All Products
Search
Document Center

Virtual Private Cloud:Network connectivity

Last Updated:Nov 29, 2024

Alibaba Cloud provides a secure and isolated network environment that features elastic scaling, along with fast and reliable connectivity solutions for connecting a virtual private cloud (VPC) to the Internet, other VPCs, and on-premise data centers. You can add necessary services to VPCs to set up network connections that suit your business needs.

Enable Internet access

Select the public IP address type

A public IP address is required for the application server when you access an application deployed on the cloud from the Internet or vice versa. You can choose one of the two types: static public IP addresses and elastic IP addresses (EIPs).

  • Static public IP addresses: When creating an Elastic Compute Service (ECS) or Server Load Balancer (SLB) instance, you can enable public IPv4 address allocation. The system automatically assigns an IP address that supports both outbound and inbound public network access. After an IP address is assigned, it cannot be modified and can only be removed by deleting the instance. This option does not give you the flexibility to unbind and manage IP addresses.

  • EIPs: An EIP is an independent public IP resource that can be associated to or disassociated from instances as needed, allowing for flexible management. We recommend that you use an EIP for your application server.

Unified Internet traffic ingress

When a single backend server uses a public IP to provide services, any issues with the server can lead to a single point of failure and turn the system unavailable.

In business scenarios, we recommend that you use the Server Load Balancer (SLB) to centralize traffic ingress and deploy backend servers in different zones. This approach distributes traffic to different backend servers, which enhances the service throughput, eliminates single points of failure, and improves system availability.

SLB products encompass Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB). Select the product that best fits your requirements.

Unified Internet traffic egress

While a single server can access the Internet with a public IP, using multiple servers can lead to a consumption of public IP resources. To address this, you can enable the SNAT feature of the NAT gateway. This allows ECS instances in a VPC to share an EIP for Internet access, saving public IP addresses.

Internet access control

Proper Internet access control is crucial when your applications on the cloud provide services over the Internet, as it helps prevent unwanted or potentially harmful access.

Consider an ECS server within a VPC, for example. You can use the following methods for centralized access control:

  • IPv4 Gateway acts as the gateway for public IPv4 traffic. Without this feature, ECS instances can access the Internet after binding a public IP. However, when the IPv4 gateway is created and activated, Internet access from the VPC is managed by the IPv4 Gateway. You can use it together with subnet routing for centralized control of public IPv4 access.

  • IPv6 Gateway serves as the gateway for public IPv6 traffic. The default IPv6 address assigned to instances in the VPC is only capable of private communication. By enabling public bandwidth for the IPv6 address in IPv6 gateway, you provide it with the capability to access the Internet. Egress-only rules are supported, permitting outbound access only.

You can select cloud resources or functions that meet your specific business requirements. The following table lists the benefits and limitations of these options.

Scenario

Product

Function

Benefits and limitations

Configure public IP for application servers

Static public IP

After you enable public IP address allocation when creating an ECS instance, the system automatically allocates an IP address to access and be accessed from the Internet.

Use Internet Shared Bandwidth and Data Transfer Plan to reduce costs.

As static public IP address cannot be unbound from ECS instances, you can replace it with an EIP.

EIP

EIPs can be associated with and disassociated from ECS instances. EIPs support outbound Internet access through SNAT and inbound access through DNAT.

EIPs can be bound and unbound from ECS instances at any time.

Use Internet Shared Bandwidth and Data Transfer Plan to lower costs.

Unified Internet traffic ingress

SLB

Provides load balancing services at Layer 4 and Layer 7 based on ports. Enables Internet access to ECS through SLB.

SLBs distribute network traffic across ECS instances to prevent single points of failure. This improves the availability of application systems.

ECS cannot actively access the Internet through SLB.

Unified Internet traffic egress

Internet NAT Gateway

Enables multiple ECS instances to access and be accessed from the Internet.

Internet NAT Gateway facilitates communication between multiple ECS instances and the Internet, while EIPs only support communication between one ECS instance and the Internet.

Unlike SLBs, Internet NAT gateways are incapable of balancing the load of ECS instances.

Internet access control

IPv4 Gateway

/IPv6 Gateway

Manages Internet access for instances and enhances security by strictly controlling public traffic.

Controls Internet access through routing and reduces security risks associated with Internet access by using public IPs.

Inbound routing policy control can be combined with virtual firewalls for security protection.

Connect VPCs

Connect two VPCs

If you need to connect two VPCs, you can create VPC peering connections for fast, secure network.

VPC peering connections enable private network communication between two VPCs in the same or different regions, under the same or different accounts. Once a VPC peering connection is set up, you can configure route entries of the requester and accepter VPCs to enable connection.

Connect more than two VPCs

In expansive cloud computing environments, businesses often need to manage numerous VPCs, which may be located in different regions and handle important operations. Cloud Enterprise Networks (CENs) can be used to connect these VPCs to form a unified network architecture, providing stable, secure, and fast connections. This facilitates efficient resource sharing and flexible scheduling. It also supports data synchronization, application migration, and collaborative work across different regions and accounts in a multi-cloud environment. This significantly reduces network management complexity and enhances operational efficiency.

