Virtual Private Cloud: Service architecture

Last Updated: Jan 10, 2025

A virtual private cloud (VPC) relies on tunneling technology for isolation: each VPC is assigned a unique tunnel ID that corresponds to one virtualized network.

Background

To enhance network resource efficiency and device utilization, the concept of network virtualization has emerged. By transforming a hardware-dependent network into a software-based one, this technology enables logically isolated networks to operate concurrently on a physical infrastructure. This scalable approach gives users the flexibility to modify network configurations based on their requirements.

As cloud computing continues to evolve, the demand for more elastic, secure, reliable, and interconnected virtualized networks intensifies. Traditional network solutions fall short in addressing challenges like Address Resolution Protocol (ARP) spoofing, broadcast storms, and host scanning, which are particularly acute within Layer 2 architecture.

In response to these challenges, various network isolation technologies have emerged to separate physical and virtual networks. Among these, a virtual local area network (VLAN) segments a physical local area network (LAN) into multiple logical networks based on ports, MAC addresses, or IP addresses. Each VLAN forms a separate broadcast domain, which contains broadcast traffic within its boundaries and thus improves network performance and security. However, the VLAN ID space allows at most 4,096 virtual networks, which is insufficient for a large user base.

VXLAN was developed to overcome the limitations of VLAN. VXLAN facilitates efficient communication between data centers and accommodates millions of virtual networks, making it well suited to constructing multitenant networks within large cloud infrastructures. By employing tunneling technology, VXLAN encapsulates Layer 2 network packets within Layer 3 packets and enables Layer 2 communication over Layer 3 networks. This resolves the scalability issue faced by virtual networks in conventional network architectures and provides the technical basis for large-scale network deployments in cloud computing.

How it works

VPC is a fundamental component of cloud computing that provides users with secure and private virtual network environments on shared infrastructure. By leveraging tunneling and software-defined networking (SDN) technologies along with high-performance physical gateways and proprietary distributed vSwitches, Alibaba Cloud VPC is a robust, flexible solution that meets diverse networking needs.

  • Tunneling: Essential for network isolation, with each VPC assigned a unique tunnel ID that represents a virtualized network.

    • Data packets between ECS instances in a VPC are encapsulated with the tunnel ID and transmitted over the physical network.

    • ECS instances in different VPCs are naturally isolated because they have different tunnel IDs and belong to different routing planes.

  • SDN: A new type of network architecture that decouples the control plane and data plane, thus allowing for centralized management and traffic control. The SDN controller in a VPC dynamically configures network policies, such as routing and security rules, without interacting with the underlying hardware. This enhances the flexibility and programmability of networks.

  • Physical gateways and vSwitches: Support high-performance data forwarding and cater to the demands of large-scale VPCs.
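As an added example (not Alibaba Cloud's own implementation), the following Python models the tunneling isolation described above: each Layer 2 frame is wrapped in a VXLAN header carrying a 24-bit tunnel ID (VNI), and a toy vSwitch looks up destinations by (tunnel ID, MAC), so identical addresses in two VPCs never collide and a frame with an unknown tunnel ID is dropped. The header layout is the standard VXLAN one (RFC 7348); the `VSwitch` class, instance names and MAC addresses are constructed for the demonstration.

```python
import struct

VXLAN_FLAG_VNI = 0x08   # "I" flag: the VNI (tunnel ID) field is valid

def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prefix a Layer 2 frame with the 8-byte VXLAN header carrying the tunnel ID."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    # Layout: flags(1) reserved(3) VNI(3) reserved(1); vni << 8 leaves the last byte zero
    return struct.pack(">B3xI", VXLAN_FLAG_VNI, vni << 8) + inner_frame

def decapsulate(packet: bytes) -> tuple:
    """Strip the VXLAN header; return (vni, inner_frame) or raise on a malformed header."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack(">B3xI", packet[:8])
    if not flags & VXLAN_FLAG_VNI:
        raise ValueError("VNI flag not set")
    return vni_field >> 8, packet[8:]

class VSwitch:
    """Toy distributed vSwitch (constructed): the forwarding table is keyed by
    (tunnel ID, MAC), so a frame can only reach an ENI in the VPC whose ID it carries."""
    def __init__(self):
        self.table = {}      # (vni, dst_mac) -> instance name
        self.dropped = 0
    def attach(self, name: str, vni: int, mac: bytes) -> None:
        self.table[(vni, mac)] = name
    def receive(self, packet: bytes):
        # Returns the instance that gets the inner frame, or None if the packet is dropped.
        try:
            vni, frame = decapsulate(packet)
        except ValueError:
            self.dropped += 1
            return None
        target = self.table.get((vni, frame[:6]))   # lookup is scoped by tunnel ID
        if target is None:
            self.dropped += 1                        # unknown VNI/MAC: no cross-VPC leak
        return target

MAC_A = bytes.fromhex("02000000aa01")   # constructed sample MAC, reused in both VPCs
MAC_B = bytes.fromhex("02000000bb02")   # constructed sample source MAC

def demo() -> dict:
    sw = VSwitch()
    sw.attach("vpc1-ecs-a", 100, MAC_A)   # two VPCs with overlapping addresses
    sw.attach("vpc2-ecs-a", 200, MAC_A)
    frame = MAC_A + MAC_B + b"\x08\x00" + b"payload"   # dst, src, EtherType, body
    return {"vpc1": sw.receive(encapsulate(100, frame)),
            "vpc2": sw.receive(encapsulate(200, frame)),
            "unknown_vni": sw.receive(encapsulate(300, frame)),
            "dropped": sw.dropped}
```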

Logical architecture

The figure below illustrates the components of a VPC, namely a gateway, a controller, and a vSwitch.

vSwitches and gateways are central to the data path, whereas the controllers use proprietary protocols to deliver forwarding tables, thus ensuring connectivity of the configuration path. The configuration and data paths are separate from each other.

vSwitches are distributed nodes, while gateways and controllers are clusters deployed across data centers. All connections are designed with redundancy and disaster recovery to improve the availability of VPCs.

[Figure: VPC logical architecture showing the gateway, controller, and vSwitch]

Features

You can leverage the comprehensive features of VPC to fulfill your requirements, from constructing complex network architectures to implementing fine-grained security policies.

  • vSwitch: A zone-level resource where you can deploy cloud resources after creating a VPC.

  • Route table: Manages and directs traffic; when configured properly, it enhances network flexibility and security.

  • IP address manager (IPAM): Automates IP address allocation and management, thus simplifying network management and preventing address conflicts.

  • IPv4 gateway/IPv6 gateway: By leveraging IPv4 and IPv6 gateways, you can centrally manage and enforce strict control over Internet access for instances in a VPC, thereby improving security.

  • VPC peering connection: Enables private communication between two VPCs, whether or not they belong to the same account or the same region.

  • Network ACL: You can create custom network ACLs and associate them with vSwitches to manage ECS traffic in the vSwitches.

  • Flow log: Records inbound and outbound traffic of elastic network interfaces (ENIs) in a VPC and assists in access control verification, network performance monitoring, and troubleshooting.

  • Traffic mirroring: Mirrors packets that pass through ENIs and meet specific filter conditions. This feature is useful in content inspection, threat monitoring, and troubleshooting.