opentelekomcloud · akyriako · Aug 8, 2024 · Aug 6, 2024 · Aug 6, 2024 · Aug 6, 2024
@@ -0,0 +1,68 @@
+---
+id: using-a-public-nat-gateway-and-vpc-peering-to-enable-communications-between-vpcs-and-the-internet
+title: Using a Public NAT Gateway and VPC Peering to Enable Communications Between VPCs and the Internet
+tags: [nat-gateway, vpc-peering]
+---
+
+# Using a Public NAT Gateway and VPC Peering to Enable Communications Between VPCs and the Internet
+
+Two VPCs, VPC A and VPC B are in the same region. A public NAT gateway is configured for subnet A in VPC A and you can add SNAT and DNAT rules for Internet connectivity. Subnet B connects to subnet A through a VPC peering connection and uses the public NAT gateway of subnet A to communicate with the Internet.
+
+## Solution Design
+
+The CIDR block of VPC A is `192.168.0.0/16` and that of subnet A is `192.168.1.0/24`.
+
+The CIDR block of VPC B is `192.168.0.0/16` and that of subnet B is `192.168.2.0/24`.
+
+### Topology
+
+1. A VPC peering connection is used to connect subnet A in VPC A to subnet B in VPC B.
+2. A public NAT gateway is created in VPC A, and subnet B can use the public NAT gateway to communicate the Internet.
+
+    ![**Figure 1** Network topology](/img/docs/best-practices/networking/nat-gateway/en-us_image_0000001089261095.png)
+
+:::note Advantages
+Only one public NAT gateway needs to be configured. Servers in the two VPCs can share the same public NAT gateway to communicate with the Internet, saving gateway resources.
+:::
+
+## Prerequisites
+
+* If VPCs connected by a VPC peering connection have overlapping CIDR blocks, the connection can only enable communications between specific (non-overlapping) subnets in the VPCs.
+* All subnets of the two VPCs do not overlap with each other. For details, see [VPC Peering Connection Usage Examples](https://docs.otc.t-systems.com/virtual-private-cloud/umn/vpc_peering_connection/vpc_peering_connection_usage_examples.html).
+
+## Deploying the Solution
+
+1. Create VPC A, VPC B, subnet A, and subnet B.
+
+    For detailed operations, see [Creating a VPC](https://docs.otc.t-systems.com/virtual-private-cloud/umn/vpc_and_subnet/vpc/creating_a_vpc.html).
+
+2. Create a VPC peering connection.
+
+    Create a VPC peering connection between subnet A and subnet B. For detailed operations, see [Creating a VPC Peering Connection with Another VPC in Your Account](https://docs.otc.t-systems.com/virtual-private-cloud/umn/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.html).
+
+    The local VPC is VPC A, and the peer VPC is VPC B.
+
+    Add a route in the route table of VPC B. Set *Destination* to `0.0.0.0/0` and *Next Hop* to the created VPC peering connection between VPC A and VPC B.
+
+3. Create a public NAT gateway.
+
+    Create a public NAT gateway with *VPC* set to VPC A. For details about how to configure other parameters, see [Creating a Public NAT Gateway](https://docs.otc.t-systems.com/nat-gateway/umn/managing_nat_gateways/creating_a_public_nat_gateway.html).
+
+4. Add an SNAT rule.
+    1. Select *VPC* for *Scenario* and subnet A for *Subnet*. For more details, see [Adding an SNAT Rule](https://docs.otc.t-systems.com/nat-gateway/umn/managing_snat_rules/adding_an_snat_rule.html).
+    2. Add an SNAT rule for subnet B. Set *Scenario* to *Direct Connect/Cloud Connect* and enter the CIDR block of subnet B.
+5. Add a DNAT rule.
+    1. Add a DNAT rule for subnet A. Select *VPC* for *Scenario* and enter an IP address of a server in subnet A for *Private IP Address*. For more details, see [Adding a DNAT Rule](https://docs.otc.t-systems.com/nat-gateway/umn/managing_dnat_rules/adding_a_dnat_rule.html).
+    2. Add a DNAT rule for subnet B. Set *Scenario* to *Direct Connect/Cloud Connect* and enter an IP address of a server in subnet B for *Private IP Address*.
+
+## Verifying Connectivity
+
+After the configuration is complete, test the network connectivity.
+
+Log in to a server in subnet B and ping a public IP address.
