By Jonathan Peng, Staff Solutions Architect
"How can I design and build my network on Alibaba Cloud platform?" This is a common question that we have often been asked by many enterprises. It's also a very fundamental question that needs to be addressed before migrating to any cloud platform. But the answer may not be that straightforward, in many cases the right answer would be, "It depends". Today, I would like to offer a solution that incorporates best practices for traditional on-premises network practices and Alibaba Cloud VPC design, to fulfill the security and operation policies that most enterprises have.
The Transit VPC Solution is a combination of traditional networking concepts and Alibaba Cloud VPC networking features. By using this Transit VPC, you can connect multiple VPCs all together without the need of managing the complexity of a full mesh network. It simplifies network management and minimizes the connections that need to be managed, and provide the networking consistency of security and operation that as on-premises network.
Before we dive deep into the concept and design of Transit VPC, let's have a quick look at the typical networking design now. As shown in the following diagram, we often separate front tier, application tier, and data tier into different subnets and use security groups to create the security layer to control the access right for different subnets and ports. With products such as VPN and ExpressConnect, we can connect these groups to an internet data center (IDC) to create a hybrid network for an enterprise.
This is a very neat and simple design for many systems with the following pros and cons:
But in many cases, enterprise's IT wants the design to have the below capabilities:
So, how to design our VPC network on Alibaba Cloud if we need to deploy many VPCs with different Production/UAT/SIT, etc. environments in it, as the following diagram? Furthermore, how can we meet the requirements from many enterprises as above?
This is where we can apply Transit VPC in this complex situation. As the following diagram, by using VPC-to-VPC ExpressConnect and Transit VPC, we create a hub-and-spoke network on the Cloud platform. This can simplify the network topology and create a centralized point for access control between different VPCs and On-premises, etc.
We can also use Transit VPC with Alibaba Cloud CEN service to connect different regions altogether, without the need to connect all VPC in different regions at once, like the following one.
First of all, you need to create a Transit VPC and Transit vSwitch in different VPCs as a transit network. As the route table in green, we create VPC-to-VPC connection from Production/Dev VPC to Transit VPC and connect the Transit vSwitches by associating the route entry to the Transit vSwitches.
After that, we need to build VPN instances on Transit vSwitches and create tunnels between Production/Dev VPC to Transit VPC. So now, we have routing information from production vSwitch to development vSwitch.
Finally, we add one more route entry (in blue line) in the default route table (in gray) and point to the VPN instances. Now, we connect different VPCs by getting through the traffic to the tunnel and Transit VPC.
With this approach, we can add more VPCs into the network topology and each provide different purposes. Such as DMZ, Sharing services, etc. and can isolate or control the access to different environment or services in the Transit VPC firewall instance.
We will be creating a step-by-step guide for this solution soon, stay tuned!
Marketplace - September 17, 2021
Alibaba Clouder - July 28, 2020
Alibaba Cloud Community - September 1, 2022
JDP - April 22, 2022
Alibaba Cloud Community - September 27, 2021
Alibaba Clouder - March 3, 2021
A virtual private cloud service that provides an isolated cloud network to operate resources in a secure environment.Learn More
A global network for rapidly building a distributed business system and hybrid cloud to help users create a network with enterprise level-scalability and the communication capabilities of a cloud networkLearn More
A dedicated network connection between different cloud environmentsLearn More
More Posts by Alibaba Clouder