Virtual private clouds (VPCs) are private networks that are dedicated to users. Alibaba Cloud provides services such as Express Connect, VPN Gateway, Cloud Enterprise Network (CEN), and Smart Access Gateway (SAG) to help you connect your applications to VPCs in various scenarios.
The following table describes the connection solutions for each scenario.
Connect two VPCs | |||
Service | Description | Benefit | Limit |
CEN | You can establish connections among VPCs that belong to different regions and Alibaba Cloud accounts. | | N/A |
VPC peering connection | You can establish peering connections between two VPCs. | If the two VPCs are deployed in the same region, data transfer is free of charge. | N/A |
Connect a data center to a VPC | |||
Service | Description | Benefit | Limit |
VPN Gateway | You can connect a data center to a VPC by using an encrypted IPsec-VPN tunnel over the Internet. | | The network latency and availability vary based on the Internet. |
CEN | Automatic route learning and advertisement are supported. To enable communication among resources that are attached to the same CEN instance, you only need to attach the VBR that is associated with the data center to the CEN instance. | | N/A |
SAG and CEN | You can connect a data center to Alibaba Cloud by using SAG. | | N/A |
Express Connect | You can connect a data center to a VPC by using Express Connect circuits. | | |
VPN software deployment | You can purchase a VPN gateway and deploy the VPN gateway in a VPC. Then, you can connect a data center to the VPC by using an encrypted IPsec-VPN tunnel over the Internet. | | |
Connect multiple sites | |||
Service | Description | Benefit | Limit |
VPN Gateway | You can establish secure connections among multiple sites by using VPN gateways. The VPN-Hub feature enables communication among different sites, or between sites and VPCs. | | N/A |
SAG | You can purchase SAG instances for branch offices and attach the SAG instances to a CCN instance. Then, the branch offices can communicate with each other. | | N/A |
VPN Gateway and VPC peering connection | You can connect application systems and offices around the world by using a combination of VPN gateways and VPC peering connections. | | The network latency and availability vary based on the Internet. |
Remote access to a VPC | |||
Service | Description | Benefit | Limit |
VPN Gateway (with SSL-VPN) | You can connect a client to a VPC by using the SSL-VPN feature. | | N/A |
SSL-VPN software deployment | You can purchase SSL-VPN software and deploy the SSL-VPN software in a VPC. Then, you can connect to the VPN server from a client. | Multiple types of SSL-VPN software and images are supported. | |
Connect two VPCs
You can deploy a system in VPCs that are created in different regions and build a network across regions. Then, users can access the services from the nearest locations. This minimizes network latency, and deploying backup systems ensures high availability.
You can connect VPCs that reside in different regions or in the same region by using CEN instances or VPN gateways.
CEN
You can use CEN to establish private network connections between VPCs in different regions, or between VPCs and data centers. CEN supports automatic route advertisement and learning, which speeds up network convergence, improves the quality and security of cross-network communication, and connects all network resources. CEN helps you build enterprise-class networks that provide high-performance network communication.
VPN Gateway
VPN Gateway is an Internet-based service that can be used to connect data centers, office networks, and terminals to VPCs by using an encrypted tunnel in a secure and reliable manner. By default, VPN Gateway supports the active-standby mode in which two VPN gateways are used. In this mode, the system performs failovers when one VPN gateway becomes faulty. You can use VPN gateways to establish IPsec-VPN connections between your data center and VPCs.
Connect a data center to a VPC
You can connect a data center to a VPC to build a hybrid cloud. After a secure and reliable connection is established between your data center and the VPC, you can seamlessly migrate on-premises IT infrastructure resources to Alibaba Cloud by using computing, storage, networking, CDN, and BGP resources that are provided by Alibaba Cloud. This helps you to handle business fluctuations.
Express Connect
Express Connect supports connections over Express Connect circuits. After an Express Connect circuit is used to connect to Alibaba Cloud, you can create a VBR and connect your data center to Alibaba Cloud. This way, you can build a hybrid cloud and access your data center over a private network.
