A virtual private cloud (VPC) is dedicated to you on Alibaba Cloud. Alibaba Cloud provides various products and services that can be deployed in a VPC, such as Express Connect, VPN Gateway, Cloud Enterprise Network (CEN), and Smart Access Gateway (SAG).
The following table describes the different solutions to connect Alibaba Cloud services to a VPC.
| Scenario | Solution | Description | Additional notes |
| --- | --- | --- | --- |
| Establish connections between VPCs | CEN | Establishes connections between VPCs in different regions or under different accounts. | |
| Establish connections between VPCs | Express Connect | Supports peering connections between VPCs. | Supports free connections between VPCs in the same region. |
| Connect a VPC to an on-premises data center | VPN Gateway | Connects an on-premises data center to a VPC through an Internet-based and encrypted IPsec-VPN tunnel. | Serves your workloads with the network latency and availability that depends on the conditions of the Internet. |
| Connect a VPC to an on-premises data center | CEN | Enables communication among resources that are attached to the same CEN instance. The communication is implemented based on automatic route learning and distribution. | |
| Connect a VPC to an on-premises data center | SAG | Connects an on-premises data center to Alibaba Cloud. | |
| Connect a VPC to an on-premises data center | Express Connect | Connects an on-premises data center and a VPC by using the physical connections of Express Connect. | |
| Connect a VPC to an on-premises data center | VPN software in the Alibaba Cloud Marketplace | Allows you to purchase a VPN gateway in the Alibaba Cloud Marketplace and deploy the VPN gateway in the VPC. You can connect an on-premises data center to the VPC through an Internet-based and encrypted IPsec-VPN tunnel. | |
| Connect multiple sites | VPN Gateway | Establishes secure communication among multiple sites by using the VPN gateway. Supports the VPN-Hub feature to enable communication among sites and between sites and VPCs. | |
| Connect multiple sites | SAG + Express Connect | Allows you to purchase and configure SAGs for local branches. Then, you can add the SAGs to a cloud connect network (CCN). | |
| Connect multiple sites | VPN Gateway | Allows you to run interconnected applications and offices worldwide by using VPN Gateway and Express Connect. | The network latency and availability is dependent on the quality of the Internet connection. |
| Remote access to a VPC | VPN Gateway (SSL-VPN) | Uses the SSL-VPN feature to access a VPC from a remote client. | |
| Remote access to a VPC | SSL-VPN software in the Alibaba Cloud Marketplace | After you purchase SSL-VPN software from the Alibaba Cloud Marketplace, you can deploy it in a VPC. You can access the VPN server from a remote client. | Supports multiple types of SSL-VPN software and images. |
You can run applications within the same VPC that are deployed in multiple regions. This enables access to the applications from the locations closest to users. This also minimizes the network latency and ensures high reliability based on redundant connections.
You can use CEN and VPN Gateway to connect VPCs in the same region or in different regions.
CEN can be used to establish internal connections and connect resources within multiple VPCs based on automatic route distribution and learning. This allows you to accelerate network convergence and improve the quality and security of cross-network communication.
VPN Gateway is an Internet-based service that ensures secure and reliable connections among enterprise data centers, corporate networks, or Internet clients with a VPC through encrypted tunnels over the Internet. The hot-standby architecture of VPN Gateway ensures automatic failovers within a few seconds. You can use a VPN gateway to establish IPsec-VPN connections between your on-premises data centers and VPCs.
Connect a VPC to an on-premises data center
You can connect a VPC to an on-premises data center to build a hybrid cloud. You can establish secure and reliable connections between the VPC and the on-premises data center. This allows you to integrate the computing, storage, network, CDN and BGP resources of Alibaba Cloud with your IT infrastructure and support the scaling of workloads.
Express Connect supports connections through leased lines. After a leased line is connected to an Alibaba Cloud access point, you can create a virtual border router (VBR) to connect your on-premises data center with Alibaba Cloud. This way, you can build a hybrid cloud to enable connections over a private network, instead of the Internet.
Physical connections of Express Connect support communication over private networks, instead of the Internet. This optimizes user experience in terms of security, reliability, transmission rate, and latency.
