A virtual private cloud (VPC) is a private network dedicated for your use. Alibaba Cloud provides various services that can be connected to a VPC, such as Express Connect, VPN Gateway, Cloud Enterprise Network (CEN), and Smart Access Gateway (SAG).

The following tables describe the solutions for connecting to a VPC by using Alibaba Cloud services.

Connect VPCs

| Service | Description | Benefit | Limit |
| --- | --- | --- | --- |
| CEN | Establishes connections among VPCs in different regions or within different accounts. | • Ease of use. Automatic route learning and distribution are supported.<br>• Low latency and high speed.<br>• Network instances, such as VPCs and virtual border routers (VBRs), that are attached to the same CEN instance can communicate with each other.<br>• Data transfer is free of charge if the network instances are deployed in the same region. | N/A |
| Express Connect | Establishes peering connections between two VPCs. | Data transfer is free of charge if the two VPCs are deployed in the same region. | N/A |

Connect a data center to a VPC

| Service | Description | Benefit | Limit |
| --- | --- | --- | --- |
| VPN Gateway | Connects a data center to a VPC through an encrypted IPsec-VPN tunnel over the Internet. | • Cost-effectiveness.<br>• Ensures security.<br>• Immediately takes effect after configuration. | The network latency and availability depend on the Internet. |
| CEN | Automatic route learning and distribution are supported. To enable communication among resources that are attached to the same CEN instance, you need only to attach the VBR that is associated with the data center to the CEN instance. | • Ease of use. Automatic route learning and distribution are supported.<br>• Low latency and high speed.<br>• Network instances, such as VPCs and VBRs, that are attached to the same CEN instance can communicate with each other.<br>• Data transfer is free of charge if the network instances are deployed in the same region. | N/A |
| SAG | Connects a data center to Alibaba Cloud. | • Ready-to-use. Automatic configuration is supported.<br>• Data transmitted over the Internet between the data center and the VPC is encrypted.<br>• Connects to nearby access points in a metropolitan area network. Branch offices can be connected to Alibaba Cloud through active and standby access devices or connections. | N/A |
| Express Connect | Connects a data center to a VPC. | • High network quality.<br>• High bandwidth. | • High costs.<br>• Service activation is time-consuming. |
| VPN software in Alibaba Cloud Marketplace | Allows you to purchase a VPN gateway in Alibaba Cloud Marketplace and deploy the VPN gateway in a VPC. Then, you can connect a data center to the VPC through an encrypted IPsec-VPN tunnel over the Internet. | • Ensures security.<br>• Different types of VPN software are available.<br>• Immediately takes effect after configuration. | • VPN gateways must be manually deployed and maintained.<br>• The network latency and availability depend on the Internet. |

Connect multiple sites

| Service | Description | Benefit | Limit |
| --- | --- | --- | --- |
| VPN Gateway | Establishes secure connections among multiple sites. The VPN-Hub feature enables communication among different sites, or between sites and VPCs. | • Cost-effectiveness.<br>• Ready-to-use. The service takes effect immediately after configuration. | N/A |
| SAG | Allows you to purchase SAG instances for branch offices and connects the SAG instances to a cloud connect network (CCN) instance. Then, the branch offices can communicate with each other. | • Ready-to-use. Automatic configuration is supported.<br>• Data transmitted over the Internet between the data center and the VPC is encrypted.<br>• Connects to nearby access points in a metropolitan area network. Branch offices can be connected to Alibaba Cloud through active and standby access devices or connections. | N/A |
| VPN Gateway and Express Connect | Allows you to connect applications and branch offices worldwide. | • High network quality.<br>• Ready-to-use. The service takes effect immediately after configuration. | The network latency and availability depend on the Internet. |

Remote access to a VPC

| Service | Description | Benefit | Limit |
| --- | --- | --- | --- |
| VPN Gateway (with SSL-VPN) | Connects a remote client to a VPC. | • Cost-effectiveness.<br>• Reliability.<br>• Easy configuration and deployment. | N/A |
| SSL-VPN software in Alibaba Cloud Marketplace | After you purchase SSL-VPN software from Alibaba Cloud Marketplace and deploy it in a VPC, you can connect to the VPN server from a remote client. | Multiple types of SSL-VPN software and images are supported. | • High costs.<br>• Low reliability.<br>• VPN gateway software must be manually deployed and maintained. |


Connect VPCs

You can deploy a system in VPCs that are created in different regions and build a network across regions. Then, users can access the services from the nearest locations. This minimizes network latency, and you can deploy backup systems to ensure high availability.

You can connect VPCs across regions or in the same region by using CEN instances and VPN gateways.

  • CEN

    CEN can be used to establish private connections among VPCs. CEN supports automatic route distribution and learning, which speed up network convergence, improve the quality and security of cross-network communication, and connect all network resources. CEN helps build a network with enterprise-level communication capabilities.

  • VPN Gateway

    VPN Gateway is an Internet-based service that can be used to securely and reliably connect data centers, office networks, and terminals to VPCs through an encrypted tunnel. By default, VPN Gateway supports the active-standby mode where two VPN gateways are used. In this mode, the system performs a failover when one VPN gateway is down. You can use VPN gateways to establish IPsec-VPN connections between your data center and VPCs.