+
+![**Figure 2**](/img/docs/best-practices/networking/nat-gateway/en-us_image_0000001092787311.png)
+
+Log in to a server that can access the Internet and is not deployed in VPC A or VPC B. Use **curl** to check whether the server can communicate with subnet B via the EIP associated with the DNAT rule configured for subnet B.
+
+![**Figure 3**](/img/docs/best-practices/networking/nat-gateway/en-us_image_0000001093306041.png)
@@ -0,0 +1,147 @@
+---
+id: unsupported-vpc-peering-configurations
+title: Unsupported VPC Peering Configurations
+tags: [vpc, vpc-peering]
+---
+
+# Unsupported VPC Peering Configurations
+
+## Scenarios
+
+The VPC peering connection configurations are not supported in table below:
+
+| Scenario                                                                                                                                                                                                                                                                                   | Example                                                                                                                                                                                                                                                                                                                   |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| If VPCs with the same CIDR block also include subnets that overlap, VPC peering connections are not usable. If two VPCs have overlapping CIDR blocks but some of their subnets do not overlap, you cannot create a VPC peering connection to connect specific subnets that do not overlap. | [Invalid VPC Peering for Overlapping](#invalid-vpc-peering-for-overlapping-vpc-cidr-blocks): VPC CIDR Blocks VPCs with the same CIDR block also include subnets that overlap. Two VPCs have overlapping CIDR blocks but some of their subnets do not overlap. |
+| VPC peering connections cannot enable ECSs in their VPCs to share an EIP to access the Internet. If VPC-A and VPC-B are peered and ECS-A01 in VPC-A has an EIP, ECS-B01 in VPC-B cannot access the Internet using the EIP bound to ECS-A01.                                                | [Invalid VPC Peering for Sharing an EIP](#invalid-vpc-peering-for-sharing-an-eip)                                                                                                                                                                                                                                     |
+
+**Table 1** Scenarios that VPC peering connections are invalid
+
+## Notes and Constraints
+
+- If the ECSs in VPCs connected by a VPC peering connections are in
+    different security groups, you need to add rules to the security
+    groups to allow access to each other. For details, [Enabling ECSs in
+    Different Security Groups to Communicate with Each Other Through an
+    Internal
+    Network](https://docs.otc.t-systems.com/virtual-private-cloud/umn/access_control/security_group/security_group_configuration_examples.html#en-us-topic-0081124350).
+
+    :::note
+    In all examples in this section, the ECSs in local and peer VPCs are
+    in the same security group. No additional security group rule is
+    required.
+    :::
+
+- Each route table of a VPC can have a maximum of 200 routes. If you
+    want to establish VPC peering connections between multiple VPCs,
+    consider this restriction when planning networking.
+
+- In a VPC route table, the route priority is as follows:
+
+  - Local route: A route that is automatically added by the system
+        for communication within a VPC. It has a higher priority than a
+        custom route.
+
+  - Custom route: A route added by a user. It uses the longest
+        prefix match rule to find a destination for packet forwarding.
+
+        ![image1](/img/docs/best-practices/networking/virtual-private-cloud/en-us_image_0000001261140071.png)
+
+## Invalid VPC Peering for Overlapping VPC CIDR Blocks
+
+If two VPCs have overlapping CIDR blocks, the VPC peering connection may
+not take effect due to route conflicts. The following describes the
+reasons and configuration suggestions.
+
+- VPCs with the same CIDR block also include subnets that overlap.
+
+    VPC peering connections are not usable. As shown in
+    **Table 2**, VPC-A and
+    VPC-B, and their subnets have the same CIDR block. If you create a
+    VPC peering connection between VPC-A and VPC-B, their route tables
+    are shown in **Table 2**.
+
+    In the rtb-VPC-A route table, the custom route for routing traffic
+    from VPC-A to VPC-B and the local route have overlapping
+    destinations. The local route has a higher priority and traffic will
+    be forwarded within VPC-A and cannot reach VPC-B.
