Overview
Background information
With the rapid development of cloud computing, more and more enterprises build complex network architectures for different business scenarios. Enterprises are transitioning to finer-grained operations and management and focus on network security, scalability, and disaster recovery. Designing a network that interconnects multiple virtual private clouds (VPCs) is particularly important for network efficiency, security, and availability. This topic describes how to use VPC peering connections and transit routers to build a high-efficiency, high-security, and high-availability network architecture that contains multiple VPCs in the same region on Alibaba Cloud. It is a well-architected design solution that focuses on the requirements and business scenarios of different customers.
Terms
VPC: VPCs are custom private networks that customers create on Alibaba Cloud. VPCs are isolated from each other. You can specify CIDR blocks, subnets, and route tables for your VPC.
VPC peering connection: A VPC peering connection is a network connection between two VPCs. VPC peering connections support IPv4 and IPv6 network communication. You can create peering connections to connect VPCs that are in the same region or in different regions and that belong to the same Alibaba Cloud account or to different Alibaba Cloud accounts.
Cloud Enterprise Network (CEN): CEN supports custom communication, isolation, and redirection policies in regions to help you build flexible, reliable, large-scale, and enterprise-class global networks.
Transit router: Transit routers are a type of CEN component. They are routers that connect different VPCs, VPN gateways, virtual border routers (VBRs), and cloud services. Transit routers support highly flexible routing features. For example, you can use multiple route tables and advanced routing policies to manage traffic forwarding in a complex network environment. Transit routers are key components if you want to design a complex network architecture that contains multiple VPCs across accounts. You can use transit routers to manage and control network traffic between different networks and simplify the network architecture and operations.
Solution highlights
Sustainable architecture: As customers deploy more and more businesses in the cloud, additional VPC connections, route entries, and security policies can be added without changing the architecture.
Secure and limited access: To implement finer-grained permission management and access control, communication between VPC CIDR blocks is established only on demand to protect sensitive data and systems from unauthorized access.
High service performance: Networks are designed based on business requirements. For example, the network topology is customized for a specific application, or network performance is optimized based on the traffic pattern.
Key design
VPC peering connections and transit routers have different advantages. When you deploy multiple VPCs in the same region, take your business requirements into consideration.
VPC peering connections are suitable for environments that have simple network architectures, low traffic volumes, and low scalability requirements. In addition, VPC peering connections support direct and low-latency access. Therefore, VPC peering connections reduce operation complexity and costs.
Transit routers are suitable for scenarios that require large-scale network communication, high reliability, high scalability, and flexible route management. Transit routers incur higher costs but provide more advanced features and greater operational flexibility. If your network architecture contains a large number of VPCs, you must take security, reliability, performance, cost optimization, and deployment optimization into consideration. Transit routers are more suitable if you value the preceding key benefits of the Well-Architected Framework.
Security
VPC-to-VPC communication: In addition to security groups and network access control lists (ACLs), you can configure routing policies on transit routers to manage traffic forwarding. This allows unified security policies and monitoring to be implemented. You can integrate transit routers with Cloud Firewall to isolate data and enhance security between different business units.
Multiple route tables for a transit router: A transit router supports multiple route tables. You can use different route tables to isolate network traffic among the public, production, test, and development environments. Each VPC can be associated with specific route tables and routing policies so that you can control access between different environments. A transit router supports multiple route tables to allow you to define the vSwitches that can access the Internet, the vSwitches that can be accessed only within private networks, and the vSwitches that can access each other.
Service chain: A service chain is a set of network services, such as firewalls, intrusion detection systems, and load balancers, that are applied to traffic in a specific order. Service chains improve security and compliance because you can use a service chain to specify security checkpoints for network traffic. For example, you can redirect all inbound or outbound traffic to Cloud Firewall, which filters the traffic to allow only trusted traffic.
Isolation by transit routers: You can use different transit routers to isolate network environments, such as the production, development, and network management environments. You can also use transit routers to isolate networks between subsidiaries. Each transit router supports route tables and security policies to implement finer-grained network isolation and access control. This design is commonly used by enterprises that have complex organization structures in which networks must be isolated between different departments or business lines so that internal governance and compliance requirements can be met.
Performance
VPC peering connections support direct and stable access. You can configure static routes to reduce the network distance and improve network reliability. VPC peering connections support higher availability and easier management in simple network topologies.
Transit routers support dynamic routing and failover, which improve network redundancy. VPC peering connections are point-to-point connections, whereas transit routers support more complex network communication to improve network reliability. In addition, transit routers support resource management at the zone level. You can select the transit router in the zone of your resource to reduce forwarding latency and build a high-availability architecture with a clear topology.
Elasticity
VPC peering connections support low network latency and are more suitable for latency-sensitive applications. VPC peering connections provide the most direct data transmission among VPCs in the same region.
Transit routers support high-speed data transmission among VPCs and can dynamically select the optimal route based on network status. Transit routers are suitable for scenarios that use large-scale and complex network architectures or require a high throughput capacity. The maximum bandwidth between a network instance and a transit router in the China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), and Singapore regions is 50 Mbit/s. The maximum bandwidth in other regions is 10 Gbit/s.
Observability
VPC peering connections allow you to use flow logs and Simple Log Service to analyze traffic between VPCs.
You can use Network Intelligence Service (NIS) to discover transit routers, manage the topology, monitor the performance between VPCs in the same region, and analyze VPC traffic. NIS is integrated with Artificial Intelligence for IT Operations (AIOps) methods such as machine learning and knowledge graphs to simplify network management and implement automated O&M. NIS allows network architects and O&M engineers to design and use networks with higher efficiency.
Best practices
After you deploy multiple VPCs in the same region, maintaining high-efficiency connections between the VPCs is of great importance. Both VPC peering connections and transit routers are applicable. VPC peering connections are point-to-point connections. Transit routers are more suitable for complex network environments, such as multi-VPC communication, cross-account communication, and advanced routing. By properly configuring transit routers, you can flexibly adjust and optimize traffic paths to ensure network scalability and security.
Simple network communication scenarios
In the following simple network communication scenario, two business units are deployed in separate VPCs. VPC peering connections are used to establish secure network communication while maintaining isolation between the business units. This architecture is stable and efficient provided that the network does not need to scale out in the long term. VPC A and VPC B can share resources and access each other. When both VPC A and VPC B are associated with an IPv6 CIDR block, you can add IPv4 and IPv6 routes to the route tables of the VPCs. Users can access the VPCs over IPv4 routes or IPv6 routes based on their requirements.
Complex network communication scenarios
Demilitarized zone (DMZ): A DMZ is a security buffer for networks. A DMZ typically contains external-facing and internal-facing service components, such as DDoS protection, Web Application Firewall (WAF), NAT Gateway, Server Load Balancer (SLB), and frontend servers. A DMZ is an intermediate layer between an internal network, such as the production environment, and external networks, such as the Internet. DMZs enhance network security.
Shared services: Such services are shared by multiple environments. For example, identity authentication services, log management services, and internal DNS resolution services can be accessed by different environments. Shared services eliminate the need to deploy the same services repeatedly.
Production environment: A production environment hosts running business applications and services with the highest level of security control and monitoring. You must strictly monitor and manage your production environment to ensure high availability and performance. You can use different VPCs to distinguish between different businesses and projects.
Development environment: A development environment is isolated from the production environment and is used by developers for code writing and preliminary testing. This prevents development activities from affecting services in the production environment. You can use different VPCs to distinguish between different businesses and projects.
Test environment: As an in-depth testing area, the test environment simulates the production environment for integration testing, performance testing and user acceptance testing to ensure that issues are detected before actual deployment.
Security VPC: A security VPC hosts security-related tools and services, such as east-west firewalls, intrusion detection systems (IDS), and cloud security scanners, to monitor and protect the entire multi-VPC architecture.
O&M and VPN integration area: An area that allows O&M engineers to remotely access the cloud environment. This area typically contains VPN services and remote access tools, such as Elastic Desktop Service (EDS), that allow you to control access to cloud services.
Scenario 1: Single-plane networking
Use transit routers to connect multiple VPCs, and establish communication between the VPCs based on business requirements. Create a DMZ VPC to manage all inbound and outbound Internet traffic. Add route entries to transit router route tables and create routing policies to control access among the production, development, and test environments.
Scenario 2: Multi-plane networking
A corporation maps its organization structure to a three-layer network layout: corporation, subsidiary, and business unit. This layout requires a multi-plane structure. Multi-plane structures typically use one of the following strategies to split planes: multiple transit routers, or multiple transit router route tables. A plane can be split horizontally or vertically. Horizontal splitting is ideal for centralized O&M: the network is split into production, development, test, and shared-service planes. Vertical splitting is ideal for subsidiaries that have independent O&M teams: the network is split by subsidiary.
Multi-plane networking based on multiple transit routers
A multi-plane network that contains multiple VPCs is created by using transit routers. Environments are isolated from each other. Only the shared-service VPC is connected to other VPCs on all planes. As shown in the following figure, Transit Router-1 is used to build a network on Plane 1. Transit Router-2 is used to build a network on Plane 2. Only the shared-service VPC can access VPCs connected to Transit Router-1 or Transit Router-2.
Multi-plane networking based on multiple transit router route tables
The network is divided into multiple planes based on transit router route tables. The VPC of each subsidiary is associated with a separate transit router route table. Network communication among the VPCs is controlled based on the routes in the transit router route tables and routing policies. Meanwhile, you can use an Internet route table to control traffic forwarding of the DMZ VPC, which functions as the egress and ingress of north-south Internet traffic for the VPC of each subsidiary.
Scenarios
Simple networking for businesses: ideal for simple cloud network structures that require direct communication between Business A and Business B, such as simple service calls that do not require high security or elasticity.
Standard networking in the cloud: ideal for medium-scale and large-scale corporations that have diverse business units and require different communication modes, such as full communication, limited communication, and isolation. Such communication modes require high network reliability, security, and elasticity to support rapid business development and centralized network management.
Terraform references
Simple networking by using VPC peering connections
Item | References |
Website of Terraform modules | |
GitHub URL | |
Examples |
Coding process:
Create VPCs in the cloud.
Create VPC peering connections and configure routes to establish network communication between the VPCs.
Required resources:
Three VPCs
Three VPC peering connections
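The coding process above, as an added Terraform example that is not part of this page or of the Alibaba Cloud Terraform modules it references. It joins two VPCs in one region with a peering connection and adds the route in each direction; resource and attribute names are assumed to follow the alicloud provider schema, and the region, CIDRs, and names are constructed.

```hcl
provider "alicloud" {
  region = "cn-beijing"
}

data "alicloud_account" "current" {}

resource "alicloud_vpc" "a" {
  vpc_name   = "vpc-business-a"
  cidr_block = "10.1.0.0/16"
}

resource "alicloud_vpc" "b" {
  vpc_name   = "vpc-business-b"
  cidr_block = "10.2.0.0/16"
}

# Same-account, same-region peering. The accepting_* fields identify VPC B;
# with a different account, that account's UID would go in accepting_ali_uid.
resource "alicloud_vpc_peer_connection" "a_to_b" {
  peer_connection_name = "peer-business-a-b"
  vpc_id               = alicloud_vpc.a.id
  accepting_ali_uid    = data.alicloud_account.current.id
  accepting_region_id  = "cn-beijing"
  accepting_vpc_id     = alicloud_vpc.b.id
}

# A peering connection forwards nothing until each VPC's route table points the
# peer's CIDR at it. Use the peer's exact CIDR rather than a broad summary so the
# peering exposes only the intended range.
resource "alicloud_route_entry" "a_to_b" {
  route_table_id        = alicloud_vpc.a.route_table_id
  destination_cidrblock = alicloud_vpc.b.cidr_block
  nexthop_type          = "VpcPeer"
  nexthop_id            = alicloud_vpc_peer_connection.a_to_b.id
}

resource "alicloud_route_entry" "b_to_a" {
  route_table_id        = alicloud_vpc.b.route_table_id
  destination_cidrblock = alicloud_vpc.a.cidr_block
  nexthop_type          = "VpcPeer"
  nexthop_id            = alicloud_vpc_peer_connection.a_to_b.id
}
```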
Complex networking by using multiple transit router route tables
Item | References |
Website of Terraform modules | Complex networking by using multiple transit router route tables |
GitHub URL | Complex networking by using multiple transit router route tables |
Examples |
Coding process:
Divide the production, test, and DMZ environments, and deploy multiple VPCs and vSwitches in each environment.
Create a CEN instance and a transit router. Attach the VPCs to the CEN instance by connecting the VPCs to the transit router.
Create a transit router route table for each environment, and add routes to each route table to isolate environments or establish network communication between them.
Associate the transit router route tables with the attachments on the transit routers.
Required resources:
5 VPCs
15 vSwitches
1 CEN instance
1 transit router
5 transit router attachments
3 transit router route tables
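The route-table steps of the coding process above, and the multiple-route-table isolation described under Security, as an added Terraform example that is not part of this page or of the Alibaba Cloud Terraform modules. It assumes an existing transit router and one VPC attachment per environment (their IDs are passed in as constructed placeholders), and builds only the route tables: production and development each reach the shared-service VPC, but no route exists between production and development. Resource and attribute names are assumed to follow the alicloud provider schema.

```hcl
variable "transit_router_id" { type = string }

# Constructed inputs: attachment ID and VPC CIDR per environment.
variable "envs" {
  type = map(object({ attachment_id = string, cidr = string }))
  default = {
    prod   = { attachment_id = "tr-attach-prod-placeholder",   cidr = "10.10.0.0/16" }
    dev    = { attachment_id = "tr-attach-dev-placeholder",    cidr = "10.20.0.0/16" }
    shared = { attachment_id = "tr-attach-shared-placeholder", cidr = "10.30.0.0/16" }
  }
}

# Allow-list of reachable destinations per source table. Any pair not listed
# here (prod -> dev, dev -> prod) has no route and is dropped by the router.
locals {
  reach = {
    prod   = ["shared"]
    dev    = ["shared"]
    shared = ["prod", "dev"]
  }
  routes = merge([
    for tbl, dsts in local.reach : {
      for dst in dsts : "${tbl}-${dst}" => { table = tbl, dst = dst }
    }
  ]...)
}

# One custom route table per environment (plane).
resource "alicloud_cen_transit_router_route_table" "env" {
  for_each                        = var.envs
  transit_router_id               = var.transit_router_id
  transit_router_route_table_name = "rt-${each.key}"
}

# Traffic entering from an attachment is looked up in the table it is associated with.
resource "alicloud_cen_transit_router_route_table_association" "env" {
  for_each                      = var.envs
  transit_router_route_table_id = alicloud_cen_transit_router_route_table.env[each.key].transit_router_route_table_id
  transit_router_attachment_id  = each.value.attachment_id
}

# Static entries only (no route propagation), so each table holds exactly the allow-list.
resource "alicloud_cen_transit_router_route_entry" "allow" {
  for_each                                          = local.routes
  transit_router_route_table_id                     = alicloud_cen_transit_router_route_table.env[each.value.table].transit_router_route_table_id
  transit_router_route_entry_destination_cidr_block = var.envs[each.value.dst].cidr
  transit_router_route_entry_next_hop_type          = "Attachment"
  transit_router_route_entry_next_hop_id            = var.envs[each.value.dst].attachment_id
}
```

Route propagation is deliberately left off; enabling it on these tables would teach every table all attached CIDRs and undo the isolation. Each VPC's own route table still needs a route that sends traffic for the other environments' CIDRs to its transit router attachment.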
Visualize the architecture on CADT
Simple networking by using VPC peering connections
Scenario | Item | References |
Simple networking | Template ID | CUMEUBXUD20D4IQ3 |
Template library address | ||
Sample code | WA - Deploy multiple VPCs in a region - Simple network communication scenarios |
Visualized deployment architecture
Procedures
Visualized deployment
Create the required cloud resources, including three VPCs, three vSwitches, and three VPC peering connections.
Create an application based on a template. The default region is China (Beijing). Create the cloud resources, instead of using existing cloud resources.
Save and verify the application, and calculate the fees. In this example, all cloud resources are billed on a pay-as-you-go basis.
Confirm the configurations, select a protocol, and start the deployment of all resources. Routes are automatically configured.
API calls
Call the corresponding API operations to deploy and use cloud resources.
Refer to the documentation to initialize the configurations by using a command-line interface (CLI).
Refer to the sample YAML file to deploy and output the architecture.
If you want to change the region, change the value of the area_id field. For example, change cn-beijing to cn-shanghai.
Complex networking by using multiple transit router route tables
Scenario | Item | References |
Complex networking | Template ID | S5JCNNWUFQMSZFQ9 |
Template library address | ||
Sample code | WA - Deploy multiple VPCs in a region - Complex network communication scenarios |
Visualized deployment architecture
Procedures
Visualized deployment
Create required cloud resources, including 4 VPCs, 12 vSwitches, and 1 CEN instance.
Create an application based on a template. The default region is China (Beijing). Create the cloud resources, instead of using existing cloud resources.
Save and verify the application, and calculate the fees. In this example, all cloud resources are billed on a pay-as-you-go basis.
Confirm the configurations, select a protocol, and start the deployment of all resources. Routes are automatically configured.
API calls
Call the corresponding API operations to deploy and use cloud resources.
Refer to the documentation to initialize the configurations by using a command-line interface (CLI).
Refer to the sample YAML file to deploy and output the architecture.
If you want to change the region, change the value of the area_id field. For example, change cn-beijing to cn-shanghai.