
Virtual Private Cloud: Select a private network service

Last Updated: Feb 18, 2024

A virtual private cloud (VPC) is a private network in the cloud. Alibaba Cloud provides different services to access VPCs, such as Express Connect, VPN Gateway, Cloud Enterprise Network (CEN), and Smart Access Gateway (SAG).

Overview

The following tables describe the connection solutions for each scenario.

  • Connect VPCs

    | Service | Description | Benefit | Limit |
    | --- | --- | --- | --- |
    | CEN | You can establish connections among VPCs that belong to different regions and Alibaba Cloud accounts. | • Ease of use. Automatic route learning and advertising are supported. • Low latency and high speed. • Network instances, such as VPCs, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances, that are attached to the same CEN instance can communicate with each other. | None |
    | VPC peering connection | You can establish peering connections between two VPCs. | If the two VPCs are deployed in the same region, data transfer is free of charge. | None |

  • Connect a data center to a VPC

    | Service | Description | Benefit | Limit |
    | --- | --- | --- | --- |
    | VPN gateway | You can connect a data center to a VPC by using an encrypted IPsec-VPN tunnel over the Internet. | • Low cost. • Security. • Immediately takes effect after configuration. | The network latency and availability vary based on the Internet. |
    | CEN | Automatic route learning and advertisement are supported. To enable communication among resources that are attached to the same CEN instance, you only need to attach the VBR that is associated with the data center to the CEN instance. | • Ease of use. Automatic route learning and advertising are supported. • Low latency and high speed. • Network instances, such as VPCs and VBRs, that are attached to the same CEN instance can communicate with each other. | None |
    | SAG and CEN | You can connect a data center to Alibaba Cloud by using SAG. | • Ready-to-use. Automatic configuration is supported. • Data transmitted over the Internet between the data center and the VPC is encrypted. • You can connect to nearby access points in a MAN. Branch offices can be connected to Alibaba Cloud by using active and standby access devices or connections. | None |
    | Express Connect | You can connect a data center to a VPC by using Express Connect circuits. | • High network quality. • High bandwidth. | • High costs. • Service activation is time-consuming. |
    | VPN software deployment | You can purchase a VPN gateway and deploy the VPN gateway in a VPC. Then, you can connect a data center to the VPC by using an encrypted IPsec-VPN tunnel over the Internet. | • Security. • Different types of VPN software are available. • Immediately takes effect after configuration. | • VPN gateways must be manually deployed and maintained. • The network latency and availability depend on the Internet. |

  • Connect multiple sites

    | Service | Description | Benefit | Limit |
    | --- | --- | --- | --- |
    | VPN gateway | Establishes secure connections among multiple sites. The VPN-Hub feature enables communication among different sites, or between sites and VPCs. | • Low cost. • Ready-to-use. • Immediately takes effect after configuration. | None |
    | SAG | You can purchase SAG instances for branch offices and attach the SAG instances to a CCN instance. Then, the branch offices can communicate with each other. | • Ready-to-use. Automatic configuration is supported. • Data transmitted over the Internet between the data center and the VPC is encrypted. • You can connect to nearby access points in a MAN. Branch offices can be connected to Alibaba Cloud by using active and standby access devices or connections. | None |
    | VPN Gateway and VPC peering connection | You can connect application systems and offices around the world by using a combination of VPN gateways and VPC peering connections. | • High network quality. • Ready-to-use. The service takes effect immediately after configuration. | The network latency and availability depend on the Internet. |

  • Remote access to a VPC

    | Service | Description | Benefit | Limit |
    | --- | --- | --- | --- |
    | VPN Gateway (with SSL-VPN) | You can connect a client to a VPC by using the SSL-VPN feature. | • Low cost. • Reliability. • Easy configuration and deployment. | None |
    | SSL-VPN software deployment | You can purchase SSL-VPN software and deploy the SSL-VPN software in a VPC. Then, you can connect to the VPN server from a client. | Multiple types of SSL-VPN software and images are supported. | • Low reliability. • High costs. • Manual deployment and maintenance. |

Connect VPCs

You can deploy applications in VPCs in different regions. This way, services can be provided to the nearest regions and the network latency is low. Services in the VPCs can back up each other, which improves the availability of the system.

CEN and VPN Gateway can enable communication among VPCs in the same region or in different regions.

Connect a data center to a VPC

You can connect a data center to a VPC to build a hybrid cloud. After a secure and reliable connection is established between your data center and the VPC, you can seamlessly migrate on-premises IT infrastructure resources to Alibaba Cloud by using computing, storage, networking, CDN, and BGP resources that are provided by Alibaba Cloud. This helps you to handle business fluctuations.

You can connect a data center to a VPC by using Express Connect circuits, VPN gateways, and CEN instances.

