Community Blog

Express Connect and CEN: A Practical Guide to Alibaba Cloud Private Networking

This article examines the architectural roles of Alibaba Cloud Express Connect and Cloud Enterprise Network (CEN), and the engineering decisions that ...

Cloud network design becomes uninteresting at the boundary of a single VPC. The harder problem begins once a deployment spans multiple VPCs, multiple regions, an on-premises data centre, and a set of branch offices. The default answer routes everything through the public internet behind VPN tunnels, which fails on latency variability, throughput that is uncapped only in theory, and exposure to networks the organisation neither operates nor audits.

Alibaba Cloud divides the response across two services. Express Connect provides the private circuits and logical attachments that bring non-cloud networks onto the Alibaba Cloud backbone. CEN distributes routes and allocates bandwidth across those attachments and across VPCs, composing them into a single reachable topology. The boundary between the two is the starting point for any private connectivity design on the platform.

Figure 1: Express Connect and CEN architecture across two regions.

What Express Connect Provides

The anchoring construct is the Physical Connection, a dedicated leased circuit terminated at an Alibaba Cloud access point, provisioned at speeds from 1 Gbps to 100 Gbps. A Physical Connection on its own carries no tenant traffic. It is subdivided through Virtual Border Routers (VBRs), each a logical attachment with its own VLAN tag, BGP session, and allocated bandwidth. A single circuit can serve multiple VBRs simultaneously, which lets one expensive piece of physical infrastructure isolate different business units or environments at the access layer without further provisioning.

Where leased-line provisioning is not feasible, Express Connect supports VPN Gateway attachments running IPsec over the public internet. These present downstream as attachments indistinguishable in routing terms from a VBR, though their throughput and jitter characteristics depend on the underlying public path. The choice between leased and tunnelled connectivity should follow workload sensitivity rather than convenience.

All Express Connect attachments use BGP. Each VBR runs a BGP session with the customer-edge router, exchanging prefixes dynamically and signalling failure through session withdrawal. Static routing is supported but operationally hazardous: a failed circuit with static routes continues to attract traffic until the entry is manually removed.

What CEN Adds

Express Connect attaches a non-cloud network to a cloud access point. It does not, by itself, distribute that network’s routes to the VPCs that need to reach it. The earlier mechanism, pairwise VPC peering with manual route table maintenance, scales quadratically: ten VPCs requiring full-mesh connectivity demand forty-five peering relationships, with route tables that must be synchronised as the network changes. CEN replaces this with a hub model. VPCs, VBRs, and Cloud Connect Network (CCN) attachments are joined to a CEN instance, after which route information propagates automatically across all attachments subject to policy. Adding the eleventh VPC requires one new attachment rather than ten new peerings.

Cross-region traffic between attachments traverses the Alibaba Cloud backbone rather than the public internet. Two billing models govern this transit. Bandwidth Packages reserve guaranteed capacity between specified region pairs and suit predictable, sustained workloads. Pay-by-data-transfer bills on actual usage and suits bursty or exploratory workloads. Both models can coexist within a single CEN instance.

Route control inside CEN is exercised through route maps and ordered policy lists that match on prefix, source attachment, AS path, or community attribute, and take permit, deny, or modify actions. A common application is to deny advertisement of on-premises prefixes between business-unit VPCs that should remain isolated, while permitting both to reach a shared-services VPC.
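As an added illustration (not CEN's API or code from this article), the following Python models the policy semantics just described: an ordered rule list matched on prefix, source attachment, destination attachment or community, with permit, deny and modify actions, first match wins, and routes that match nothing permitted. The attachment names, prefixes and community value are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed model of CEN-style route policy semantics (not the CEN API):
# rules are evaluated in priority order, first match wins, no match = permit.
@dataclass
class Route:
    prefix: str
    source: str                        # attachment the route was learned from
    communities: frozenset = frozenset()

@dataclass
class Rule:
    priority: int                      # lower value is evaluated first
    action: str                        # "permit", "deny" or "modify"
    sources: Optional[set] = None      # match on source attachment
    destinations: Optional[set] = None # match on destination attachment
    prefixes: Optional[list] = None    # match if route lies inside a listed prefix
    communities: Optional[set] = None  # match if route carries a listed community
    add_communities: frozenset = frozenset()  # applied by "modify"

    def matches(self, route: Route, destination: str) -> bool:
        if self.sources and route.source not in self.sources:
            return False
        if self.destinations and destination not in self.destinations:
            return False
        if self.prefixes and not any(
                ip_network(route.prefix).subnet_of(ip_network(p)) for p in self.prefixes):
            return False
        return not self.communities or bool(route.communities & self.communities)

def evaluate(rules: list, route: Route, destination: str) -> Optional[Route]:
    """Route as it would be advertised to `destination`, or None if denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(route, destination):
            continue
        if rule.action == "deny":
            return None
        if rule.action == "modify":
            return Route(route.prefix, route.source, route.communities | rule.add_communities)
        return route                   # permit
    return route                       # no rule matched: default permit

# Constructed topology: business-unit VPCs A and B must not learn each other's
# routes; both reach the shared-services VPC, where a modify rule tags them.
RULES = [
    Rule(10, "deny", sources={"vpc-bu-a"}, destinations={"vpc-bu-b"}),
    Rule(20, "deny", sources={"vpc-bu-b"}, destinations={"vpc-bu-a"}),
    Rule(30, "modify", destinations={"vpc-shared"}, add_communities=frozenset({"65000:100"})),
]
```

Routes from an on-premises VBR fall through all three rules and are permitted to every VPC, which is exactly the case a deny rule on the on-premises prefix range would need to cover if those sites must stay isolated from a business unit.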

How the Two Services Compose

A single-region hybrid deployment attaches one on-premises data centre to one or more VPCs in a single region via a VBR, with both the VBR and the target VPCs joined to a CEN instance. This is the foundational pattern for lift-and-shift migrations. A multi-region deployment extends the same shape across regions, with on-premises traffic entering through the nearest VBR and reaching distant resources through CEN backbone transit; Bandwidth Packages between region pairs provide deterministic capacity. Branch offices that cannot justify dedicated circuits attach through Smart Access Gateway devices over encrypted overlay tunnels, and present as CCN attachments indistinguishable in routing terms from VBR-attached sites. The uniformity matters because route policy and operational tooling apply equally regardless of how individual sites are physically connected.

Trade-offs That Shape the Design

Bandwidth sizing is the most common source of avoidable production incidents. Cross-region Bandwidth Packages should be sized against measured P95 traffic with growth headroom, not against pre-production peaks. CEN throttles to the committed value rather than silently degrading; the application-visible symptom is latency, which is easily misattributed to the workload before the network is examined.
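To make the sizing rule concrete, here is an added Python example (not from the article) that derives a commitment from the P95 of measured samples plus growth headroom, and reports which intervals a given commitment would throttle. The sample series, the 30% headroom and the 100 Mbps purchasing step are constructed assumptions, not CEN figures.

```python
import math

def percentile(samples, pct):
    """Nearest-rank percentile of throughput samples in Mbps."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def size_bandwidth_package(samples_mbps, headroom=0.30, step_mbps=100):
    """Commit to P95 plus growth headroom, rounded up to a purchasing step.

    headroom and step_mbps are assumed planning inputs, not CEN constants."""
    needed = percentile(samples_mbps, 95) * (1 + headroom)
    return int(math.ceil(needed / step_mbps) * step_mbps)

def throttled_intervals(samples_mbps, committed_mbps):
    """Indices of intervals whose demand exceeds the commitment: the windows
    in which CEN would cap throughput and applications would see latency."""
    return [i for i, s in enumerate(samples_mbps) if s > committed_mbps]

# Constructed day of 5-minute samples: ~400 Mbps daytime baseline, a nightly
# batch window near 900 Mbps, and a three-interval pre-production load test
# at 2.5 Gbps that would dominate a peak-based sizing.
SAMPLES = [400] * 240 + [900] * 36 + [2500] * 3 + [450] * 9

if __name__ == "__main__":
    commit = size_bandwidth_package(SAMPLES)
    print("P95:", percentile(SAMPLES, 95), "Mbps; peak:", max(SAMPLES), "Mbps")
    print("commit:", commit, "Mbps; throttled:", throttled_intervals(SAMPLES, commit))
```

With the constructed series the commitment comes out at 1200 Mbps against a 2500 Mbps peak; the three load-test intervals are the ones a 1200 Mbps package would throttle, which is the intended trade rather than an incident.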

Redundancy choices have lasting operational consequences. Equal-cost multipath across dual Physical Connections uses both circuits in normal operation and absorbs the loss of either onto the survivor, maximising bandwidth utilisation at the cost of sizing each circuit for full load. Active-standby keeps the secondary circuit idle until BGP withdrawal triggers failover, simplifying capacity planning at the cost of paid-but-unused bandwidth. Neither is universally correct.

Route policy is not a security boundary. Route maps determine which prefixes are advertised and accepted; they do not perform stateful inspection. Where east-west traffic between VPCs requires inspection, a Cloud Firewall instance or a self-managed virtual appliance should be inserted into the forwarding path, typically via a transit VPC.

Not every multi-VPC deployment justifies a CEN instance. For two or three VPCs in a single region with simple connectivity needs, VPC peering remains a valid and lower-cost choice. Express Connect and CEN solve the private connectivity problem; treating them as the answer to every networking question tends to produce designs heavier than the workload requires.

Conclusion

The clearest way to think about Express Connect and CEN is as a separation of concerns. Express Connect answers how non-cloud networks join the Alibaba Cloud backbone and how a single physical circuit is subdivided into independent attachments. CEN answers how those attachments and VPCs exchange routes, how bandwidth is allocated across regions, and how policy is expressed across the resulting topology. Treating the two as independent design problems rather than collapsing them into a single network setup step produces designs that age better, because each layer can be modified without disturbing the other.


Disclaimer: The views expressed herein are for reference only and don’t necessarily represent the official views of Alibaba Cloud.


PM - C2C_Yuan
