Connect VPCs - Virtual Private Cloud - Alibaba Cloud Documentation Center

You can connect multiple virtual private clouds (VPCs) by using Cloud Enterprise Network (CEN), VPN gateways, VPC peering connections, and PrivateLink. This topic describes the features, architecture, and configuration methods of these solutions.

Features

CEN
Before you use CEN to connect different VPCs, you must make sure that the CIDR blocks to be connected do not overlap.
CEN uses transit routers to build private network channels between VPCs. The VPCs can reside in the same region or in different regions. The hub-spoke connection mode of transit routers allows you to connect VPCs to transit routers over VPC connections. Then, the transit routers automatically synchronize the routes of the VPCs.
Transit routers require simple configuration and support various routing policies and quality of service (QoS) mechanisms. This helps you plan complex networks and implement access control. However, transit routers have limits on the bandwidth. You are also charged for traffic processing if you use transit routers. Therefore, the CEN solution costs more than the VPC peering connection solution.
VPC peering connection
When you connect VPCs by using VPC peering connections, make sure that the CIDR blocks to be connected do not overlap with each other.
If you want to create VPC peering connections for a large number of VPCs, the configuration becomes more complex because of the connection mode of VPC peering connections and the requirements for point-to-point route configuration. VPC peering connections are not suitable for scenarios in which a large number of VPCs must be fully connected. However, VPC peering connections provide benefits such as unlimited bandwidth, low latency, and no fees for the VPC peering connections created for VPCs in the same region.
PrivateLink
PrivateLink allows you to establish stable and secure private connections between VPCs in which endpoint services are deployed and VPCs in which endpoints are deployed. PrivateLink requires easy network configuration and meets the requirements of various scenarios. The VPCs that are connected by using PrivateLink must reside in the same zone.
When you use PrivateLink to connect different VPCs, the CIDR blocks of the VPCs in which endpoint services are deployed and VPCs in which endpoints are deployed can overlap.
This solution can tolerate overlapping CIDR blocks and does not require route configurations. It also provides strong network isolation and access control capabilities, enabling highly secure network connections. However, PrivateLink supports only one-way access.
VPN Gateway
Before you use VPN gateways to connect different VPCs, you must make sure that the CIDR blocks to be connected do not overlap.
This solution requires complex configuration. You must create VPN gateways, customer gateways, and IPsec-VPN connections, and configure routes for the VPN gateways. Therefore, we recommend that you do not use this method when you want to connect a large number of VPCs.

The following table lists the differences of the following items between different VPC connection methods: connection mode, bandwidth limit, network latency, and billing. The VPC connection methods include VPC peering, PrivateLink, transit routers, and VPN gateways.


Item	VPC peering	Transit router	PrivateLink	VPN gateway
Connection mode	Full mesh, which allows VPCs to communicate with each other over VPC peering connections.	Hub-spoke, which allows VPCs to connect to transit routers over VPC connections.	Connection of business network elements. This resembles connections of devices in physical networks, such as load balancers and firewalls.	Connection between VPCs through VPN.
Route propagation	Not supported.	Supported.	Not supported.	Supported.
Bandwidth limit	Unlimited.	Limited by the processing capabilities of the transit routers.	Limited by the bandwidth on the endpoint service side.	Limited by the bandwidth of the ECS instance on which the VPN gateway is deployed. The bandwidth can be up to 1 Gbit/s.
Configuration complexity	The configuration is complex. You must create VPC peering connections and configure the routes that point to each VPC peering connection for peer VPCs.	The configuration is simple. You need to only connect VPCs to a transit router and configure settings to route the network traffic of VPCs to the transit router.	The configuration is simple. You do not need to consider address conflicts or route configurations.	The configuration is complex. You must create VPN gateways, customer gateways, and IPsec-VPN connections, and configure routes for the VPN gateways.
Maximum number of connected VPCs	20.	200.	Unlimited. The quota can be increased through application.	10.
Latency	The latency is low.	The latency is high, because traffic passes through a transit router, which adds an additional hop.	The latency is low, because the VPCs that are connected by using PrivateLink reside in the same zone.	The latency is high, because traffic must be forwarded over the Internet when the VPCs are in different regions.
Billing method	You are not charged for VPC peering connections that are created for VPCs in the same region. If you create a VPC peering connection between VPCs that reside in different regions, you are charged for outbound traffic of the VPCs. The billing is managed by Cloud Data Transfer (CDT). For more information, see What is CDT?.	For connections among VPCs in the same region, you are charged connection fees and traffic processing fees. For connections among VPCs in different regions, you are charged fees for bandwidth plans and data transfer fees. For more information about pay-by-data-transfer, see What is CDT?. For more information about the billing of CEN, see Billing rules.	You are not charged when you activate PrivateLink. After you activate PrivateLink, you are charged on a pay-as-you-go basis. Bills are generated on an hourly basis. You are charged an instance fee and a data transfer fee. For more information, see Billing.	You are charged IPsec-VPN instance fees and data transfer fees. For more information, see Billing.

