Enabling Cross-VPC Network Communications Between CCE Clusters

Application Scenarios

Because services in different VPCs cannot communicate with each other, CCE clusters are unable to communicate across VPCs. To resolve this, a VPC peering connection can be established between two VPCs with different CIDR blocks. This allows clusters in one VPC to access clusters or other services in the other VPC.

Figure 1 Example network topology

To enable cross-VPC access, clusters with different network models must communicate with each other across different CIDR blocks. For example, if the local VPC CIDR block of a cluster is 172.16.0.0/16 and the peer VPC CIDR block is 172.17.0.0/16, the routing tables at both ends should be configured as follows.

Step 1: Create a VPC Peering Connection

1. Log in to the VPC peering connection console.
2. In the upper right corner of the page, click Create VPC Peering Connection.

   The Create VPC Peering Connection page is displayed.

3. Configure the parameters following instructions.

   For details about the parameters, see Table 1.

   Figure 2 Creating a VPC peering connection
   

   Table 1 Parameters for creating a VPC peering connection

   Parameter	Description	Example Value
   VPC Peering Connection Name	Mandatory. Enter a name for the VPC peering connection. The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_).	peering-AB
   Local VPC	Mandatory. VPC at one end of the VPC peering connection. You can select one from the drop-down list.	vpc-A
   Local VPC CIDR Block	CIDR block of the selected local VPC	vpc-A CIDR block: 172.16.0.0/16
   Account	Mandatory. My account: The local and peer VPCs are from the same account. Another account: The local and peer VPCs are from different accounts.	Current account
   Peer Project	The system fills in the corresponding project by default because Account is set to My account. For example, if vpc-A and vpc-B are in account A and region A, the system fills in the correspond project of account A in region A by default.	None
   Peer VPC	This parameter is mandatory if Account is set to My account. VPC at the other end of the VPC peering connection. You can select one from the drop-down list.	vpc-B
   Peer VPC CIDR Block	CIDR block of the selected peer VPC If the local and peer VPCs have overlapping CIDR blocks, the VPC peering connection may not take effect.	vpc-B CIDR block: 172.17.0.0/16
   Description	This parameter is optional. Enter the description of the VPC peering connection in the text box as required.	Use peering-AB to connect vpc-A and vpc-B.

4. Click Create Now.

   A dialog box for adding routes is displayed.

5. In the displayed dialog box, click Add Now. On the displayed page about the VPC peering connection details, go to Step 2: Add Routes for the VPC Peering Connection to add a route.

Step 2: Add Routes for the VPC Peering Connection

1. In the lower part of the VPC peering connection details page, click Add Route.

   The Add Route dialog box is displayed.

   Figure 3 Adding routes for the VPC peering connection
   

2. Add routes to the VPC route tables following instructions.

   Table 2 describes the parameters.

   Table 2 Parameters

   Parameter	Description	Example Value
   VPC	Select a VPC that is connected by the VPC peering connection.	vpc-A
   Route Table	Select the route table of the VPC. The route will be added to this route table. Each VPC comes with a default route table to control the outbound traffic from the subnets in the VPC. In addition to the default route table, you can also create a custom route table and associate it with the subnets in the VPC. Then, the custom route table controls outbound traffic of the subnets. If there is only the default route table in the drop-down list, select the default route table. If there are both default and custom route tables in drop-down list, select the route table associated with the subnet connected by the VPC peering connection.	rtb-vpc-A (Default route table)
   Destination	IP address in the VPC at the other end of the VPC peering connection. The value can be VPC CIDR block, subnet CIDR block, or ECS IP address.	vpc-B CIDR block: 172.17.0.0/16
   Next Hop	The default value is the current VPC peering connection. You do not need to specify this parameter.	peering-AB
   Description	Supplementary information about the route. This parameter is optional. The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).	Route from vpc-A to vpc-B
   Add a route for the other VPC	If you select this option, you can also add a route for the other VPC connected by the VPC peering connection. To enable communications between VPCs connected by a VPC peering connection, you need to add forward and return routes to the route tables of the VPCs.	Select this option.
   VPC	By default, the system selects the other VPC connected by the VPC peering connection. You do not need to specify this parameter.	vpc-B
   Route Table	Select the route table of the VPC. The route will be added to this route table. Each VPC comes with a default route table to control the outbound traffic from the subnets in the VPC. In addition to the default route table, you can also create a custom route table and associate it with the subnets in the VPC. Then, the custom route table controls outbound traffic of the subnets. If there is only the default route table in the drop-down list, select the default route table. If there are both default and custom route tables in drop-down list, select the route table associated with the subnet connected by the VPC peering connection.	rtb-vpc-B (Default route table)
   Destination	IP address in the VPC at the other end of the VPC peering connection. The value can be VPC CIDR block, subnet CIDR block, or ECS IP address.	vpc-A CIDR block: 172.16.0.0/16
   Next Hop	The default value is the current VPC peering connection. You do not need to specify this parameter.	peering-AB
   Description	Supplementary information about the route. This parameter is optional. The route description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).	Route from vpc-B to vpc-A.

   

   If the cluster network model in the local VPC is a VPC network, follow the preceding steps to add the CIDR block of the cluster container to the route tables at both ends as the destination IP address. In this example, the destination IP address is 10.0.0.0/16.

3. Click OK.

   You can check the routes in the route list.

Follow-Up Operations

If a cluster needs to access services in other VPCs, it is important to verify if those cloud services permit access outside the VPC. This may involve adding a trustlist or security group to enable access to certain services. In the case of a cluster using the VPC network model, you must allow the container CIDR block to pass the destination ends.

For example, if a cluster using the VPC network model needs to access an ECS in a different VPC, you must allow the VPC CIDR block where the cluster is located and its container CIDR block to pass through the ECS security group. This ensures that nodes and containers in the cluster can access the ECS.