A virtual private cloud (VPC) is a private network in the cloud that you can fully control. Within your VPC, you can select the IP address range, configure routes, and deploy resources such as Elastic Compute Service (ECS), RDS, and Server Load Balancer (SLB) instances.
VPCs and vSwitches
As the initial step in adopting cloud services, a VPC lets you set up a logically isolated virtual network environment. It is a region-level resource that cannot be deployed across regions.
Typically, a region consists of several zones that are connected through a low-latency network. Zones in different regions are entirely isolated from one another.
A vSwitch is a zone-level resource; all vSwitches in the same VPC are interconnected by default. You create vSwitches in zones and deploy resources into vSwitches.
We recommend creating at least two vSwitches in different zones, deploying services across those zones, and managing security rules centrally, so that a single-zone failure does not take the service down and disaster recovery is simpler.
vSwitches do not support multicast or broadcast.
Creation methods
When creating ECS, CLB, or RDS instances in a region without a VPC, you can choose to let Alibaba Cloud create a default VPC and vSwitch. This allows for quick deployment with preset configurations.
However, the default VPC and vSwitch may not be sufficient for your long-term network needs. For example, when different departments require data and resource isolation, you will need to create custom VPCs and vSwitches.
Default VPCs and vSwitches
When creating ECS, CLB, and RDS instances in a region without an existing VPC, you can choose to let Alibaba Cloud automatically create a default VPC and vSwitch in either a zone of your choice, or a random one. The default VPC and vSwitch have the following features:
Item | Default VPC | Default vSwitch |
Number | One per region. | One per zone. The default vSwitch belongs to the default VPC. |
Subnet mask and private IPs | The subnet mask of a default VPC is 16 bits long. For example, 172.31.0.0/16 provides up to 65,532 private IP addresses. | The subnet mask of a default vSwitch is 20 bits long and the block lies inside the default VPC's CIDR block. For example, 172.31.0.0/20 provides up to 4,092 private IP addresses. (In both cases the count is the block size minus four reserved addresses.) |
Quota | No quotas are consumed. | No quotas are consumed. |
Creation | Created automatically by Alibaba Cloud; every VPC that you create yourself is non-default. | Created automatically by Alibaba Cloud; every vSwitch that you create yourself is non-default. |
Operations and specifications | Same as non-default VPCs. | Same as non-default vSwitches. |
You can delete default VPCs and vSwitches, but you cannot convert them to non-default ones, or vice versa.
Default VPCs and vSwitches are suited to quickly verifying and deploying a workload. For long-lived network services or critical production systems, plan custom VPCs and vSwitches around your architecture: deliberate address planning gives you resource isolation, security control, and room to scale.
Custom VPCs and vSwitches
You can create custom VPCs and vSwitches, select IP address ranges, and set up routes to align with your network planning.
Build an IPv4 VPC: Instances in the same VPC can communicate using private IPv4 addresses.
Build an IPv6 VPC: Instances in a dual-stack VPC can communicate over private IPv4 or IPv6 addresses. The two protocols operate independently, so routes and security group rules must be configured separately for each.
Manage the address space with IPAM based on your development requirements. See Allocate resources from IPAM pools when creating an IPv4 VPC.
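The following Python script is an added example for planning an IPv4 address space; it is not code from the Alibaba Cloud documentation or SDK. It carves one vSwitch CIDR block per zone out of a VPC CIDR block, verifies that the VPC block is private, that every vSwitch lies inside the VPC block, and that no two vSwitches overlap, and computes the addresses available to instances. The four-address reservation per vSwitch is inferred from the figures in the table above (a /16 yields 65,532, a /20 yields 4,092); the zone IDs and all function names are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List

# Assumption: the page's arithmetic (/16 -> 65,532, /20 -> 4,092) implies
# four addresses per vSwitch block are reserved and not assignable to instances.
RESERVED_PER_VSWITCH = 4


def usable_addresses(cidr: str) -> int:
    """Private IPv4 addresses available to instances in one vSwitch block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - RESERVED_PER_VSWITCH


def plan_vswitches(vpc_cidr: str, zones: List[str], prefixlen: int) -> Dict[str, str]:
    """Assign one non-overlapping /prefixlen vSwitch block per zone, in order."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if vpc.version != 4:
        raise ValueError("this planner handles IPv4 VPC CIDR blocks only")
    if not vpc.is_private:
        raise ValueError(f"{vpc} is not a private (RFC 1918) range")
    if prefixlen <= vpc.prefixlen:
        raise ValueError("vSwitch prefix must be longer than the VPC prefix")
    subnets = vpc.subnets(new_prefix=prefixlen)
    plan: Dict[str, str] = {}
    for zone in zones:
        try:
            plan[zone] = str(next(subnets))
        except StopIteration:
            raise ValueError(f"{vpc} cannot hold {len(zones)} /{prefixlen} vSwitches")
    return plan


def validate_plan(vpc_cidr: str, plan: Dict[str, str]) -> List[str]:
    """Return problems found: a vSwitch outside the VPC, or two vSwitches overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {zone: ipaddress.ip_network(cidr, strict=True) for zone, cidr in plan.items()}
    problems: List[str] = []
    for zone, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{zone}: {net} is not inside VPC {vpc}")
    zones = list(nets)
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    # Constructed input: a VPC spread over two zones (zone IDs are assumed).
    vpc_cidr = "172.31.0.0/16"
    plan = plan_vswitches(vpc_cidr, ["cn-hangzhou-h", "cn-hangzhou-i"], 20)
    for zone, cidr in plan.items():
        print(f"{zone}: {cidr} ({usable_addresses(cidr)} usable addresses)")
    print("problems:", validate_plan(vpc_cidr, plan) or "none")
```

Run the planner before calling the VPC API so that an overlapping or out-of-range vSwitch is caught locally; validate_plan also accepts a hand-written plan, which is the usual case when departments get their own VPCs and the blocks must not collide later when the VPCs are peered.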
The following table compares IPv4 and IPv6 VPCs.
Item | IPv4 VPCs | IPv6 VPCs |
IP address | An IPv4 address is 32 bits written as four decimal octets (0 to 255) separated by periods. | An IPv6 address is 128 bits written as eight groups of four hexadecimal digits separated by colons. |
Status | Enabled by default | Optional |
CIDR block size | | |
vSwitch CIDR block size | | |
Can specify a CIDR block | Yes. | No. The system selects an IPv6 CIDR block from the address pool. |
Instance families | All instance families. | Some instance families do not support IPv6. |
ClassicLink connections | Supported. | Not supported. |
Elastic IPs (EIPs) | IPv4 EIPs are supported. | IPv6 EIPs are not supported. |
Gateway | VPN Gateway and NAT Gateway are supported. | VPN Gateway and NAT Gateway are not supported. |
Learn more
VPCs have many features available to meet your needs.
Scenarios | Feature | Description |
Traffic control | System and custom route tables, security groups, network ACLs | After a VPC is created, the system automatically creates a system route table and adds route entries to manage traffic; these entries cannot be manually created or deleted. If you deploy services in different vSwitches and need independent traffic control, create a custom route table and bind it to the vSwitch. Use security groups and network ACLs for security isolation. |
CIDR block management | Secondary CIDR blocks | If the initial address space is insufficient, add secondary CIDR blocks to expand it. |
CIDR block management | Reserved CIDR blocks | When building a container network that needs multiple IP addresses per node, add reserved IPv4 or IPv6 CIDR blocks to a vSwitch and assign prefixes from the reserved block to ENIs. This simplifies configuration and increases the IP density of a node. |
Network configuration | Self-managed DNS and DHCP options sets | Use a self-managed DNS server together with a DHCP options set to push unified network configuration to ECS instances. |
Network configuration | DNS hostnames | Enable DNS hostnames to give ECS instances in the VPC built-in authoritative domain names. In automated deployment and configuration management, referencing these hostnames in configuration files instead of IP addresses means that a change in an instance's IP does not break service discovery or configuration. |
High availability | HAVIP | Use HAVIP together with Address Resolution Protocol (ARP) and Keepalived or Heartbeat to deploy high-availability services. The service IP address stays the same across a failover. |