How to Create and Configure a VPC (Virtual Private Cloud)?

A virtual private cloud (VPC) is a logically isolated private network that runs inside a shared or public cloud; it is sometimes also called an Internet cloud.

Building a Global Enterprise VPC in 3 Minutes

In this article, the Alibaba Cloud Network Team talked about the key features and use cases of the newly launched Smart Access Gateway (SmartAG).

At the main forum of the Computing Conference 2018 in Hangzhou, Jiang Jiangwei, General Manager of Alibaba Technology R&D, demonstrated how to build an enterprise Virtual Private Cloud (VPC) in just minutes.

The procedure involved only three steps: powering on a PC, connecting its WAN port to the Internet, and connecting its LAN port to another PC. The on-site PC successfully connected to the enterprise SAP system deployed on Alibaba Cloud through the VPC without any other operations on this PC.

In addition, the network quality test results showed that the enterprise VPC built with SmartAG had lower latency and less packet loss.

The centralized configuration and automatic route learning capabilities of SmartAG are mainly implemented by one system and two components.

One System: Alibaba Cloud Apsara Virtual Network System

Apsara Virtual Network System is responsible for cloud networks in the Alibaba Cloud Apsara system. It provides various network products for Alibaba Cloud, such as Virtual Private Cloud (VPC), Server Load Balancer (SLB), Cloud Enterprise Network (CEN), and Smart Access Gateway (SmartAG). It is also the network infrastructure of more than 100 cloud products such as Elastic Compute Service (ECS), Relational Database Service (RDS), Object Storage Service (OSS), and Network Attached Storage (NAS). In addition, Apsara Virtual Network System supports many types of business for Alibaba Group and Ant Financial Services Group, such as e-commerce, payment, and logistics. It is now a world-leading cloud network system.

Two Components: Cloud Connect Network (CCN) and CEN

CCN can be understood as an access matrix that consists of Alibaba Cloud's distributed access points. Multiple SmartAGs can access one another after connecting to CCN. CCN can also connect to CEN, so that CCN and cloud resources, such as VPC and Virtual Border Router (VBR), can access each other.

CEN provides communication channels between cloud resources, and between cloud resources and Internet data centers (IDCs). Through automatic route distribution and learning, CEN also supports fast network convergence and high-quality cross-city communication. CEN is intended to help users build a globally interconnected, enterprise-scale network.

What Are the Main Functions of SmartAG?

SmartAG is a one-stop cloud access solution provided by Alibaba Cloud. It lets an enterprise reach the nearest cloud access point over encrypted Internet connections and build an enterprise VPC in minutes. SmartAG gives enterprises a more intelligent, reliable, and secure cloud access experience.

Related Blogs

How to Build a Transit VPC on Alibaba Cloud

This article shows you how to connect multiple VPCs together by using a transit VPC, without managing the complexity of a full mesh network.

"How can I design and build my network on Alibaba Cloud platform?" This is a common question that we have often been asked by many enterprises. It's also a very fundamental question that needs to be addressed before migrating to any cloud platform. But the answer may not be that straightforward, in many cases the right answer would be, "It depends". Today, I would like to offer a solution that incorporates best practices for traditional on-premises network practices and Alibaba Cloud VPC design, to fulfill the security and operation policies that most enterprises have.

The Transit VPC Solution is a combination of traditional networking concepts and Alibaba Cloud VPC networking features. With a Transit VPC, you can connect multiple VPCs together without managing the complexity of a full mesh network. It simplifies network management, minimizes the number of connections that need to be managed, and provides the same consistency of security and operations as an on-premises network.

Before we dive deep into the concept and design of Transit VPC, let's have a quick look at a typical network design today. As shown in the following diagram, we often separate the front tier, application tier, and data tier into different subnets and use security groups as the security layer that controls access rights for the different subnets and ports. With products such as VPN and Express Connect, we can connect these groups to an Internet data center (IDC) to create a hybrid network for an enterprise.

This is a very neat and simple design for many systems, with the following pros and cons:

Pros:

  1. Easy to create all resources at once without tons of communication.
  2. The whole design is very flat and clean without any single point of failure.
  3. Expandable and suited to microservices systems, which put their routing and security policies at the application level.

Cons:

  1. Only suited to system environments with few applications in the VPC.
  2. Hard to separate resource roles for system, network and security team members.
  3. Enterprise networking and security teams are often quite against this distributed approach.

But in many cases, enterprise IT wants the design to have the capabilities below:

  1. Security Policy Requirements: Meet the same network and security design standard as on-premises, which needs to be centralized with approval management.
  2. Multilayer Approach: Use the same approach as on-premises, dividing the network and security into segments such as DMZ, Application tier and Database tier.
  3. Consistent Operation: Separate operation roles for different resources, such as Application, Compute, Networking, Database & Security.
  4. Resilient & Flexible: The network design needs to be resilient, with HA and DR capabilities, and able to scale to meet the complexity of enterprise network design.

4 Easy Steps to Creating a VPC Without Using the Three Major Private CIDR Blocks

In this article, we'll show you how to implement public IP addresses for VPC creation through the use of APIs.

As a private network carrier, a virtual private cloud (VPC) only supports the three major private (RFC 1918) CIDR blocks by default:

  1. 10.0.0.0/8
  2. 172.16.0.0/12
  3. 192.168.0.0/16

However, to give users more flexibility in network planning, a CIDR block outside these ranges (including public IP address space) can be used when the VPC is created. The VPC console does not support this; it can only be done through the API. Keep in mind that addresses inside the VPC CIDR block are routed within the VPC, so instances in such a VPC cannot reach the real Internet hosts that use the borrowed public range.

Step 1: Log on to the web-based API platform at https://api.aliyun.com/

web-based API platform

As shown in the preceding UI image, click Virtual Private Cloud (VPC). Enter CreateVpc, as shown in the following UI image.

Enter CreateVpc

Step 2: Set the parameters accordingly.

Set the mandatory parameters, marked with asterisks (*).

In CidrBlock, enter the custom CIDR block that is required. This parameter defines the address range available for the creation of the VPC.

In UserCidr, enter the same custom CIDR block. This enables route forwarding for the custom CIDR block in the VPC that is being created.

Create a VPN-secured VPC with Packer and Terraform

In this tutorial, we will deploy a Debian 9 machine running OpenVPN, using Packer to build the image and Terraform to deploy the infrastructure.

Securing a web application in terms of access management can be tricky, as there are multiple ways to do it in an acceptable way.

We can use Security Groups to limit the ports reachable on a given instance and allow a specific company IP unrestricted access, but in this way we are giving reachability to anyone connected to that network, which in most cases is not ideal. Another problem with limiting access to a given IP is that it blocks out an engineer trying to fix a problem from outside the office after hours. Another way to approach access management would be to set up a key server with a very limited set of authorized users registered. With a key server we have the problem of needing to set it up on every instance we want secured, which in some situations is not feasible because of network size or other factors.

Today we are going to approach this using a VPN, giving an authorized user a tunnel into the VPC and making it feel as if the user's devices were directly connected to the network.

What Is a VPN?

VPN stands for Virtual Private Network. Usually VPNs are used in corporate environments to protect the data transmission between branches located remotely in different cities or even countries. A VPN makes every computer connected to it operate like they were all in the same local network, making routing and maintenance very easy for the IT teams, as they can build an entire Intranet with many critical machines completely isolated from the Internet.

Do I Need a VPN?

The short answer is yes. Focusing on the use case of this tutorial, we benefit from a VPN connection because, as IT engineers, our computers will have access to resources on machines that don't even have public IPs. What's more, a VPN provides more security, as the data that travels through it is encrypted and private.

Preparing the Deployment

Now that we have a clear idea what a VPN is and why we need one, let's plan the deployment. The system will be a Debian 9 machine running OpenVPN. To build the image we will use Packer and to finally deploy the infrastructure, Terraform. You'll need to have an Alibaba Cloud Elastic Compute Service (ECS) server ready, so check out this tutorial if you are not sure how to set up one. Now just create a folder for the config files... and go!

Related Courses

Internetworking with VPC

The Alibaba Cloud Interconnecting VPC with Express Connect and VPN Gateway course is designed to provide you with the fundamental knowledge to plan, configure and administer VPC connections. In this course we will discuss deployment best practices and use cases of interconnecting VPC using Express Connect and VPN Gateway.

Interconnecting VPC Using Cloud Enterprise Network

The Interconnecting VPC using Cloud Enterprise Network (CEN) course is designed to provide you with the fundamental knowledge to plan, configure and administer VPC connections in an enterprise environment. In this course we will discuss deployment best practices and use cases of Cloud Enterprise Network (CEN).

Establish virtual private connection with VPN Gateway

What is VPN? It’s an extension of private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. In this clouder course, you’ll learn how to conveniently establish virtual private connection on Alibaba Cloud with VPN Gateway.

Related Documentation

Create an IPv4 VPC network

This topic describes how to create a Virtual Private Cloud (VPC) network with an IPv4 CIDR block. After you create a VPC network, you can create an Elastic Compute Service (ECS) instance in the VPC network, and associate an Elastic IP address (EIP) with the ECS instance to allow the instance to access the Internet.


Before you deploy cloud resources in a VPC network, you must plan the network first. For more information, see Plan a VPC network.

Step 1: Create a VPC network and a VSwitch

To create a VPC network and a VSwitch, follow these steps:

  1. Log on to the VPC console.
  2. On the top of the page, select a region for the VPC network.
    The VPC network and the cloud resources that you want to deploy must be in the same region. China (Qingdao) is used in this example.
  3. On the VPCs page, click Create VPC.
  4. In the Create VPC dialog box that appears, set the following parameters of the VPC network and VSwitches, and click OK.

Plan Kubernetes CIDR blocks under a VPC

Generally, you can choose to have a Virtual Private Cloud (VPC) created automatically with the default network address when creating a Kubernetes cluster in Alibaba Cloud. In more complicated scenarios, you plan the Elastic Compute Service (ECS) addresses, Kubernetes pod addresses, and Kubernetes service addresses yourself. This document introduces what the addresses in Kubernetes are used for in an Alibaba Cloud VPC environment and how to plan the CIDR blocks.

Basic concepts of Kubernetes CIDR block

The concepts related to IP address are as follows:

VPC CIDR block

The CIDR block selected when you create a VPC. Select the VPC CIDR block from 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

VSwitch CIDR Block

The CIDR block specified when you create a VSwitch in VPC. The VSwitch CIDR block must be the subset of the current VPC CIDR block, which can be the same as the VPC CIDR block but cannot go beyond that range. The address assigned to the ECS instance under the VSwitch is obtained from the VSwitch CIDR block. Multiple VSwitches can be created under one VPC, but the VSwitch CIDR blocks cannot overlap.

The VPC CIDR block structure is as follows.

Pod CIDR block

Pod is a concept in Kubernetes. Each pod has one IP address. You can specify the pod CIDR block when creating a Kubernetes cluster in Alibaba Cloud Container Service, and the pod CIDR block cannot overlap with the VPC CIDR block. In other words, no address that is included in the VPC CIDR block, nor any subnet of it, can be used as the Kubernetes pod CIDR block.

Service CIDR block

Service is a concept in Kubernetes. Each service has its own address. The service CIDR block cannot overlap with the VPC CIDR block or pod CIDR block. The service address is only used in a Kubernetes cluster and cannot be used outside a Kubernetes cluster.
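The rules in this section, together with the console-versus-API distinction from the "4 Easy Steps" section above, are the kind of thing that is cheap to check before any resource is created and expensive to fix afterwards. The following is an added example written for this page, not Alibaba Cloud's own code or tooling: it validates a VPC / VSwitch / pod / service CIDR plan with the Python standard library and builds the CreateVpc parameter set. The address values in demo_plan() are constructed sample input; the parameter names Action, RegionId, CidrBlock and UserCidr are the ones shown on this page, and putting the same custom block into both CidrBlock and UserCidr is an assumption based on the page's description of those two fields.

```python
"""Check a VPC / VSwitch / Kubernetes CIDR plan before creating anything.

Added example for this page, not Alibaba Cloud's own code or tooling. It uses
only the Python standard library, so it runs offline. The rules it enforces are
the ones the page states; the address values in demo_plan() are constructed
sample input, and the parameter names in create_vpc_params() are the ones the
page shows for the CreateVpc API (Action, RegionId, CidrBlock, UserCidr).
"""
import ipaddress
from typing import Dict, List, Sequence

# The three private ranges the VPC console accepts by default.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects a block whose host bits are set (e.g. 10.0.0.1/8),
    # which the console would also refuse.
    return ipaddress.ip_network(cidr, strict=True)


def console_supported(vpc_cidr: str) -> bool:
    """True if the block lies inside one of the RFC 1918 ranges."""
    net = _net(vpc_cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def validate_plan(vpc_cidr: str, vswitch_cidrs: Sequence[str],
                  pod_cidr: str, service_cidr: str) -> List[str]:
    """Return a list of planning errors; an empty list means the plan is consistent."""
    errors: List[str] = []
    vpc = _net(vpc_cidr)
    vswitches = [_net(c) for c in vswitch_cidrs]

    # VSwitch blocks must sit inside the VPC block and must not overlap each other.
    for sw in vswitches:
        if not sw.subnet_of(vpc):
            errors.append(f"VSwitch {sw} is not inside VPC {vpc}")
    for i, a in enumerate(vswitches):
        for b in vswitches[i + 1:]:
            if a.overlaps(b):
                errors.append(f"VSwitches {a} and {b} overlap")

    # Pod block must not overlap the VPC block; service block must overlap neither.
    pod, svc = _net(pod_cidr), _net(service_cidr)
    if pod.overlaps(vpc):
        errors.append(f"pod CIDR {pod} overlaps VPC {vpc}")
    if svc.overlaps(vpc):
        errors.append(f"service CIDR {svc} overlaps VPC {vpc}")
    if svc.overlaps(pod):
        errors.append(f"service CIDR {svc} overlaps pod CIDR {pod}")
    return errors


def create_vpc_params(region_id: str, vpc_cidr: str, vpc_name: str) -> Dict[str, str]:
    """Parameter set for the CreateVpc API call.

    For an RFC 1918 block the console is enough and UserCidr is omitted. For any
    other block the page's API path applies: the same custom block goes into
    UserCidr as well as CidrBlock (assumption: the page says both fields take the
    custom block). Caveat: addresses inside the VPC block are routed within the
    VPC, so real Internet hosts in a public block you borrow become unreachable
    from inside it.
    """
    params = {"Action": "CreateVpc", "RegionId": region_id,
              "CidrBlock": vpc_cidr, "VpcName": vpc_name}
    if not console_supported(vpc_cidr):
        params["UserCidr"] = vpc_cidr
    return params


def demo_plan() -> List[str]:
    """Constructed sample plan: one VPC, two VSwitches, pod and service blocks."""
    return validate_plan("192.168.0.0/16",
                         ["192.168.0.0/24", "192.168.1.0/24"],
                         "172.20.0.0/16", "172.21.0.0/20")


if __name__ == "__main__":
    print("plan errors:", demo_plan() or "none")
    print(create_vpc_params("cn-qingdao", "100.64.0.0/16", "example-vpc"))
```

Run it as a script to check the sample plan, or import it and call validate_plan() against your own blocks; a non-empty list means the console, the cluster creation wizard, or the routing itself will reject or silently break the plan. The overlap checks are symmetric, so a pod block that contains the VPC block is caught just as a pod block inside it is.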

Related Market Products

Internetworking with VPC

By the end of this course, you will be able to plan, configure and administer Alibaba Cloud VPC connection using Express Connect and VPN Gateway.

Interconnecting VPC Using Cloud Enterprise Network

By the end of this course, you will be able to plan, configure and administer Alibaba Cloud VPC connection using Cloud Enterprise Network (CEN) and establish global connectivity.

Related Products

Virtual Private Cloud

A virtual private cloud service that provides an isolated cloud network to operate resources in a secure environment.

VPN Gateway

VPN Gateway is an Internet-based service that establishes a connection between a VPC and your on-premises data center.

Alibaba Clouder