
Virtual Private Cloud: Overview of connecting a VPC to an external network

Last Updated: Jan 22, 2024

This topic provides an overview of how to connect a virtual private cloud (VPC) to the Internet, another VPC, or a data center.

Enable Internet access

The following table describes the services that you can use to enable Internet access for VPCs.
Service | Feature | Benefit
Static public IP address
When you create an ECS instance in a VPC, you can specify whether you want the system to assign a public IPv4 address to the ECS instance. The ECS instance can use the public IP address to communicate with the Internet.

You cannot disassociate the public IP address from the ECS instance. However, you can convert the public IP address to an EIP. For more information, see Convert the static public IP address of an ECS instance in a VPC to an EIP.

You can purchase data transfer plans for an ECS instance that is assigned a public IP address. You can also purchase EIP bandwidth plans for an ECS instance after you convert the public IP address of the ECS instance to an EIP. For more information, see What is an Internet Shared Bandwidth? and What is a data transfer plan?.

EIP
You can associate EIPs with or disassociate EIPs from ECS instances anytime. ECS instances in a VPC can use EIPs in SNAT entries to access the Internet and use EIPs in DNAT entries to provide Internet-facing services.

You can associate EIPs with or disassociate EIPs from ECS instances anytime.

You can use EIP bandwidth plans and data transfer plans to reduce the cost of data transfer over the Internet.

Internet NAT Gateway
ECS instances in a VPC can use SNAT entries to access the Internet and use DNAT entries to provide Internet-facing services.
Note: Internet NAT gateways do not provide load balancing services. To balance the loads of ECS instances, use SLB.
An Internet NAT gateway allows multiple ECS instances in a VPC to communicate with the Internet. However, each EIP can be used by only one ECS instance.
SLB
SLB provides load balancing services at Layer 4 and Layer 7. You can specify the ports on which SLB listens to distribute requests from the Internet to ECS instances. Alibaba Cloud provides two types of SLB instances: CLB and ALB.
Note: SLB does not support SNAT. ECS instances deployed in a VPC cannot access the Internet through SLB.
SLB supports DNAT. Each port on an SLB instance can be mapped to one or more ECS instances.

SLB distributes network traffic across multiple ECS instances to prevent single points of failure. This improves the availability of application systems.

After you associate an EIP with an SLB instance, you can purchase EIP bandwidth plans and data transfer plans to reduce costs.

Connect VPCs

The following table describes the services that you can use to connect two VPCs.
Service | Feature | Benefit
CEN

You can establish connections among VPCs that belong to different regions and Alibaba Cloud accounts.

For more information, see Connect VPCs.

  • Connects networks in different regions.
  • Low network latency and high speed.
  • Connects networks through nearby access points.
  • Connection redundancy and disaster recovery.
  • Systematic management.
VPC peering connections

A VPC peering connection is a private network connection between two VPCs. You can enable two VPCs to communicate with each other by establishing a VPC peering connection. You can establish a VPC peering connection between VPCs that belong to the same Alibaba Cloud account or different Alibaba Cloud accounts. In addition, the VPCs can be deployed in the same region or in different regions.

For more information, see Overview of VPC peering connections.

  • Low costs: VPC peering connections in the same region are free of charge.
  • Low network latency.
VPN Gateway
You can establish an IPsec-VPN connection between two VPCs for encrypted data transmission.

For more information, see Establish IPsec-VPN connections between two VPCs.

  • Security.
  • High availability.
  • Cost-effectiveness.
  • Ease of use.

Connect a data center to a VPC

The following table describes the services that you can use to connect a data center to a VPC.
Service | Feature | Benefit
Express Connect
You can use an Express Connect circuit to connect a data center to a VPC.

For more information, see What is a connection over an Express Connect circuit?.

  • Network traffic is distributed across the backbone networks of connectivity providers to minimize network latency.
  • Express Connect circuits ensure the security and reliability of data transfer.
VPN Gateway
  • You can establish an IPsec-VPN connection between a data center and a VPC for encrypted data transmission.
  • You can establish an SSL-VPN connection between a client and a VPC.
  • Security.
  • High availability.
  • Cost-effectiveness.
  • Ease of use.
CEN
  • Connects a VPC to a data center.

    You can connect a VPC to a data center by attaching the VBR associated with the data center to a CEN instance.

  • Connects multiple VPCs to a data center.

    You can connect multiple VPCs to a data center by attaching multiple network instances such as VPCs and VBRs to a CEN instance.

  • Connects networks in different regions.
  • Low network latency and high speed.
  • Connects networks through nearby access points.
  • Connection redundancy and disaster recovery.
  • Systematic management.
SAG
  • Connects on-premises networks, such as data centers and branches, to Alibaba Cloud to build a hybrid cloud.
  • Connects on-premises networks.
  • Supports automatic configurations and zero touch provisioning (ZTP), and automatically adapts to network topology changes.
  • Connects to nearby access points in a metropolitan area network. Branch offices can be connected to Alibaba Cloud through active and standby access devices or connections.
  • Data transmitted over the Internet between the data center and the VPC is encrypted.