{"componentChunkName":"component---src-templates-acg-portal-intl-template-tsx","path":"/fm5aqhghr-intl","result":{"data":{"markdownRemark":{"html":"

概览

\n

VPC(Virtual Private Cloud)内支持创建多张自定义路由表,可与云智能网的TGW(Transit Gateway)绑定,使得TGW到VPC方向的流量匹配自定义路由表,可以满足用户更多场景的使用,如实现多VPC间的安全防护。

\n

需求场景

\n

安全VPC:多个VPC之间的互访流量需要经过安全VPC进行防护。

\n

说明:

\n\n

方案概述

\n

两个VPC之间的互访流量经过安全VPC

\n

请求流量从源VPC发出之后,先经过安全VPC中的第三方防火墙实例,再到达目的VPC;回向流量从目的VPC发出之后,同样先经过安全VPC中的第三方防火墙实例,再回到源VPC。

\n

\"1改.png\"

\n

按以下方式配置路由表(详见配置步骤):

\n\n

\"2.3改.png\"

\n

配置步骤

\n

环境准备

\n

创建VPC-A、VPC-B和安全VPC三个VPC。由于当前在VPC路由表中,子网直连路由优先级高于自定义路由,VPC尽量选择不同网段,为了避免出现流量被直连路由导走情况。本示例中,VPC-A网段为192.168.0.0/16,VPC-B网段为172.16.0.0/16,安全VPC网段为10.0.0.0/16。

\n

具体操作方法参考创建VPC

\n

在安全VPC中创建一台虚机,模拟第三方防火墙;在VPC-A和VPC-B中各创建一台虚机,用于两VPC间互访流量的连通性测试。

\n

具体操作方法参考创建云服务器实例

\n

合理设置三台虚机的安全组,使得三台实例之间可以相互通信。

\n

具体操作方法参考安全组

\n

配置流程

\n

\"流程图-202412191611.png\"

\n

步骤一:创建CSN实例并加载VPC

\n\n

具体操作方法参考创建云智能网实例

\n

\"3.png\"

\n\n

具体操作方法参考添加网络实例

\n\n

\"4.png\"\n\"5.png\"

\n\n

\"6.png\"

\n

步骤二:配置CSN实例路由表

\n\n

\"7.png\"\n\"8.png\"

\n\n

具体操作可参考关联关系创建方法

\n

\"9.png\"

\n\n

路由添加方法可参考。

\n

\"10.png\"

\n\n

\"11.png\"

\n\n

学习关系创建方法可参考。

\n

\"12.png\"\n\"13.png\"

\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
\n

路由表名称

\n 		\n

路由表描述

\n 		\n

关联VPC

\n 		\n

路由

\n
\n

目标网段

\n 		\n

下一跳

\n
\n

default

\n 		\n

不可信流量

\n 		\n

VPC-A、VPC-B

\n 		\n

192.168.0.0/16

\n 		\n

安全VPC

\n
\n

172.16.0.0/16

\n 		\n

安全VPC

\n
\n

trusted

\n 		\n

可信流量

\n 		\n

安全VPC

\n 		\n

192.168.0.0/16

\n 		\n

VPC-A

\n
\n

172.16.0.0/16

\n 		\n

VPC-B

\n
\n

步骤三:配置安全VPC路由表

\n\n

\"14.png\"\n\"15.png\"

\n\n

\"16.png\"

\n

点击“+添加路由”按钮,源网段选择自定义配置,输入0.0.0.0/0,目的网段输入VPC-A的网段,路由类型选择实例路由,下一跳实例选择用户第三方防火墙实例。用同样的方法也添加目的地址为VPC-B网段、其他配置相同的路由。

\n

\"17.png\"\n\"18.png\"\n\"19.png\"

\n

步骤四:绑定TGW与安全VPC自定义路由表

\n\n

\"20.png\"\n\"21.png\"\n\"22.png\"

