Virtual Private Cloud (VPC) is the foundational network abstraction across Alibaba Cloud. Compute, database, and managed services are attached to a VPC through VSwitches, and traffic between them, as well as to external destinations, is governed by route tables, security groups, and dedicated connectivity services. This article documents how these components interact and the configuration decisions that determine the behaviour of the resulting network.

Figure 1: Alibaba Cloud VPC Network Architecture
A VPC is defined by a single primary IPv4 CIDR block selected at creation, drawn from 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, with a prefix length between /8 and /24. The block is permanent for the lifetime of the VPC; neither the CIDR nor its prefix length can be modified after provisioning. Conservative sizing matters: a /16 accommodates virtually any single-region deployment, while a /20 exhausts quickly as availability zones and managed-service attachments accumulate. Overlapping CIDRs across VPCs cannot be peered or attached to the same Cloud Enterprise Network instance without address translation, so non-overlapping ranges should be reserved organisation-wide before the first VPC is created.
VSwitches subdivide the VPC CIDR into subnets, each bound to a single availability zone. The first and last addresses are reserved for network and broadcast use, and two further addresses are reserved for the gateway and system services. A /24 VSwitch therefore yields 252 usable addresses, not 256. A common production pattern places three VSwitches in three zones for application workloads, with separate VSwitches for database and managed-service tiers so that distinct security group and route table policies can be applied per tier without rule-set entanglement.
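The sizing rules above can be checked before anything is provisioned. The following is an added illustration, not Alibaba Cloud code and not calling any Alibaba API: it validates a VPC CIDR against the allowed ranges and prefix lengths, counts usable addresses with the four reserved per VSwitch, flags overlapping VPC blocks, and carves per-tier, per-zone VSwitches out of a block. The VPC names and CIDRs in the sample plan are constructed.

```python
"""Address-space planning for VPCs and VSwitches (added example).

The allowed private ranges, the /8..-/24 prefix window and the four reserved
addresses per VSwitch follow the article; nothing here talks to Alibaba Cloud.
"""
import ipaddress
from typing import Dict, List, Tuple

# Private ranges a VPC primary CIDR may be drawn from.
ALLOWED_SUPERNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
RESERVED_PER_VSWITCH = 4  # network, broadcast, gateway, system services

# Constructed sample: a dev VPC that was carved inside production's range.
SAMPLE_VPCS = {
    "prod-cn-hangzhou": "10.10.0.0/16",
    "prod-cn-shanghai": "10.20.0.0/16",
    "legacy-dev": "10.10.128.0/20",
}


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject blocks that cannot be a VPC primary CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 8 <= net.prefixlen <= 24:
        raise ValueError(f"{cidr}: prefix length must be between /8 and /24")
    if not any(net.subnet_of(s) for s in ALLOWED_SUPERNETS):
        raise ValueError(f"{cidr}: not inside an allowed private range")
    return net


def usable_addresses(vswitch_cidr: str) -> int:
    """Addresses an instance can actually take in a VSwitch of this size."""
    return ipaddress.ip_network(vswitch_cidr).num_addresses - RESERVED_PER_VSWITCH


def find_overlaps(vpcs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of VPCs whose blocks overlap and so cannot be joined without NAT."""
    nets = {name: validate_vpc_cidr(c) for name, c in vpcs.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def plan_vswitches(vpc_cidr: str, zones: List[str], tiers: List[str],
                   prefix: int = 24) -> Dict[str, str]:
    """Carve one /prefix VSwitch per (tier, zone) out of the VPC block, in order."""
    vpc = validate_vpc_cidr(vpc_cidr)
    subnets = vpc.subnets(new_prefix=prefix)
    plan = {}
    for tier in tiers:
        for zone in zones:
            plan[f"{tier}-{zone}"] = str(next(subnets))
    return plan


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SAMPLE_VPCS))
    print("/24 usable:", usable_addresses("10.10.0.0/24"))
    for name, cidr in plan_vswitches("10.10.0.0/16", ["a", "b", "c"], ["app", "db"]).items():
        print(f"{name:8s} {cidr}")
```

Running the overlap check against an organisation-wide inventory before the first VPC is created is the cheapest point at which to catch a clash; after provisioning, the only remedy is rebuilding the VPC.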
Every VPC is created with a default route table containing system routes that enable intra-VPC traffic between all VSwitches. The system route is non-modifiable. Custom routes direct specific destination prefixes to next hops such as a NAT Gateway, VPN Gateway, an ECS instance acting as a software appliance, or a Cloud Enterprise Network attachment. Route selection follows longest-prefix-match semantics; when two routes share the same prefix length, system routes take precedence over custom routes.
Multiple route tables enable per-VSwitch routing differentiation. A common architecture associates a public route table with VSwitches hosting load balancers and bastion hosts, including a 0.0.0.0/0 route to a NAT Gateway. In contrast, a private route table associated with database VSwitches omits any default route to the internet. This is a stronger control than security group rules because it is enforced before any instance-level policy is evaluated.
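To make the selection semantics concrete, here is an added example (not Alibaba Cloud code) that models a public and a private route table for a constructed 10.10.0.0/16 VPC and resolves destinations with longest-prefix match, giving system routes precedence over custom routes of equal length. The next-hop names and the reserved test addresses are constructed.

```python
"""Route-table lookup modelled on the semantics described above (added example).

Longest prefix wins; on equal prefix length a system route beats a custom one.
The tables below are constructed, not read from any Alibaba Cloud account.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR prefix
    next_hop: str     # "local" for the VPC system route, otherwise a gateway name
    kind: str         # "system" or "custom"


# Public table: VSwitches with load balancers and bastion hosts get a default
# route to the NAT Gateway plus a route to an on-premises range over VPN.
PUBLIC_TABLE = [
    Route("10.10.0.0/16", "local", "system"),
    Route("0.0.0.0/0", "nat-gw", "custom"),
    Route("192.168.0.0/16", "vpn-gw", "custom"),
]

# Private table: same system and VPN routes, but no default route at all.
PRIVATE_TABLE = [
    Route("10.10.0.0/16", "local", "system"),
    Route("192.168.0.0/16", "vpn-gw", "custom"),
]


def lookup(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the route that would carry a packet to dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    for route in table:
        net = ipaddress.ip_network(route.destination)
        if ip not in net:
            continue
        if best is None:
            best = route
            continue
        best_len = ipaddress.ip_network(best.destination).prefixlen
        if net.prefixlen > best_len:
            best = route
        elif net.prefixlen == best_len and route.kind == "system" and best.kind != "system":
            best = route
    return best


def next_hop(table: List[Route], dst_ip: str) -> str:
    """Next hop name, or "unreachable" when no route matches."""
    route = lookup(table, dst_ip)
    return route.next_hop if route else "unreachable"


if __name__ == "__main__":
    for dst in ("10.10.3.7", "192.168.5.5", "203.0.113.9"):
        print(f"{dst:14s} public={next_hop(PUBLIC_TABLE, dst):12s} private={next_hop(PRIVATE_TABLE, dst)}")
```

The "unreachable" result for an internet address in the private table is the control the text refers to: an instance in a database VSwitch has no path out regardless of what its security group permits, and a custom route that duplicates the system route's prefix cannot hijack intra-VPC traffic because the tie resolves to the system route.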
Network security operates at two enforcement points. Security groups apply at the Elastic Network Interface level, and stateful return traffic for established connections is permitted automatically. Network ACLs apply at the VSwitch level and are stateless; both directions must be explicitly allowed. A packet must be permitted by both layers for a connection to be established.
Security group rules are evaluated in priority order; the first matching rule determines the outcome. Source-by-security-group, rather than a CIDR block, is the preferred pattern for intra-VPC service-to-service rules. A database security group permitting inbound TCP/3306 from an application-tier security group adjusts automatically as instances scale. A common mistake is layering broad allow rules with narrow deny rules at lower priority; because evaluation stops at the first match, the deny rules never execute. Specific deny rules must be placed at a higher priority than the broader allow rules they are intended to constrain.
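The ordering mistake described above is easy to reproduce and easy to detect. The following added example (not Alibaba Cloud code) evaluates a constructed database security group in priority order with first-match semantics, shows a narrow deny that never fires because a broad allow outranks it, shows the corrected ordering with the application tier's security group as the source, and includes a simple shadowing check. Priority is modelled with 1 as highest and 100 as lowest, and unmatched inbound traffic is dropped; both are assumptions of this example, as are the rule sets and addresses.

```python
"""First-match security-group evaluation (added example, not Alibaba Cloud code).

Assumptions: priority 1 is evaluated first and 100 last; a packet matching no
rule is dropped. Rule sets, security group IDs and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    priority: int               # 1 (evaluated first) .. 100 (evaluated last)
    action: str                 # "accept" or "drop"
    protocol: str               # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    source_cidr: Optional[str] = None  # CIDR source, or ...
    source_sg: Optional[str] = None    # ... another security group as source


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_sgs: FrozenSet[str]     # groups attached to the sending ENI (empty if external)
    protocol: str
    dst_port: int


APP_SG = "sg-app-tier"  # constructed ID of the application tier's group

# Broad allow at priority 1 with the intended deny below it: the deny is dead.
MISORDERED = [
    Rule(1, "accept", "tcp", 3306, 3306, source_cidr="10.10.0.0/16"),
    Rule(10, "drop", "tcp", 3306, 3306, source_cidr="10.10.9.0/24"),
]

# Deny first, then allow only from the application tier's security group.
CORRECTED = [
    Rule(1, "drop", "tcp", 3306, 3306, source_cidr="10.10.9.0/24"),
    Rule(10, "accept", "tcp", 3306, 3306, source_sg=APP_SG),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if not rule.port_from <= pkt.dst_port <= rule.port_to:
        return False
    if rule.source_sg is not None:
        return rule.source_sg in pkt.src_sgs
    if rule.source_cidr is not None:
        return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source_cidr)
    return False


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """Walk rules by priority; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action
    return default


def _covers(high: Rule, low: Rule) -> bool:
    """True if every packet matching `low` would already have matched `high`."""
    if high.protocol not in ("all", low.protocol):
        return False
    if not (high.port_from <= low.port_from and low.port_to <= high.port_to):
        return False
    if high.source_sg is not None or low.source_sg is not None:
        return high.source_sg == low.source_sg  # CIDR vs group sources are not comparable
    return ipaddress.ip_network(low.source_cidr).subnet_of(ipaddress.ip_network(high.source_cidr))


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never be reached because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [low for i, low in enumerate(ordered) if any(_covers(h, low) for h in ordered[:i])]


if __name__ == "__main__":
    ops_host = Packet("10.10.9.5", frozenset(), "tcp", 3306)
    print("misordered:", evaluate(MISORDERED, ops_host), "shadowed:", shadowed_rules(MISORDERED))
    print("corrected: ", evaluate(CORRECTED, ops_host), "shadowed:", shadowed_rules(CORRECTED))
```

A shadowing check of this kind is worth running whenever a rule set is changed: a rule that never executes is harmless only until someone relies on it, and the audit trail will show a deny rule that looks correct on its own.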
VPC resources have no inherent internet reachability. An Elastic IP (EIP) is a public IPv4 address that attaches to an individual ECS instance, NAT Gateway, or load balancer, appropriate when a small number of resources require direct bidirectional internet connectivity. For private-VSwitch workloads requiring outbound access without inbound reachability, a NAT Gateway provides source NAT for a defined CIDR range. SNAT entries can be scoped per VSwitch or per ECS instance, enabling differentiated egress IP assignment across workload tiers when downstream services apply IP-based access controls. DNAT entries on the same gateway forward specific inbound ports to private instances without assigning each one an EIP.
Hybrid connectivity uses two mechanisms with different characteristics. VPN Gateway establishes IPsec or SSL VPN tunnels over the public internet, suitable for control-plane traffic and low-volume transfer. Express Connect provides a dedicated physical circuit between an on-premises facility and an Alibaba Cloud region access point, offering deterministic latency and bandwidth at a fixed monthly charge. Production architectures frequently combine the two: Express Connect for primary traffic, with VPN Gateway as a failover path activated through BGP route preference.
Multi-VPC connectivity is established through Cloud Enterprise Network (CEN), with Transit Router as its management plane. A Transit Router instance aggregates VPC attachments, Express Connect attachments, and inter-region attachments into a single routing domain, replacing one-to-one peering with a hub-and-spoke topology that scales without combinatorial growth. When VPCs have overlapping CIDR blocks but still require interconnection, PrivateLink provides endpoint-based access without exposing the underlying address space. A service VPC publishes an endpoint service, and consumer VPCs attach endpoints presented through addresses within their own CIDRs.
The VPC architecture comprises a small set of primitives: address space, routes, filtering rules, and connectivity attachments that interact in well-defined ways. Provisioning-time decisions, particularly CIDR selection and VSwitch segmentation, are difficult to revisit once production workloads are running, making upfront design more consequential than ongoing tuning. VPC flow logs, combined with Log Service, provide the observability foundation for traffic accounting and security forensics, and should be enabled from the outset rather than retrofitted after an incident.
Disclaimer: The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.