After configuring the parameters, click Create Now. The dialog box for adding a route is displayed.
  5. In the displayed dialog box, click Add Now. On the VPC peering connection details page that is displayed, add routes by following the procedure in Step 2 that matches your cluster network model: For Clusters Using the Tunnel or Cloud Native 2.0 Networks for tunnel and Cloud Native 2.0 clusters, or the procedure that also adds the container CIDR block for clusters using the VPC network.

Step 2: Add Routes for the VPC Peering Connection

As the route configuration table under Application Scenarios shows, the CIDR blocks that must be routed depend on the cluster network model. Follow the procedure below that matches your cluster.

For Clusters Using the Tunnel or Cloud Native 2.0 Networks

Assume that the local VPC CIDR block is 172.16.0.0/16 and the peer VPC CIDR block is 172.17.0.0/16. To configure the route tables, take the following steps:

  1. In the lower part of the VPC peer connection details page, click Add Route. The Add Route dialog box is displayed.

    Figure 3 Adding routes for the VPC peering connection

  2. Add routes to the VPC CIDR blocks at both ends in the route tables as instructed. Table 2 describes the parameters.

    Table 2 Adding routes to both VPC CIDR blocks

    VPC
      Description: Select a VPC that is connected by the VPC peering connection.
      Example value: vpc-A

    Route Table
      Description: Select the route table of the VPC. The route will be added to this route table. Each VPC comes with a default route table to control the outbound traffic from the subnets in the VPC. In addition to the default route table, you can create a custom route table and associate it with the subnets in the VPC. Then, the custom route table controls outbound traffic of the subnets.
      • If there is only the default route table in the drop-down list, select the default route table.
      • If there are both default and custom route tables in the drop-down list, select the route table associated with the subnet connected by the VPC peering connection.
      Example value: rtb-vpc-A (Default route table)

    Destination
      Description: IP address in the VPC at the other end of the VPC peering connection. The value can be a VPC CIDR block, subnet CIDR block, or ECS IP address.
      Example value: vpc-B CIDR block: 172.17.0.0/16

    Next Hop
      Description: The default value is the current VPC peering connection. You do not need to specify this parameter.
      Example value: peering-AB

    Description
      Description: Supplementary information about the route. This parameter is optional. The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
      Example value: Route from vpc-A to vpc-B

    Add a route for the other VPC
      Description: If you select this option, you can also add a return route for the other VPC of the VPC peering connection. To allow VPCs connected through VPC peering to communicate, you must include forward and return routes in the VPCs' route tables.
      Example value: Select this option.

    VPC
      Description: By default, the system selects the other VPC connected by the VPC peering connection. You do not need to specify this parameter.
      Example value: vpc-B

    Route Table
      Description: Select the route table of the VPC that the route will be added to. Each VPC comes with a default route table to control the outbound traffic from the subnets in the VPC. In addition to the default route table, you can also create a custom route table and associate it with the subnets in the VPC. Then, the custom route table controls outbound traffic of the subnets.
      • If there is only the default route table in the drop-down list, select the default route table.
      • If there are both default and custom route tables in the drop-down list, select the route table associated with the subnet connected by the VPC peering connection.
      Example value: rtb-vpc-B (Default route table)

    Destination
      Description: IP address in the VPC at the other end of the VPC peering connection. The value can be a VPC CIDR block, subnet CIDR block, or ECS IP address.
      Example value: vpc-A CIDR block: 172.16.0.0/16

    Next Hop
      Description: The default value is the current VPC peering connection. You do not need to specify this parameter.
      Example value: peering-AB

    Description
      Description: Supplementary information about the route. This parameter is optional. The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
      Example value: Return route from vpc-B to vpc-A

  3. After configuring the routes, click OK and go back to the route list. You can view the added routes.

For clusters using the VPC network, the container CIDR block of the cluster must be routed in addition to the VPC CIDR blocks. Assume that the local VPC CIDR block is 172.16.0.0/16, the peer VPC CIDR block is 172.17.0.0/16, and the container CIDR block of the cluster is 10.0.0.0/16. To configure the route tables, take the following steps:

  1. In the lower part of the VPC peer connection details page, click Add Route. The Add Route dialog box is displayed.

    Figure 4 Adding routes for the VPC peering connection

  2. Add routes to the VPC CIDR blocks at both ends in the route tables as instructed. Table 3 describes the parameters.

    Table 3 Adding routes to both VPC CIDR blocks

    VPC
      Description: Select a VPC that is connected by the VPC peering connection.
      Example value: vpc-A

    Route Table
      Description: Select the route table of the VPC. The route will be added to this route table. Each VPC comes with a default route table to control the outbound traffic from the subnets in the VPC. In addition to the default route table, you can create a custom route table and associate it with the subnets in the VPC. Then, the custom route table controls outbound traffic of the subnets.
      • If there is only the default route table in the drop-down list, select the default route table.
      • If there are both default and custom route tables in the drop-down list, select the route table associated with the subnet connected by the VPC peering connection.
      Example value: rtb-vpc-A (Default route table)

    Destination
      Description: IP address in the VPC at the other end of the VPC peering connection. The value can be a VPC CIDR block, subnet CIDR block, or ECS IP address.
      Example value: vpc-B CIDR block: 172.17.0.0/16

    Next Hop
      Description: The default value is the current VPC peering connection. You do not need to specify this parameter.
      Example value: peering-AB

    Description
      Description: Supplementary information about the route. This parameter is optional. The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
      Example value: Route from vpc-A to vpc-B

    Add a route for the other VPC
      Description: If you select this option, you can also add a return route for the other VPC of the VPC peering connection. To allow VPCs connected through VPC peering to communicate, you must include forward and return routes in the VPCs' route tables.
      Example value: Select this option.

    VPC
      Description: By default, the system selects the other VPC connected by the VPC peering connection. You do not need to specify this parameter.
      Example value: vpc-B

    Route Table
      Description: Select the route table of the VPC that the route will be added to. Each VPC comes with a default route table to control the outbound traffic from the subnets in the VPC. In addition to the default route table, you can also create a custom route table and associate it with the subnets in the VPC. Then, the custom route table controls outbound traffic of the subnets.
      • If there is only the default route table in the drop-down list, select the default route table.
      • If there are both default and custom route tables in the drop-down list, select the route table associated with the subnet connected by the VPC peering connection.
      Example value: rtb-vpc-B (Default route table)

    Destination
      Description: IP address in the VPC at the other end of the VPC peering connection. The value can be a VPC CIDR block, subnet CIDR block, or ECS IP address.
      Example value: vpc-A CIDR block: 172.16.0.0/16

    Next Hop
      Description: The default value is the current VPC peering connection. You do not need to specify this parameter.
      Example value: peering-AB

    Description
      Description: Supplementary information about the route. This parameter is optional. The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
      Example value: Return route from vpc-B to vpc-A

  3. After configuring the routes, click OK and go back to the route list. You can view the added routes.
  4. Click Add Route and add the route of the container CIDR block of the cluster to the VPC route tables by referring to Table 4.

    Figure 5 Adding routes of the container CIDR block of a cluster

    Table 4 Configuring route parameters

    VPC: vpc-A
    Route Table: rtb-vpc-A (Default route table)
    Destination: the container CIDR block of the cluster (10.0.0.0/16 in this example)
    Next Hop: peering-AB
    Description: Route from vpc-A to vpc-B
    Add a route for the other VPC: Select this option.
    VPC: vpc-B
    Route Table: rtb-vpc-B (Default route table)
    Destination: the container CIDR block of the cluster (10.0.0.0/16 in this example)
    Next Hop: peering-AB
    Description: Return route from vpc-B to vpc-A

  5. Click OK.

Follow-Up Operations

If a cluster needs to access services in other VPCs, verify whether those cloud services permit access from outside their own VPCs. This may require adding a trustlist entry or a security group rule for the service. For a cluster using the VPC network, you must allow the container CIDR block, not only the VPC CIDR block, to reach the destination, because pod traffic from such a cluster carries pod IP addresses.

For example, if a cluster using the VPC network model needs to access an ECS in a different VPC, you must allow the cluster VPC CIDR block and its container CIDR block to pass through the ECS security group. This ensures that nodes and containers in the cluster can access the ECS.
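The route table rules from Application Scenarios and the security group check from Follow-Up Operations, as an added example that is not part of the CCE documentation. The model labels ("tunnel", "cloud-native-2.0", "vpc"), the VPC names, CIDR blocks and rule lists are constructed for illustration.

```python
# Added example, not from the CCE documentation: plans the peering routes from the
# Application Scenarios table (tunnel / Cloud Native 2.0 vs VPC network) and checks
# that a destination security group admits the required source CIDR blocks.
from ipaddress import ip_network

# Constructed values matching the page's example topology.
LOCAL_VPC, PEER_VPC, CONTAINER_CIDR = "172.16.0.0/16", "172.17.0.0/16", "10.0.0.0/16"


def cluster_source_cidrs(network_model, vpc_cidr, container_cidr):
    """CIDR blocks from which a cluster's traffic can appear at a remote destination.

    Tunnel and Cloud Native 2.0 clusters are reached through the VPC CIDR block only;
    VPC network clusters also expose pod IP addresses from the container CIDR block.
    """
    if network_model in ("tunnel", "cloud-native-2.0"):
        return [ip_network(vpc_cidr)]
    if network_model == "vpc":
        return [ip_network(vpc_cidr), ip_network(container_cidr)]
    raise ValueError(f"unknown cluster network model: {network_model}")


def plan_peering_routes(network_model, local_vpc, peer_vpc, container_cidr, peering="peering-AB"):
    """Return (local_route_table, peer_route_table) as lists of (destination, next_hop).

    Overlapping VPC CIDR blocks are rejected up front: the peering connection may not
    take effect in that case, so no route plan can fix it.
    """
    local, peer = ip_network(local_vpc), ip_network(peer_vpc)
    if local.overlaps(peer):
        raise ValueError(f"VPC CIDR blocks overlap: {local} and {peer}")
    local_table = [(str(peer), peering)]  # forward route to the peer VPC
    peer_table = [(str(local), peering)]  # return route to the cluster VPC
    if network_model == "vpc":
        # Table 4 adds the container CIDR block of the cluster to both route tables.
        local_table.append((container_cidr, peering))
        peer_table.append((container_cidr, peering))
    return local_table, peer_table


def security_group_admits(allowed_sources, network_model, vpc_cidr, container_cidr):
    """True if every required source CIDR block is fully covered by an inbound rule.

    allowed_sources are the source CIDR blocks of the destination's allow rules; ports
    and protocols are left out here, so scope real rules to the ports the service needs.
    """
    allowed = [ip_network(a) for a in allowed_sources]
    required = cluster_source_cidrs(network_model, vpc_cidr, container_cidr)
    return all(any(src.subnet_of(rule) for rule in allowed) for src in required)
```

A rule set that only trusts vpc-A returns False for a VPC network cluster, which is exactly the gap the Follow-Up Operations paragraph warns about.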