VPN Gateway is an Internet-based service that securely and reliably connects enterprise data centers, corporate networks, or Internet clients with an Alibaba Cloud VPC through encrypted tunnels over the Internet. The hot-standby architecture of VPN Gateway ensures automatic failovers within a few seconds. You can use VPN Gateway to establish IPsec-VPN connections between your on-premises data centers and VPCs.
CEN can be used to establish internal connections and connect resources within multiple VPCs based on automatic route distribution and learning. After you attach the VBR that is associated with an on-premises data center to a CEN instance, the on-premises data center can communicate with all cloud resources that are attached to the same CEN instance based on VPCs or VBRs.
Smart Access Gateway provides an end-to-end cloud deployment solution. SAG allows enterprises to connect to the nearest access points of VPC through encrypted connections over the Internet. SAG provides more intelligent, reliable, and secure connections to the cloud.
You can buy SAG devices for the on-premises data center, and attach the CCN instance that is associated with the devices to the CEN instance. This allows you to connect the on-premises data center to Alibaba Cloud.
VPN software in the Alibaba Cloud Marketplace
The Alibaba Cloud Marketplace provides various types of VPN software and images. You can purchase the required VPN software from the Alibaba Cloud Marketplace and deploy it on your ECS instance. Then you can use an elastic IP address (EIP) to connect the VPC to the gateway of your on-premises data center through the Internet.
Connect multiple sites
You can connect multiple sites by using SAG or the VPN-Hub feature of VPN Gateway.
SAG is an all-in-one solution for connecting your workloads to Alibaba Cloud. SAG allows enterprises to connect to the nearest access points of VPCs through encrypted connections over the Internet. SAG supports more intelligent, reliable, and secure connections to the cloud.
You can purchase SAG devices for local branches, and attach the CCN instance associated with the devices to the CEN instance. This allows you to connect the local branches.
The IPsec-VPN feature of VPN Gateway provides site-to-site VPN connections. Each VPN gateway supports up to 10 IPsec-VPN connections. You can purchase a VPN gateway to establish connections among up to 10 on-premises data centers or branches in different regions.
You can create multiple site-to-site IPsec connections among sites, or between sites and VPCs by using VPN-Hub. VPN-Hub allows large enterprises to establish internal connections across offices that run business in different regions.
By default, the VPN-Hub function is enabled. You must configure the IPsec-VPN connection between each office site and Alibaba Cloud. No additional configurations or payments are required. A VPN gateway supports up to 10 IPsec connections. You can connect 10 office sites in different areas by using one VPN gateway. The following figure shows how to establish connections among the offices in Shanghai, Hangzhou, and Ningbo by using a VPN gateway.
Build a high-speed global network
You can run applications and offices worldwide by using VPN Gateway and Express Connect. This ensures secure transmission and optimal network quality, and minimizes the costs of your business.
The following figure shows how to establish connections among the offices that are connected to the VPC in the US (Virginia) region and the VPC in the China (Shanghai) region. You can run applications in both VPCs, connect the VPCs by using Express Connect, and connect the offices to each VPC by using IPsec-VPN.
Remote access to a VPC
The SSL-VPN feature of VPN Gateway provides point-to-site VPN connections. You can use a client to access a VPC without the need to configure a gateway. You can deploy internal applications in a VPC and enable access to the applications through SSL-VPN connections over internal networks. For example, network maintenance and management can be implemented through the connections between an office and the VPC. Remote access is allowed for the applications in the VPC.
Both VPN Gateway and VPN software or images from the Alibaba Cloud Marketplace can be used for remote access to the VPC.
VPN Gateway (SSL-VPN)
You can create an SSL-VPN connection to connect a remote client to applications and services that are deployed in a VPC. After you deploy your applications or services, you must import the certificate to the client to initiate a connection. The hot-standby architecture of the SSL-VPN server ensures automatic failovers within a few seconds.
Purchase SSL-VPN software in Alibaba Cloud Marketplace
The Alibaba Cloud Marketplace provides various types of SSL-VPN software and images. You can purchase the required SSL-VPN software from the Alibaba Cloud Marketplace and deploy it on your ECS instance. Then you can use an EIP to connect the VPC to a client over the Internet.