Use Cloud Enterprise Network (CEN) or VPN Gateway to connect ApsaraMQ for Kafka instances deployed in different virtual private clouds (VPCs).
CEN compared with VPN Gateway
| Dimension | CEN | VPN Gateway |
|---|---|---|
| Connection type | Private network | Encrypted tunnel over the Internet |
| Latency | Low (private backbone) | Higher (Internet-dependent) |
| Availability | At least four standby connections between nodes with automatic failover | Hot-standby architecture with failover in seconds |
| Setup | Automatic route distribution and learning | Out-of-the-box, immediately effective |
When to use CEN:
- Production workloads that need low latency and high throughput between VPCs
- Multi-region deployments that require consistent network quality
- Environments where automatic route management reduces operational overhead
When to use VPN Gateway:
- Cost-sensitive environments where Internet-level latency is acceptable
- Point-to-point connections between two VPCs
- Scenarios where encrypted Internet-based tunnels meet your security requirements
CEN
CEN establishes private channels between VPCs with automatic route distribution and learning, which accelerates network convergence and improves quality and security in cross-network communication.
A CEN instance connects VPCs that belong to the same or different Alibaba Cloud accounts:
| Scenario | Configuration guide |
|---|---|
| VPCs in the same account | Use Basic Edition transit routers to connect VPCs in the same region |
| | Use CEN and Basic Edition transit routers to connect VPCs in different regions and Alibaba Cloud accounts |
CEN provides the following capabilities:
- Global reach: Access points and nodes in more than 60 regions worldwide with automatic route convergence across all connected networks. CEN can also connect the network resources of enterprises that are connected to Alibaba Cloud. IP addresses must be unique and non-conflicting across connected VPCs.
- Low latency: Private backbone connections deliver lower latency than Internet-based alternatives. Data is transferred at the highest rate supported by the device ports.
- High availability: At least four standby connections between any two nodes. If a connection fails, traffic automatically shifts to a standby path without service interruption or network jitter.
- Automatic route management: Controllers automatically learn and distribute routes among nodes. Built-in monitoring detects route conflicts caused by system changes.
For more information, see What is CEN?
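The requirement above that IP addresses be unique and non-conflicting across connected VPCs can be checked before any VPC is attached to a CEN instance. The following pre-flight check is an added example, not part of the original documentation or of any Alibaba Cloud tooling; the function name, the VPC identifiers, and the CIDR blocks are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def find_cidr_conflicts(vpcs):
    """Return (vpc_a, vpc_b, cidr_a, cidr_b) for every pair of overlapping
    blocks that belong to different VPCs.

    vpcs maps a VPC identifier to the list of CIDR blocks it uses.
    Raises ValueError for a malformed block or one with host bits set.
    """
    nets = []
    for vpc_id, cidrs in vpcs.items():
        for cidr in cidrs:
            # strict=True rejects sloppy inventory entries such as 10.0.0.1/16
            nets.append((vpc_id, ipaddress.ip_network(cidr, strict=True)))

    conflicts = []
    for (id_a, net_a), (id_b, net_b) in combinations(nets, 2):
        if id_a == id_b:
            continue  # blocks inside one VPC are that VPC's own concern
        if net_a.version != net_b.version:
            continue  # an IPv4 block never collides with an IPv6 block
        # overlaps() is true for identical, nested, and partially shared ranges
        if net_a.overlaps(net_b):
            conflicts.append((id_a, id_b, str(net_a), str(net_b)))
    return conflicts


# Constructed inventory: three VPCs that are candidates for one CEN instance.
SAMPLE_VPCS = {
    "vpc-a": ["10.0.0.0/16"],
    "vpc-b": ["10.0.128.0/20", "172.16.0.0/24"],
    "vpc-c": ["192.168.0.0/24", "172.16.0.0/16"],
}

if __name__ == "__main__":
    for vpc_a, vpc_b, cidr_a, cidr_b in find_cidr_conflicts(SAMPLE_VPCS):
        print(f"conflict: {vpc_a} {cidr_a} overlaps {vpc_b} {cidr_b}")
```

Nested ranges are reported as well as identical ones: in the sample, `10.0.128.0/20` in vpc-b sits entirely inside `10.0.0.0/16` in vpc-a, which a comparison of the CIDR strings alone would miss.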
VPN Gateway
VPN Gateway creates route-based IPsec-VPN connections between VPCs over the Internet, providing secure and reliable communication through encrypted tunnels.
VPN Gateway provides the following capabilities:
- Security: IKE and IPsec protocols protect data in transit.
- High availability: Hot-standby architecture supports failover in seconds, with session persistence and zero service downtime.
- Lower cost: Encrypted connections over the Internet cost less than dedicated leased lines.
- Quick setup: Ready to use immediately after configuration.
For setup instructions, see Establish IPsec-VPN connections between two VPCs.