+
+    ![**Figure 1** Networking diagram
+    (IPv4)](/img/docs/best-practices/networking/virtual-private-cloud/en-us_image_0000001254335981.png)
+
+    | Route Table | Destination         | Next Hop   | Route Type | Description                                                                                 |
+    | ----------- | ------------------- | ---------- | ---------- | ------------------------------------------------------------------------------------------- |
+    | rtb-VPC-A   | 10.0.0.0/24         | Local      | System     | Local routes are automatically added for communications within a VPC.                       |
+    |             | 10.0.1.0/24         | Local      | System     |                                                                                             |
+    |             | 10.0.0.0/16 (VPC-B) | Peering-AB | Custom     | Add a route with the CIDR block of VPC-B as the destination and Peering-AB as the next hop. |
+    | rtb-VPC-B   | 10.0.0.0/24         | Local      | System     | Local routes are automatically added for communications within a VPC.                       |
+    |             | 10.0.1.0/24         | Local      | System     |                                                                                             |
+    |             | 10.0.0.0/16 (VPC-A) | Peering-AB | Custom     | Add a route with the CIDR block of VPC-A as the destination and Peering-AB as the next hop. |
+
+    **Table 2** VPC route table details
+
+    If two VPCs want to use their IPv6 CIDR blocks for communication by
+    a VPC peering connection but the IPv4 CIDR blocks of the VPCs or
+    subnets overlap, the connection is not usable.
+
+    ![**Figure 2** Networking diagram
+    (IPv6)](/img/docs/best-practices/networking/virtual-private-cloud/en-us_image_0000001209300412.png)
+
+    Two VPCs have overlapping CIDR blocks but some of their subnets do
+    not overlap. VPC peering connections will not take effect in the following
+    scenarios:
+
+  - Connecting overlapping CIDR blocks of VPCs
+
+        As shown in Figure 3,
+        if you create a VPC peering connection between VPC-A and VPC-B,
+        the VPC peering connection will not take effect because the two
+        VPCs have the same CIDR block.
+
+  - Connecting overlapping subnets from different VPCs
+
+        If you create a VPC peering connection between Subnet-A01 and
+        Subnet-B02, the route tables are shown in table below. In the
+        rtb-VPC-B route table, the custom route for routing traffic from
+        Subnet-B02 to Subnet-A01 and the local route have overlapping
+        destinations. The local route has a higher priority and traffic
+        will be forwarded within Subnet-B02 and cannot reach Subnet-A01.
+
+        ![**Figure 3** Networking diagram
+        (IPv4)](/img/docs/best-practices/networking/virtual-private-cloud/en-us_image_0000001209777270.png)
+
+        | Route Table | Destination              | Next Hop   | Route Type | Description                                                                                      |
+        | ----------- | ------------------------ | ---------- | ---------- | ------------------------------------------------------------------------------------------------ |
+        | rtb-VPC-A   | 10.0.0.0/24              | Local      | System     | Local routes are automatically added for communications within a VPC.                            |
+        |             | 10.0.1.0/24              | Local      | System     |                                                                                                  |
+        |             | 10.0.2.0/24 (Subnet-B02) | Peering-AB | Custom     | Add a route with the CIDR block of Subnet-B02 as the destination and Peering-AB as the next hop. |
+        | rtb-VPC-B   | 10.0.0.0/24              | Local      | System     | Local routes are automatically added for communications within a VPC.                            |
+        |             | 10.0.2.0/24              | Local      | System     |                                                                                                  |
+        |             | 10.0.0.0/24 (Subnet-A01) | Peering-AB | Custom     | Add a route with the CIDR block of Subnet-A01 as the destination and Peering-AB as the next hop. |
+
+        **Table 3** VPC route table details
+
+    If the subnets connected by a VPC peering connection do not overlap,
+    the connection will take effect. As shown in Figure 4, you can create a
+    VPC peering connection between Subnet-A02 and Subnet-B02. In this
+    case, the routes do not conflict and the VPC peering connection
+    takes effect.
+
+    ![**Figure 4** Networking diagram
+    (IPv4)](/img/docs/best-practices/networking/virtual-private-cloud/en-us_image_0000001209321492.png)
+
+    If two VPCs want to use their IPv6 CIDR blocks for communication by
+    a VPC peering connection but the IPv4 CIDR blocks of the VPCs or
+    subnets overlap, the connection is not usable.
+
+    ![**Figure 5** Networking diagram
+    (IPv6)](/img/docs/best-practices/networking/virtual-private-cloud/en-us_image_0000001254241751.png)
+
+## Invalid VPC Peering for Sharing an EIP
+
+As shown in Figure 6, although
+VPC-A and VPC-B are peered and ECS-A01 in VPC-A has an EIP, ECS-B01 in
+VPC-B cannot access the Internet using the EIP bound to ECS-A01.
+
+![**Figure 6** Networking
+diagram](/img/docs/best-practices/networking/virtual-private-cloud/en-us_image_0000001254608729.png)