Building Hybrid Global Networks with Cloud Enterprise Network (CEN) and VPN Gateway

By Oliver Arafat, Staff Solution Architect, and Fabien Locquet, Solution Architect

This document outlines the necessary steps and highlights the caveats when enabling Alibaba Cloud’s Cloud Enterprise Network (CEN) service to propagate VPN Gateway routes, so that a CEN-connected VPC can reach either an Internet data center (IDC) or another Virtual Private Cloud (VPC) through the VPN.

This document describes the following scenarios:

  1. CEN and VPCs all belong to a single billing account
  2. CEN and VPCs are spread across multiple billing accounts

Scenario 1: VPCs in a Single Billing Account

Architecture Presentation

In this scenario, VPC A and B, CEN and VPN A all belong to the same Billing Account.

We will also discuss the necessary steps when attaching VPCs from other accounts, as depicted in Figure 1, in the second part of this paper.


Figure 1: Target Scenario for VPCs in a single Account

CIDR Definition

Solution Implementation Steps

CEN Setup

  1. Create a CEN-Instance
  2. Attach the VPC A and VPC B to the CEN-Instance
  3. For inter-region communication, make sure to buy a corresponding bandwidth package and assign a bandwidth of at least 1 Mbps between the regions where VPC A and VPC B are located (note that for pure connectivity tests the built-in, free of charge bandwidth of 1 kbps might also be sufficient)
  4. For intra-region communication there is no need to buy a bandwidth package or assign bandwidth, since it is free of charge.

Note that you do not need to add any routing table entries since CEN will automatically learn the routes to route data packets from VPC A to VPC B and vice-versa.

Connectivity between VPC A and VPC B can be tested by provisioning an ECS instance in each VPC, each assigned to a VSwitch (a VSwitch defines a subnet within the VPC).

Once this has been done, a simple ping command can be used to verify correct packet routing through the private backbone network of Alibaba Cloud, as depicted in the screenshots below:

Pinging from VPC B to VPC A:


Pinging from VPC A to VPC B:


VPN-Gateway Setup

  1. Configure a site-to-site connection via IPsec (
  2. Configure a VPC-to-VPC connection via IPsec (


  1. A VPN Gateway consumes 3 IP addresses from one of the VSwitches in the selected VPC. If multiple VSwitches exist, it appears to choose the VSwitch in the first AZ. As a consequence, an attempt to delete this VSwitch will fail because of the dependency on the VPN Gateway.
  2. This dependency is not shown in the VSwitch dependency panel in the Alibaba Cloud Console, and the error thrown when trying to delete a VSwitch without first removing the associated VPN Gateway gives no indication of the cause.

VPN-Routes Publishing to CEN

As depicted in Figure 1 the routing table of VPC B has been modified with the following entry:

Destination       Next Hop
192.168.0.0/24    VPN A

This route is, however, not visible to VPC A and not known to CEN. Thus, any request from VPC A to an IP address within the 192.168.0.0/24 range will not be routed anywhere.

In order to advertise this route to CEN it must be published to the CEN-Instance.

This can easily be done from the console. Navigate to the routing table of the particular VPC, where you will find the corresponding entry, and simply click on the link “Publish” to advertise the route to all CEN-connected VPCs.


Under the hood this actually calls the OpenAPI PublishRouteEntries which is defined in the API documentation at

This also allows you to publish the route to CEN programmatically. There is a great online tool, the OpenAPI Explorer, that lets you easily generate and execute the corresponding API calls (make sure you are logged in, otherwise you will be redirected to the Chinese portal).

You need to populate the fields similar to the screenshot below:


Figure 2: Publishing CEN Route using the Open API Explorer


  1. CenId is the ID of your CEN-Instance
  2. ChildInstanceId is the ID of the VPC where the routing table is located. In our example this is VPC B.
  3. ChildInstanceType is the type of the attached network, which is VPC in our scenario
  4. ChildInstanceRegionId is the region where the VPC is located
  5. ChildInstanceRouteTableId is the ID of the routing table defined in VPC B (not the VRouter ID, be careful!)
  6. DestinationCidrBlock is the destination CIDR block of the route entry to publish.
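The same PublishRouteEntries call can be issued without the OpenAPI Explorer. The following is an added example (not code from the article or from Alibaba Cloud's SDK) that assembles the parameters listed above, guards against the VRouter-ID mistake called out in item 5, and signs the request with the RPC-style HMAC-SHA1 signature used by Alibaba Cloud's OpenAPI. The CEN endpoint, API version, the "vtb-"/"vrt-" ID prefixes and all IDs are assumptions or constructed placeholders; in Scenario 2 the credentials passed in must belong to the account that owns the VPC with the VPN Gateway, not the account that owns the CEN.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Parameters from the article's example. IDs are constructed placeholders.
ROUTE_PARAMS = {
    "Action": "PublishRouteEntries",
    "Version": "2017-09-12",                       # assumed CEN (cbn) API version
    "CenId": "cen-EXAMPLE00000000",                # the CEN-Instance
    "ChildInstanceId": "vpc-EXAMPLE00000000",      # VPC B, which holds the VPN route
    "ChildInstanceType": "VPC",
    "ChildInstanceRegionId": "eu-central-1",       # region of VPC B (assumed)
    "ChildInstanceRouteTableId": "vtb-EXAMPLE00000000",  # routing table id, NOT the VRouter id
    "DestinationCidrBlock": "192.168.0.0/24",      # the route published towards VPN A
}

def is_route_table_id(candidate: str) -> bool:
    """Guard for the article's caveat: the API wants the routing table id
    (assumed prefix 'vtb-'), not the VRouter id (assumed prefix 'vrt-')."""
    return candidate.startswith("vtb-") and not candidate.startswith("vrt-")

def _pct(value: str) -> str:
    """RFC 3986 percent-encoding as the OpenAPI signature expects: only
    letters, digits, '-', '_', '.', '~' stay unencoded; '/' becomes %2F."""
    return urllib.parse.quote(value, safe="~")

def sign_rpc_request(params, access_key_id, access_key_secret,
                     http_method="GET", nonce=None, timestamp=None):
    """Return the query parameters with the common fields and the Signature
    added. nonce/timestamp are injectable so the result is reproducible."""
    q = dict(params)
    q["Format"] = "JSON"
    q["AccessKeyId"] = access_key_id
    q["SignatureMethod"] = "HMAC-SHA1"
    q["SignatureVersion"] = "1.0"
    q["SignatureNonce"] = nonce or secrets.token_hex(16)       # replay protection
    q["Timestamp"] = timestamp or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    # Canonical query string: parameters sorted by name, keys and values encoded.
    canonical = "&".join(f"{_pct(k)}={_pct(str(v))}" for k, v in sorted(q.items()))
    string_to_sign = f"{http_method}&{_pct('/')}&{_pct(canonical)}"
    key = (access_key_secret + "&").encode()                   # secret plus literal '&'
    digest = hmac.new(key, string_to_sign.encode(), hashlib.sha1).digest()
    q["Signature"] = base64.b64encode(digest).decode()
    return q

def build_publish_url(params, access_key_id, access_key_secret,
                      endpoint="https://cbn.aliyuncs.com"):  # assumed CEN endpoint
    """Validate the route table id, then build the signed GET URL."""
    if not is_route_table_id(params["ChildInstanceRouteTableId"]):
        raise ValueError("ChildInstanceRouteTableId must be a routing table id (vtb-...), not a VRouter id")
    return endpoint + "/?" + urllib.parse.urlencode(sign_rpc_request(params, access_key_id, access_key_secret))
```

Read the AccessKey pair from the environment or a RAM role rather than hard-coding it, and use a RAM user of the VPC-owning account that is limited to the CEN route-publishing action.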

Once this is submitted, the route will be published to the CEN-Instance and be visible in its routing entries. In our example this will be similar to the following:

Destination       Next Hop
192.168.0.0/24    VPC B

This entry is automatically added by CEN to the routing table of VPC A, as depicted in the screenshot below:


So any request to the defined IP range will be routed to VPC B, from there to the VPN Gateway, and thus to the IDC network or (in our scenario) to VPC C.

Scenario 2: VPCs in Multiple Billing Accounts

In the following, we’re going to focus on the differences with the main scenario described in the previous section.

The target architecture is the following:


Figure 3: Target Scenario for VPC in multiple Accounts

In this specific example, there is one Account owning the CEN-instance and a VPC, and another one owning only one VPC.

Other scenarios can also be covered with this approach, for example one account owning only the CEN-instance while all VPCs are owned by other accounts.

Solution Implementation Steps

The CEN-instance in Account 1 then needs to be set as “trusted” in the VPC in Account 2. This is done by navigating to the VPC configuration page in the Console and selecting ‘CEN Cross Account Authorization’, as shown below.


Figure 4: Cross Account CEN Authorization

Then enter the Account UID and the CEN ID:


Figure 5: Entering Remote Account and CEN IDs

It then appears in the VPC trusted CEN list:


Figure 6: VPC Cross-Account Trusted CENs

Be aware that this only authorizes the CEN in Account 1 to attach the VPC in Account 2; it does not perform the attachment itself.

Now the VPC actually has to be attached to the CEN, and this is done in the CEN management page in Account 1. Select “Attach Network”, and then select the tab “Different Account”:


Figure 7: Attach VPC from a different Account in CEN

VPN setup is the same as described in the previous section.

The last difference from the single-account scenario is how the route to the network served by the VPN is added to the CEN routing table.

In this case, publishing the route is not done in the Account owning the CEN, but instead in the Account owning the VPC containing the VPN Gateway.

In our scenario, this means that the PublishRouteEntries API call must be made in Account 2, not in Account 1.

Once done, connectivity can be tested by creating an instance in VPC A and one in VPC C and having them ping each other, as described in the first part.
