A virtual private cloud (VPC) is a private network in the cloud. Alibaba Cloud provides different services to access VPCs, such as Express Connect, VPN Gateway, Cloud Enterprise Network (CEN), and Smart Access Gateway (SAG).
Overview
The following table describes the connection solutions for each scenario.
| Service | Description | Benefit | Limit |
| --- | --- | --- | --- |
| CEN | You can establish connections among VPCs that belong to different regions and Alibaba Cloud accounts. | Ease of use. Automatic route learning and advertising are supported. Low latency and high speed. Network instances, such as VPCs, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances, that are attached to the same CEN instance can communicate with each other. | None |
| VPC peering connection | You can establish peering connections between two VPCs. | If the two VPCs are deployed in the same region, data transfer is free of charge. | None |
Connect a data center to a VPC
| Service | Description | Benefit | Limit |
| --- | --- | --- | --- |
| VPN gateway | You can connect a data center to a VPC by using an encrypted IPsec-VPN tunnel over the Internet. | Low cost. Security. The configuration immediately takes effect. | The network latency and availability vary based on the Internet. |
| CEN | Automatic route learning and advertisement are supported. To enable communication among resources that are attached to the same CEN instance, you only need to attach the VBR that is associated with the data center to the CEN instance. | Ease of use. Automatic route learning and advertising are supported. Low latency and high speed. Network instances, such as VPCs and VBRs, that are attached to the same CEN instance can communicate with each other. | None |
| SAG | You can connect a data center to Alibaba Cloud by using SAG. | Ready-to-use. Automatic configuration is supported. Data transmitted over the Internet between the data center and the VPC is encrypted. You can connect to nearby access points in a MAN. Branch offices can be connected to Alibaba Cloud by using active and standby access devices or connections. | None |
| Express Connect | You can connect a data center to a VPC by using Express Connect circuits. | High network quality. High bandwidth. | High costs. Service activation is time-consuming. |
| VPN software deployment | You can purchase a VPN gateway and deploy the VPN gateway in a VPC. Then, you can connect a data center to the VPC by using an encrypted IPsec-VPN tunnel over the Internet. | Security. Different types of VPN software are available. The configuration immediately takes effect. | VPN gateways must be manually deployed and maintained. The network latency and availability depend on the Internet. |
| Service | Description | Benefit | Limit |
| --- | --- | --- | --- |
| VPN gateway | Establishes secure connections among multiple sites. The VPN-Hub feature enables communication among different sites, or between sites and VPCs. | Low cost. Ready-to-use. The configuration immediately takes effect. | None |
| SAG | You can purchase SAG instances for branch offices and attach the SAG instances to a CCN instance. Then, the branch offices can communicate with each other. | Ready-to-use. Automatic configuration is supported. Data transmitted over the Internet between the data center and the VPC is encrypted. You can connect to nearby access points in a MAN. Branch offices can be connected to Alibaba Cloud by using active and standby access devices or connections. | None |
| VPN gateway and VPC peering connection | You can connect application systems and offices around the world by using a combination of VPN gateways and VPC peering connections. | High network quality. Ready-to-use. The service takes effect immediately after configuration. | The network latency and availability depend on the Internet. |
| Service | Description | Benefit | Limit |
| --- | --- | --- | --- |
| VPN Gateway (with SSL-VPN) | You can connect a client to a VPC by using the SSL-VPN feature. | Low cost. Reliability. Easy configuration and deployment. | None |
| SSL-VPN software deployment | You can purchase SSL-VPN software and deploy the SSL-VPN software in a VPC. Then, you can connect to the VPN server from a client. | Multiple types of SSL-VPN software and images are supported. | Low reliability. High costs. Manual deployment and maintenance. |
Connect VPCs
You can deploy applications in VPCs in different regions. This way, services can be provided to the nearest regions and the network latency is low. Services in the VPCs can back up each other, which improves the availability of the system.
You can use CEN or VPC peering connections to connect VPCs in the same region or different regions.
CEN
You can use CEN to establish private network connections between VPCs in different regions, or between VPCs and data centers. CEN supports automatic route advertisement and learning, which speeds up network convergence, improves the quality and security of cross-network communication, and connects all network resources. CEN helps you build enterprise-class networks that provide high-performance network communication.
VPC peering connection
A VPC peering connection is a private network connection between two VPCs. You can enable multiple VPCs to communicate with each other by establishing VPC peering connections. If you want to connect more than two VPCs by using VPC peering connections, you must establish a peering connection for every pair of the VPCs.
For more information, see Examples of VPC peering connections.
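Because a peering connection links exactly two VPCs, the set of existing connections can be compared pair by pair with the set of VPC pairs that are supposed to communicate. The following Python sketch is an added example, not Alibaba Cloud code; audit_peering is a hypothetical helper, and the VPC names and connection lists are constructed sample data.

```python
def pair(a, b):
    """Order-independent key for a connection between two distinct VPCs."""
    if a == b:
        raise ValueError(f"a VPC cannot be paired with itself: {a}")
    return frozenset((a, b))


def audit_peering(vpcs, peerings, required):
    """Compare existing peering connections with the pairs that must communicate.

    Connectivity is evaluated per pair: a-b plus b-c does not connect a and c,
    which is why every pair needs its own peering connection.
    """
    known = set(vpcs)
    existing = {pair(a, b) for a, b in peerings}
    wanted = {pair(a, b) for a, b in required}
    unknown = sorted({v for p in existing | wanted for v in p} - known)
    if unknown:
        raise ValueError(f"unknown VPC names: {unknown}")

    def as_list(pairs):
        return sorted(tuple(sorted(p)) for p in pairs)

    n = len(known)
    return {
        "missing": as_list(wanted - existing),     # required, but no peering yet
        "unexpected": as_list(existing - wanted),  # peered, but not required
        "full_mesh": n * (n - 1) // 2,             # peerings needed to connect every pair
    }


# Constructed sample data (assumption): four VPCs, three existing peerings.
VPCS = ["vpc-app", "vpc-db", "vpc-mgmt", "vpc-dev"]
PEERINGS = [("vpc-app", "vpc-db"), ("vpc-db", "vpc-mgmt"), ("vpc-dev", "vpc-db")]
REQUIRED = [("vpc-app", "vpc-db"), ("vpc-app", "vpc-mgmt"), ("vpc-mgmt", "vpc-db")]

REPORT = audit_peering(VPCS, PEERINGS, REQUIRED)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

The "unexpected" list is the one to review for segmentation: each entry is a private path between two VPCs that the intended design does not call for.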
Connect a data center to a VPC
You can connect a data center to a VPC to build a hybrid cloud. After a secure and reliable connection is established between your data center and the VPC, you can seamlessly migrate on-premises IT infrastructure resources to Alibaba Cloud by using computing, storage, networking, CDN, and BGP resources that are provided by Alibaba Cloud. This helps you to handle business fluctuations.
You can connect a data center to a VPC by using Express Connect circuits, VPN gateways, and CEN instances.
VPN gateway
VPN Gateway can be used to connect data centers, office networks, and terminals to VPCs by using an encrypted tunnel in a secure and reliable manner. By default, VPN Gateway supports the active-standby mode in which two VPN gateways are used. In this mode, the system performs failovers when one VPN gateway becomes faulty. You can use VPN gateways to establish IPsec-VPN connections between your data center and VPCs.
For more information, see IPsec-VPN overview.
CEN
CEN supports automatic route advertisement and learning to connect resources in a hybrid cloud. After you attach the VBR that is associated with your data center to a CEN instance, the data center can communicate with other network instances that are attached to the CEN instance, such as VPCs and VBRs.
For more information, see Use Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks.
SAG
SAG is an all-in-one solution that can be used to connect your workloads to Alibaba Cloud. You can use SAG to connect private networks to Alibaba Cloud over the Internet. The connections established by SAG are secure and reliable.
You can purchase SAG instances for your data center and attach the CCN instance that is associated with the SAG instances to the CEN instance. This allows you to connect your data center to Alibaba Cloud.
For more information, see Deploy an SAG device in inline mode.
Express Connect
Express Connect provides dedicated circuits to establish connections. After an Express Connect circuit is used to connect to Alibaba Cloud, you can create a VBR and connect your data center to Alibaba Cloud. This way, you can build a hybrid cloud and access your data center over a private network.
An Express Connect circuit connects your data center to Alibaba Cloud over a private network. Compared with Internet-based connections, connections over Express Connect circuits reduce network latency, enhance security, and improve reliability.
For more information, see Connect a data center to a VPC by using an Express Connect circuit.
VPN software deployment
Alibaba Cloud provides various types of VPN software and images. You can purchase VPN software and deploy the VPN software on an ECS instance. Then, you can connect your data center to the VPC over the Internet by using an elastic IP address (EIP).
Connect multiple sites
You can connect multiple sites by using SAG or the VPN-Hub feature of VPN Gateway.
VPN gateway
The IPsec-VPN feature of VPN Gateway provides site-to-site VPN connections. Each VPN gateway supports at most 10 IPsec-VPN connections. You can purchase a VPN gateway and establish connections among up to 10 data centers or branch offices in different regions.
You can create multiple site-to-site IPsec connections among sites, or between sites and VPCs by using VPN-Hub. VPN-Hub allows large enterprises to establish private connections across branch offices that run business in different regions.
By default, the VPN-Hub feature is enabled. You only need to configure an IPsec-VPN connection between each branch office and Alibaba Cloud. No additional configurations or payments are required. Each VPN gateway supports up to 10 IPsec-VPN connections, which means that you can connect up to 10 branch offices in different regions by using one VPN gateway. The following figure shows how to establish connections among the branch offices in Shanghai, Hangzhou, and Ningbo by using a VPN gateway.
For more information, see Connect multiple offices to each other and to a VPC.
SAG
SAG is an all-in-one solution that can be used to connect your workloads to Alibaba Cloud. You can use SAG to connect private networks to Alibaba Cloud over the Internet. The connections established by SAG are secure and reliable.
You can purchase SAG instances for branch offices and attach the SAG instances to a CCN instance. Then, the branch offices can communicate with each other.
Build a high-speed global network
You can establish connections among applications and branch offices worldwide by using VPC peering connections and VPN gateways. This solution ensures secure communication and optimal network quality, and minimizes your costs.
The following figure shows how to establish connections among the branch offices that are connected to the VPC in the US (Virginia) region and the VPC in the China (Shanghai) region. You can deploy applications in both VPCs and connect the two VPCs by using a VPC peering connection. Then, you can connect the branch offices to each VPC by using the IPsec-VPN tunnel.
Remote access to a VPC
The SSL-VPN feature of VPN Gateway provides point-to-site VPN connections. You can use a client to access a VPC without the need to configure a gateway. You can deploy internal applications in a VPC and enable access to the applications by using SSL-VPN connections over internal networks. For example, on-site IT staff must connect to the VPC over an internal network to perform O&M operations. Remote access is allowed for the applications in the VPC.
VPN gateways and VPN software and images from Alibaba Cloud Marketplace can be used to achieve remote access to VPCs.
VPN Gateway (SSL-VPN)
You can use the SSL-VPN feature to connect a client to applications and services that are deployed in a VPC. After you deploy the applications and services, you can load the SSL client certificate to your client and initiate an SSL-VPN connection between the client and the VPC. By default, VPN gateways support the active-standby mode in which two VPN gateways are used. In this mode, the system automatically performs failovers when one VPN gateway becomes faulty.
For more information, see Connect a client to a VPC.
Installation and deployment of SSL-VPN software
For more information, see Connect a client to a VPC.