Virtual private clouds (VPCs) are isolated from each other based on a tunneling technology. Each VPC is identified by a unique tunnel ID, which corresponds to a virtualized network.

Background information

The development of cloud computing technologies leads to higher requirements for virtual networks, such as scalability, security, reliability, privacy, and robust connectivity performance. This speeds up the development of various network virtualization technologies.

In earlier solutions, virtual and physical networks were merged into a flat network architecture, such as a large-scale Layer 2 network. As the scale of virtual networks grew, these solutions ran into problems such as Address Resolution Protocol (ARP) spoofing, broadcast storms, and host scanning. To resolve these problems, various network isolation technologies emerged that isolate virtual networks from physical networks. One of these technologies uses virtual local area networks (VLANs) to isolate networks. However, VLANs support at most 4,096 VLAN IDs and are not suitable for large-scale networks.

How VPC works

VPCs are isolated from each other based on a tunneling technology. Each VPC is identified by a unique tunnel ID, which corresponds to a virtual network.
  • Data packets are encapsulated with the tunnel ID of the VPC and transmitted over the physical network between Elastic Compute Service (ECS) instances in the same VPC.
  • Data packets transmitted between ECS instances in different VPCs carry different tunnel IDs. Therefore, ECS instances in different VPCs cannot communicate with each other.

Alibaba Cloud developed VPCs that integrate gateways and vSwitches by using tunneling and software-defined networking (SDN) technologies.

Logical architecture of VPCs

A VPC contains a gateway, a controller, and one or more vSwitches, as shown in the following figure. The vSwitches and the gateway form the data path over which traffic is forwarded. The controller uses a protocol developed by Alibaba Cloud to distribute the forwarding table to the gateway and the vSwitches, forming the configuration path. The data path is isolated from the configuration path. vSwitches in VPCs are distributed nodes, while gateways and controllers are deployed in clusters across multiple data centers. All VPC connections support disaster recovery, which ensures high availability.

Logical architecture of VPCs
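The following is an added, simplified model of the tunnel-ID isolation described under "How VPC works" and of the controller/vSwitch split described above. It is not Alibaba Cloud's code or protocol: the controller, vSwitch, tunnel IDs, host names and overlay addresses are all constructed for illustration. It shows that a forwarding lookup is keyed by (tunnel ID, overlay IP), so two VPCs can reuse the same private address without their traffic ever crossing, and that a receiving vSwitch decapsulates a frame only for an endpoint that belongs to the frame's VPC.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:  # what the physical network carries: tunnel ID + physical hop around the overlay packet
    tunnel_id: int
    outer_dst: str
    dst_ip: str
    payload: str

class Controller:  # configuration path: builds the forwarding table and hands copies to vSwitches
    def __init__(self):
        self.table = {}  # (tunnel_id, overlay_ip) -> physical host of the serving vSwitch
    def register(self, tunnel_id, overlay_ip, host):
        self.table[(tunnel_id, overlay_ip)] = host
    def distribute(self):
        return dict(self.table)

class VSwitch:  # data path: distributed node on one physical host, serving endpoints of several VPCs
    def __init__(self, host, table):
        self.host, self.table, self.local, self.delivered = host, table, set(), []
    def attach(self, tunnel_id, overlay_ip):
        self.local.add((tunnel_id, overlay_ip))
    def send(self, tunnel_id, dst_ip, payload):
        # Lookup is keyed by the sender's tunnel ID, so routes of other VPCs are invisible to it.
        host = self.table.get((tunnel_id, dst_ip))
        if host is None:
            return None  # no route inside this VPC: the packet is dropped at the sender
        return Frame(tunnel_id, host, dst_ip, payload)
    def receive(self, frame):
        # Decapsulate only for a local endpoint that belongs to the frame's VPC.
        if frame.outer_dst != self.host or (frame.tunnel_id, frame.dst_ip) not in self.local:
            return False
        self.delivered.append((frame.tunnel_id, frame.dst_ip, frame.payload))
        return True

def demo():
    # Constructed topology: two VPCs that both use the overlay address 10.0.0.6.
    VPC_A, VPC_B = 1001, 1002  # constructed tunnel IDs
    ctl = Controller()
    for vpc, ip, host in ((VPC_A, "10.0.0.5", "host-1"), (VPC_A, "10.0.0.6", "host-2"),
                          (VPC_B, "10.0.0.6", "host-2"), (VPC_B, "10.0.0.7", "host-2")):
        ctl.register(vpc, ip, host)
    sw1, sw2 = VSwitch("host-1", ctl.distribute()), VSwitch("host-2", ctl.distribute())
    sw1.attach(VPC_A, "10.0.0.5")
    for vpc, ip in ((VPC_A, "10.0.0.6"), (VPC_B, "10.0.0.6"), (VPC_B, "10.0.0.7")):
        sw2.attach(vpc, ip)
    same_vpc = sw2.receive(sw1.send(VPC_A, "10.0.0.6", "hello"))  # reaches VPC A's 10.0.0.6 only
    cross_vpc = sw1.send(VPC_A, "10.0.0.7", "hello")               # 10.0.0.7 exists only in VPC B
    return same_vpc, cross_vpc, sw2.delivered[-1][0]
```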