Set Up a Virtual Private Cloud Network


In this tutorial, we’ll show you how to get started with Alibaba Cloud’s Virtual Private Cloud (VPC) infrastructure and networking architecture.

First, we’ll show you how to set up and configure a simple VPC with an ECS instance that is accessible via a public Elastic IP. We’ll also show you how to configure a NAT Gateway on your VPC.

We’ll then show you how to connect two VPCs, first with an Alibaba Cloud VPN Gateway and then with Alibaba Cloud’s Express Connect service.

Finally, we’ll show you how to build an Alibaba Cloud Server Load Balancer to guarantee continued access to your applications in the cloud.

What Is Alibaba Cloud Networking?

Alibaba Cloud Networking allows you to build complex networked virtual architectures that mimic your physical network infrastructure in simple steps via the Alibaba Cloud web user interface.


• You’ll need an Alibaba Cloud account – we’ll assume you already have one.
• You’ll need Alibaba Cloud Resource Access Management (RAM) authorization and an Access Key – we’ll assume you have set these up already.
• Whenever we need to pick a region, we’ll use US East 1 (Virginia).
• Anything else that comes up, we’ll show you as we go along.

Set up and Configure a Virtual Private Cloud Network

Log in to your Alibaba Cloud account and select Virtual Private Cloud (VPC) on the Products page.

Create a VPC in the required region.

Configuration options will appear for the VPC and the VSwitch which ships with the VPC.

First, give your VPC a name and set the destination CIDR block. Remember, you cannot change the CIDR block configuration once you have set it. Here, we have set the CIDR block to as an example. This CIDR block allows us 65,534 possible host IP addresses in our VPC.

Now let’s configure the VPC’s VSwitch. Every Alibaba Cloud VPC comes with one VSwitch.

Give the VSwitch a name and configure the CIDR block for the VSwitch. Again, once you have set the CIDR block for the VSwitch it cannot be changed. Here, we have given the VSwitch a smaller range of the available VPC private IP addresses, which allows us 254 possible hosts.

This VSwitch will manage a subsection of our VPC infrastructure.

When you’re done, click OK.

Once the VPC and VSwitch are configured, check the details. Notice that the VPC and VSwitch are given unique ID numbers. Click Complete to create the VPC.
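Because neither CIDR block can be changed once set, it pays to check the addressing plan before clicking Complete. The following Python script is an added example and not part of the tutorial or of any Alibaba Cloud tooling: it counts usable hosts the way the tutorial does (all addresses minus the network and broadcast address, giving 65,534 for a /16 and 254 for a /24) and checks that every VSwitch block lies inside the VPC block without overlapping another VSwitch. The sample prefixes `10.0.0.0/16` and `10.0.1.0/24` are assumptions, since the tutorial omits its exact values, and the RFC 1918 check reflects the usual private-range guidance rather than anything the tutorial states.

```python
import ipaddress

# RFC 1918 private ranges. Drawing the VPC block from one of these is the
# usual guidance; it is an assumption here, not something the tutorial states.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def usable_hosts(cidr: str) -> int:
    """Host addresses in a block, counted the way the tutorial does:
    every address minus the network and broadcast address."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - 2


def check_plan(vpc_cidr: str, vswitch_cidrs: list[str]) -> list[str]:
    """Validate a VPC/VSwitch addressing plan before it is committed.
    Returns a list of problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not any(vpc.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"VPC {vpc} is not inside an RFC 1918 private range")

    accepted: list[ipaddress.IPv4Network] = []
    for cidr in vswitch_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:  # e.g. host bits set, such as 10.0.1.5/24
            problems.append(f"VSwitch {cidr}: {err}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"VSwitch {net} is not inside VPC {vpc}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"VSwitch {net} overlaps VSwitch {other}")
        accepted.append(net)
    return problems


if __name__ == "__main__":
    # Constructed plan mirroring the tutorial's sizes: a /16 VPC (65,534 hosts)
    # and a /24 VSwitch (254 hosts). The exact prefixes are assumptions.
    print(usable_hosts("10.0.0.0/16"), usable_hosts("10.0.1.0/24"))
    print(check_plan("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
    print(check_plan("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25"]))
```

Run it with any plan you are about to commit in the console; an empty list from `check_plan` means the blocks nest correctly and a second VSwitch added later will not collide with the first.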

You will now see your VPC in the list for the region. Notice the Route Table that comes with every VPC and the VSwitch which we just configured.

Click Manage to go to the VPC details.

On the VPC details page you can see the full configuration details for the VPC.

Now, let’s add an ECS instance to the VPC. We have created ECS instances in previous tutorials, so this time let’s first create the Elastic IP addresses we need for accessing each ECS instance.

Go to Elastic IP Addresses and, in the correct region, click Create EIP.

The Elastic IP purchase screen comes up. Check the details. Here, we chose the minimum configuration details and requested two EIPs.

Agree to terms and click Activate.

Your Elastic IP Addresses are listed by region on the Elastic IP Addresses page. Now we can bind the addresses to live ECS instances. Click Bind under the Actions option.

The Bind configuration box appears. The IP Address box shows the public Elastic IP Address details that you have just bought. It needs to be bound to an ECS instance.

When you click the drop-down, you will see that there are no ECS instances available. Click Create ECS instance in a new browser window.

You are taken to the Alibaba Cloud Elastic Compute Service (ECS) page where you can configure and create an ECS instance. For the tutorial’s purposes, we have chosen the pay-as-you-go basic configuration in Zone A of our region.

Click Next.

Step 2 details the network configuration. Pick the VPC and VSwitch we have just created. We will leave the Security Group details for now. Click Next.

Step 3 is System Configurations where you can give your server instance a name and set the logon credentials. We will leave these for now.

Click Next: Grouping to go to the next step.

Step 4 is Grouping by tags for organizing your ECS instances. Let’s also skip this for now and go to Preview.

Check all the details are correct and click Create Instance.

You will notice a success box. Wait for a moment or two before going back to the page where you were going to bind an ECS instance to an EIP.

The instance you just created, with its server name and ID, is now available in the drop-down for binding to your EIP. Click OK.

You can check that your ECS instance is available via the public EIP by pinging it on the terminal. All ECS instances have ICMP open by default.

Let’s delete one of the Elastic IP Addresses we created, the one we are not going to use right now. Go to the Elastic IP Addresses page and select the EIP you want to delete. Click Release.

The EIP is gone.

Control access to your ECS instances by creating Security Groups and Key Pairs for your VPC and its ECS instances. Do this via the Networks & Security options in the Elastic Compute Service left-hand menu.

If we’re not using an ECS instance, it’s good practice to stop it. There are several ways to get to the ECS instance details; we’ll go there via the Elastic IP Addresses console in the VPC console left-hand menu.

Click the Bind Instance ECS link and click Stop to stop the instance.

If you go back to the Elastic Compute Service list, you will see the instance in the process of stopping. If your ECS instance is a pay-as-you-go instance, you will not be charged for it while it is stopped.

Configure a NAT Gateway on Your VPC

As you are creating and configuring a new VPC, you will see the option to Create NAT Gateway for the VPC.

You can also create a NAT Gateway from the VPC console.

Pick the correct region and VPC id to create a new NAT Gateway. Check the details and click Buy Now.

Agree to terms and click Activate.

You will see the Order complete screen.

After a few moments, your NAT Gateway will be ready. Go to the NAT Gateway console from the VPC left-hand menu. Here you will see the details of the NAT Gateway you just created.

The Actions options allow you to configure DNAT and SNAT entries.

In the Create DNAT Entry dialog, you can map inbound traffic on a public IP (for example, a public EIP address bound to the NAT Gateway) to a private IP (for example, an IP address within your VPC’s CIDR range).

You can also supply port details for accessing specific services and applications.

IP addresses cannot be shared by DNAT and SNAT entries.

Use Create SNAT Entry for outbound private-to-public IP mapping.

Alibaba Cloud will auto-fill VPC, VSwitch, and available IP addresses and ids where possible.
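The console enforces the rule that one public IP cannot back both a DNAT and an SNAT entry, but it is useful to review the whole NAT table as one piece before applying it: a DNAT entry is an inbound exposure, so the port it opens matters. The script below is an added example, not part of the tutorial or of Alibaba Cloud's tooling. It models DNAT and SNAT entries as plain dictionaries (the field names are assumptions modelled on the console's fields, and `"any"` stands for the console's option to forward every port), then checks for shared public IPs, DNAT targets outside the VPC, duplicate listeners, SNAT sources outside the VPC, and DNAT entries that forward every port instead of one service port. The sample addresses come from the 203.0.113.0/24 documentation range and are constructed.

```python
import ipaddress

ANY_PORT = "any"  # models the console's "Any" port choice: forward every port


def dnat(public_ip, private_ip, public_port=ANY_PORT, private_port=ANY_PORT, protocol="tcp"):
    """A DNAT entry: inbound traffic to public_ip:public_port is sent to private_ip:private_port.
    Field names are assumptions modelled on the console, not an Alibaba Cloud API."""
    return {"public_ip": public_ip, "private_ip": private_ip, "public_port": public_port,
            "private_port": private_port, "protocol": protocol}


def snat(source_cidr, public_ip):
    """An SNAT entry: outbound traffic from source_cidr (a VSwitch block or one host) leaves via public_ip."""
    return {"source_cidr": source_cidr, "public_ip": public_ip}


def validate_nat_table(vpc_cidr, dnat_entries, snat_entries):
    """Return a list of problems with a planned NAT table; empty means it is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)

    # Rule from the tutorial: a public IP cannot be shared by DNAT and SNAT entries.
    shared = {e["public_ip"] for e in dnat_entries} & {e["public_ip"] for e in snat_entries}
    for ip in sorted(shared):
        problems.append(f"{ip} is used by both DNAT and SNAT entries")

    seen_listeners = set()
    for e in dnat_entries:
        if ipaddress.ip_address(e["private_ip"]) not in vpc:
            problems.append(f"DNAT target {e['private_ip']} is outside VPC {vpc}")
        listener = (e["public_ip"], e["protocol"], e["public_port"])
        if listener in seen_listeners:
            problems.append(f"duplicate DNAT listener {listener}")
        seen_listeners.add(listener)
        if e["public_port"] == ANY_PORT:
            # Forwarding every port exposes the whole host; map only the service port.
            problems.append(f"DNAT {e['public_ip']} forwards every port to {e['private_ip']}; map only the service port")

    for e in snat_entries:
        src = ipaddress.ip_network(e["source_cidr"], strict=False)  # a bare host becomes a /32
        if not src.subnet_of(vpc):
            problems.append(f"SNAT source {src} is outside VPC {vpc}")
    return problems


if __name__ == "__main__":
    # Constructed table: one HTTPS service published inbound, one VSwitch going out via a second EIP.
    good = validate_nat_table(
        "10.0.0.0/16",
        [dnat("203.0.113.10", "10.0.1.10", 443, 443)],
        [snat("10.0.1.0/24", "203.0.113.11")],
    )
    print(good)  # []
```

The "forwards every port" finding is the one worth acting on before anything else: a DNAT entry with the port left at the broad setting publishes every listening service on the private host, not just the one you meant to expose.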

Connect VPCs with a VPN Gateway

On the left-side navigation menu of the VPC, click VPN Gateway and Create VPN Gateway.

Check the details and click Buy Now.

Agree to terms and click Activate.

Go back to the VPN Gateway console and you will see the system preparing the VPN Gateway for your VPC.

Once the VPN Gateway is created, make a note of the IP Address.

For our US East VPC, the IP Address is

Follow the steps again to create a new VPC in a different region.

Configure a VPN Gateway for this VPC and make a note of the IP.

Our US West VPC’s VPN Gateway IP is

The IPs for the VPN Gateways are public IPs and are pingable.

Now we can connect up our VPCs by creating Customer Gateways in each region that connect to the VPN Gateway in the other region.

Click Customer Gateways and Create Customer Gateway.

Configure the Customer Gateway to connect to the VPN Gateway IP in the other region.

You can connect to more VPN Gateways by clicking Add.

Click OK.

Create a Customer Gateway in the other region in the same way.

Your VPCs are now connected up via the VPN Gateways we just built out. Now we have to configure an IPsec Connection which will create a VPN tunnel that allows network traffic between the two VPCs.

Go to IPsec Connections and click Create IPsec Connection.

Scroll down and make a note of all the configuration details in the advanced tab at the bottom.

There are a lot of these, so make sure you’ve noted all of them. We’re particularly interested in any shared keys and the authentication algorithms used.

When you’re ready, click OK.

Now repeat all the steps for creating an IPsec connection in the other region VPC. Make sure all the advanced settings are the same and click OK when you are ready.

The IPsec Connection is created.
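The tunnel only comes up if the advanced settings on both IPsec Connections match exactly, and the settings also decide how strong the tunnel is. The script below is an added example and not part of the tutorial or of Alibaba Cloud's tooling: it records one side's advanced-tab settings in a dataclass (the field names model the console's IKE and IPsec fields and are assumptions, as the tutorial only says to note all of them), compares the two sides, reports which fields differ without ever echoing the shared key, checks that the local and remote identifiers are mirrored, and flags weak choices such as DES, 3DES, MD5 or the small DH groups. The sample settings are constructed and the key is an obvious placeholder.

```python
from dataclasses import dataclass, asdict, replace

# Choices to replace wherever the console offers them (deprecated or too small).
WEAK_CHOICES = {"des", "3des", "md5", "group1", "group2"}


@dataclass(frozen=True)
class IpsecSide:
    """Advanced-tab settings of one IPsec Connection. Field names are assumptions
    modelled on the console's IKE and IPsec configuration fields."""
    psk: str
    ike_version: str
    ike_mode: str
    ike_encryption: str
    ike_authentication: str
    ike_dh_group: str
    ike_lifetime: int
    ipsec_encryption: str
    ipsec_authentication: str
    ipsec_pfs: str
    ipsec_lifetime: int
    local_id: str
    remote_id: str


def altered(side: IpsecSide, **changes) -> IpsecSide:
    """Copy of a side with some settings changed, for what-if checks."""
    return replace(side, **changes)


def compare_sides(a: IpsecSide, b: IpsecSide) -> list[str]:
    """Return findings for a pair of IPsec Connections; empty means they agree and use no weak choices."""
    findings = []
    da, db = asdict(a), asdict(b)
    for field in da:
        if field in ("local_id", "remote_id"):
            continue  # these are meant to differ; checked as a mirrored pair below
        if da[field] != db[field]:
            # Never echo the shared key into a terminal or log; only say that it differs.
            shown = "values differ" if field == "psk" else f"{da[field]!r} vs {db[field]!r}"
            findings.append(f"mismatch: {field}: {shown}")
    if a.local_id != b.remote_id or a.remote_id != b.local_id:
        findings.append("mismatch: local/remote identifiers are not mirrored")
    if len(a.psk) < 16:
        findings.append("weak: pre-shared key is shorter than 16 characters")
    for label, d in (("side A", da), ("side B", db)):
        for field, value in d.items():
            if field != "psk" and isinstance(value, str) and value.lower() in WEAK_CHOICES:
                findings.append(f"weak: {label} {field}={value}")
    return findings


# Constructed sample, not the tutorial's real values: the two sides mirror each other.
US_EAST = IpsecSide(
    psk="constructed-example-psk-not-real", ike_version="ikev2", ike_mode="main",
    ike_encryption="aes256", ike_authentication="sha256", ike_dh_group="group14",
    ike_lifetime=86400, ipsec_encryption="aes256", ipsec_authentication="sha256",
    ipsec_pfs="group14", ipsec_lifetime=86400,
    local_id="vpn-gw-east", remote_id="vpn-gw-west",
)
US_WEST = altered(US_EAST, local_id="vpn-gw-west", remote_id="vpn-gw-east")

if __name__ == "__main__":
    print(compare_sides(US_EAST, US_WEST))  # []
    print(compare_sides(US_EAST, altered(US_WEST, ike_authentication="md5")))
```

Keep the noted settings out of shared documents once the tunnel is up; the comparison deliberately reports the shared key only as "values differ" so its output can be pasted into a ticket.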

Connect VPCs with Express Connect

The Alibaba Cloud Express Connect product is another way of connecting VPCs. Log on to the Express Connect console. Go to the Router Interface option under VPC Connection and click Create Router Interface.

Select the relevant configuration details. We have chosen the most basic options for the Router Interface. The pay-as-you-go option only allows a receiver interface to be built.

Click Buy Now.

Agree to terms and click Activate.

Wait for the order to complete and then go back to the Express Connect console. You will see the new Express Connect Router Interface in the region list.

To learn more, please see our Express Connect tutorial.


To summarize, we first built a simple Alibaba Cloud Virtual Private Cloud network architecture on which we configured a VSwitch, a NAT Gateway, a couple of public EIP addresses, and one ECS instance running on it.

Next, we built a similar VPC in another region which we connected up to the first. We showed you how to connect your separate VPCs via the Alibaba Cloud VPN Gateway service and we mentioned that you can do exactly the same thing with the Alibaba Cloud Express Connect service too.

Make sure you keep your eyes out for more Alibaba Cloud whitepapers, blogs, tutorials, and videos.