If you want to enable private and secure communication among virtual private clouds (VPCs), you can use Cloud Enterprise Network (Cloud Enterprise Network), VPN Gateway, VPC peering connections, or PrivateLink.
Solutions for enabling communication among VPCs
CEN
Before you use CEN to connect different VPCs, you must make sure that the CIDR blocks to be connected do not overlap.
CEN uses transit routers to build private network channels between VPCs. The VPCs can reside in the same region or in different regions. The hub-spoke connection mode of transit routers allows you to connect VPCs to transit routers over VPC connections. Then, the transit routers automatically synchronize the routes of the VPCs.
Transit routers require simple configuration and support various routing policies and quality of service (QoS) mechanisms. This helps you plan complex networks and implement access control. However, transit routers have limits on the bandwidth. You are also charged for traffic processing if you use transit routers. Therefore, the CEN solution costs more than the VPC peering connection solution.
VPC peering connection
When you connect VPCs by using VPC peering connections, make sure that the CIDR blocks to be connected do not overlap with each other.
If you want to create VPC peering connections for a large number of VPCs, the configuration becomes more complex because of the connection mode of VPC peering connections and the requirements for point-to-point route configuration. VPC peering connections are not suitable for scenarios in which a large number of VPCs must be fully connected. However, VPC peering connections provide benefits such as unlimited bandwidth, low latency, and no fees for the VPC peering connections created for VPCs in the same region.
PrivateLink
PrivateLink allows you to establish stable and secure private connections between VPCs in which endpoint services are deployed and VPCs in which endpoints are deployed. PrivateLink requires easy network configuration and meets the requirements of various scenarios. PrivateLink supports only intra-region connections and does not support inter-region connections.
When you use PrivateLink to connect different VPCs, the CIDR blocks of the VPCs in which endpoint services are deployed and VPCs in which endpoints are deployed can overlap.
This solution can tolerate overlapping CIDR blocks and does not require route configurations. It also provides strong network isolation and access control capabilities, enabling highly secure network connections. However, PrivateLink supports only one-way access.
VPN gateway
Before you use VPN gateways to connect different VPCs, you must make sure that the CIDR blocks to be connected do not overlap.
This solution requires complex configuration. You must create VPN gateways, customer gateways, and IPsec-VPN connections, and configure routes for the VPN gateways. Therefore, we recommend that you do not use this method when you want to connect a large number of VPCs.
The following table lists the differences of the following items between different VPC connection methods: connection mode, bandwidth limit, network latency, and billing. The VPC connection methods include VPC peering, PrivateLink, transit routers, and VPN gateways.
Item | VPC peering connection | Transit router | PrivateLink | VPN gateway |
Connection methods | Full mesh, which allows VPCs to communicate with each other over VPC peering connections. | Hub-spoke, which allows VPCs to connect to transit routers over VPC connections. | Connection of business network elements. This resembles connections of devices in physical networks, such as load balancers and firewalls. | Connection between VPCs through VPN. |
Route advertisement | Unsupported | Supported | Unsupported | Supported |
Configuration complexity | The configuration is complex. You must create VPC peering connections and configure the routes that point to each VPC peering connection for peer VPCs. | The configuration is simple. You need to only connect VPCs to a transit router and configure settings to route the network traffic of VPCs to the transit router. | The configuration is simple. You do not need to consider address conflicts or route configurations. | The configuration is complex. You must create VPN gateways, customer gateways, and IPsec-VPN connections, and configure routes for the VPN gateways. |
Maximum number of connected VPCs | 10 | 1,000 | Unlimited. You can request a quota increase. | 10 |
Latency | Alibaba Cloud internal networks are used and the latency is low. | Alibaba Cloud internal networks are used and the latency is low. | Alibaba Cloud internal networks are used and the latency is low. PrivateLink supports only communication within the same region. | The Internet is used and the latency is high. |
Billing | You are not charged for VPC peering connections that are created for VPCs in the same region. If you create a VPC peering connection between VPCs that reside in different regions, you are charged for outbound traffic of the VPCs. The billing is managed by Cloud Data Transfer (CDT). For more information, see What is CDT? | For connections among VPCs in the same region, you are charged connection fees and traffic processing fees. For connections among VPCs in different regions, you are charged fees for bandwidth plans and data transfer fees.
| You are not charged when you activate PrivateLink. After you activate PrivateLink, you are charged on a pay-as-you-go basis. Bills are generated on an hourly basis. You are charged an instance fee and data transfer fee. For more information, see Billing. | You are charged IPsec-VPN instance fees and data transfer fees. For more information, see Billing overview. |
Supported regions |
Solution examples
You can connect multiple VPCs by using CEN, VPN gateways, VPC peering connections, and PrivateLink, so that the VPCs can access resources in the other VPCs. You can use PrivateLink to share the service resources in a VPC with other VPCs without establishing private network connections.
CEN
CEN allows you to connect VPCs in the same region or in different regions. The following example describes how to connect three VPCs in the same region by using CEN.
To allow VPCs in different regions to communicate with each other, you must purchase a bandwidth plan and set up cross-region connections. VPCs within the same region can communicate with each other through transit routers. You do not need to purchase a bandwidth plan or create cross-region connections. For more information about how to purchase a bandwidth plan and create a cross-region connection, see Work with a bandwidth plan and Cross-region connections.
VPC peering connection
A VPC peering connection is a private network connection between two VPCs. You can enable multiple VPCs to communicate with each other by establishing VPC peering connections. If you want to connect more than two VPCs by using VPC peering connections, you must establish a peering connection for every pair of the VPCs. The following example describes how to connect three VPCs by using VPC peering connections.
When you create a VPC peering connection, one VPC serves as the requester and the other VPC serves as the accepter. The requester and the accepter can reside in the same region or in different regions.
PrivateLink
In PrivateLink, endpoint services can use Classic Load Balancer (CLB) instances as service resources. You can use PrivateLink to enable a VPC to access a CLB instance that serves as the service resource in another VPC. The following figure shows how two VPCs are connected by using PrivateLink so that one of the VPCs can access the CLB instance in the other VPC.
VPN gateway
You can connect two VPCs by connecting two VPN gateways through an encrypted IPsec-VPN tunnel. The following example describes how to connect two VPCs by using a VPN gateway.
We recommend that you do not use this solution if you want to connect a VPC in a Chinese mainland region and one in a region outside the Chinese mainland. This is because cross-border connections are unstable. If you need to establish cross-border connections, we recommend that you use the CEN solution. For more information, see What is CEN?
Solution configurations
Solution | References |
CEN |
|
VPC peering connection | |
PrivateLink |
|
VPN gateway |