\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
\n

VPC名称

\n 		\n

路由表名称

\n 		\n

绑定资源

\n 		\n

路由

\n
\n

源网段

\n 		\n

目标网段

\n 		\n

下一跳

\n
\n

VPC-A

\n 		\n

default

\n 		\n

VPC内全部资源

\n 		\n

0.0.0.0/0

\n 		\n

192.168.0.0/16

\n 		\n

系统

\n
\n

0.0.0.0/0

\n 		\n

192.168.0.0/16

\n 		\n

TGW实例

\n
\n

0.0.0.0/0

\n 		\n

172.16.0.0/12

\n 		\n

TGW实例

\n
\n

0.0.0.0/0

\n 		\n

10.0.0.0/8

\n 		\n

TGW实例

\n
\n

VPC-B

\n 		\n

default

\n 		\n

VPC内全部资源

\n 		\n

0.0.0.0/0

\n 		\n

172.16.0.0/16

\n 		\n

系统

\n
\n

0.0.0.0/0

\n 		\n

192.168.0.0/16

\n 		\n

TGW实例

\n
\n

0.0.0.0/0

\n 		\n

172.16.0.0/12

\n 		\n

TGW实例

\n
\n

0.0.0.0/0

\n 		\n

10.0.0.0/8

\n 		\n

TGW实例

\n
\n

安全VPC

\n 		\n

default

\n 		\n

VPC内除TGW外全部资源

\n 		\n

0.0.0.0/0

\n 		\n

10.0.0.0/16

\n 		\n

系统

\n
\n

0.0.0.0/0

\n 		\n

192.168.0.0/16

\n 		\n

TGW实例

\n
\n

0.0.0.0/0

\n 		\n

172.16.0.0/12

\n 		\n

TGW实例

\n
\n

0.0.0.0/0

\n 		\n

10.0.0.0/8

\n 		\n

TGW实例

\n
\n

路由表A

\n 		\n

TGW实例(TGW进入VPC方向的流量匹配该路由表)

\n 		\n

0.0.0.0/0

\n 		\n

10.0.0.0/16

\n 		\n

系统

\n
\n

0.0.0.0/0

\n 		\n

192.168.0.0/16

\n 		\n

第三方防火墙实例

\n
\n

0.0.0.0/0

\n 		\n

172.16.0.0/16

\n 		\n

第三方防火墙实例

\n
\n

连通性测试

\n
    \n
  1. 登录安全VPC中的第三方防火墙实例,执行以下命令启动允许转发。
    2. \n
\n\n
\n
\n
\n Plain Text\n \n
\n
\n 
1# 临时启用允许转发,重启后会失效\n2echo 1 > /proc/sys/net/ipv4/ip_forward\n3\n4# 永久启动允许转发\n5echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf\n6sudo sysctl -p
\n
\n
\n
\n \n
    \n
  1. 登录VPC-A中的虚机,对VPC-B中虚机的ip执行ping操作,测试VPC-A与VPC-B的连通性,同时在安全VPC中的第三方防火墙实例上,执行tcpdump命令,检查VPC-A与VPC-B的互访流量是否经过第三方防火墙。
    2. \n
\n\n
\n
\n
\n Plain Text\n \n
\n
\n 
1# 测试VPC-A与VPC-B连通性\n2ping <虚机ip地址>\n3\n4# 测试流量是否通过第三方防火墙\n5tcpdump host <源虚机ip地址> and <目的虚机ip地址>
\n
\n
\n
\n \n

相关产品

\n

云服务器BCC私有网络VPC云智能网CSN

","fields":{"slug":"fm5aqhghr-intl","title":"CSN支持VPC自定义路由表实现流量安全互访","date":"2025-08-21","extractedHeadings":[]},"headings":[{"value":"概览","depth":2},{"value":"需求场景","depth":2},{"value":"方案概述","depth":2},{"value":"两个VPC之间的互访流量经过安全VPC","depth":3},{"value":"配置步骤","depth":2},{"value":"环境准备","depth":3},{"value":"配置流程","depth":3},{"value":"连通性测试","depth":3},{"value":"相关产品","depth":3}]}},"pageContext":{"isCreatedByStatefulCreatePages":false,"slug":"fm5aqhghr-intl","prev":{"id":"ekk7z0ver-intl","name":"产品描述","path":"ekk7z0ver-intl","filePath":"产品描述/应用场景.md","seo":null,"parentIds":["Rkk7yxf0g-intl"],"parents":[{"id":"Rkk7yxf0g-intl","documentId":"b8449bcd-116c-442e-a836-31a53cd03ef8","name":"产品描述","repoName":"CSN","filePath":"产品描述","disabled":false,"path":"Rkk7yxf0g-intl","lastMergeTime":null,"isApiDoc":null,"httpMethod":null,"seo":null}]},"next":{"id":"Fm9b18t79-intl","name":"多IDC间通过云智能网实现灾备","path":"Fm9b18t79-intl","filePath":"典型实践/多IDC间通过云智能网实现灾备.md","seo":null,"parentIds":["Ell3fz1kn-intl"],"parents":[{"id":"Ell3fz1kn-intl","documentId":"bfdc531c-9e8e-49cd-90a8-3d3739bf5b77","name":"典型实践","repoName":"CSN","filePath":"典型实践","disabled":false,"path":"Ell3fz1kn-intl","lastMergeTime":null,"isApiDoc":null,"httpMethod":null,"seo":null}]},"parents":[{"id":"Ell3fz1kn-intl","documentId":"bfdc531c-9e8e-49cd-90a8-3d3739bf5b77","name":"典型实践","repoName":"CSN","filePath":"典型实践","disabled":false,"path":"Ell3fz1kn-intl","lastMergeTime":null,"isApiDoc":null,"httpMethod":null,"seo":null}],"specificSeo":null}}}