Technical principles

Background information

As cloud computing continues to develop, the requirements placed on virtual networks keep rising: scalability, security, reliability, privacy, and connection performance. This has given rise to a variety of network virtualization technologies.

The earlier solution was to combine the virtual machine network with the physical network into a flat network architecture, such as a large Layer-2 network. As virtual networks grew in scale, problems such as ARP spoofing, broadcast storms, and host scanning became more and more serious for these earlier solutions. Various network isolation technologies emerged to resolve these problems by completely isolating the virtual networks from the physical network. One of these technologies isolates users with VLANs. However, a VLAN only supports a maximum of 4096 nodes, so it cannot support the huge number of users in the cloud.

Principle description

A Virtual Private Cloud (VPC) isolates virtual networks based on mainstream tunneling technologies. Each VPC has a unique tunnel ID, and each tunnel ID corresponds to exactly one VPC. A tunnel encapsulation carrying this unique tunnel ID is added to each data packet transmitted between the ECS instances within a VPC, and the encapsulated packet is then transmitted over the physical network. Because ECS instances in different VPCs carry different tunnel IDs and are located on two different routing planes, ECS instances in different VPCs cannot communicate with each other and are isolated by nature.

Based on these tunneling technologies, the Alibaba Cloud research and development team has developed the VSwitch, Software Defined Network (SDN) technology, and a hardware gateway, which form the basis on which the team designed and developed the VPC.

Logical architecture

As shown in the following figure, the VPC architecture contains three main components: VSwitches, a gateway, and a controller.

  • The VSwitches and gateways form the key data path. The controller uses a self-developed protocol to distribute the forwarding table to the gateway and the VSwitches, which forms the key configuration path. In the overall architecture, the configuration path and the data path are separated from each other.

  • The VSwitches are distributed nodes, the gateway and controller are deployed in clusters, and all links have redundant disaster recovery. This improves the overall availability of the VPC.

  • The performance of the Alibaba Cloud VSwitch and gateway is in a leading position in the field. The self-developed SDN protocol and controllers can easily control thousands upon thousands of VPCs in the cloud.
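To make the tunnel-ID isolation from the principle description and the controller/VSwitch split from the architecture list concrete, here is a small Python model added as an illustration; it is example code written for this page, not Alibaba Cloud's implementation, and it assumes a constructed tunnel-ID numbering scheme and a two-host topology. Every forwarding-table key includes the tunnel ID, so two VPCs that both use the overlay address 10.0.0.2 never see each other's packets, and a packet aimed at an address that exists only in the other VPC is dropped rather than delivered.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src_ip dst_ip payload")          # overlay packet between ECS instances
TunnelFrame = namedtuple("TunnelFrame", "tunnel_id inner")       # encapsulation carrying the VPC's tunnel ID

class Controller:
    """Configuration path: owns the VPC -> tunnel ID map and the forwarding table, pushes it to VSwitches."""
    def __init__(self):
        self.tunnel_ids = {}  # VPC name -> unique tunnel ID (constructed numbering, not the real scheme)
        self.table = {}       # (tunnel_id, overlay IP) -> VSwitch hosting that instance

    def create_vpc(self, name):
        self.tunnel_ids[name] = 1000 + len(self.tunnel_ids)
        return self.tunnel_ids[name]

    def attach(self, vpc, ip, vswitch):
        tid = self.tunnel_ids[vpc]
        self.table[(tid, ip)] = vswitch
        vswitch.local.add((tid, ip))
        vswitch.table = self.table  # push the forwarding table down to the data path

class VSwitch:
    """Data path on one physical host: encapsulate on egress, check and deliver on ingress."""
    def __init__(self, host):
        self.host, self.local, self.table, self.delivered = host, set(), {}, []

    def send(self, tunnel_id, pkt):
        # Lookup is keyed by (tunnel ID, IP): the same IP in another VPC is a different key.
        target = self.table.get((tunnel_id, pkt.dst_ip))
        if target is None:
            return "dropped"  # no such destination on this VPC's routing plane
        return target.receive(TunnelFrame(tunnel_id, pkt))

    def receive(self, frame):
        # Deliver only to an instance that really has this (tunnel ID, IP) on this host.
        if (frame.tunnel_id, frame.inner.dst_ip) not in self.local:
            return "dropped"
        self.delivered.append(frame)
        return "delivered on " + self.host

def demo():
    """Two VPCs with overlapping 10.0.0.0/24 addresses (constructed sample topology)."""
    ctl = Controller()
    tid_a, tid_b = ctl.create_vpc("vpc-a"), ctl.create_vpc("vpc-b")
    h1, h2 = VSwitch("host-1"), VSwitch("host-2")
    ctl.attach("vpc-a", "10.0.0.1", h1); ctl.attach("vpc-a", "10.0.0.2", h2)
    ctl.attach("vpc-b", "10.0.0.2", h1); ctl.attach("vpc-b", "10.0.0.9", h2)
    same_vpc = h1.send(tid_a, Packet("10.0.0.1", "10.0.0.2", "hello"))   # reaches vpc-a's 10.0.0.2 on host-2
    cross_vpc = h1.send(tid_a, Packet("10.0.0.1", "10.0.0.9", "hello"))  # 10.0.0.9 exists only in vpc-b
    seen_by_b = [f for f in h1.delivered + h2.delivered if f.tunnel_id == tid_b]
    return same_vpc, cross_vpc, seen_by_b
```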

VPC Architecture

In addition to an isolated private network, Alibaba Cloud provides each VPC with a separate VRouter and VSwitches, giving you the capability to design your VPC network in a rich set of ways.

If you have intranet security requirements, you can use the security group function to perform access control and isolation at a finer granularity. By default, an ECS instance in a VPC can only communicate with other ECS instances or other cloud services in the same VPC. You can use VPC-related products such as EIP and Express Connect to connect your VPC with the Internet, other VPCs, and your on-premises data centers.

