Best Practices of Peer Connection
Introduction
A peer connection provides VPC-level network interconnection, allowing traffic to flow between different virtual networks and giving a stable, high-speed link between VPCs in the same region or across regions, owned by the same user or by different users. Once the peer connection is established, traffic is controlled at the VPC level and at the subnet level through route configuration, and access to services is secured by configuring security group and ACL policies.
Usage restrictions:
- A maximum of 10 peer connection instances can be created in a single VPC, and a single user can create a maximum of 10 peer connection instances.
- Only one peer connection can exist between any pair of VPCs.
For detailed steps, please refer to the peer connection Operation Guide.
Basic Scenarios
Two VPC peer connections
Use this configuration when two VPCs need to access each other's resources.
Example scenarios
Establish a peer connection between VPC A and VPC B.
Route configuration
Source network segment | Destination network segment | Route type | Next hop instance |
---|---|---|---|
VPC A | 172.16.0.0/16 | peer connection | int-atob |
VPC B | 192.168.0.0/16 | peer connection | int-btoa |
Peer Connection between One VPC and Multiple VPCs
Use this configuration when several VPCs need to access resources in a central VPC but do not need to access each other's resources.
Example scenarios
VPC A is the central VPC and is peered with VPC B, VPC C and VPC D respectively.
- peer connection between VPC A and VPC B;
- peer connection between VPC A and VPC C;
- peer connection between VPC A and VPC D.
Route configuration
Source network segment | Destination network segment | Route type | Next hop instance |
---|---|---|---|
VPC A | 172.16.0.0/16 | peer connection | int-atob |
VPC A | 172.17.0.0/16 | peer connection | int-atoc |
VPC A | 10.0.0.0/16 | peer connection | int-atod |
VPC B | 192.168.0.0/16 | peer connection | int-btoa |
VPC C | 192.168.0.0/16 | peer connection | int-ctoa |
VPC D | 192.168.0.0/16 | peer connection | int-dtoa |
Mutual Peer Connection among Multiple VPCs
Use this configuration when multiple VPCs need unrestricted access to each other's resources, for example a file-sharing network.
Example scenarios
Four VPCs are peered with each other in a full-mesh configuration. All VPCs belong to the same Baidu AI Cloud account, and no CIDR blocks overlap.
- peer connection between VPC A and VPC B;
- peer connection between VPC A and VPC C;
- peer connection between VPC A and VPC D;
- peer connection between VPC B and VPC C;
- peer connection between VPC B and VPC D;
- peer connection between VPC C and VPC D.
Route configuration
Source network segment | Destination network segment | Route type | Next hop instance |
---|---|---|---|
VPC A | 172.16.0.0/16 | peer connection | int-atob |
VPC A | 172.17.0.0/16 | peer connection | int-atoc |
VPC A | 10.0.0.0/16 | peer connection | int-atod |
VPC B | 192.168.0.0/16 | peer connection | int-btoa |
VPC B | 172.17.0.0/16 | peer connection | int-btoc |
VPC B | 10.0.0.0/16 | peer connection | int-btod |
VPC C | 192.168.0.0/16 | peer connection | int-ctoa |
VPC C | 172.16.0.0/16 | peer connection | int-ctob |
VPC C | 10.0.0.0/16 | peer connection | int-ctod |
VPC D | 192.168.0.0/16 | peer connection | int-dtoa |
VPC D | 172.16.0.0/16 | peer connection | int-dtob |
VPC D | 172.17.0.0/16 | peer connection | int-dtoc |
Advanced Scenarios
Two Subnets in One VPC Peered Respectively with Two VPCs
Use this configuration when different subnets in the central VPC hold independent sets of resources and other VPCs need to access some, but not all, of those resources.
Example scenarios
VPC A is the central VPC and has two subnets, Subnet X and Subnet Y, which are peered with VPC B and VPC C respectively.
- peer connection between VPC A and VPC B;
- peer connection between VPC A and VPC C.
Route configuration
Source network segment | Destination network segment | Route type | Next hop instance |
---|---|---|---|
Subnet X in VPC A | 10.0.0.0/16 | peer connection | int-atob |
Subnet Y in VPC A | 10.0.0.0/16 | peer connection | int-atoc |
VPC B | 172.16.0.0/24 | peer connection | int-btoa |
VPC C | 172.16.1.0/24 | peer connection | int-ctoa |
Specific Subnets in Two VPCs Peered with the Same VPC
Use this configuration when a set of resources in the central VPC, such as Active Directory services, needs to reach only specific subnets of the peered VPCs rather than the whole VPCs.
Example scenarios
VPC A is the central VPC with one subnet. VPC B and VPC C each have two subnets, and in each of them only one subnet is routed over its peer connection with VPC A.
- peer connection between VPC A and VPC B;
- peer connection between VPC A and VPC C.
Route configuration
Source network segment | Destination network segment | Route type | Next hop instance |
---|---|---|---|
VPC A | 10.0.0.0/24 | peer connection | int-atob |
VPC A | 10.0.1.0/24 | peer connection | int-atoc |
Subnet X in VPC B | 172.16.0.0/24 | peer connection | int-btoa |
Subnet Y in VPC C | 172.16.0.0/24 | peer connection | int-btoc |
Multiple Instances in One VPC Peered Respectively with Instances in Two VPCs
Use this configuration when peer connection traffic must be restricted to specific instances.
Example scenarios
VPC A is the central VPC with one subnet. Two instances in that subnet are peered with instances in VPC B and VPC C respectively. BCC instances are used as the example.
- peer connection between VPC A and VPC B;
- peer connection between VPC A and VPC C.
Route configuration
Source network segment | Destination network segment | Route type | Next hop instance |
---|---|---|---|
Instance 172.16.0.88/32 in VPC A | 10.0.0.44/32 | peer connection | int-atob |
Instance 172.16.0.99/32 in VPC A | 10.0.0.55/32 | peer connection | int-atoc |
Instance 10.0.0.44/32 in VPC B | 172.16.0.88/32 | peer connection | int-btoa |
Instance 10.0.0.55/32 in VPC C | 172.16.0.99/32 | peer connection | int-ctoa |
Using Longest Prefix Match for Peer Connections between One VPC and Two VPCs
When one VPC is peered with two VPCs that have identical (overlapping) CIDR blocks, the longest prefix match can be used to select the correct destination.
Example scenarios
VPC A is the central VPC with one subnet and is peered with VPC B and VPC C respectively. VPC B and VPC C have overlapping CIDR blocks; a specific instance in VPC A is peered with a specific instance in VPC B, and all other traffic destined for the 10.0.0.0/16 address range is routed to VPC C. BCC instances are used as the example.
- peer connection between VPC A and VPC B;
- peer connection between VPC A and VPC C.
Route configuration
Source network segment | Destination network segment | Route type | Next hop instance |
---|---|---|---|
VPC A | 10.0.0.77/32 | peer connection | int-atob |
VPC A | 10.0.0.0/16 | peer connection | int-atoc |
VPC B | 172.16.0.0/16 | peer connection | int-btoa |
VPC C | 172.16.0.0/16 | peer connection | int-ctoa |
Note: If VPC A sends traffic to any instance in VPC B other than 10.0.0.77/32, that traffic is routed to VPC C rather than VPC B, because the 10.0.0.0/16 route to VPC C is then the longest matching prefix.
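To make the note concrete, here is an added Python example (not part of the Baidu AI Cloud documentation) that applies longest prefix match to VPC A's route table from this scenario and flags the less specific route that is overridden for part of its range.

```python
from ipaddress import ip_address, ip_network

# Route table of VPC A in this scenario: (destination CIDR, next hop instance).
VPC_A_ROUTES = [
    ("10.0.0.77/32", "int-atob"),  # one instance in VPC B
    ("10.0.0.0/16", "int-atoc"),   # the rest of the overlapping block goes to VPC C
]


def next_hop(routes, dst_ip):
    """Return (matched prefix, next hop) for dst_ip using longest prefix match.

    Returns (None, None) when no route matches, i.e. the traffic is not sent
    over any peer connection. Route order does not matter, only prefix length.
    """
    addr = ip_address(dst_ip)
    matches = [(ip_network(cidr), hop) for cidr, hop in routes
               if addr in ip_network(cidr)]
    if not matches:
        return None, None
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), hop


def shadowed_routes(routes):
    """List (specific, general) pairs where a more specific route overrides a
    less specific one that points to a different peer.

    This is the situation in the note above: traffic to any VPC B instance
    other than 10.0.0.77 falls through to the VPC C route."""
    pairs = []
    for cidr_a, hop_a in routes:
        for cidr_b, hop_b in routes:
            net_a, net_b = ip_network(cidr_a), ip_network(cidr_b)
            if hop_a != hop_b and net_a != net_b and net_a.subnet_of(net_b):
                pairs.append((cidr_a, cidr_b))
    return pairs


if __name__ == "__main__":
    for dst in ("10.0.0.77", "10.0.0.78", "172.16.0.5"):
        print(dst, "->", next_hop(VPC_A_ROUTES, dst))
    print("shadowed:", shadowed_routes(VPC_A_ROUTES))
```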
Complex Topology Scenarios
Use this configuration for complex topologies in which multiple VPCs are peered and some CIDR blocks partially overlap.
Example scenarios
In this scenario the central VPC A is peered with multiple VPCs, and VPC E is peered with VPC F. VPC A and VPC F have overlapping CIDR blocks, so the peering traffic between VPC A and VPC E is restricted to a specific subnet (Subnet X) in VPC E. This ensures that when VPC E receives a request from VPC A or from VPC F, the response is sent back to the correct VPC. Currently, Baidu AI Cloud does not support unicast reverse path forwarding in VPC peer connections, that is, checking the source IP of a packet and routing the response back toward that source.
Similarly, VPC E and VPC H have overlapping CIDR blocks. The peering traffic between VPC F and VPC E is restricted to Subnet Y in VPC E, and the peering traffic between VPC F and VPC H is restricted to Subnet X in VPC H. This ensures that VPC F sends its response to the correct VPC when it receives peering traffic from VPC E or VPC H.
The route tables of VPC B, D, E, F and G point to the relevant peer connections to reach the entire CIDR block of VPC A. The route table of VPC A points to the peer connections with VPC B, C and D to reach their entire CIDR blocks. For the peer connection int-aaaaeeee, the route table of VPC A routes traffic only to Subnet X in VPC E (192.168.0.0/24), and the route table of Subnet X in VPC E points to the entire CIDR block of VPC A.
The route table of VPC G points to the relevant peer connections to reach the entire CIDR blocks of VPC F and VPC H. The route table of VPC H points to the relevant peer connection to reach the entire CIDR block of VPC G. The route table of Subnet X in VPC H points to the relevant peer connection to reach the entire CIDR block of VPC F. The route table of VPC F points to the relevant peer connections to reach Subnet Y in VPC E and Subnet X in VPC H.
- peer connection between VPC A and VPC B;
- peer connection between VPC A and VPC C;
- peer connection between VPC A and VPC D;
- peer connection between VPC A and VPC E;
- peer connection between VPC E and VPC F;
- peer connection between VPC F and VPC G;
- peer connection between VPC F and VPC H;
- peer connection between VPC G and VPC H.
Peer Connection Transitivity
Use this configuration when one VPC is peered with multiple VPCs and those VPCs need to reach each other across the central VPC through route configuration. Route relay must be enabled on the relay VPC.
Example scenarios
All VPCs are under the same Baidu AI Cloud account. VPC B is the relay VPC and is peered with VPC A and VPC C respectively, forming a star topology. Connectivity between VPC A and VPC C is achieved through route configuration.
- peer connection between VPC A and VPC B;
- peer connection between VPC B and VPC C.
Note: In this scenario, route relay must be enabled on the relay VPC. Please refer to the relay VPC Operation Guide.
Route configuration
Source network segment | Destination network segment | Route type | Next hop instance |
---|---|---|---|
VPC A | 172.16.0.0/16 | peer connection | int-atob |
VPC A | 10.0.0.0/16 | peer connection | int-atob |
VPC B | 192.168.0.0/16 | peer connection | int-btoa |
VPC B | 10.0.0.0/16 | peer connection | int-btoc |
VPC C | 192.169.0.0/16 | peer connection | int-ctob |
VPC C | 172.16.0.0/16 | peer connection | int-ctob |
In addition, Baidu AI Cloud allows users to configure route tables so that connectivity is relayed between a peer connection and a private line or VPN connection.
CIDR Block Overlapping
Peer connections support interconnecting two VPCs whose CIDR blocks overlap.
Example scenarios
VPC A and VPC B have identical CIDR blocks and each has two subnets. VPC A and VPC B are peered, and the subnets in VPC A and VPC B are interconnected pairwise through route configuration.
Route configuration
Source network segment | Destination network segment | Route type | Next hop instance |
---|---|---|---|
Subnet X in VPC A | 192.168.2.0/24 | peer connection | int-atob |
Subnet Y in VPC A | 192.168.4.0/24 | peer connection | int-atob |
Subnet X in VPC B | 192.168.1.0/24 | peer connection | int-btoa |
Subnet Y in VPC B | 192.168.3.0/24 | peer connection | int-btoa |
Note: In this scenario, the CIDR blocks of the subnets at the two ends of a route must not overlap.
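A pre-apply check for this scenario, as an added Python example that is not part of the Baidu AI Cloud documentation: the subnet CIDRs themselves are not listed on the page, so the values in SUBNETS are assumed to match the destination blocks in the route table above.

```python
from ipaddress import ip_network

# Assumed subnet CIDRs (not stated on the page), chosen to match the destination
# blocks of the subnet-level routes above: "A/X" is Subnet X in VPC A, etc.
SUBNETS = {
    "A/X": "192.168.1.0/24", "A/Y": "192.168.3.0/24",
    "B/X": "192.168.2.0/24", "B/Y": "192.168.4.0/24",
}

# Subnet-level routes from the page: (source subnet, destination CIDR, next hop).
ROUTES = [
    ("A/X", "192.168.2.0/24", "int-atob"),
    ("A/Y", "192.168.4.0/24", "int-atob"),
    ("B/X", "192.168.1.0/24", "int-btoa"),
    ("B/Y", "192.168.3.0/24", "int-btoa"),
]


def validate_subnet_routes(subnets, routes):
    """Return a list of problems with the subnet-level routes; empty means OK.

    Two checks: (1) the subnet at the source end of a route must not overlap the
    destination block at the other end, as the note above requires, otherwise the
    route would also capture the subnet's own local traffic; (2) every route needs
    a matching return route from the destination subnet, or replies are dropped.
    """
    problems = []
    cidr_to_subnet = {ip_network(c): name for name, c in subnets.items()}
    route_set = {(src, ip_network(dst)) for src, dst, _ in routes}
    for src, dst, hop in routes:
        src_net, dst_net = ip_network(subnets[src]), ip_network(dst)
        if src_net.overlaps(dst_net):
            problems.append(f"{src} ({src_net}) overlaps destination {dst_net} via {hop}")
            continue
        peer = cidr_to_subnet.get(dst_net)
        if peer is None or (peer, src_net) not in route_set:
            problems.append(f"no return route from {dst_net} back to {src} ({src_net})")
    return problems


if __name__ == "__main__":
    print("page configuration:", validate_subnet_routes(SUBNETS, ROUTES) or "OK")
    # Constructed misconfiguration: Subnet X in VPC A points at its own block.
    bad = [("A/X", "192.168.1.0/24", "int-atob")] + ROUTES[1:]
    print("overlapping:", validate_subnet_routes(SUBNETS, bad))
```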
Unsupported Scenarios
Multi-hop Scenarios
Peer connection transitivity supports traversing only one relay VPC.
Example scenarios
VPC A and VPC B, VPC B and VPC C, and VPC C and VPC D are peered, but transitive connectivity between VPC A and VPC D is not supported. It is recommended to change the linear topology to a star topology.
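The following added Python example (not part of the Baidu AI Cloud documentation) walks a packet hop by hop through the route tables of the Peer Connection Transitivity scenario and applies the one-relay limit described here, so the star topology succeeds and the linear A-B-C-D chain is dropped. The VPC CIDRs are assumed from the destination blocks in those tables, VPC A's block being taken as 192.168.0.0/16 as listed in VPC B's route table; the linear topology and its CIDRs are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Transitivity scenario from the page. CIDRs are assumed from the route tables:
# A 192.168.0.0/16, B 172.16.0.0/16, C 10.0.0.0/16. Each VPC maps to
# (own CIDR, [(destination CIDR, next hop instance), ...]).
STAR = {
    "A": ("192.168.0.0/16", [("172.16.0.0/16", "int-atob"), ("10.0.0.0/16", "int-atob")]),
    "B": ("172.16.0.0/16", [("192.168.0.0/16", "int-btoa"), ("10.0.0.0/16", "int-btoc")]),
    "C": ("10.0.0.0/16", [("192.168.0.0/16", "int-ctob"), ("172.16.0.0/16", "int-ctob")]),
}
# Remote VPC behind each peer connection instance (page naming: int-<from>to<to>).
PEERS = {"int-atob": "B", "int-btoa": "A", "int-btoc": "C", "int-ctob": "B"}
MAX_RELAYS = 1  # transitivity may cross only one relay VPC


def forward(vpcs, peers, relay_enabled, src, dst_ip, max_relays=MAX_RELAYS):
    """Follow route tables hop by hop from VPC src toward dst_ip.

    Returns the list of VPCs traversed when dst_ip is delivered, or None when the
    packet is dropped: no matching route, a relaying VPC without route relay
    enabled, or more than max_relays intermediate VPCs (the multi-hop case).
    """
    addr, path = ip_address(dst_ip), [src]
    while addr not in ip_network(vpcs[path[-1]][0]):
        cur = path[-1]
        if cur != src and (cur not in relay_enabled or len(path) - 1 > max_relays):
            return None
        matches = [(ip_network(c), hop) for c, hop in vpcs[cur][1] if addr in ip_network(c)]
        if not matches:
            return None
        _, hop = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix match
        path.append(peers[hop])
    return path


# Constructed linear topology A-B-C-D (the unsupported case). VPC D is assumed
# to use 10.1.0.0/16; B and C carry the routes a two-relay path would need.
LINE = {
    "A": ("192.168.0.0/16", [("10.1.0.0/16", "int-atob")]),
    "B": ("172.16.0.0/16", [("10.1.0.0/16", "int-btoc")]),
    "C": ("10.0.0.0/16", [("10.1.0.0/16", "int-ctod")]),
    "D": ("10.1.0.0/16", []),
}
LINE_PEERS = {"int-atob": "B", "int-btoc": "C", "int-ctod": "D"}

if __name__ == "__main__":
    print("A -> C via relay B:", forward(STAR, PEERS, {"B"}, "A", "10.0.0.5"))
    print("relay disabled:   ", forward(STAR, PEERS, set(), "A", "10.0.0.5"))
    print("A -> D two relays:", forward(LINE, LINE_PEERS, {"B", "C"}, "A", "10.1.0.5"))
```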