You can connect multiple virtual private clouds (VPCs) by using Cloud Enterprise Network (CEN), VPN gateways, VPC peering connections, and PrivateLink. This topic describes the features, architecture, and configuration methods of these solutions.
Features
- CEN
Before you use CEN to connect different VPCs, you must make sure that the CIDR blocks to be connected do not overlap.
CEN uses transit routers to build private network channels between VPCs. The VPCs can reside in the same region or in different regions. The hub-spoke connection mode of transit routers allows you to connect VPCs to transit routers over VPC connections. Then, the transit routers automatically synchronize the routes of the VPCs.
Transit routers require simple configuration and support various routing policies and quality of service (QoS) mechanisms. This helps you plan complex networks and implement access control. However, transit routers have limits on the bandwidth. You are also charged for traffic processing if you use transit routers. Therefore, the CEN solution costs more than the VPC peering connection solution.
- VPC peering connection
When you connect VPCs by using VPC peering connections, make sure that the CIDR blocks to be connected do not overlap with each other.
Because VPC peering is point-to-point, fully connecting n VPCs requires n(n-1)/2 peering connections, and every VPC needs a route entry for each CIDR block of every peer VPC. The configuration therefore grows quickly with the number of VPCs, which makes VPC peering connections unsuitable for scenarios in which a large number of VPCs must be fully connected. However, VPC peering connections provide benefits such as unlimited bandwidth, low latency, and no fees for VPC peering connections between VPCs in the same region.
- PrivateLink
PrivateLink allows you to establish stable and secure private connections between a service provider VPC, in which an endpoint service is deployed, and a service consumer VPC, in which an endpoint is deployed. PrivateLink requires little network configuration and meets the requirements of various scenarios. The VPCs that are connected by using PrivateLink must reside in the same zone.
When you use PrivateLink to connect VPCs, the CIDR block of the VPC in which the endpoint service is deployed can overlap with the CIDR block of the VPC in which the endpoint is deployed, because no routes are exchanged between the two VPCs.
This solution tolerates overlapping CIDR blocks and requires no route configuration. It also provides strong network isolation and access control, enabling highly secure network connections. However, PrivateLink supports only one-way access: the VPC in which the endpoint is deployed can access the endpoint service, but the VPC in which the endpoint service is deployed cannot initiate connections to resources in the endpoint VPC.
- VPN Gateway
Before you use VPN gateways to connect different VPCs, you must make sure that the CIDR blocks to be connected do not overlap.
This solution requires complex configuration. You must create VPN gateways, customer gateways, and IPsec-VPN connections, and configure routes for the VPN gateways. Therefore, we recommend that you do not use this method when you want to connect a large number of VPCs.
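The prerequisites above (non-overlapping CIDR blocks for CEN, VPC peering and VPN gateways; overlap tolerated by PrivateLink) and the scaling difference between a full mesh and a hub-spoke design can be checked before anything is provisioned. The following pre-flight script is an added example, not code from the original page or from any cloud vendor's tooling. The VPC inventory is constructed sample data, and the quotas it applies (20 VPCs for peering, 200 for a transit router, 10 for VPN gateways) are the figures from the comparison table on this page; the assumption that a hub-spoke design needs one summary route per VPC is the example's own.

```python
"""Pre-flight checks before choosing how to connect a set of VPCs.

Added example, not code from the original page or from any cloud vendor's
tooling. The VPC inventory is constructed sample data; the quotas
(20 VPCs for peering, 200 for a transit router, 10 for VPN gateways) are
the figures from the comparison table on this page.
"""
import ipaddress
from itertools import combinations

# Constructed sample inventory: VPC name -> list of CIDR blocks.
SAMPLE_VPCS = {
    "vpc-prod": ["10.0.0.0/16"],
    "vpc-staging": ["10.1.0.0/16"],
    "vpc-shared-svc": ["10.2.0.0/16", "172.16.0.0/12"],
    "vpc-partner": ["10.0.128.0/17"],  # overlaps vpc-prod on purpose
}

# Maximum number of connected VPCs per solution, as listed on this page.
QUOTAS = {"vpc_peering": 20, "transit_router": 200, "vpn_gateway": 10}


def overlapping_pairs(vpcs):
    """Return (vpc_a, vpc_b, cidr_a, cidr_b) for every pair of blocks that
    overlap across two different VPCs. CEN, VPC peering and IPsec-VPN all
    route between the VPCs, so any hit here rules those solutions out;
    PrivateLink tolerates overlap because it does not route between them.
    """
    blocks = [(name, ipaddress.ip_network(cidr, strict=True))
              for name, cidrs in vpcs.items() for cidr in cidrs]
    hits = []
    for (a, net_a), (b, net_b) in combinations(blocks, 2):
        if a != b and net_a.overlaps(net_b):
            hits.append((a, b, str(net_a), str(net_b)))
    return hits


def full_mesh_cost(vpcs):
    """Peering connections and route entries for a full mesh of the VPCs.

    Each pair needs one peering connection, and each VPC needs a route
    entry for every CIDR block of every other VPC.
    """
    names = list(vpcs)
    n = len(names)
    connections = n * (n - 1) // 2
    total_blocks = sum(len(cidrs) for cidrs in vpcs.values())
    routes = sum(total_blocks - len(vpcs[name]) for name in names)
    return connections, routes


def hub_spoke_cost(vpcs):
    """Transit-router attachments and static routes for a hub-spoke design.

    Assumption made here: one VPC connection per VPC plus one summary route
    per VPC pointing at the transit router; the transit router propagates
    the per-VPC routes itself.
    """
    n = len(vpcs)
    return n, n


def candidate_solutions(vpcs, quotas=QUOTAS):
    """Which of the page's four solutions remain viable for this inventory."""
    n = len(vpcs)
    routed_ok = not overlapping_pairs(vpcs)
    return {
        "vpc_peering": routed_ok and n <= quotas["vpc_peering"],
        "transit_router": routed_ok and n <= quotas["transit_router"],
        "vpn_gateway": routed_ok and n <= quotas["vpn_gateway"],
        # PrivateLink is one-way and service-scoped, but neither overlap
        # nor the VPC count blocks it.
        "privatelink": True,
    }


if __name__ == "__main__":
    for hit in overlapping_pairs(SAMPLE_VPCS):
        print("overlap:", hit)
    print("full mesh (connections, routes):", full_mesh_cost(SAMPLE_VPCS))
    print("hub-spoke (attachments, routes):", hub_spoke_cost(SAMPLE_VPCS))
    print(candidate_solutions(SAMPLE_VPCS))
```

With the sample inventory the overlap between vpc-prod and vpc-partner disqualifies every routed solution, leaving PrivateLink; drop vpc-partner and all four become viable, while the full-mesh figures (6 connections, 15 route entries for four VPCs) show why the page steers larger estates towards a transit router.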
Item | VPC peering | Transit router | PrivateLink | VPN gateway |
---|---|---|---|---|
Connection mode | Full mesh, which allows VPCs to communicate with each other over VPC peering connections. | Hub-spoke, which allows VPCs to connect to transit routers over VPC connections. | Service-level connection: the VPC in which the endpoint is deployed reaches a specific service in the other VPC rather than the VPC as a whole, much as devices in a physical network are reached through a load balancer or firewall. | Connection between VPCs through VPN. |
Route propagation | Not supported. | Supported. | Not supported. | Supported. |
Bandwidth limit | Unlimited. | Limited by the processing capabilities of the transit routers. | Limited by the bandwidth on the endpoint service side. | Limited by the bandwidth of the ECS instance on which the VPN gateway is deployed. The bandwidth can be up to 1 Gbit/s. |
Configuration complexity | The configuration is complex. You must create VPC peering connections and configure the routes that point to each VPC peering connection for peer VPCs. | The configuration is simple. You need to only connect VPCs to a transit router and configure settings to route the network traffic of VPCs to the transit router. | The configuration is simple. You do not need to consider address conflicts or route configurations. | The configuration is complex. You must create VPN gateways, customer gateways, and IPsec-VPN connections, and configure routes for the VPN gateways. |
Maximum number of connected VPCs | 20. | 200. | Unlimited. The quota can be increased through application. | 10. |
Latency | The latency is low. | The latency is high, because traffic passes through a transit router, which adds an additional hop. | The latency is low, because the VPCs that are connected by using PrivateLink reside in the same zone. | The latency is high, because traffic must be forwarded over the Internet when the VPCs are in different regions. |
Billing method | You are not charged for VPC peering connections that are created for VPCs in the same region. If you create a VPC peering connection between VPCs that reside in different regions, you are charged for outbound traffic of the VPCs. The billing is managed by Cloud Data Transfer (CDT). For more information, see What is CDT?. | For connections among VPCs in the same region, you are charged connection fees and traffic processing fees. For connections among VPCs in different regions, you are charged fees for bandwidth plans and data transfer fees. | You are not charged when you activate PrivateLink. After you activate PrivateLink, you are charged on a pay-as-you-go basis. Bills are generated on an hourly basis. You are charged an instance fee and a data transfer fee. For more information, see Billing. | You are charged IPsec-VPN instance fees and data transfer fees. For more information, see Billing. |
Architecture
You can connect multiple VPCs by using CEN, VPN gateways, VPC peering connections, and PrivateLink, so that the VPCs can access resources in the other VPCs. You can also use PrivateLink to share the service resources in one VPC with other VPCs without connecting the VPCs at the network level, that is, without exchanging routes between them.
CEN

VPC peering connection

PrivateLink
In PrivateLink, endpoint services can use Classic Load Balancer (CLB) instances as service resources. You can use PrivateLink to enable a VPC to access a CLB instance that serves as the service resource in another VPC. The following figure shows how two VPCs are connected by using PrivateLink so that one of the VPCs can access the CLB instance in the other VPC.

VPN gateways

Configuration method
Solution | Configuration method |
---|---|
CEN | |
VPC peering connection | |
PrivateLink | |
VPN Gateway | Establish IPsec-VPN connections between two VPCs |
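The VPN Gateway row, and the description of that solution in the Features section, require a VPN gateway, a customer gateway and an IPsec-VPN connection on each side plus routes for the VPN gateways. The two connections must be exact mirror images of each other, and the errors that keep a tunnel down (swapped subnets, a wrong peer address, a mistyped pre-shared key, mismatched proposals) are easy to catch before deployment. The following validator is an added example, not code from the original page or the VPN Gateway product. The field names, the weak-algorithm list and the route representation are assumptions made for illustration; the gateway addresses, subnets and pre-shared key are constructed sample values.

```python
"""Mirror-image check for the two IPsec-VPN connections that join two VPCs.

Added example, not code from the original page or the VPN Gateway product.
Field names, the weak-algorithm list and the route representation are
assumptions for illustration; addresses, subnets and the PSK are constructed.
"""
import ipaddress

# Constructed: each VPC has its own VPN gateway with a public address.
VPC_A = {"name": "vpc-a", "cidr": "10.0.0.0/16", "vpn_gateway_ip": "203.0.113.10"}
VPC_B = {"name": "vpc-b", "cidr": "10.1.0.0/16", "vpn_gateway_ip": "198.51.100.20"}

# Phase 1 / phase 2 proposals; both sides must carry identical values.
PROPOSAL = {
    "ike": {"version": "ikev2", "enc": "aes256", "auth": "sha256",
            "dh": "group14", "lifetime": 86400},
    "ipsec": {"enc": "aes256", "auth": "sha256", "pfs": "group14",
              "lifetime": 86400},
}

# On each side the "customer gateway" is simply the other VPC's VPN gateway.
CONN_A_TO_B = {
    "local_subnet": "10.0.0.0/16",
    "remote_subnet": "10.1.0.0/16",
    "customer_gateway_ip": "198.51.100.20",
    "psk": "constructed-example-psk",
    **PROPOSAL,
}
CONN_B_TO_A = {
    "local_subnet": "10.1.0.0/16",
    "remote_subnet": "10.0.0.0/16",
    "customer_gateway_ip": "203.0.113.10",
    "psk": "constructed-example-psk",
    **PROPOSAL,
}

# Constructed misconfiguration: mistyped PSK and a legacy DH group on side B.
BAD_CONN_B_TO_A = {**CONN_B_TO_A, "psk": "constructed-example-psK",
                   "ike": {**PROPOSAL["ike"], "dh": "group2"}}

# Assumed threshold: settings a practitioner would refuse in a new tunnel.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "ikev1"}


def check_pair(vpc_a, conn_ab, vpc_b, conn_ba):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    a_local = ipaddress.ip_network(conn_ab["local_subnet"])
    a_remote = ipaddress.ip_network(conn_ab["remote_subnet"])
    b_local = ipaddress.ip_network(conn_ba["local_subnet"])
    b_remote = ipaddress.ip_network(conn_ba["remote_subnet"])

    # The same non-overlap rule as for the other routed solutions.
    if a_local.overlaps(a_remote):
        problems.append("local and remote subnets overlap; routing between them is impossible")
    # Side B's local/remote must be side A's remote/local.
    if (a_local, a_remote) != (b_remote, b_local):
        problems.append("subnets are not mirror images of each other")
    if str(a_local) != vpc_a["cidr"] or str(b_local) != vpc_b["cidr"]:
        problems.append("a local subnet does not match its VPC CIDR block")
    # Each customer gateway must point at the peer's VPN gateway.
    if conn_ab["customer_gateway_ip"] != vpc_b["vpn_gateway_ip"]:
        problems.append("side A's customer gateway is not side B's VPN gateway address")
    if conn_ba["customer_gateway_ip"] != vpc_a["vpn_gateway_ip"]:
        problems.append("side B's customer gateway is not side A's VPN gateway address")
    if conn_ab["psk"] != conn_ba["psk"]:
        problems.append("pre-shared keys differ")
    for phase in ("ike", "ipsec"):
        if conn_ab[phase] != conn_ba[phase]:
            problems.append(f"{phase} proposals differ")
        for side, conn in (("A", conn_ab), ("B", conn_ba)):
            for field, value in conn[phase].items():
                if str(value).lower() in WEAK:
                    problems.append(f"weak {phase} setting {field}={value} on side {side}")
    return problems


def route_entry(vpc, conn):
    """Static route each VPC needs once the tunnel is up: peer CIDR via its own VPN gateway."""
    return {"vpc": vpc["name"], "destination": conn["remote_subnet"],
            "next_hop": f"vpn-gateway@{vpc['vpn_gateway_ip']}"}


if __name__ == "__main__":
    print("good pair:", check_pair(VPC_A, CONN_A_TO_B, VPC_B, CONN_B_TO_A))
    print("bad pair:", check_pair(VPC_A, CONN_A_TO_B, VPC_B, BAD_CONN_B_TO_A))
    print(route_entry(VPC_A, CONN_A_TO_B), route_entry(VPC_B, CONN_B_TO_A))
```

Run against the well-formed pair the checker returns nothing; against the constructed misconfiguration it reports the PSK mismatch, the differing IKE proposals and the legacy DH group, which is exactly the class of error that otherwise surfaces only as a tunnel stuck in phase 1 negotiation.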