Connect a data center to a VPC

You can connect a data center to a VPC to build a hybrid cloud. After a secure and reliable connection is established between your data center and the VPC, you can migrate on-premises IT infrastructure resources to Alibaba Cloud seamlessly by using computing, storage, networking, CDN, and BGP resources provided by Alibaba Cloud. This allows you to better handle business fluctuations.

You can connect a data center to a VPC by using Express Connect circuits, VPN gateways, and CEN instances.

  • Express Connect

    Express Connect supports connections over Express Connect circuits. After an Express Connect circuit is connected to Alibaba Cloud, you can create a VBR and connect your data center to Alibaba Cloud. This way, you can build a hybrid cloud and access your data center over a private network.

    An Express Connect circuit connects your data center to Alibaba Cloud over a private network. Therefore, compared with Internet connections, using connections over Express Connect circuits can reduce network latency, enhance security, and improve reliability.

  • VPN Gateway

    VPN Gateway is an Internet-based service that can be used to securely and reliably connect data centers, office networks, and terminals to VPCs through an encrypted tunnel. By default, VPN Gateway supports the active-standby mode where two VPN gateways are used. In this mode, the system performs a failover when one VPN gateway is down. You can use VPN gateways to establish IPsec-VPN connections between your data center and VPCs.

  • CEN

    CEN can be used to connect resources in a hybrid cloud based on automatic route distribution and learning. After you attach the VBR that is associated with your data center to a CEN instance, the data center can communicate with other network instances that are attached to the same CEN instance, such as VPCs and VBRs.

  • SAG

    SAG is an all-in-one solution that can be used to connect your workloads to Alibaba Cloud. You can use SAG to connect private networks to Alibaba Cloud over the Internet. The connections established by SAG are secure and reliable.

    You can purchase SAG instances for your data center and attach the CCN instance that is associated with the SAG instances to the CEN instance. This allows you to connect your data center to Alibaba Cloud.

  • VPN software in Alibaba Cloud Marketplace

    Alibaba Cloud Marketplace provides various types of VPN software and images. You can purchase the required VPN software from Alibaba Cloud Marketplace and deploy the VPN software on an ECS instance. Then, you can connect your data center to the VPC over the Internet by using an elastic IP address (EIP).

Connect multiple sites

You can connect multiple sites by using SAG or the VPN-Hub feature of VPN Gateway.

  • SAG

    SAG is an all-in-one solution that can be used to connect your workloads to Alibaba Cloud. You can use SAG to connect private networks to Alibaba Cloud over the Internet. The connections established by SAG are secure and reliable.

    You can purchase SAG instances for branch offices and connect the SAG instances through a CCN instance. Then, the branch offices can communicate with each other.

  • VPN Gateway

    The IPsec-VPN feature of VPN Gateway provides site-to-site VPN connections. Each VPN gateway supports at most 10 IPsec-VPN connections. You can purchase a VPN gateway and establish connections among up to 10 data centers or branch offices in different regions.

    You can create multiple site-to-site IPsec connections among sites, or between sites and VPCs by using VPN-Hub. VPN-Hub allows large enterprises to establish private connections across branch offices that run business in different regions.

    By default, the VPN-Hub feature is enabled. You need only to configure an IPsec-VPN connection between each branch office and Alibaba Cloud. No additional configurations or payments are required. Each VPN gateway supports at most 10 IPsec-VPN connections. That means you can connect 10 branch offices in different regions by using one VPN gateway. The following figure shows how to establish connections among the branch offices in Shanghai, Hangzhou, and Ningbo by using a VPN gateway.

  • Build a high-speed global network

    You can establish connections among applications and branch offices worldwide by using VPN gateways and Express Connect circuits. This solution ensures secure communication and optimal network quality, and minimizes your costs.

    The following figure shows how to establish connections among the branch offices that are connected to the VPC in the US (Virginia) region and the VPC in the China (Shanghai) region. You can deploy applications in both VPCs and connect the two VPCs by using an Express Connect circuit. Then, you can connect the branch offices to each VPC through IPsec-VPN.

Remote access to a VPC

The SSL-VPN feature of VPN Gateway provides point-to-site VPN connections. You can use a client to access a VPC without the need to configure a gateway. You can deploy internal applications in a VPC and enable access to the applications through SSL-VPN connections over internal networks. For example, network maintenance and management can be implemented through the connections between an office and the VPC. Remote access is allowed for the applications in the VPC.

You can use VPN gateways, or VPN software and images from Alibaba Cloud Marketplace, for remote access to VPCs.

  • VPN Gateway (SSL-VPN)

    You can create an SSL-VPN connection to connect a remote client to applications and services that are deployed in a VPC. After you deploy the applications and services, you can load the SSL client certificate to your client and initiate an SSL-VPN connection between the client and the VPC. By default, VPN gateways support the active-standby mode where two VPN gateways are used. In this mode, the system automatically performs a failover when one VPN gateway is down.

  • Purchase SSL-VPN software in Alibaba Cloud Marketplace

    Alibaba Cloud Marketplace provides various types of SSL-VPN software and images. You can purchase the required SSL-VPN software from Alibaba Cloud Marketplace and deploy it on your ECS instance that is associated with an EIP. Then, you can connect the VPC to the client over the Internet.