Realtime Compute for Apache Flink: Network connections

Last Updated: Mar 25, 2026

Realtime Compute for Apache Flink workspaces run inside a Virtual Private Cloud (VPC) and cannot directly access the internet. To connect your Flink workspace to external data sources, choose one of the options below based on where those sources are hosted: on the internet, in another VPC, or in an on-premises network.

Key concepts

Before selecting a connectivity option, understand the following infrastructure concepts.

Region

A region is an independent geographic area where Alibaba Cloud data centers are located. Region names reflect their physical location — for example, China (Hangzhou) indicates data centers in Hangzhou. Select a region close to your data to minimize network latency.

Zone

A zone is an isolated physical area within a region, with independent power and networking. Each region contains multiple zones. Zones in different regions are completely isolated. Deploy your workloads across multiple zones to achieve cross-zone high availability.

Connect to the internet

Note

Internet latency is unpredictable. For low-latency, high-stability connections, use VPC-based connectivity instead.

Use this option when a data source must be accessed via a public IP address — for example, because it does not support private network connections or is not directly connected to a VPC.

The setup uses Alibaba Cloud NAT Gateway to route outbound traffic from your Flink workspace through a public elastic IP address (EIP).

Step 1: Create a NAT Gateway and configure an EIP

  1. Log on to the NAT Gateway console.

  2. Click Create Internet NAT Gateway.

  3. Configure the NAT gateway:

    • Region, VPC, and Associate vSwitch: Select the region, VPC, and vSwitch of your Flink workspace. To find these details, go to the Realtime Compute for Apache Flink management console and click More > Workspace Details for your workspace.

    • Access Mode: Select SNAT-enabled Mode.

    • EIP: Select Purchase EIP. If you already have an EIP, select Select EIP.

    • Line Type: Select BGP (Multi-ISP). This field appears only if you selected Purchase EIP in the previous field.

      Note

      If your Flink workspace is in a region outside the Chinese mainland, additional line types are available when you create an EIP directly in the EIP console (see the comparison table below). However, the NAT Gateway console only supports BGP (Multi-ISP). To use a different line type, create the EIP in the EIP console first, then select it when creating the NAT gateway.

      EIP line type comparison

      | Item | EIP (BGP Multi-ISP) | EIP (BGP Multi-ISP Pro) | Anycast EIP |
      | --- | --- | --- | --- |
      | Core advantage | Cost-effective internet access via high-quality BGP lines | Low-latency access from the Chinese mainland via Chinese mainland ISPs | Multiple regions share one Anycast EIP; traffic routes to the nearest Alibaba Cloud access point |
      | Suitable when | Workloads in any region; users access from anywhere via regular carrier lines | Workloads in regions outside the Chinese mainland; users access from the Chinese mainland | Workloads in regions outside the Chinese mainland; users access from outside the Chinese mainland |
      | Quality | Low | High | High |
      | Cost | Low | Medium | High |

  4. Click Buy Now, complete the payment, and wait for the resource to be ready.

  5. (Optional) Configure SNAT:

    1. In the Actions column of your NAT gateway instance, click Configure SNAT.

    2. Click Create SNAT Entry.

    3. In the SNAT Entry field, select Specify VPC. In the Select EIP field, select an EIP.

    4. Click OK.

Step 2: Authorize access to upstream and downstream systems

At this point, your Flink workspace can reach the internet through the EIP. Next, add the EIP to the firewall rules or security group policies of your upstream and downstream systems so they accept inbound traffic from Flink.

Example: Allow Flink to access a MySQL database on ECS (with an EIP already bound)

  1. Go to the ECS console and click the target ECS instance name.

  2. Select the Security Groups tab, then click the security group name.

  3. Under Security Group Details, select the Inbound subtab in the Access Rule section, and click Quick Add.

  4. In the Quick Add dialog:

    • Authorization Object: Enter the EIP from Step 1.

    • Port Range: Select MySQL (3306).

  5. Click OK.

Your Flink workspace can now access the MySQL database using the ECS instance's public IP address.
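
The following check is an added example, not part of the original documentation: it audits inbound rules to confirm that port 3306 is opened only to the Flink EIP from Step 1. The EIP value, the sample rules, and the rule dictionary shape are constructed assumptions, not the output of any Alibaba Cloud API.

```python
import ipaddress

# Constructed sample: 203.0.113.10 (documentation range) stands in for the EIP from Step 1.
FLINK_EIP = "203.0.113.10"

# Constructed inbound rules in a simplified, hypothetical shape
# (not the exact output of any Alibaba Cloud API or console export).
SAMPLE_RULES = [
    {"protocol": "tcp", "port_range": "3306/3306", "source": "203.0.113.10", "policy": "accept"},
    {"protocol": "tcp", "port_range": "3306/3306", "source": "0.0.0.0/0", "policy": "accept"},
    {"protocol": "tcp", "port_range": "1/65535", "source": "203.0.113.0/24", "policy": "accept"},
    {"protocol": "tcp", "port_range": "22/22", "source": "198.51.100.7/32", "policy": "accept"},
]


def covers_port(port_range, port):
    """True if a 'low/high' port range includes the given port."""
    low, high = (int(p) for p in port_range.split("/"))
    return low <= port <= high


def audit_mysql_ingress(rules, eip, port=3306):
    """Classify every TCP accept rule that exposes `port`.

    'ok'           source is exactly the EIP and the range is only `port`
    'too_broad'    rule admits the EIP but also other addresses or ports
    'other_source' rule exposes the port to addresses that exclude the EIP
    """
    eip_addr = ipaddress.ip_address(eip)
    findings = []
    for rule in rules:
        if rule["policy"] != "accept" or rule["protocol"] != "tcp":
            continue
        if not covers_port(rule["port_range"], port):
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        if eip_addr not in source:
            verdict = "other_source"
        elif source.num_addresses == 1 and rule["port_range"] == f"{port}/{port}":
            verdict = "ok"
        else:
            verdict = "too_broad"
        findings.append((rule["source"], rule["port_range"], verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_mysql_ingress(SAMPLE_RULES, FLINK_EIP):
        print(finding)
```

Any finding other than 'ok' means the database port is reachable from more than the single NAT egress address, or over more ports than MySQL needs.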

Verify connectivity

In the Realtime Compute for Apache Flink development console, click the Network detection icon in the upper-right corner to test the connection.

Connect to other VPCs

Note

If the services you need to access are in an early planning stage or migration cost is low, consider redeploying those resources into the same VPC as your Flink workspace — or create a new Flink workspace in the same VPC as your other services.

Use this option when a data source is in a different VPC and must be accessed over a secure, low-latency private network connection. Cross-account and inter-region connections are supported.

Three methods are available. Use the descriptions below to identify which best fits your situation before consulting the full comparison table.

  • VPC peering connections — best for connecting a small number of VPCs directly. Offers low latency and no intra-region charge, but requires non-overlapping CIDR blocks and manual route table updates on both sides. Configuration effort scales with the number of VPC pairs.

  • Transit routers — best for connecting many VPCs through a central hub. Routes are synchronized automatically, keeping ongoing management simple. The extra routing hop adds medium latency, and connections are charged within the same region.

  • PrivateLink — best for a unidirectional connection from one VPC to a specific service in another. Supports overlapping CIDR blocks and requires no route table configuration. Does not support inter-region connections.

| Item | VPC peering connections | Transit routers | PrivateLink |
| --- | --- | --- | --- |
| Connection method | VPCs connected in pairs | VPCs connected through a transit router | Unidirectional connection via an endpoint service |
| Route propagation | Not supported | Supported | Not supported |
| Connection direction | Bidirectional | Bidirectional | Unidirectional |
| Cross-account | Supported | Supported | Supported |
| Inter-region | Supported | Supported | Not supported |
| Overlapping CIDR blocks | Not supported | Not supported | Supported |
| Configuration complexity | High — requires a peering connection per VPC pair and route table updates on both sides | Low — connect to a transit router and update the VPC route table | Low — no route table configuration needed |
| Network latency | Low | Medium — the transit router adds an extra hop | Low |
| Intra-region cost | No charge | Charged for connections and data forwarding | Pay-as-you-go: instance fees and data transfer fees |
| Inter-region cost | Charged for outbound traffic by Cloud Data Transfer (CDT) | Charged for bandwidth plans, connections, and data forwarding | Not supported |

For more information on each method, see:

  • VPC peering connections — a networking connection between two VPCs that allows private IP communication as if they were in the same network

  • Transit routers — connects and forwards traffic between multiple network instances in the same region or across regions; only one transit router is allowed per region. To create inter-region connections, deploy a transit router in each region.

  • PrivateLink — accesses resources in a remote VPC over a private network, without exposing traffic to the internet

Example: VPC peering connection

A company has its Realtime Compute for Apache Flink workspace in VPC A (China (Hangzhou)) and its ECS-based data storage and development environment in VPC B (China (Beijing)). A VPC peering connection links the two VPCs.

Constraints:

  • VPCs and vSwitches in the peering must have non-overlapping CIDR blocks. For example, VPC A with CIDR block 192.168.0.0/16 and VPC B with 192.168.0.0/24 cannot be connected, even with a peering connection in place.

  • For cross-account peering, both the requester and accepter accounts must have VPCs.

For detailed setup instructions, see Use VPC peering connection for private communication.
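
The pre-flight check below is an added example, not part of the original documentation: it finds overlapping CIDR blocks between two VPCs and applies the "Overlapping CIDR blocks" and "Inter-region" rows of the comparison table to list which connection methods remain possible. VPC A and VPC B use the CIDR blocks from the constraint above; VPC C, VPC D, the vSwitch blocks, and the function names are hypothetical.

```python
import ipaddress
from itertools import product

# Constructed inventory. "cidrs" holds the VPC block followed by its vSwitch blocks.
VPC_A = {"region": "China (Hangzhou)", "cidrs": ["192.168.0.0/16", "192.168.10.0/24"]}
VPC_B = {"region": "China (Beijing)", "cidrs": ["192.168.0.0/24"]}
VPC_C = {"region": "China (Beijing)", "cidrs": ["10.0.0.0/16", "10.0.1.0/24"]}
VPC_D = {"region": "China (Hangzhou)", "cidrs": ["192.168.10.0/24"]}


def overlapping_cidrs(cidrs_a, cidrs_b):
    """Return every (a, b) pair of CIDR blocks that share at least one address."""
    nets_a = [ipaddress.ip_network(c) for c in cidrs_a]
    nets_b = [ipaddress.ip_network(c) for c in cidrs_b]
    return [(str(a), str(b)) for a, b in product(nets_a, nets_b) if a.overlaps(b)]


def viable_methods(vpc_a, vpc_b):
    """Apply two rows of the comparison table to a pair of VPCs.

    Peering and transit routers need non-overlapping CIDR blocks;
    PrivateLink tolerates overlap but does not work across regions.
    Other criteria (direction, cost, latency) are not evaluated here.
    """
    conflicts = overlapping_cidrs(vpc_a["cidrs"], vpc_b["cidrs"])
    inter_region = vpc_a["region"] != vpc_b["region"]
    methods = []
    if not conflicts:
        methods += ["VPC peering connection", "Transit router"]
    if not inter_region:
        methods.append("PrivateLink")
    return methods, conflicts


if __name__ == "__main__":
    for name, peer in (("B", VPC_B), ("C", VPC_C), ("D", VPC_D)):
        methods, conflicts = viable_methods(VPC_A, peer)
        print(f"A <-> {name}: methods={methods} conflicts={conflicts}")
```

For VPC A and VPC B as described in the constraint, the result is an empty method list: the blocks overlap and the VPCs are in different regions, so one side has to be re-addressed before any private connection is possible.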

Connect to on-premises networks

Use this option for hybrid and multi-cloud deployments where your Flink workspace needs to reach on-premises data centers or other cloud platforms.

Two services are available:

  • Express Connect — a dedicated physical circuit between your on-premises infrastructure or other cloud platforms and Alibaba Cloud. Delivers high bandwidth, low packet loss, and low latency, even across long distances. Best for financial organizations or government agencies that require secure, high-quality connectivity.

  • VPN Gateway — encrypted tunnels over the internet connecting your data centers, office networks, or internet clients to Alibaba Cloud. Ready to use immediately with no provisioning lead time. Best for moving basic services to the cloud, such as office networks or data storage systems.

| Item | Express Connect | VPN Gateway |
| --- | --- | --- |
| Quality | High (over dedicated circuits) | Low (over the internet) |
| Setup time | Long (2–3 months) | Short (out-of-the-box) |
| Cost | High | Low |
| Bandwidth | Up to 100 Gbps per circuit; Tbps-level with multiple circuits | Limited by the bandwidth of your public IP address |
| Suitable scenarios | Financial organizations or government agencies requiring secure cloud access | Moving basic services to the cloud (office networks, data storage) |

For more information, see Express Connect and VPN Gateway.