For hybrid cloud and enterprise cloud scenarios, you can use Cloud Enterprise Network (CEN) to connect your corporate intranet to a Virtual Private Cloud (VPC). CEN supports connection types such as Express Connect circuits, Smart Access Gateway (SAG), and VPN connections. This setup lets you access Alibaba Cloud services or self-managed private services over an internal network. For personal devices, you can use SSL-VPN to connect to a VPC and then access Alibaba Cloud services or self-managed services over the VPN.
Security risks
Alibaba Cloud services provide public network access. This lets you access and use the cloud from any network location. It is also easy to enable public network access for self-managed services. Although public network access is convenient, it also exposes you to potential attacks from the Internet. These attacks include DDoS, remote vulnerability exploits, and unauthorized access that uses leaked credentials. To meet core enterprise requirements for data security, unified network management, and cost control, many scenarios require access to Alibaba Cloud services over a private network instead of the Internet:
Hybrid cloud collaboration: Connect your on-premises data center to cloud resources, such as Object Storage Service (OSS) and Elastic Compute Service (ECS), using a leased line or VPN. This creates a unified private network environment. This setup simplifies data backup, disaster recovery, and unified address planning.
Corporate intranet access: Employees on the corporate intranet can access internal systems deployed on the cloud, such as ERP and OA systems. They can also use Alibaba Cloud services such as OSS. This ensures that core business operations and data are not exposed to the Internet.
Secure remote work: Remote employees must first connect to the corporate intranet through a VPN before accessing cloud resources. This approach unifies security policies and avoids the risks of logging in directly from the Internet with an account and password.
Service-to-service access on the cloud: When an ECS instance in a VPC calls an Alibaba Cloud service API, such as for auto scaling, accessing it over an internal network improves security, reduces latency, and saves on Internet traffic costs.
Alibaba Cloud provides comprehensive private connection solutions to help enterprises and individual users securely and efficiently connect to the cloud. These solutions allow you to use almost all Alibaba Cloud services in a private network environment.
Best practices
Use a VPC Endpoint to access Alibaba Cloud services from an ECS instance
Almost all Alibaba Cloud services provide public Endpoints and VPC Endpoints. ECS instances in a VPC should use VPC Endpoints to access Alibaba Cloud services. For more information, see How to call APIs over an internal network.
Example: When you use the Aliyun command-line interface (CLI) on an ECS instance in the China (Hangzhou) region to access ECS services, specify the VPC Endpoint.
# The --endpoint parameter specifies the VPC Endpoint for the China (Hangzhou) region
aliyun ecs DescribeZones --RegionId cn-hangzhou --endpoint ecs-vpc.cn-hangzhou.aliyuncs.com
Note: Alibaba Cloud services have independent VPC Endpoints in each region. Cross-region private network access is not supported. To enable cross-region private communication, you can connect the VPCs across regions and configure the routes.
Note: If you resolve a VPC Endpoint domain name, it might return a public IP address. This is a virtual IP address (VIP) used by Alibaba Cloud. The traffic does not travel over the Internet, and you cannot access the service from the Internet using these VIPs.
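The following audit helper is an added example (not code from the Alibaba Cloud documentation or CLI) that applies the two rules above to the endpoints an ECS instance is configured to call: the endpoint must be the VPC variant, and it must belong to the instance's own region. It assumes the <service>-vpc.<region>.aliyuncs.com naming shown in the ECS example and reports any other endpoint format as unrecognised rather than guessing; the sample endpoint map is constructed.

```python
from __future__ import annotations
import re

# Naming convention shown on this page:
#   public endpoint: <service>.<region>.aliyuncs.com
#   VPC endpoint:    <service>-vpc.<region>.aliyuncs.com  (e.g. ecs-vpc.cn-hangzhou.aliyuncs.com)
# Assumption: services that use a different internal-endpoint scheme do not match
# this pattern and are reported as unrecognised instead of being classified.
ENDPOINT_RE = re.compile(
    r"^(?P<service>[a-z0-9]+)(?P<vpc>-vpc)?\.(?P<region>[a-z]{2}-[a-z0-9-]+)\.aliyuncs\.com$"
)


def vpc_endpoint(service: str, region: str) -> str:
    """Build the VPC endpoint name for a service in a region (page convention)."""
    return f"{service}-vpc.{region}.aliyuncs.com"


def audit_endpoint(endpoint: str, instance_region: str) -> tuple[bool, str]:
    """Return (ok, reason) for one endpoint an ECS instance is about to call.

    Fails on public endpoints (traffic would leave the VPC for the Internet) and on
    VPC endpoints of another region (cross-region private access is not supported).
    """
    m = ENDPOINT_RE.match(endpoint.strip().lower())
    if not m:
        return False, "unrecognised endpoint format"
    service, region = m.group("service"), m.group("region")
    if not m.group("vpc"):
        return False, f"public endpoint; use {vpc_endpoint(service, region)}"
    if region != instance_region:
        return False, f"VPC endpoint of region {region}, instance is in {instance_region}"
    return True, "VPC endpoint in the instance's region"


def audit_config(endpoints: dict[str, str], instance_region: str) -> dict[str, str]:
    """Audit a {service: endpoint} map; return the reason for every failing entry."""
    findings = {}
    for service, endpoint in endpoints.items():
        ok, reason = audit_endpoint(endpoint, instance_region)
        if not ok:
            findings[service] = reason
    return findings


if __name__ == "__main__":
    # Constructed sample for an instance in cn-hangzhou (not a real configuration).
    sample = {
        "ecs": "ecs-vpc.cn-hangzhou.aliyuncs.com",  # correct
        "vpc": "vpc.cn-hangzhou.aliyuncs.com",      # public endpoint
        "ess": "ess-vpc.cn-beijing.aliyuncs.com",   # wrong region
    }
    for svc, why in audit_config(sample, "cn-hangzhou").items():
        print(f"{svc}: {why}")
```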
Use CEN to connect a corporate network to a cloud VPC
In hybrid cloud or enterprise private cloud scenarios, you can connect your corporate intranet to a public cloud VPC. CEN is the recommended way to do this. CEN supports multiple connection types, such as Express Connect circuits, SAG (for gateway access only), and virtual private network (VPN). Each type offers different levels of security, reliability, and bandwidth.
As shown in the following figure, an enterprise on-premises data center is connected to the Alibaba Cloud Hangzhou region. This connection enables mutual access between the VPC and the private network of the data center. For more information, see Enable communication between on-premises and cloud networks. After you configure the routes, the corporate intranet can also access the VPC endpoints of Alibaba Cloud services and avoid accessing these services over the Internet.

Use a VPN to connect a personal device to a cloud VPC
You can use SSL-VPN to connect a personal device to a cloud VPC and then access self-built services or Alibaba Cloud services through a private endpoint or a VPC Endpoint (as shown in the following figure). For more information, see Connect a client to a VPC by using SSL-VPN.
The Alibaba Cloud console does not currently support VPC Endpoints. It can be accessed only from the Internet.