
Virtual Private Cloud:Terms

Last Updated: Mar 13, 2024

This topic describes the terms used in Virtual Private Cloud (VPC) to help you use VPC more effectively.


VPC

A VPC is a private network on Alibaba Cloud. VPCs are logically isolated from each other. You can create and manage cloud resources in your VPC, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB RDS instances.

vSwitch

A vSwitch is a basic network component of a VPC. A vSwitch connects different cloud resources. When you create a cloud resource in a VPC, you must specify a vSwitch to which the cloud resource is connected.

VPC sharing

A VPC owner (resource owner) can share non-default vSwitches in the VPC with one or more Alibaba Cloud accounts (principals). The principals can create cloud resources in the shared vSwitches. A resource owner can share resources with Alibaba Cloud accounts in the same or a different enterprise organization.

Route

vRouter

A vRouter is a virtual router that connects all vSwitches in a VPC and serves as a gateway that connects the VPC to other networks. A vRouter also forwards network traffic based on the routes in the route table.

Route table

A route table consists of the routes in a vRouter. Route tables are classified into the following types:

  • System route table

    After you create a VPC, the system creates a system route table to manage routes of the VPC. By default, vSwitches in the VPC use the system route table. You cannot create or delete a system route table. However, you can add custom routes to a system route table.

  • Custom route table

    You can create a custom route table in a VPC and associate the custom route table with a vSwitch. This allows you to manage network traffic in a more flexible manner.

  • Gateway route table

    You can create a custom route table in a VPC and associate the custom route table with an IPv4 gateway. This route table is called a gateway route table.

Route

Each item in a route table is a route. A route specifies the next hop address for the network traffic that is destined for a destination CIDR block. Routes are classified into system routes and custom routes.

Prefix list

A prefix list is a set of one or more CIDR blocks. You can create a prefix list for some commonly used IP addresses and set the prefix list as the destination for routes in a route table. This way, you do not have to configure a route for each IP address. If you want to expand the destination and access another CIDR block, you can add the CIDR block to the prefix list. Then, the routes with the prefix list as the destination will be updated.
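A small model of the route lookup described under Route and Prefix list, added here as an illustration (not Alibaba Cloud's implementation): a route's destination is either a fixed CIDR block or a prefix list, the most specific destination wins, and adding a CIDR block to the prefix list extends the route without editing the route itself. The next-hop names and CIDR blocks are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed model of a VPC route table (illustration only, not Alibaba Cloud's
# implementation). Forwarding uses longest-prefix match over all destinations.

@dataclass
class PrefixList:
    name: str
    cidrs: Set = field(default_factory=set)

    def add(self, cidr: str) -> None:
        self.cidrs.add(ip_network(cidr))

@dataclass
class Route:
    next_hop: str                       # e.g. "local", a NAT gateway, a peer
    kind: str                           # "system" or "custom"
    cidr: Optional[object] = None       # fixed destination CIDR block, or ...
    prefix_list: Optional[PrefixList] = None  # ... a prefix list as destination

    def destinations(self) -> list:
        # A prefix-list route expands to every CIDR block currently in the list.
        if self.prefix_list is not None:
            return list(self.prefix_list.cidrs)
        return [self.cidr]

def lookup(routes: List[Route], dst_ip: str) -> Optional[Tuple[str, str]]:
    """Return (matched CIDR block, next hop) using longest-prefix match."""
    ip = ip_address(dst_ip)
    best = None
    for route in routes:
        for net in route.destinations():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route.next_hop)
    return None if best is None else (str(best[0]), best[1])

def build_sample_table() -> Tuple[List[Route], PrefixList]:
    """Constructed sample: a system route, a prefix-list route, a default route."""
    peers = PrefixList("peer-networks")
    peers.add("192.168.10.0/24")
    routes = [
        Route("local", "system", cidr=ip_network("10.0.1.0/24")),
        Route("vpc-peer-1", "custom", prefix_list=peers),
        Route("nat-gw-1", "custom", cidr=ip_network("0.0.0.0/0")),
    ]
    return routes, peers
```

Calling `peers.add("192.168.20.0/24")` after `build_sample_table()` makes traffic to that block follow the peering route instead of the default route, with no change to the route entries.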

NAT gateway

NAT Gateway provides the DNAT and SNAT features. NAT gateways are classified into Internet NAT gateways and VPC NAT gateways. Internet NAT gateways provide NAT services for public IP addresses, while VPC NAT gateways provide NAT services for private IP addresses. You can choose Internet NAT gateways or VPC NAT gateways based on your business requirements.

VPC peering connection

A VPC peering connection is a private network connection between two VPCs. You can enable two VPCs to communicate with each other by establishing a VPC peering connection. You can create a VPC peering connection between two VPCs within your Alibaba Cloud account (same-account), or between a VPC within your Alibaba Cloud account and a VPC within another Alibaba Cloud account (cross-account). You can also create VPC peering connections between VPCs that belong to the same region (intra-region) or different regions (inter-region).

DHCP options set

DHCP is a network management protocol. DHCP provides a standard for passing configuration information to servers in a TCP/IP network. The DHCP options set feature allows you to configure domain names and DNS server IP addresses for ECS instances in a VPC.

IPv4 gateway

An IPv4 gateway is a network component that connects a VPC to the Internet. An IPv4 gateway can enable a VPC to access the Internet by routing IPv4 traffic and translating private IP addresses to public IP addresses. When a VPC accesses the Internet by using an IPv4 gateway, IPv4 traffic flows through the IPv4 gateway.

ClassicLink

VPC supports the ClassicLink feature, which allows ECS instances in classic networks to communicate with cloud resources in VPCs.

Network ACL

Network access control lists (ACLs) allow you to implement access control for a VPC. You can create network ACL rules and associate a network ACL with a vSwitch. This allows you to control inbound and outbound traffic of Elastic Compute Service (ECS) instances that are attached to the vSwitch.

Security group

A security group acts as a virtual firewall to control the inbound and outbound traffic of ECS instances to improve security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups and security group rules to define security domains in the cloud.

High-availability virtual IP address (HAVIP)

An HAVIP is a private IP address that can be created and released as an independent resource. You can use HAVIPs with high-availability (HA) software such as Keepalived to deploy services in active/standby mode. This improves the availability of your services.

Flow log

VPC provides the flow log feature. The feature records information about inbound and outbound traffic of an elastic network interface (ENI). You can check access control rules, monitor network traffic, and troubleshoot network errors based on the flow logs.

Traffic mirroring

The traffic mirroring feature can mirror packets that flow through an ENI and that meet the filter conditions. The traffic mirroring feature mirrors network traffic from an ECS instance in a VPC and forwards the traffic to a specified ENI or an internal-facing Classic Load Balancer (CLB) instance. You can use this feature in scenarios such as content inspection, threat monitoring, and troubleshooting.

Idle instance

The VPC console can display idle instances. You can release idle instances to reduce costs.

Tag

VPC supports the tag feature. You can use tags to label and classify VPCs, route tables, and vSwitches, which facilitates resource search and aggregation.

Quota management

Alibaba Cloud sets quotas on the cloud resources and API operations for each Alibaba Cloud account. Alibaba Cloud service quotas are classified into the following types: general quotas, API rate limits, and privileges.

RAM authorization

You can use your Alibaba Cloud account to grant permissions to a Resource Access Management (RAM) user. The RAM user can then manage VPCs within the scope of the granted permissions.