  • Express Connect

    Express Connect provides dedicated circuits to establish connections. After an Express Connect circuit is used to connect to Alibaba Cloud, you can create a VBR and connect your data center to Alibaba Cloud. This way, you can build a hybrid cloud and access your data center over a private network.

    An Express Connect circuit connects your data center to Alibaba Cloud over a private network. Compared with Internet-based connections, connections over Express Connect circuits reduce network latency, enhance security, and improve reliability.

    For more information, see Connect a data center to a VPC by using an Express Connect circuit.

  • VPN Gateway

    VPN Gateway can be used to connect data centers, office networks, and terminals to VPCs by using an encrypted tunnel in a secure and reliable manner. By default, VPN Gateway supports the active-standby mode in which two VPN gateways are used. In this mode, the system performs failovers when one VPN gateway becomes faulty. You can use VPN gateways to establish IPsec-VPN connections between your data center and VPCs.

    For more information, see IPsec-VPN overview.

  • CEN

    CEN supports automatic route advertisement and learning to connect resources in a hybrid cloud. After you attach the VBR that is associated with your data center to a CEN instance, the data center can communicate with other network instances that are attached to the CEN instance, such as VPCs and VBRs.

    For more information, see Use Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks.

  • SAG

    SAG is an all-in-one solution that can be used to connect your workloads to Alibaba Cloud. You can use SAG to connect private networks to Alibaba Cloud over the Internet. The connections established by SAG are secure and reliable.

    You can purchase SAG instances for your data center and attach the CCN instance that is associated with the SAG instances to the CEN instance. This allows you to connect your data center to Alibaba Cloud.

    For more information, see Deploy an SAG device in inline mode.

  • VPN software deployment

    Alibaba Cloud provides various types of VPN software and images. You can purchase VPN software and deploy the VPN software on an ECS instance. Then, you can connect your data center to the VPC over the Internet by using an elastic IP address (EIP).

Connect multiple sites

You can connect multiple sites by using SAG or the VPN-Hub feature of VPN Gateway.

  • SAG

    SAG is an all-in-one solution that can be used to connect your workloads to Alibaba Cloud. You can use SAG to connect private networks to Alibaba Cloud over the Internet. The connections established by SAG are secure and reliable.

    You can purchase SAG instances for branch offices and attach the SAG instances to a CCN instance. Then, the branch offices can communicate with each other.

  • VPN Gateway

    The IPsec-VPN feature of VPN Gateway provides site-to-site VPN connections. Each VPN gateway supports at most 10 IPsec-VPN connections. You can purchase a VPN gateway and establish connections among up to 10 data centers or branch offices in different regions.

    You can create multiple site-to-site IPsec connections among sites, or between sites and VPCs by using VPN-Hub. VPN-Hub allows large enterprises to establish private connections across branch offices that run business in different regions.

    By default, the VPN-Hub feature is enabled. You only need to configure an IPsec-VPN connection between each branch office and Alibaba Cloud. No additional configurations or payments are required. Each VPN gateway supports up to 10 IPsec-VPN connections, which means that you can connect up to 10 branch offices in different regions by using one VPN gateway. The following figure shows how to establish connections among the branch offices in Shanghai, Hangzhou, and Ningbo by using a VPN gateway.

    For more information, see Connect multiple offices to each other and to a VPC.

  • Build a high-speed global network

    You can establish connections among applications and branch offices worldwide by using VPC peering connections and VPN gateways. This solution ensures secure communication and optimal network quality, and minimizes your costs.

    The following figure shows how to establish connections among the branch offices that are connected to the VPC in the US (Virginia) region and the VPC in the China (Shanghai) region. You can deploy applications in both VPCs and connect the two VPCs by using a VPC peering connection. Then, you can connect the branch offices to each VPC by using the IPsec-VPN tunnel.

Remote access to a VPC

The SSL-VPN feature of VPN Gateway provides point-to-site VPN connections. You can use a client to access a VPC without the need to configure a gateway. You can deploy internal applications in a VPC and enable access to the applications by using SSL-VPN connections over internal networks. For example, on-site IT staff must connect to the VPC over an internal network to perform O&M operations. Remote access is allowed for the applications in the VPC.

VPN gateways and VPN software and images from Alibaba Cloud Marketplace can be used to achieve remote access to VPCs.

  • VPN Gateway (SSL-VPN)

    You can use the SSL-VPN feature to connect a client to applications and services that are deployed in a VPC. After you deploy the applications and services, you can load the SSL client certificate to your client and initiate an SSL-VPN connection between the client and the VPC. By default, VPN gateways support the active-standby mode in which two VPN gateways are used. In this mode, the system automatically performs failovers when one VPN gateway becomes faulty.

    For more information, see Connect a client to a VPC.

  • Installation and deployment of SSL-VPN software

    For more information, see Connect a client to a VPC.