An Express Connect circuit connects your data center to Alibaba Cloud over a private network. Compared with Internet-based connections, connections over Express Connect circuits reduce network latency, enhance security, and improve reliability.
VPN Gateway
VPN Gateway is an Internet-based service that can be used to connect data centers, office networks, and terminals to VPCs by using an encrypted tunnel in a secure and reliable manner. By default, VPN Gateway supports the active-standby mode in which two VPN gateways are used. In this mode, the system performs failovers when one VPN gateway becomes faulty. You can use VPN gateways to establish IPsec-VPN connections between your data center and VPCs.
CEN
CEN supports automatic route advertisement and learning to connect resources in a hybrid cloud. After you attach the VBR that is associated with your data center to a CEN instance, the data center can communicate with other network instances that are attached to the CEN instance, such as VPCs and VBRs.
SAG
SAG is an all-in-one solution that can be used to connect your workloads to Alibaba Cloud. You can use SAG to access the Internet from the nearest locations. The connections that are established by SAG are secure and reliable.
You can purchase SAG instances for your data center and attach the CCN instance that is associated with the SAG instances to the CEN instance. This allows you to connect your data center to Alibaba Cloud.
VPN software deployment
Alibaba Cloud provides various types of VPN software and images. You can purchase VPN software and deploy the VPN software on an ECS instance. Then, you can connect your data center to the VPC over the Internet by using an elastic IP address (EIP).
Connect multiple sites
You can connect multiple sites by using SAG or the VPN-Hub feature of VPN Gateway.
SAG
SAG is an all-in-one solution that can be used to connect your workloads to Alibaba Cloud. You can use SAG to access the Internet from the nearest locations. The connections that are established by SAG are secure and reliable.
You can purchase SAG instances for branch offices and attach the SAG instances to a CCN instance. Then, the branch offices can communicate with each other.
VPN Gateway
The IPsec-VPN feature of VPN Gateway provides site-to-site VPN connections. Each VPN gateway supports up to 10 IPsec-VPN connections. You can purchase a VPN gateway and establish connections among up to 10 data centers or branch offices in different regions.
You can create multiple site-to-site IPsec connections among sites, or between sites and VPCs by using VPN-Hub. VPN-Hub allows large enterprises to establish private connections across branch offices that run business in different regions.
By default, the VPN-Hub feature is enabled. You only need to configure an IPsec-VPN connection between each branch office and Alibaba Cloud. No additional configurations or payments are required. Each VPN gateway supports up to 10 IPsec-VPN connections, which means that you can connect up to 10 branch offices in different regions by using one VPN gateway. The following figure shows how to establish connections among the branch offices in Shanghai, Hangzhou, and Ningbo by using a VPN gateway.
Build a high-speed global network
You can establish connections among applications and branch offices worldwide by using VPC peering connections and VPN gateways. This solution ensures secure communication and optimal network quality, and minimizes your costs.
The following figure shows how to establish connections among the branch offices that are connected to the VPC in the US (Virginia) region and the VPC in the China (Shanghai) region. You can deploy applications in both VPCs and connect the two VPCs by using a VPC peering connection. Then, you can connect the branch offices to each VPC by using the IPsec-VPN tunnel.
Remote access to a VPC
The SSL-VPN feature of VPN Gateway provides point-to-site VPN connections. You can use a client to access a VPC without the need to configure a gateway. You can deploy internal applications in a VPC and enable access to the applications by using SSL-VPN connections over internal networks. For example, on-site IT staff must connect to the VPC over an internal network to perform O&M operations. Remote access is allowed for the applications in the VPC.
VPN gateways and VPN software and images from Alibaba Cloud Marketplace can be used to achieve remote access to VPCs.
VPN Gateway (SSL-VPN)
You can use the SSL-VPN feature to connect a client to applications and services that are deployed in a VPC. After you deploy the applications and services, you can load the SSL client certificate to your client and initiate an SSL-VPN connection between the client and the VPC. By default, VPN gateways support the active-standby mode in which two VPN gateways are used. In this mode, the system automatically performs failovers when one VPN gateway becomes faulty.
Installation and deployment of SSL-VPN software
For more information, see Connect a client to a VPC.