This topic describes terms related to Virtual Private Cloud (VPC).

VPC

A VPC is a private network on Alibaba Cloud. VPCs are logically isolated from each other. You can create and manage cloud resources in your VPC, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB RDS instances.

vSwitch

A vSwitch is a basic network component of a VPC. A vSwitch connects different cloud resources. When you create a cloud resource in a VPC, you must specify a vSwitch to which the cloud resource is connected.

VPC sharing

A VPC owner (resource owner) can share non-default vSwitches in the VPC with one or more Alibaba Cloud accounts (principals). The principals can create cloud resources in the shared vSwitches. A resource owner can share resources with Alibaba Cloud accounts in the same or a different enterprise organization.

vRouter

A vRouter is a virtual router that connects all vSwitches in a VPC and serves as a gateway that connects the VPC to other networks. A vRouter also forwards network traffic based on the routes in the route table.

Route table

A route table consists of the routes in a vRouter. Route tables are classified into the following types:
  • System route table

    After you create a VPC, the system creates a system route table to manage routes of the VPC. By default, vSwitches in the VPC use the system route table. You cannot create or delete a system route table. However, you can add custom routes to a system route table.

  • Custom route table

    You can create a custom route table in a VPC and associate the custom route table with a vSwitch. This allows you to manage network traffic in a more flexible manner.

  • Gateway route table

    You can create a custom route table in a VPC and associate the custom route table with an IPv4 gateway. This route table is called a gateway route table.

Route

Each item in a route table is a route. A route specifies the next hop for network traffic that is destined for a destination CIDR block. Routes are classified into system routes and custom routes.

Prefix list

A prefix list is a set of one or more CIDR blocks. You can create a prefix list for commonly used IP addresses and set the prefix list as the destination of routes in a route table. This way, you do not have to configure a route for each IP address. If you want to expand the destination to cover another CIDR block, add the CIDR block to the prefix list; the routes that use the prefix list as their destination are then updated automatically.
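Added example (not code from the Alibaba Cloud documentation): a minimal model of a route table in which a route's destination is either a CIDR block or a prefix list, resolved by longest-prefix match. It shows that adding a CIDR block to a prefix list changes the outcome of a lookup without editing any route. The gateway names are placeholders and the addresses are constructed sample values.

```python
import ipaddress

class PrefixList:
    """A named set of CIDR blocks that a route can use as its destination."""
    def __init__(self, name):
        self.name, self.cidrs = name, set()

    def add(self, cidr):
        self.cidrs.add(ipaddress.ip_network(cidr))

class RouteTable:
    """Routes map a destination (CIDR block or prefix list) to a next hop."""
    def __init__(self):
        self.routes = []  # (destination, next_hop, kind)

    def add_route(self, dest, next_hop, kind="custom"):
        if isinstance(dest, str):
            dest = ipaddress.ip_network(dest)
        self.routes.append((dest, next_hop, kind))

    def lookup(self, ip):
        """Longest-prefix match: the most specific matching CIDR block wins."""
        addr = ipaddress.ip_address(ip)
        best_net, best_hop = None, None
        for dest, hop, _kind in self.routes:
            # A prefix-list route is resolved against the list's current
            # members, so growing the list updates the route in place.
            nets = dest.cidrs if isinstance(dest, PrefixList) else {dest}
            for net in nets:
                if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                    best_net, best_hop = net, hop
        return best_hop

def demo():
    # Constructed sample: VPC 10.0.0.0/16, a default route to a NAT gateway, and
    # an "office" prefix list routed to a VPN gateway (placeholder next-hop names).
    table = RouteTable()
    table.add_route("10.0.0.0/16", "local", kind="system")
    table.add_route("0.0.0.0/0", "nat-gateway-placeholder")
    office = PrefixList("office")
    office.add("203.0.113.0/24")
    table.add_route(office, "vpn-gateway-placeholder")
    before = table.lookup("198.51.100.7")  # falls through to the default route
    office.add("198.51.100.0/24")  # expand the prefix list only; no route is edited
    after = table.lookup("198.51.100.7")  # now matches the prefix-list route
    return table.lookup("10.0.1.4"), table.lookup("203.0.113.9"), before, after

if __name__ == "__main__":
    print(demo())
```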
NAT gateway

NAT Gateway provides the DNAT and SNAT features. NAT gateways are classified into Internet NAT gateways and VPC NAT gateways. Internet NAT gateways provide NAT services for public IP addresses, while VPC NAT gateways provide NAT services for private IP addresses. You can choose Internet NAT gateways or VPC NAT gateways based on your business requirements.

VPC peering connection

A VPC peering connection is a private network connection between two VPCs. You can enable two VPCs to communicate with each other by establishing a VPC peering connection. You can create a VPC peering connection between two VPCs within your Alibaba Cloud account (same-account), or between a VPC within your Alibaba Cloud account and a VPC within another Alibaba Cloud account (cross-account). You can also create VPC peering connections between VPCs that belong to the same region (intra-region) or different regions (inter-region).

DHCP options set

Dynamic Host Configuration Protocol (DHCP) is a network management protocol. DHCP provides a standard for passing configuration information to servers in a TCP/IP network. The DHCP options set feature allows you to configure domain names and DNS server IP addresses for ECS instances in a VPC.

IPv4 gateway

An IPv4 gateway is a network component that connects a VPC to the Internet. An IPv4 gateway can enable a VPC to access the Internet by routing IPv4 traffic and translating private IP addresses to public IP addresses. When a VPC accesses the Internet by using an IPv4 gateway, IPv4 traffic flows through the IPv4 gateway.

ClassicLink

VPC supports the ClassicLink feature, which allows ECS instances in classic networks to communicate with cloud resources in VPCs.

Network ACL

Network access control lists (ACLs) allow you to implement access control for a VPC. You can create network ACL rules and associate a network ACL with a vSwitch. This allows you to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances that are attached to the vSwitch.

Security group

A security group acts as a virtual firewall that controls the inbound and outbound traffic of Elastic Compute Service (ECS) instances to improve security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups and security group rules to define security domains in the cloud.

HAVIP

A high-availability virtual IP address (HAVIP) is a private IP address that can be created and released as an independent resource. You can use HAVIPs with high-availability (HA) software such as Keepalived to deploy services in active/standby mode. This improves the availability of your services.

Flow log

VPC provides the flow log feature. The feature records information about the inbound and outbound traffic of an elastic network interface (ENI). You can check access control rules, monitor network traffic, and troubleshoot network errors based on the flow logs.

Traffic mirroring

The traffic mirroring feature can mirror packets that flow through an ENI and that meet the filter conditions. The traffic mirroring feature mirrors network traffic from an ECS instance in a VPC and forwards the traffic to a specified ENI or an internal-facing Classic Load Balancer (CLB) instance. You can use this feature in scenarios such as content inspection, threat monitoring, and troubleshooting.
Idle instance

The VPC console can display idle instances. You can release idle instances to save costs.
Tag

VPC supports the tag feature. You can use tags to label and classify VPCs, route tables, and vSwitches, which facilitates resource search and aggregation.

Quota

Alibaba Cloud sets quotas on the cloud resources and API operations for each Alibaba Cloud account. Alibaba Cloud service quotas are classified into the following types: general quotas, API rate limits, and privileges.

RAM authorization

You use an Alibaba Cloud account to grant permissions to a RAM user. Then, the RAM user can manage VPCs based on the granted permissions.