A virtual private cloud (VPC) is dedicated to you on Alibaba Cloud. Alibaba Cloud provides various products and services that can be deployed in a VPC, such as Express Connect, VPN Gateway, Cloud Enterprise Network (CEN), and Smart Access Gateway (SAG).

The following table describes the different solutions to connect Alibaba Cloud services to a VPC.

Establish connections between VPCs

Service: CEN
Solution: Establishes connections between VPCs in different regions or under different accounts.
Benefit:
  • Enables simple configurations and supports automatic route learning and distribution.
  • Supports low latency and efficient transmission.
  • Allows instances such as VPCs and VBRs that are attached to the same CEN instance to communicate with each other.
  • Supports free communication between instances that are deployed in the same region.
Limit: -

Service: Express Connect
Solution: Supports peering connections between VPCs.
Benefit:
  • Supports free connections between VPCs in the same region.
Limit: -

Connect a VPC to an on-premises data center

Service: VPN Gateway
Scenario: Connects an on-premises data center to a VPC through an Internet-based and encrypted IPsec-VPN tunnel.
Benefit:
  • Minimizes the costs.
  • Ensures secure connections.
  • Immediately applies the latest configurations.
Limit:
  • Network latency and availability depend on the conditions of the Internet.

Service: CEN
Scenario: Enables communication among resources that are attached to the same CEN instance. The communication is implemented based on automatic route learning and distribution.
Benefit:
  • Enables simple configurations and supports automatic route learning and distribution.
  • Low latency and high speed.
  • The network instances (VPCs/VBRs) that are attached to the same CEN instance are all connected with each other.
  • Connecting networks in the same region is free of charge.
Limit: -

Service: SAG
Scenario: Connects an on-premises data center to Alibaba Cloud.
Benefit:
  • Supports the out-of-the-box feature to ensure automatic configuration.
  • Builds a secure hybrid cloud. Data transmission among VPCs and over the Internet is encrypted.
  • Connects to nearby access points in a metropolitan area network. On-premises networks can be connected to Alibaba Cloud through primary and secondary connections or devices.
Limit: -

Service: Express Connect
Scenario: Connects an on-premises data center and a VPC by using the physical connections of Express Connect.
Benefit:
  • Ensures optimal network quality.
  • Provides a high bandwidth.
Limit:
  • Requires high initial setup costs.
  • The service activation takes a long time.

Service: VPN software in the Alibaba Cloud Marketplace
Scenario: Allows you to purchase a VPN gateway in the Alibaba Cloud Marketplace and deploy the VPN gateway in the VPC. You can connect an on-premises data center to the VPC through an Internet-based and encrypted IPsec-VPN tunnel.
Benefit:
  • Ensures secure connections.
  • Supports multiple types of VPN software to meet your business requirements.
  • Configurations take effect immediately.
Limit:
  • Requires manual deployment and maintenance of the VPN gateway.
  • The network latency and availability depend on the quality of the Internet connection.

Connect multiple sites

Service: VPN Gateway
Scenario: Establishes secure communication among multiple sites by using the VPN gateway. Supports the VPN-Hub feature to enable communication among sites and between sites and VPCs.
Benefit:
  • Low cost.
  • Zero touch provisioning (ZTP), and configurations immediately take effect.
Limit: None

Service: SAG + Express Connect
Scenario: Allows you to purchase and configure SAGs for local branches. Then, you can add the SAGs to a cloud connect network (CCN).
Benefit:
  • Supports the out-of-the-box feature to ensure automatic configuration.
  • Enables encrypted connections over a private network between local branches and Alibaba Cloud. Encryption and authentication are required for transmission over the Internet.
  • Access to nearby access points in a metropolitan area network is supported. On-premises networks can be connected to Alibaba Cloud by using primary and secondary connections and devices.
Limit: None

Service: VPN Gateway
Scenario: Allows you to run interconnected applications and offices worldwide by using VPN Gateway and Express Connect.
Benefit:
  • High network quality.
  • Zero touch provisioning (ZTP), and configurations immediately take effect.
Limit:
  • The network latency and availability depend on the quality of the Internet connection.

Remote access to a VPC

Service: VPN Gateway (SSL-VPN)
Scenario: Uses the SSL-VPN feature to access a VPC from a remote client.
Benefit:
  • Low cost.
  • Reliable.
  • Enables simple configuration and deployment.
Limit: -

Service: SSL-VPN software in the Alibaba Cloud Marketplace
Scenario: After you purchase SSL-VPN software from the Alibaba Cloud Marketplace, you can deploy it in a VPC. You can access the VPN server from a remote client.
Benefit:
  • Supports multiple types of SSL-VPN software and images.
Limit:
  • High cost.
  • Low reliability.
  • Requires manual deployment and maintenance of the SSL-VPN software.

Connect VPCs

You can run applications within the same VPC that are deployed in multiple regions. This enables access to the applications from the locations closest to users. This also minimizes the network latency and ensures high reliability based on redundant connections.

You can use CEN and VPN Gateway to connect VPCs in the same region or in different regions.

  • CEN

    CEN can be used to establish internal connections and connect resources within multiple VPCs based on automatic route distribution and learning. This allows you to accelerate network convergence and improve the quality and security of cross-network communication.