Architecture

You can connect multiple VPCs by using CEN, VPN gateways, VPC peering connections, and PrivateLink, so that the VPCs can access resources in the other VPCs. You can use PrivateLink to share the service resources in a VPC to other VPCs without establishing private network connections.

CEN

You can use CEN to connect VPCs in the same region or in different regions. The following figure shows how CEN is used to connect three VPCs in the same region. CEN architecture

Note To allow VPCs in different regions to communicate with each other, you must purchase a bandwidth plan and set up cross-region connections. VPCs within the same region can communicate with each other through transit routers. You do not need to purchase a bandwidth plan or create cross-region connections. For information about how to purchase bandwidth plans and create cross-region connections, see Work with a bandwidth plan and Manage inter-region connections.

VPC peering connection

A VPC peering connection is a private network connection between two VPCs. You can enable multiple VPCs to communicate with each other by establishing VPC peering connections. If you want to connect more than two VPCs by using VPC peering connections, you must establish a peering connection for every pair of the VPCs. The following figure shows how to use the VPC peering connection solution to connect three VPCs. VPC peering connection architecture

Note When you create a VPC peering connection, one VPC serves as the requester and the other VPC serves as the accepter. The requester and the accepter can reside in the same region or in different regions.

PrivateLink

In PrivateLink, endpoint services can use Classic Load Balancer (CLB) instances as service resources. You can use PrivateLink to enable a VPC to access a CLB instance that serves as the service resource in another VPC. The following figure shows how two VPCs are connected by using PrivateLink so that one of the VPCs can access the CLB instance in the other VPC.

VPN gateways

You can connect two VPCs by connecting two VPN gateways through an encrypted IPsec-VPN tunnel. The following figure shows how two VPCs are connected by using VPN gateways. VPN gateways architecture

Note We recommend that you do not use this solution if you want to connect a VPC in a Chinese mainland region and one in a region outside the Chinese mainland. This is because cross-border connections are unstable. If you need to establish cross-border connections, we recommend that you use the CEN solution. For more information, see What is CEN?.

Configuration method


Solution	Configuration method
CEN	Connect VPCs in the same region. Use Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks Connect VPCs in different regions. Use Enterprise Edition transit routers to connect VPCs across regions and accounts Use Basic Edition transit routers to connect VPCs across regions
VPC peering connection	Create and manage a VPC peering connection Examples of VPC peering connections
PrivateLink	Connect VPCs that belong to the same Alibaba Cloud account Specify a CLB instance as a service resource in PrivateLink Specify an ALB instance as a service resource in PrivateLink Connect VPCs that belong to different Alibaba Cloud accounts Access services in a VPC that belongs to another account
VPN Gateway	Establish IPsec-VPN connections between two VPCs