Community Blog Multi-Tier Approach With Virtual Private Cloud – Part 1

Multi-Tier Approach With Virtual Private Cloud – Part 1

Part 1 of this 3-part series introduces Virtual Private Cloud (VPC) and gives a detailed architectural layout of the solution.

By Shantanu Kaushik

The continuous development and expansion of cloud computing technologies have led to a significant increase in demands for virtual networks to evolve and operate with more refinements, such as

  • Scalability
  • Security
  • Reliability
  • Privacy
  • Seamless Connectivity
  • High Performance

Alibaba Cloud created virtualization network technologies to achieve this, including the Virtual Private Cloud (VPC) solution.


Traditionally, the network solutions used to work as a combination of virtual and physical networks to generate a consistent network architecture with a data-centric approach. These network systems had to go through the evolution cycle as the enterprise’s scale grew. The scale of virtual networks grew and evolved with the growth of enterprises.

Traditionally, the solutions faced serious problems, such as:

  • Address Resolution Protocol (ARP) spoofing
  • Broadcast Storms
  • Host Scanning

A host of network isolation technologies emerged to overcome these issues. These technologies focused on isolating the physical networks from the virtual networks. However, there were multiple dependencies and restrictions that made the deployment of these technologies limited to a small fraction.

A prime example was the usage of VLAN to isolate users. A restriction surfaced as VLAN could support only up to 4096 users, making the service useless if a larger number of active users accessed the system in isolation. This was not feasible in the current cloud computing scenario.

What Does Alibaba Cloud VPC Do?

Alibaba Cloud Virtual Private Cloud helps you build an isolated network environment with the following tools:

  • Customizing the IP address range
  • Seamless Network Segmentation
  • Route Tables
  • Gateways

Alibaba Cloud enables you to connect your VPC with a traditional IDC using:

  • A Virtual Private Network (VPN)
  • Internet Leased Line
  • GRE tunnel (GRE tunnel provides hybrid cloud services.)

Instead of sharing resources in a public infrastructure, Virtual Private Clouds (VPCs) create an isolation practice between entities. This security and isolation practice is why it is called a virtual private network.

VPCs offer enormous advantages and the benefits of cloud computing in a highly secure way. Alibaba Cloud Virtual Private Cloud (VPC) gives you full control, so you do not have to depend on any physical infrastructure or resource orchestration. Alibaba Cloud VPC uses Express Connect and IPsec tunnel to connect to on-premises data centers.

Alibaba Cloud VPC provides an isolated virtual network to manage cloud resources in a secure environment. Alibaba Cloud VPC is based on tunneling technology, and each VPC is identified with a unique tunnel ID. Whenever there is a transfer, the data packets are encapsulated with a unique tunnel ID and transmitted over the network.

These transfers are typically between the Elastic Compute Service (ECS) instances in a VPC. Remember, if you are dealing with different VPCs, they will be using Alibaba Cloud ECS instances with different tunnel IDs. These ECS instances may be located on two different routing planes and cannot communicate with each other. Alibaba Cloud introduced newer tunneling and Software Defined Network (SDN) technologies to overcome this communication challenge. This way, the VPCs can be integrated with gateways and vSwitches to provide smoother communication.

While adapting to the cloud model, organizations generally have concerns related to security, privacy, and sensitive data discovery and protection. Keeping that in mind, the Virtual Private Cloud solution was designed to keep all these concerns at bay. As a user, you should be in control, with operations and management in-house.


With VPC architecture, cloud providers ensure that the public infrastructure is well-isolated and tenants of the system can never access anything they are not supposed to access. Security policies to ensure isolation are implemented for the VPC components. Some of the practices VPC follows are listed below:

A Virtual Private Cloud (VPC) is a private network for your use. You have full control over your VPC. For example, you can specify the CIDR block and configure route tables and gateways. You can also deploy Alibaba Cloud resources in a VPC, such as:

You can seamlessly connect your VPC to other VPCs or on-premises networks to create a custom network environment. This way, you can migrate applications to the cloud and extend data centers.


Virtual Private Cloud (VPC) provides an isolated virtual network that allows you to manage cloud resources in a secure environment based on tunneling technology. Let’s take a look at the architectural flow depicted above. Here, the VPC consists of:

  • A gateway
  • A controller
  • One or more vSwitches

The steps the Alibaba Cloud Virtual Private Cloud (VPC) architecture follows are listed below:

  • vSwitches and Gateways together form a key data path
  • It uses an Alibaba Cloud in-house protocol.
  • The controller distributes the forwarding table to the gateway and vSwitches to enable the key configuration path.

Alibaba Cloud VPC separates the configuration path and the data path from each other efficiently, as shown on the architectural flow above.

The vSwitches work as the distributed nodes within the Alibaba Cloud VPC architecture, where the gateway and controller are deployed in multiple clusters. Multiple data centers are established to facilitate better backup and recovery scenarios. These data centers also account for redundant links for disaster recovery scenarios. This deployment mode improves the overall availability of the VPC.

When we talk about network layer isolation within this architecture, all the ECS instances within the Alibaba Cloud VPC use security groups, such as Cloud Firewall and Web Application Firewall (WAF), to control traffic going to and from ECS instances. This enables a far better security structure.

Wrapping Up

In Part 2 of this 3-part series, we will discuss all the components that make up the VPC solution. We will also talk about the significant features and benefits related to Alibaba Cloud VPC.

Upcoming Articles

  1. Multi-Tier Approach With VPC – Part 2
  2. Multi-Tier Approach With VPC – Part 3
0 0 0
Share on

Alibaba Clouder

2,600 posts | 750 followers

You may also like