  • VPN Gateway

    VPN Gateway is an Internet-based service that securely and reliably connects enterprise data centers, corporate networks, or Internet clients to a VPC through encrypted tunnels over the Internet. The hot-standby architecture of VPN Gateway ensures automatic failovers within a few seconds. You can use a VPN gateway to establish IPsec-VPN connections between your on-premises data centers and VPCs.

Connect a VPC to an on-premises data center

You can connect a VPC to an on-premises data center to build a hybrid cloud. You can establish secure and reliable connections between the VPC and the on-premises data center. This allows you to integrate the computing, storage, network, CDN and BGP resources of Alibaba Cloud with your IT infrastructure and support the scaling of workloads.

You can connect an on-premises data center to a VPC by using Express Connect, VPN Gateway, or CEN.
  • Express Connect

    Express Connect supports connections through leased lines. After a leased line is connected to an Alibaba Cloud access point, you can create a VBR to connect your on-premises data center with Alibaba Cloud. This way, you can build a hybrid cloud to enable connections over a private network, instead of the Internet.

    Physical connections of Express Connect support communication over private networks, instead of the Internet. This optimizes user experience in terms of security, reliability, transmission rate, and latency.

  • VPN Gateway

    VPN Gateway is an Internet-based service that securely and reliably connects enterprise data centers, corporate networks, or Internet clients with an Alibaba Cloud VPC through encrypted tunnels over the Internet. The hot-standby architecture of VPN Gateway ensures automatic failovers within a few seconds. You can use VPN Gateway to establish IPsec-VPN connections between your on-premises data centers and VPCs.

  • CEN

    CEN can be used to establish internal connections and connect resources within multiple VPCs based on automatic route distribution and learning. After you attach the VBR that is associated with an on-premises data center to a CEN instance, the on-premises data center can communicate with all cloud resources that are attached to the same CEN instance based on VPCs or VBRs.

  • SAG

    Smart Access Gateway provides an end-to-end cloud deployment solution. SAG allows enterprises to connect to the nearest access points of VPC through encrypted connections over the Internet. SAG provides more intelligent, reliable, and secure connections to the cloud.

    You can buy SAG devices for the on-premises data center, and attach the CCN instance that is associated with the devices to the CEN instance. This allows you to connect the on-premises data center to Alibaba Cloud.

  • VPN software in the Alibaba Cloud Marketplace

    The Alibaba Cloud Marketplace provides various types of VPN software and images. You can purchase the required VPN software from the Alibaba Cloud Marketplace and deploy it on your ECS instance. Then you can use an elastic IP address (EIP) to connect the VPC to the gateway of your on-premises data center through the Internet.

Connect multiple sites

You can connect multiple sites by using SAG or the VPN-Hub feature of VPN Gateway.

  • SAG

    SAG is an all-in-one solution for connecting your workloads to Alibaba Cloud. SAG allows enterprises to connect to the nearest access points of VPCs through encrypted connections over the Internet. SAG supports more intelligent, reliable, and secure connections to the cloud.

    You can purchase SAG devices for local branches, and attach the CCN instance associated with the devices to the CEN instance. This allows you to connect the local branches.

  • VPN Gateway

    The IPsec-VPN feature of VPN Gateway provides site-to-site VPN connections. Each VPN gateway supports up to 10 IPsec-VPN connections. You can purchase a VPN gateway to establish connections among up to 10 on-premises data centers or branches in different regions.

    You can create multiple site-to-site IPsec connections among sites, or between sites and VPCs by using VPN-Hub. VPN-Hub allows large enterprises to establish internal connections across offices that run business in different regions.

    By default, the VPN-Hub function is enabled. You must configure the IPsec-VPN connection between each office site and Alibaba Cloud. No additional configurations or payments are required. A VPN gateway supports up to 10 IPsec connections. You can connect 10 office sites in different areas by using one VPN gateway. The following figure shows how to establish connections among the offices in Shanghai, Hangzhou, and Ningbo by using a VPN gateway.

  • Build a high-speed global network

    You can run applications and offices worldwide by using VPN Gateway and Express Connect. This ensures secure transmission and optimal network quality, and minimizes the costs of your business.

    The following figure shows how to establish connections among the offices that are connected to the VPC in the US (Virginia) region and the VPC in the China (Shanghai) region. You can run applications in both VPCs, connect the VPCs by using Express Connect, and connect the offices to each VPC by using IPsec-VPN.

Remote access to a VPC

The SSL-VPN feature of VPN Gateway provides point-to-site VPN connections. You can use a client to access a VPC without the need to configure a gateway. You can deploy internal applications in a VPC and enable access to the applications through SSL-VPN connections over internal networks. For example, network maintenance and management can be implemented through the connections between an office and the VPC. Remote access is allowed for the applications in the VPC.

Either VPN Gateway or VPN software or images from the Alibaba Cloud Marketplace can be used to achieve remote access to the VPC.

  • VPN Gateway (SSL-VPN)

    You can create an SSL-VPN connection to connect a remote client to applications and services that are deployed in a VPC. After you deploy your applications or services, you must import the certificate to the client to initiate a connection. The hot-standby architecture of the SSL-VPN server ensures automatic failovers within a few seconds.

  • Purchase SSL-VPN software in Alibaba Cloud Marketplace

    The Alibaba Cloud Marketplace provides various types of SSL-VPN software and images. You can purchase the required SSL-VPN software from the Alibaba Cloud Marketplace and deploy it on your ECS instance. Then you can use an EIP to connect the VPC to a client over the Internet.