When your workloads span both Alibaba Cloud and an on-premises data center, a remote office network, or another cloud provider, you need a reliable network path between them. Alibaba Cloud Virtual Private Cloud (VPC) supports three hybrid connectivity scenarios: connecting to an on-premises data center, connecting remote clients for individual access, and connecting to another cloud provider (multicloud). Each scenario uses a different product combination depending on your latency, cost, and availability requirements.
Key concepts
| Term | Description |
|---|---|
| Express Connect | Alibaba Cloud's dedicated line product. Connects your on-premises network to Alibaba Cloud through a carrier's physical circuit. |
| VPN Gateway | Alibaba Cloud's VPN product. Establishes encrypted tunnels over the public internet using IPsec-VPN or SSL-VPN. |
| IPsec-VPN | Site-to-site VPN that connects a data center or another cloud to an Alibaba Cloud VPC. |
| SSL-VPN | Client VPN that connects individual devices (laptops, mobile phones) to a VPC. |
| Virtual border router (VBR) | A logical router on the Alibaba Cloud side that terminates an Express Connect circuit and connects to your VPC. |
| Express Connect Router (ECR) | A gateway that aggregates multiple VBRs and connects them to Cloud Enterprise Network (CEN). |
| Transit router (TR) | A hub inside Cloud Enterprise Network (CEN) that interconnects multiple VPCs, ECR instances, and VPN connections in one region. |
| Equal-Cost Multipath Routing (ECMP) | Distributes traffic across multiple network paths simultaneously, providing both load balancing and failover. |
Connect a VPC to a data center
Choose a connection method
Two methods are available: Express Connect (dedicated line) and IPsec-VPN. The right choice depends on your latency sensitivity, budget, and how quickly you need the connection.
| | Express Connect | VPN |
|---|---|---|
| Network latency | Low | Medium |
| Implementation time | Long (months) | Short |
| Total cost | High | Low |
| Security | High | Medium |
| Scalability | Low | High |
Decision guidance:
Choose Express Connect if your workloads are latency-sensitive, require high bandwidth (for example, large-scale data transfers or real-time financial transactions), or must avoid the public internet for compliance reasons.
Choose IPsec-VPN if you need a fast, flexible connection and can tolerate variable internet-based latency. VPN is also a cost-effective backup for Express Connect.
Use Express Connect
Express Connect provides internal-network-level communication quality: low latency, low packet loss rate, and high bandwidth.
How it works
Apply for a dedicated connection port and complete the physical wiring from your data center equipment to an Alibaba Cloud access point. This involves carrier surveys, circuit deployment, and cabling.
Create a Virtual Border Router (VBR) and an Express Connect Router (ECR) instance, then complete the logical connection to your VPC.
Express Connect circuit types
Two circuit types are available. Plan your timeline and budget before starting — the full process takes months.
| | Dedicated Express Connect circuit | Shared Express Connect circuit |
|---|---|---|
| How it works | