A transit router CIDR block is a custom address range that you define for a Transit Router. This is similar to assigning an IP address to a loopback interface on a router. The transit router CIDR block is the pool from which the system allocates IP addresses to IPsec-VPN connections when you create vpn connections.
Background information
When you create a vpn connection, the system allocates an address from the transit router CIDR block for the IPsec-VPN connection.
If you create a private vpn connection, the system automatically allocates a gateway IP address from the transit router CIDR block to the IPsec-VPN connection. This IP address is used to establish an IPsec-VPN connection with your on-premises network.
After a route learning relationship is established between the private vpn connection and a Transit Router route table, the system automatically adds a blackhole route to the Transit Router route table that learns routes from the vpn connection. The destination of the route is the transit router CIDR block from which the gateway IP address of the IPsec-VPN connection was allocated. This blackhole route is advertised only to the route tables of VBR instances that are connected to the Transit Router.
Note: You can use the CreateTransitRouterCidr API operation and its PublishCidrRoute parameter to control whether the system adds a blackhole route to the Transit Router route table for the transit router CIDR block. For more information, see CreateTransitRouterCidr.
After a route learning relationship is established between a private vpn connection and a Transit Router route table, the Transit Router automatically learns a route to the IPsec-VPN connection. The destination is the gateway IP address of the IPsec-VPN connection, and the next hop is the vpn connection.
This route entry is added to the Transit Router route table that has a route learning relationship with the vpn connection.
If you create a public vpn connection:
In single-tunnel mode, the system allocates one public IP address from an Alibaba Cloud address pool to the IPsec-VPN connection. The public IP address is used to establish an IPsec-VPN connection with your on-premises network. At the same time, the system also allocates one IP address from the transit router CIDR block to the IPsec-VPN connection. This IP address is used for internal health checks and does not affect your network traffic.
In dual-tunnel mode, the system allocates two public IP addresses from an Alibaba Cloud address pool to the IPsec-VPN connection. Each tunnel uses one public IP address to establish a dual-tunnel mode IPsec-VPN connection with your on-premises network. The system also allocates two IP addresses from the transit router CIDR block to the IPsec-VPN connection. These IP addresses are used for internal health checks and do not affect your network traffic.
Note: For more information about dual-tunnel mode, see (Deprecated) Associate with a Transit Router.
For more information about the IP address allocation rules for transit router CIDR blocks, see IP address allocation rules for a transit router CIDR block.
Limits
Only Enterprise Edition transit routers support transit router CIDR blocks.
A Transit Router supports up to five CIDR blocks, each with a subnet mask between /16 and /24.
You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16, or their subnets as a transit router CIDR block.
Each transit router CIDR block must not overlap with CIDR blocks used for communication within the Cloud Enterprise Network (CEN) instance.
Within the same CEN instance, each transit router CIDR block must be unique.
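The limits above can be checked before a CIDR block is submitted. The following Python script is an added example written for this page, not Alibaba Cloud code; the cen_in_use parameter is an assumed input listing ranges already used for communication within the CEN instance:

```python
import ipaddress

# Limits stated on this page for Enterprise Edition transit routers.
MAX_CIDRS_PER_TRANSIT_ROUTER = 5
MIN_PREFIX, MAX_PREFIX = 16, 24
FORBIDDEN_RANGES = [ipaddress.IPv4Network(n) for n in
                    ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")]


def check_transit_router_cidrs(candidates, cen_in_use=()):
    """Return a list of violation strings; an empty list means every check passed.

    candidates: CIDR strings proposed for one Transit Router.
    cen_in_use: assumed input, CIDR strings already used within the CEN instance
                (other transit router CIDRs, attached VPC/VBR ranges).
    """
    problems, nets = [], []
    for c in candidates:
        try:
            # strict=True rejects host bits, e.g. 10.0.0.1/24
            nets.append(ipaddress.IPv4Network(c, strict=True))
        except ValueError as exc:
            problems.append(f"{c}: not a valid IPv4 CIDR block ({exc})")
    if len(nets) > MAX_CIDRS_PER_TRANSIT_ROUTER:
        problems.append(f"{len(nets)} CIDR blocks requested, "
                        f"limit is {MAX_CIDRS_PER_TRANSIT_ROUTER}")
    in_use = [ipaddress.IPv4Network(n) for n in cen_in_use]
    for net in nets:
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{net}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
        for bad in FORBIDDEN_RANGES:
            if net.subnet_of(bad):          # the range itself or any of its subnets
                problems.append(f"{net}: lies inside reserved range {bad}")
        for used in in_use:
            if net.overlaps(used):
                problems.append(f"{net}: overlaps CEN range {used}")
    # Blocks on the same Transit Router must not overlap each other.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} and {b} overlap")
    return problems
```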
IP address allocation rules
This section describes the IP address allocation rules for a transit router CIDR block.
After you add a CIDR block to a Transit Router, the system automatically reserves three /28 subnets from the transit router CIDR block when you create the first vpn connection on the Transit Router. These subnets are reserved for backend processes to create vpn connections. The system then allocates IP addresses for IPsec-VPN connections from the remaining address space in the transit router CIDR block.
When the system allocates an IP address to an IPsec-VPN connection, it first carves out a /28 subnet from the remaining address space. Within this subnet, four IP addresses are reserved for system use. The system allocates IP addresses for IPsec-VPN connections from the remaining 12 IP addresses. One IP address is allocated per tunnel. After all 12 IP addresses are used, the system carves out another /28 subnet. In each /28 subnet, four IP addresses are reserved for system use.
Example
For example, you configure 10.0.0.0/24 and 192.168.0.0/20 as the CIDR blocks for a Transit Router. Assume that 10.0.0.0/28, 10.0.0.16/28, and 10.0.0.32/28 are system-reserved subnets. The system carves out a /28 subnet, such as 10.0.0.48/28, from the remaining address space to allocate IP addresses to IPsec-VPN connections. Within the 10.0.0.48/28 subnet, four IP addresses are reserved for system use. The remaining 12 IP addresses can be used for IPsec-VPN connections. After all 12 IP addresses are used, the system carves out another /28 subnet from the remaining address space. In each /28 subnet, four IP addresses are reserved for system use.
In this scenario:
Single-tunnel mode
In single-tunnel mode, a vpn connection has one tunnel, and each tunnel consumes one IP address.
Maximum number of vpn connections that can be created in the 10.0.0.0/24 CIDR block: (2^8 ÷ 2^4 - 3) × (2^4 - 4) = 156.
Maximum number of vpn connections that can be created in the 192.168.0.0/20 CIDR block: (2^12 ÷ 2^4) × (2^4 - 4) = 3,072.
Maximum number of vpn connections that can be created on the Transit Router: 156 + 3,072 = 3,228.
Dual-tunnel mode
In dual-tunnel mode, a vpn connection has two tunnels, and each tunnel consumes one IP address.
Maximum number of vpn connections that can be created in the 10.0.0.0/24 CIDR block: (2^8 ÷ 2^4 - 3) × (2^4 - 4) ÷ 2 = 78.
Maximum number of vpn connections that can be created in the 192.168.0.0/20 CIDR block: (2^12 ÷ 2^4) × (2^4 - 4) ÷ 2 = 1,536.
Maximum number of vpn connections that can be created on the Transit Router: 78 + 1,536 = 1,614.
The caret (^) symbol indicates an exponent. For example, 2^4 = 16.
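The allocation rules and the capacity formulas above, worked through in Python as an added example that is not Alibaba Cloud's code. It follows the page's example in subtracting the three bootstrap /28 subnets from the first CIDR block only; the one assumption beyond the page is that the four system-reserved addresses are the first four of each /28.

```python
import ipaddress

# Constants taken from the allocation rules on this page.
BOOTSTRAP_SUBNETS = 3      # /28 subnets reserved when the first vpn connection is created
ALLOC_PREFIX = 28          # addresses are carved out one /28 at a time
RESERVED_PER_SUBNET = 4    # system-reserved addresses in each /28
USABLE_PER_SUBNET = 16 - RESERVED_PER_SUBNET   # 12 tunnel addresses per /28


def max_vpn_connections(cidrs, tunnels_per_connection=1):
    """Upper bound on vpn connections, per CIDR block and in total.

    Mirrors the page's arithmetic: (subnets - 3) * 12 for the first block,
    subnets * 12 for the others, divided by tunnels per connection (1 or 2).
    Returns (per_block_list, total)."""
    per_block = []
    for i, cidr in enumerate(cidrs):
        net = ipaddress.IPv4Network(cidr)
        subnets = 2 ** (ALLOC_PREFIX - net.prefixlen)
        if i == 0:
            subnets -= BOOTSTRAP_SUBNETS
        per_block.append(subnets * USABLE_PER_SUBNET // tunnels_per_connection)
    return per_block, sum(per_block)


def tunnel_address(cidr, tunnel_index, first_block=True):
    """Simulate which /28 and which address the tunnel_index-th tunnel (0-based)
    receives from one CIDR block.

    Assumption (not stated on the page): the 4 reserved addresses are the
    first 4 of each /28, so tunnels get offsets 4..15 within the subnet.
    Raises ValueError once the block is exhausted."""
    net = ipaddress.IPv4Network(cidr)
    skip = BOOTSTRAP_SUBNETS if first_block else 0
    subnet_no = skip + tunnel_index // USABLE_PER_SUBNET
    offset = RESERVED_PER_SUBNET + tunnel_index % USABLE_PER_SUBNET
    if subnet_no >= 2 ** (ALLOC_PREFIX - net.prefixlen):
        raise ValueError(f"{cidr} is exhausted: no address for tunnel {tunnel_index}")
    base = int(net.network_address) + subnet_no * (1 << (32 - ALLOC_PREFIX))
    subnet = ipaddress.IPv4Network((base, ALLOC_PREFIX))
    return str(subnet), str(subnet[offset])


if __name__ == "__main__":
    blocks = ["10.0.0.0/24", "192.168.0.0/20"]   # the page's example blocks
    print(max_vpn_connections(blocks, 1))        # ([156, 3072], 3228)
    print(max_vpn_connections(blocks, 2))        # ([78, 1536], 1614)
    print(tunnel_address("10.0.0.0/24", 0))      # ('10.0.0.48/28', '10.0.0.52')
```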
After you create vpn connections, you can view details about the system-reserved subnets and IP address allocation for IPsec-VPN connections in the Address Details panel of the transit router CIDR block. For more information, see View the allocation details of a transit router CIDR block.
Add a transit router CIDR block
You can add a CIDR block when you create a Transit Router, or add one to an existing Transit Router.
Add a CIDR block during creation
Log on to the CEN console.
On the CEN Instance page, click the ID of the CEN instance that you want to manage.
On the tab, click Create Transit Router.
In the Create Transit Router dialog box, configure the parameters and click OK.
Region: Select the region where you want to deploy the Transit Router.
Edition: The edition is automatically determined based on the selected region.
Enable Multicast: Specifies whether to enable multicast. This feature is disabled by default.
Note: Only Enterprise Edition transit routers in specific regions support multicast. For more information, see Multicast.
Name: Enter a name for the Transit Router.
Description: Enter a description for the Transit Router.
Tag: Set a tag for the Transit Router.
- Tag key: The tag key cannot be an empty string. It can be up to 64 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://.
- Tag value: The tag value can be an empty string. It can be up to 128 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://.
You can add multiple tags to a Transit Router. For more information about tags, see Tags.
Transit Router CIDR: Enter a transit router CIDR block. To add multiple CIDR blocks, click Add below the text box.
Add a CIDR block to an existing router
Log on to the CEN console.
On the CEN Instance page, click the ID of the CEN instance that you want to manage.
Go to the tab and click the ID of the transit router that you want to manage.
On the details page of the Transit Router, click the Basic Settings tab. In the Transit Router CIDR section, click Edit.
In the Modify Transit router CIDR dialog box, enter a CIDR block and click OK.
To add multiple CIDR blocks, click Add below the text box.
In the Results dialog box, click OK.
View allocation details
After you add a CIDR block to a Transit Router and create a vpn connection, the system allocates an address from the transit router CIDR block to the IPsec-VPN connection. You can view the allocation details of the CIDR block on the Basic Settings tab of the Transit Router.
Log on to the CEN console.
On the CEN Instance page, click the ID of the CEN instance that you want to manage.
Go to the tab and click the ID of the transit router that you want to manage.
On the details page of the Transit Router, click the Basic Settings tab. In the Transit Router CIDR section, click Address Details.
In the Address Details panel, view the allocation details of the transit router CIDR block.
Modify a transit router CIDR block
You cannot modify a transit router CIDR block from which IP addresses have been allocated.
To modify a transit router CIDR block from which IP addresses have been allocated, you must first delete the vpn connections that use the IP addresses. For more information, see Delete a network instance connection.
Log on to the CEN console.
On the CEN Instance page, click the ID of the CEN instance that you want to manage.
Go to the tab and click the ID of the transit router that you want to manage.
On the details page of the Transit Router, click the Basic Settings tab. In the Transit Router CIDR section, click Edit.
In the Modify Transit router CIDR dialog box, modify the transit router CIDR block and click OK.
You can perform the following operations on a transit router CIDR block:
Add a transit router CIDR block: Click Add below the text box to add a new transit router CIDR block.
Modify a transit router CIDR block: Directly modify the existing CIDR block.
Delete a transit router CIDR block: Click the delete icon to the right of the input box to delete the current transit router CIDR block.
Click OK in the Results dialog box.
Delete a transit router CIDR block
You cannot delete a transit router CIDR block from which IP addresses have been allocated.
To delete a transit router CIDR block from which IP addresses have been allocated, you must first delete the vpn connections that use the IP addresses. For more information, see Delete a network instance connection.
Log on to the CEN console.
On the CEN Instance page, click the ID of the CEN instance that you want to manage.
Go to the tab and click the ID of the transit router that you want to manage.
On the details page of the Transit Router, click the Basic Settings tab. In the Transit Router CIDR section, click Edit.
In the Modify Transit router CIDR dialog box, click the delete icon to the right of the target CIDR block, and then click OK. If the delete icon is not displayed, the CIDR block cannot be deleted. To add a new CIDR block, click Add below the input box.
Click OK in the Results dialog box.
References
CreateTransitRouterCidr: Create a transit router CIDR block.
ModifyTransitRouterCidr: Modify a transit router CIDR block.
DeleteTransitRouterCidr: Delete a transit router CIDR block.
ListTransitRouterCidr: Query the CIDR blocks that are added to a Transit Router.
ListTransitRouterCidrAllocation: Query the allocation details of a transit router CIDR block.