
Virtual Private Cloud:Infrastructure security

Last Updated: Aug 19, 2025

This topic describes the infrastructure security of virtual private cloud (VPC).

Network isolation

A virtual private cloud (VPC) is a private network on Alibaba Cloud. VPCs are isolated from each other.

vSwitches are basic components in VPCs and are used to connect different instances. You can create multiple vSwitches to divide a VPC and deploy Elastic Compute Service (ECS) instances in different vSwitches. You can isolate vSwitches from each other. Each vSwitch has a CIDR block and a route table. You can use a route table to enable access control.

Control network traffic

You can control the network traffic of a VPC using one of the following methods:

  • When you create an ECS instance in a VPC, you can use the default security group rules or select other security groups in the VPC to control the outbound and inbound traffic of the ECS instance. A security group is a virtual firewall within a VPC that controls traffic to and from ECS instances. You can place ECS instances that have the same security requirements and trust each other into the same security group to partition security domains and protect your cloud resources. In addition, a network ACL can control traffic to and from vSwitches. You can attach the same network ACL to multiple vSwitches to uniformly control traffic for these vSwitches. Using security groups and network ACLs together, you can effectively protect the resources in your VPC.

  • An IPv4 gateway is a component at the border of a VPC that controls public IPv4 traffic. You can use an IPv4 gateway with route table configurations to route all traffic to the Internet through a single gateway. This reduces the security risks associated with decentralized access.

  • An IPv6 gateway is a public IPv6 traffic gateway for a VPC. You can use IPv6 Internet bandwidth configuration and egress-only rules to flexibly control inbound and outbound IPv6 traffic.

  • You can create a custom route table, attach it to a vSwitch, and add custom route entries to control the traffic of the vSwitch for more flexible network management.

  • You can establish private connectivity between VPCs by creating a VPC peering connection and configuring routes for the VPCs at both ends. The peering connection feature supports connectivity between VPCs that belong to the same or different accounts and reside in the same or different regions. Before you configure the connection, you must ensure that the CIDR blocks of the two VPCs do not overlap.

  • Cloud Enterprise Network is a solution for multi-VPC interconnection. It enables network communication between multiple VPCs within an enterprise to create a flexible, reliable, and large-scale enterprise-level cloud network.

  • You can use Express Connect and VPN Gateway to establish communication between an Alibaba Cloud VPC and your on-premises data center, office terminals, or networks of other cloud providers.

  • A gateway endpoint is a virtual gateway device. When you create a gateway endpoint for an Alibaba Cloud service in a VPC and associate it with a route table, the system automatically adds a route whose next hop points to the gateway endpoint. This enables private access to the Alibaba Cloud service.

  • You can use the flow log feature of a VPC to capture inbound and outbound traffic for elastic network interfaces (ENIs) in the VPC. This helps you verify access control rules, monitor network traffic, and troubleshoot network faults.
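The peering bullet above says the two VPCs must not have overlapping CIDR blocks and that routes must be configured at both ends. The following is an added example, not code from the original page or from Alibaba Cloud: it checks a pair of VPCs for CIDR overlap with Python's standard `ipaddress` module and, if they are clear, returns the custom route entries each side's route table needs. The VPC names, CIDR blocks and the `pcc-PLACEHOLDER` peering identifier are constructed for illustration.

```python
import ipaddress

# Constructed sample data, not from the original page: CIDR blocks of three
# hypothetical VPCs. VPC_B overlaps VPC_A; VPC_C overlaps neither.
VPC_A = {"name": "vpc-a", "cidrs": ["10.0.0.0/16"]}
VPC_B = {"name": "vpc-b", "cidrs": ["10.0.128.0/24", "172.16.0.0/12"]}
VPC_C = {"name": "vpc-c", "cidrs": ["192.168.0.0/16"]}


def overlapping_cidrs(cidrs_a, cidrs_b):
    """Return every (a, b) pair of CIDR blocks that share at least one address."""
    conflicts = []
    for a in cidrs_a:
        for b in cidrs_b:
            net_a = ipaddress.ip_network(a, strict=False)
            net_b = ipaddress.ip_network(b, strict=False)
            # An IPv4 block and an IPv6 block can never overlap; only compare same-version blocks.
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                conflicts.append((a, b))
    return conflicts


def plan_peering_routes(vpc_a, vpc_b, peering_id="pcc-PLACEHOLDER"):
    """Refuse to plan if any CIDR overlaps; otherwise return the route entries
    each VPC's route table needs, with the peering connection as the next hop.
    `peering_id` is a placeholder, not a real Alibaba Cloud identifier."""
    conflicts = overlapping_cidrs(vpc_a["cidrs"], vpc_b["cidrs"])
    if conflicts:
        raise ValueError(f"CIDR overlap, cannot peer: {conflicts}")
    # Each side gets one route per remote CIDR block pointing at the peering connection.
    return {
        vpc_a["name"]: [{"destination": c, "next_hop": peering_id} for c in vpc_b["cidrs"]],
        vpc_b["name"]: [{"destination": c, "next_hop": peering_id} for c in vpc_a["cidrs"]],
    }


if __name__ == "__main__":
    print("vpc-a vs vpc-b conflicts:", overlapping_cidrs(VPC_A["cidrs"], VPC_B["cidrs"]))
    print("vpc-a <-> vpc-c routes:", plan_peering_routes(VPC_A, VPC_C))
```

Running the overlap check before creating the connection turns an ambiguous routing situation into an explicit error; the route plan also makes visible that a peering connection carries no traffic until both route tables have an entry for the remote block.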

Comparison between network ACLs and security groups

Alibaba Cloud provides two access control methods: security groups and network ACLs. You can use them to implement network isolation at the instance or vSwitch level within a VPC.

| Item | Security groups | Network ACLs |
|---|---|---|
| Applicable scope | Instance level. Attach a security group to one or more ECS instances. | vSwitch level. Attach a network ACL to one or more vSwitches. |
| Working mode | Stateful. Returned packets are automatically allowed. For example, to allow inbound traffic on port 80, add an inbound rule for the request. An outbound rule is not required because the corresponding response traffic is automatically allowed. | Stateless. Returned packets must be manually allowed. For example, to allow inbound traffic on port 80, you must add an inbound rule for the request and an outbound rule for the response. |
| Intra-group control policy | Basic security group: choose whether to allow or deny traffic between instances in the group. Enterprise security group: internal isolation is enabled by default. | Network ACLs do not control traffic between ECS instances in the same vSwitch. |
| Application scenarios | Control access between instances and allow public inbound traffic on a port. | Isolate at the vSwitch level and enforce access policies across vSwitches. |
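The "Working mode" row above, and the earlier bullet on using security groups and network ACLs together, are easier to reason about with a small model. The following is an added example, not code from the original page or from Alibaba Cloud: it simulates a stateful filter (security-group-like, with connection tracking) and a stateless filter (network-ACL-like, rules only) and runs the same HTTP request/response pair through each. Rules match on the packet's destination port, and the IP addresses, ports and rule sets are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the instance) or "out" (from the instance)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    port_lo: int
    port_hi: int
    action: str      # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return pkt.direction == self.direction and self.port_lo <= pkt.dst_port <= self.port_hi


def first_match(rules, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (implicit default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatelessAcl:
    """Network-ACL-like: every packet, including a reply, must match a rule."""
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, pkt: Packet) -> str:
        return first_match(self.rules, pkt)


class StatefulSecurityGroup:
    """Security-group-like: a packet that is the reverse of an allowed flow is
    permitted without consulting the rules."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # 4-tuples of allowed flows

    def evaluate(self, pkt: Packet) -> str:
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_key in self.flows:
            return "allow"
        action = first_match(self.rules, pkt)
        if action == "allow":
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return action


def http_exchange(filt):
    """Constructed sample traffic: a client request to port 80 and the server's reply.
    Returns (request_action, response_action)."""
    request = Packet("in", "203.0.113.10", 51234, "10.0.1.5", 80)
    response = Packet("out", "10.0.1.5", 80, "203.0.113.10", 51234)
    return filt.evaluate(request), filt.evaluate(response)


if __name__ == "__main__":
    inbound_80 = Rule("in", 80, 80, "allow")
    print("security group, inbound rule only:", http_exchange(StatefulSecurityGroup([inbound_80])))
    print("network ACL, inbound rule only:   ", http_exchange(StatelessAcl([inbound_80])))
    print("network ACL, plus ephemeral egress:",
          http_exchange(StatelessAcl([inbound_80, Rule("out", 1024, 65535, "allow")])))
```

With only the inbound port 80 rule, the security group passes both packets because it remembers the request; the network ACL passes the request but drops the reply. Adding an outbound rule for the client's ephemeral port range is what "add an outbound rule for the response" means in practice for a stateless ACL.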