A Virtual Private Cloud (VPC) is a private, isolated network in the cloud that gives you full control. A VPC is a region-level resource where you can create and use Alibaba Cloud resources, such as ECS and RDS instances.
A vSwitch is a zone-level resource that you can use to divide a VPC into subnets. vSwitches within the same VPC can communicate with each other over the internal network. By deploying cloud resources across vSwitches in different zones, you can protect your applications from single-zone failures.
Network planning
Proper network planning is essential to avoid CIDR block conflicts and ensure network scalability. Improper planning can lead to costly rebuilds. Therefore, we recommend that you plan your network before you create a VPC.
Create or delete VPCs and vSwitches
Console
Create VPC and vSwitch
Go to the Create VPC page in the VPC console.
Configure the VPC:
Region: Select the region where you plan to create cloud resources.
IPv4 CIDR block: Select a suggested CIDR block provided by the console, or enter a custom one. When connecting multiple VPCs, we recommend using non-overlapping CIDR blocks to prevent conflicts. To avoid CIDR block conflicts and ensure network scalability, we recommend that you create a VPC by using IPAM.
1. We recommend that you use the private IPv4 addresses specified in RFC 1918 for the VPC's CIDR block, with a mask length between 16 and 28. Examples include 10.0.0.0/16, 172.16.0.0/16, and 192.168.0.0/16.
2. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as the IPv4 CIDR block for a VPC.
Configure the vSwitch:
Zone: Select the zone where you will create cloud resources. Base your choice on resource availability, because some resource types may be sold out in a given zone.
IPv4 CIDR block: Select the default CIDR block provided by the console, or adjust the address range as needed.
Add more vSwitches: To protect your applications from single-zone failures, we recommend that you create multiple vSwitches in different zones. You can create vSwitches while you create the VPC, or add more later on the vSwitches page in the VPC console.
Delete VPC and vSwitch
In the Actions column of the target VPC or vSwitch, or on its details page, click Delete. The system checks for any unreleased cloud resources or associated resources. If any dependencies exist, you must release them before you can delete the VPC or vSwitch.
1. Before you delete a vSwitch, make sure that it is not shared, not bound to a custom route table or network ACL, and that all cloud resources within it are released.
2. Before you delete a VPC, make sure that all resources within it are released and that its connections to other network services, such as CEN, are removed.
API
Unlike in the console, calling the CreateVpc operation only creates an empty VPC. You must also call the CreateVSwitch operation to create a vSwitch.
Call CreateVpc and then CreateVSwitch to create a VPC and a vSwitch.
Call DeleteVSwitch and then DeleteVpc to delete a vSwitch and a VPC.
1. Before you delete a vSwitch, make sure that it is not shared, not bound to a custom route table or network ACL, and that all cloud resources within it are released.
2. Before you delete a VPC, make sure that all resources within it are released and that its connections to other network services, such as CEN, are removed.
Terraform
Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where you want to create the VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Use a data source to automatically retrieve a list of zones where you can create vSwitches.
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query for zones where vSwitches can be created in the VPC.
  # available_instance_type = "ecs.g7.large" # Query for zones where ECS instances can be created in the VPC.
  # available_resource_creation = "slb" # Query for zones where SLB instances can be created in the VPC.
}

# Create a VPC.
resource "alicloud_vpc" "example_vpc" {
  vpc_name   = "example_vpc_name"
  cidr_block = "10.0.0.0/16" # Specify the CIDR block.
}

# Create a vSwitch.
resource "alicloud_vswitch" "example_vswitch" {
  vswitch_name = "example_vswitch_name"
  cidr_block   = "10.0.0.0/24" # Specify the CIDR block.
  vpc_id       = alicloud_vpc.example_vpc.id # Specify the ID of the VPC to which the vSwitch belongs.
  zone_id      = data.alicloud_zones.available_zones.zones.0.id # Specify the zone to which the vSwitch belongs.
}
Enable or disable IPv6
After you enable IPv6 for a VPC and its vSwitches, only private communication is supported by default. To enable public internet access, you can enable public bandwidth for IPv6.
For the list of regions that support IPv4/IPv6 dual-stack, see Regions that support IPv4/IPv6 dual-stack.
Console
Enable IPv6
When creating a VPC and a vSwitch, you can enable IPv6 in one of the following ways:
Select Allocated by system, and then select Assign BGP (Multi-ISP) from the drop-down list. The system automatically creates an IPv6 Gateway and assigns an IPv6 CIDR block.
To centrally manage IP addresses, select Allocated by IPAM. Choose an IPAM pool with a pre-provisioned IPv6 CIDR block, and then configure a mask or specify a CIDR block to allocate an IPv6 CIDR block from the pool.
For an existing VPC, click Enable IPv6 in the IPv6 CIDR column:
Select Allocated by system or Allocated by IPAM.
If you choose system allocation, you can select the Automatically Enable IPv6 for All vSwitches checkbox. If you do not select this checkbox or if you choose allocation by IPAM, you must navigate to the target vSwitch and click Enable IPv6 in its IPv6 CIDR column.
Disable IPv6
In the IPv6 CIDR column for the target VPC or vSwitch, click Disable IPv6. To disable IPv6 for a VPC, you must first disable IPv6 for all its vSwitches and delete the associated IPv6 Gateway.
API
Unlike in the console, an IPv6 Gateway is not automatically created when you enable IPv6 for a VPC and a vSwitch by calling an API. You must call CreateIpv6Gateway to create one yourself.
When you create a VPC and a vSwitch, set the EnableIPv6 parameter in CreateVpc and CreateVSwitch to enable or disable IPv6. When you create a VPC, specify the Ipv6IpamPoolId and Ipv6CidrMask parameters to allocate an IPv6 CIDR block from a specified IPv6 IPAM pool to the VPC.
For existing VPCs and vSwitches, modify the EnableIPv6 parameter of ModifyVpcAttribute and ModifyVSwitchAttribute to enable or disable IPv6. To assign an IPv6 CIDR block to a VPC from a specified IPv6 address pool, call AssociateVpcCidrBlock.
Terraform
Terraform currently supports only system-allocated IPv6 CIDR blocks. Allocation from an IPAM pool is not supported.
Resources: alicloud_vpc, alicloud_vswitch
Data Sources: alicloud_zones
# Specify the region where you want to create the VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Use a data source to automatically retrieve a list of zones where you can create vSwitches.
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query for zones where vSwitches can be created in the VPC.
  # available_instance_type = "ecs.g7.large" # Query for zones where ECS instances can be created in the VPC.
  # available_resource_creation = "slb" # Query for zones where SLB instances can be created in the VPC.
}

# Create a dual-stack VPC.
resource "alicloud_vpc" "example_vpc" {
  vpc_name    = "example_vpc_name"
  cidr_block  = "10.0.0.0/16"
  enable_ipv6 = true # Enable IPv6. Set the value to false to disable IPv6.
  ipv6_isp    = "BGP" # Specify the type of the IPv6 CIDR block.
}

# Create a dual-stack vSwitch.
resource "alicloud_vswitch" "example_vswitch" {
  vswitch_name         = "example_vswitch_name"
  cidr_block           = "10.0.0.0/24"
  vpc_id               = alicloud_vpc.example_vpc.id
  zone_id              = data.alicloud_zones.available_zones.zones.0.id
  enable_ipv6          = true # Enable IPv6. Set the value to false to disable IPv6.
  ipv6_cidr_block_mask = 1 # Specify the last 8 bits of the IPv6 CIDR block for the vSwitch.
}
Modify CIDR blocks
The IPv4 CIDR block that you specify when you create a VPC is its primary CIDR block. You cannot modify the primary CIDR block in the console, but you can call the ModifyVpcAttribute operation and specify the CidrBlock parameter to expand or shrink the CIDR block. If you shrink the CIDR block, you must ensure that the new CIDR block contains all IP addresses that are already in use.
The IPv6 CIDR block of a VPC and the IPv4 or IPv6 CIDR blocks of a vSwitch cannot be modified.
Secondary CIDR blocks
If a VPC has insufficient available IP addresses for business growth, or if the initial network plan was inadequate, you can add a secondary CIDR block to expand its address space.
The secondary CIDR block works alongside the primary CIDR block and can be used to create vSwitches and deploy cloud resources such as ECS instances.
1. You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as a secondary IPv4 CIDR block.
2. The secondary CIDR block cannot overlap with the primary CIDR block.
3. By default, you can add up to five secondary IPv4 CIDR blocks and five secondary IPv6 CIDR blocks to each VPC.
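The VPC CIDR rules from the Create VPC section (RFC 1918 range, mask length 16 to 28, the four forbidden ranges, no overlap with VPCs you intend to connect) and the secondary CIDR rules above (no overlap with the primary block or the forbidden ranges, five secondary blocks by default) as a pre-flight check in Python. This is an added example, not Alibaba Cloud code; the function names and the sample CIDR blocks are constructed.

```python
import ipaddress

# Ranges the page says cannot be used as a VPC primary or secondary IPv4 CIDR block.
FORBIDDEN_V4 = ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")
# RFC 1918 private ranges, which the page recommends for the primary block.
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_SECONDARY_V4 = 5  # default number of secondary IPv4 blocks per VPC (from the page)


def _overlaps(net, others, label):
    """Return one problem string per block in `others` that overlaps `net`."""
    return [f"{net} overlaps {label} {o}"
            for o in (ipaddress.ip_network(str(x)) for x in others) if net.overlaps(o)]


def check_primary_cidr(cidr, peer_vpc_cidrs=()):
    """Problems with a proposed VPC primary IPv4 CIDR block; an empty list means OK.

    peer_vpc_cidrs are the blocks of VPCs this one will be connected to (CEN, peering);
    an overlap there is reported because it makes routes between the VPCs ambiguous.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr}: not a valid network ({exc})"]
    if net.version != 4:
        return [f"{cidr}: only IPv4 primary blocks are checked here"]
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{net}: mask length {net.prefixlen} is outside the 16-28 range")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net}: not inside an RFC 1918 private range (recommendation)")
    problems += _overlaps(net, FORBIDDEN_V4, "forbidden range")
    problems += _overlaps(net, peer_vpc_cidrs, "peer VPC")
    return problems


def check_secondary_cidr(primary, existing_secondaries, new_cidr):
    """Problems with adding new_cidr as a secondary IPv4 block; an empty list means OK."""
    try:
        net = ipaddress.ip_network(new_cidr, strict=True)
    except ValueError as exc:
        return [f"{new_cidr}: not a valid network ({exc})"]
    problems = _overlaps(net, [primary], "the primary block")
    problems += _overlaps(net, existing_secondaries, "existing secondary block")
    problems += _overlaps(net, FORBIDDEN_V4, "forbidden range")
    if len(existing_secondaries) >= MAX_SECONDARY_V4:
        problems.append(f"VPC already has {MAX_SECONDARY_V4} secondary blocks (default quota)")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: a new /16 that must not collide with two peer VPCs.
    print(check_primary_cidr("10.1.0.0/16", ["10.0.0.0/16", "192.168.0.0/16"]))  # []
    print(check_primary_cidr("100.64.0.0/16"))  # forbidden range, and not RFC 1918
    print(check_secondary_cidr("10.1.0.0/16", [], "10.1.5.0/24"))  # overlaps the primary
```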
Console
Add secondary CIDR block
On the Basic Information page of the target VPC, click the CIDR Block Management tab to add a secondary IPv4 or IPv6 CIDR block.
You can add a secondary IPv4 CIDR block in one of three ways:
Default: Quickly add a CIDR block by selecting 10.0.0.0/16, 172.16.0.0/16, or 192.168.0.0/16.
Custom: Configure a custom secondary CIDR block.
Allocated by IPAM: Use IPAM to prevent CIDR block conflicts. We recommend that you select this option if you have an IPAM pool with a provisioned CIDR block. To configure the CIDR block, select an IPAM pool and then configure the IPv4 Mask.
To add a secondary IPv6 CIDR block:
If the VPC does not have IPv6 enabled, click Enable IPv6. You can select Allocated by system and then select Assign BGP (Multi-ISP) from the drop-down list. To centrally manage addresses, select Allocated by IPAM, choose an IPAM pool, and then select a mask or specify a CIDR block.
You can select the Automatically Enable IPv6 for All vSwitches checkbox. Alternatively, to enable IPv6 for a specific vSwitch, navigate to that vSwitch and click Enable IPv6 in the IPv6 CIDR column.
If the VPC already has IPv6 enabled, click Add IPv6 CIDR Block and select either Allocated by system or Allocated by IPAM.
Delete secondary CIDR block
On the Basic Information page of the target VPC, go to the CIDR Block Management tab. On the IPv4 CIDR or IPv6 CIDR tab, locate the secondary CIDR block that you want to delete and click Delete in the Actions column.
API
Call AssociateVpcCidrBlock to add a secondary CIDR block.
Call UnassociateVpcCidrBlock to delete a secondary CIDR block.
Terraform
Terraform currently supports adding only secondary IPv4 CIDR blocks. Adding secondary IPv6 CIDR blocks is not supported.
Resources: alicloud_vpc_ipv4_cidr_block
# Specify the region where you want to create the VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the ID of the VPC.
variable "vpc_id" {
  default = "vpc-xxx" # Replace with the actual ID of your VPC.
}

# Add a secondary CIDR block to the VPC.
resource "alicloud_vpc_ipv4_cidr_block" "example_secondary_cidr_block" {
  vpc_id               = var.vpc_id
  secondary_cidr_block = "192.168.0.0/16" # Specify the secondary CIDR block.
}
Reserved CIDR blocks
You can reserve a CIDR block in a vSwitch to prevent its IP addresses from being automatically assigned when other resources are created. Currently, reserved CIDR blocks can be used only to assign an IP prefix to a secondary private IP address of an elastic network interface (ENI).
1. A reserved CIDR block cannot contain the system reserved IP addresses of the vSwitch.
2. Each VPC supports up to 100 reserved IPv4 CIDR blocks and 100 reserved IPv6 CIDR blocks.
3. The maximum mask length for a reserved IPv4 CIDR block is /28, and the maximum mask length for a reserved IPv6 CIDR block is /80.
Console
Create reserved CIDR block
On the Basic Information page of the target vSwitch, click the Reserved CIDR Block tab to add a reserved IPv4 or IPv6 CIDR block. You can add a CIDR block in one of two ways:
Specify CIDR Block: Precisely control the address block that you want to reserve.
Specify Mask Length: The system automatically carves out a reserved CIDR block from the available address space.
For IPv6, if the vSwitch does not have IPv6 enabled, click Enable IPv6. In the Enable IPv6 dialog box, configure the IPv6 CIDR block for the vSwitch.
If IPv6 is not enabled for the VPC, in the pop-up Enable IPv6 dialog box, first set IPv6 CIDR Block Type to the default value Assign BGP (Multi-ISP), and then configure the IPv6 CIDR block for the vSwitch.
View used IP addresses
On the Reserved CIDR Block tab of the target vSwitch, click the IPv4 CIDR or IPv6 CIDR tab. Find the target reserved CIDR block and click View Used IP in the Actions column. You can view the used IP addresses and their corresponding ENIs.
Delete reserved CIDR block
Before you delete a reserved CIDR block, make sure that no IP addresses within it are in use.
On the Basic Information page of the target vSwitch, click the Reserved CIDR Block tab. On the IPv4 CIDR or IPv6 CIDR tab, find the reserved CIDR block that you want to delete and click Delete in the Actions column.
API
Call CreateVSwitchCidrReservation to create a reserved CIDR block.
Call GetVSwitchCidrReservationUsage to view used IP addresses.
Call DeleteVSwitchCidrReservation to delete a reserved CIDR block.
Terraform
Resources: alicloud_vpc_vswitch_cidr_reservation
# Specify the region where the resource is located.
provider "alicloud" {
  region = "cn-hangzhou" # The region where the resource resides.
}

# Specify the ID of the vSwitch.
variable "vsw_id" {
  default = "vsw-xxx" # Replace with the actual ID of your vSwitch.
}

# Create a reserved CIDR block.
resource "alicloud_vpc_vswitch_cidr_reservation" "example_cidr_reservation" {
  vswitch_id            = var.vsw_id
  ip_version            = "IPv4"
  cidr_reservation_cidr = "10.0.0.128/26" # Specify the reserved CIDR block.
}
Create a VPC with IPAM
IPAM is a cloud-based tool for automating the allocation and management of IP addresses, simplifying network administration and preventing address conflicts. After you plan with IPAM by creating an IPAM instance and an IPAM pool, you can allocate IPv4 and IPv6 CIDR blocks to your VPC from the pool.
Console
Before you create a VPC, ensure that you have created an IPAM instance and an IPAM pool in the IPAM console.
Go to the Create VPC page in the VPC console.
To allocate an IPv4 CIDR block, select Allocated by IPAM, choose an IPAM pool, and configure a mask. The system automatically allocates the first available CIDR block matching the specified mask length. You can also adjust the IPv4 CIDR block within the pre-provisioned range of the pool.
To enable IPv6, select Allocated by IPAM, choose an IPv6 IPAM pool, and then configure a mask or specify a CIDR block.
API
If you have an existing IPAM pool:
Allocate an IPv4 CIDR block: You can call CreateVpc and pass the Ipv4IpamPoolId parameter to specify an IPAM pool and the Ipv4CidrMask parameter to specify a mask. A CIDR block is then allocated from the IPAM pool and used as the IPv4 CIDR block for the new VPC. Alternatively, you can pass the CidrBlock parameter to specify the CIDR block for the VPC instead of automatically allocating a CIDR block by specifying a mask.
Allocate an IPv6 CIDR block: If you pass both Ipv6IpamPoolId and Ipv6CidrMask, an IPv6 CIDR block is allocated to the VPC from the specified IPv6 IPAM pool.
If you have not created an IPAM pool, call the following APIs in sequence to create one, and then create your VPC as described above.
Terraform
Terraform currently supports allocating only IPv4 CIDR blocks from an IPAM pool. Allocating IPv6 CIDR blocks is not supported.
Resources: alicloud_vpc_ipam_ipam, alicloud_vpc_ipam_ipam_pool, alicloud_vpc_ipam_ipam_pool_cidr, alicloud_vpc
# Specify the region where you want to create the IPAM instance, IPAM pool, and VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Create an IPAM instance.
resource "alicloud_vpc_ipam_ipam" "example_ipam" {
  ipam_name             = "example_ipam_name"
  operating_region_list = ["cn-hangzhou"] # Specify the operating region of the IPAM instance.
}

# Create an IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool" "example_parentIpamPool" {
  ipam_scope_id  = alicloud_vpc_ipam_ipam.example_ipam.private_default_scope_id # Specify the scope of the IPAM pool.
  ipam_pool_name = "example_parentIpamPool_name"
  pool_region_id = alicloud_vpc_ipam_ipam.example_ipam.region_id # Specify the region of the IPAM pool.
  ip_version     = "IPv4" # Specify the IP version of the IPAM pool.
}

# Allocate a CIDR to the IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_ipamPoolCidr" {
  cidr         = "10.0.0.0/16" # Specify the CIDR.
  ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM pool.
}

# Create a VPC.
resource "alicloud_vpc" "example_ipam_vpc" {
  vpc_name          = "example_ipam_vpc_name"
  ipv4_ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM pool.
  ipv4_cidr_mask    = 24 # The IPv4 network mask.
}
More information
Default VPCs and default vSwitches
Default VPCs and default vSwitches help you verify and deploy services quickly. However, for production workloads or long-term services, we strongly recommend that you create custom VPCs and vSwitches tailored to your business architecture. This provides granular control over network design, resource isolation, security policies, and scalability, ensuring your cloud environment is perfectly suited to your business needs.
You can create only one default VPC in each region and only one default vSwitch in each zone. Default VPCs and default vSwitches do not count against your Alibaba Cloud resource quotas.
When you create resources such as ECS, CLB, or RDS instances in a region without a VPC, you can choose to have Alibaba Cloud create a default VPC and a default vSwitch for you. A default VPC created this way has a fixed CIDR block of 172.16.0.0/12.
In a region that does not have a default VPC, you can call CreateDefaultVpc and CreateDefaultVSwitch to create a default VPC and a default vSwitch. A default VPC created this way has a CIDR block of 172.xx.0.0/16.
VPCs and vSwitches created by any other method are considered non-default. You can delete default VPCs and default vSwitches, but you cannot convert them to non-default, or vice versa.
System reserved IP addresses
Each vSwitch's CIDR block contains system reserved IP addresses. You cannot assign these addresses to cloud resources, such as ECS instances.
For IPv4, the first IP address and the last three IP addresses of each vSwitch's CIDR block are reserved.
For example, if the CIDR block of a vSwitch is 192.168.1.0/24, the addresses 192.168.1.0, 192.168.1.253, 192.168.1.254, and 192.168.1.255 are reserved.
For IPv6, the first IP address and the last nine IP addresses of each vSwitch's CIDR block are reserved.
For example, if the IPv6 CIDR block of a vSwitch is 2408:xxxx:xxxx:6eff::/64, the first address 2408:xxxx:xxxx:6eff:: and the last nine addresses 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff7, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff8, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fff9, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffa, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffb, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffc, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffd, 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:fffe, and 2408:xxxx:xxxx:6eff:ffff:ffff:ffff:ffff are reserved.
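The system reserved address rule above (first and last three IPv4 addresses, first and last nine IPv6 addresses) combined with the reserved CIDR block limits from the Reserved CIDR blocks section (a reservation must not contain system reserved addresses, its mask may be no longer than /28 or /80, and a VPC holds at most 100 reservations per IP version), as an added Python example rather than Alibaba Cloud's own code. The function names are constructed, and the IPv6 sample uses the 2001:db8::/32 documentation prefix in place of the page's elided 2408:xxxx block.

```python
import ipaddress

# From the page: a vSwitch keeps the first address plus the last 3 (IPv4) or last 9 (IPv6).
RESERVED_TAIL = {4: 3, 6: 9}
# Longest mask a reserved CIDR block may have: /28 for IPv4, /80 for IPv6.
MAX_RESERVATION_PREFIX = {4: 28, 6: 80}
MAX_RESERVATIONS_PER_VPC = 100  # per IP version


def system_reserved_addresses(vswitch_cidr):
    """Addresses in a vSwitch block that the platform never assigns to cloud resources."""
    net = ipaddress.ip_network(vswitch_cidr, strict=True)
    first = net.network_address
    last = int(net.broadcast_address)  # last address of the block (also defined for IPv6)
    tail = RESERVED_TAIL[net.version]
    # first address, then the last `tail` addresses in ascending order
    return [first] + [type(first)(last - i) for i in range(tail - 1, -1, -1)]


def check_cidr_reservation(vswitch_cidr, reservation_cidr, reservations_in_vpc=0):
    """Problems with reserving reservation_cidr inside vswitch_cidr; an empty list means OK.

    reservations_in_vpc is how many reserved blocks of this IP version the VPC already has.
    """
    vsw = ipaddress.ip_network(vswitch_cidr, strict=True)
    try:
        res = ipaddress.ip_network(reservation_cidr, strict=True)
    except ValueError as exc:
        return [f"{reservation_cidr}: not a valid network ({exc})"]
    if res.version != vsw.version:
        return [f"{res}: IP version differs from vSwitch block {vsw}"]
    problems = []
    if not res.subnet_of(vsw):
        problems.append(f"{res} is not inside vSwitch block {vsw}")
    limit = MAX_RESERVATION_PREFIX[res.version]
    if res.prefixlen > limit:
        problems.append(f"{res}: mask /{res.prefixlen} is longer than the /{limit} limit")
    clashes = [str(a) for a in system_reserved_addresses(vswitch_cidr) if a in res]
    if clashes:
        problems.append(f"{res} contains system reserved address(es): {', '.join(clashes)}")
    if reservations_in_vpc >= MAX_RESERVATIONS_PER_VPC:
        problems.append(f"VPC already has {MAX_RESERVATIONS_PER_VPC} reserved blocks of this version")
    return problems


if __name__ == "__main__":
    print([str(a) for a in system_reserved_addresses("192.168.1.0/24")])
    # The page's Terraform example reserves 10.0.0.128/26 in a 10.0.0.0/24 vSwitch: valid.
    print(check_cidr_reservation("10.0.0.0/24", "10.0.0.128/26"))
    # The top quarter of the same vSwitch would swallow .253-.255: rejected.
    print(check_cidr_reservation("10.0.0.0/24", "10.0.0.192/26"))
```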
Cross-account authorization
Before you connect a VPC to a cross-account CEN, VBR, or ECR instance, you must first grant cross-account authorization for the VPC.
For authorization instructions, see Authorize a cross-account CEN instance, Authorize a cross-account VBR instance, and Authorize a cross-account ECR instance.
After the authorization is successful, the other account can select your VPC instance when they create a VPC connection, create an uplink VBR connection, or associate a VPC with an ECR.
1. The term 'account' in this context refers to an Alibaba Cloud account (primary account), not a RAM user (sub-account).
2. Cross-account authorization does not support cross-site scenarios. In other words, cross-account authorization between the China website (aliyun.com) and the International website (alibabacloud.com) is not supported.