CENs connect network instances through transit routers, routing traffic between instances in the same or different regions. Add a VPC to the transit router when you create a connection and routes are automatically synchronized. Only one transit router is allowed in each region. Transit routers in different regions need to be connected with each other. You can use CENs and Enterprise Edition transit routers to connect VPCs across regions and accounts.

Monitoring charts are available in the CEN console, giving you quick insights into network operational status and enhancing O&M efficiency.

Private network access among VPCs in the same region

To offer cloud services deployed in a VPC to other VPCs, you can use PrivateLink, which does not require an Internet egress such as NAT gateways or EIPs. PrivateLink provides high data security and network quality as data is not transmitted over the Internet. It creates a private connection between the VPCs to which endpoints belong by using endpoint connection. This simplifies the network architecture, enables private network access, and removes potential security risks posed by Internet access.

You can select a solution that aligns with your business requirements to connect VPCs. For more information, see Overview of VPC connections.

Scenario

Option

Function

Benefits and limits

Connect two VPCs

VPC peering connection

Enables private network communication between two VPCs in different accounts and across different regions.

Low latency.

Free of charge for VPCs in the same region.

Does not support route propagation.

Complex configuration.

Difficult to manage on a large scale.

Connect more than two VPCs

Cloud Enterprise Network (CEN)

Provides stable, secure, and fast connections for VPCs across regions and accounts.

Supports route propagation.

Supports fast connection of multi-region networks.

Systematic management that boosts O&M efficiency.

Provides low latency and fast transmission.

Standby connections and disaster recovery.

Connects networks through nearby access points.

Private network access between VPCs in the same region

PrivateLink

Connects VPCs to which endpoint services belong through an endpoint connection. Offers services deployed in a VPC to other VPCs.

Low latency.

Independent networks for service providers and service users to improve network reliability.

Secure and controllable. You can add security groups and configure endpoint policies to implement source authentication.

Simple management. It provides flexible cross-account and cross-VPC access to avoid complex routing and security configurations.

Flow logs are available, which record inbound and outbound traffic about an endpoint elastic network interface (ENI) and ensure transparency and controllability.

Connections across regions are not supported.

Hybrid cloud

You can select an appropriate solution to connect on-premises data centers to VPCs and build a hybrid cloud based on your business needs and factors such as network performance, data security, cost-effectiveness, and scalability.

Highly available hybrid cloud

Express Connect is recommended in the following scenarios for establishing a reliable, secure, and fast connection between an on-premises data center and a VPC:

  • For extensive data migrations or frequent data synchronization between the on-premises data center and VPC, Express Connect ensures a stable, fast connection with reduced transmission time.

  • For on-premises operations that require extremely high availability, you can build several leased line connections for elastic scalability and disaster recovery, while maintaining seamless integration with on-premises infrastructure.

Simple hybrid cloud

If cost and construction time are a major concern rather than latency, you can choose the VPN gateway, which has varied network latency and availability due to Internet communication. It uses encrypted tunnels to create network connections between on-premises data centers, office networks, Internet clients, and Alibaba Cloud.

IPsec-VPN and SSL-VPN connections are available for different networking scenarios:

  • IPsec-VPN is used for connections between on-premises data centers or office networks and VPCs.

  • SSL-VPN is applicable to connections between Internet clients (remote clients) and VPCs.

Enterprise-level hybrid cloud

For large, complex network architectures, you can use CENs for centralized management and monitoring of network resources that are globally distributed. This enhances O&M efficiency. CENs support multi-cloud connectivity and communication between clouds and on-premises networks, creating a hybrid cloud architecture to accommodate diverse business requirements.

You can choose a hybrid cloud solution that suits your needs. The following table describes the functions and benefits:

Scenario

Product

Function

Benefits and limitations

Highly available hybrid cloud

Express Connect

Connects on-premises data centers and VPCs through an Express Connect circuit.

Leverages backbone networks of ISPs for low latency.

Ensures communication quality with secure, reliable leased lines.

Lengthy construction cycle and significant costs.

Simple hybrid cloud

VPN Gateway

Connects on-premises data centers and VPCs by establishing IPsec-VPN.

Connects on-premises clients and VPCs by establishing SSL-VPN.

Offers a budget-friendly connection that is secure, stable, and highly available.

Higher latency than private network access as traffic needs to be forwarded over the Internet.

Enterprise-level hybrid cloud

CEN

Connection with on-premises data centers: Loads the Virtual Border Router (VBR) associated with data centers to the CEN instances to build an interconnected network.

Connection between multiple VPCs and on-premises data center: Loads multiple network instances such as VPC and VBR to the CEN instances to build an enterprise-level interconnected network.

Supports route propagation.

Connects networks across different regions.

Systematic management that enhances O&M efficiency.

Offers low latency and fast network transmission.

Standby connections and disaster recovery.

Connects networks through nearby access points.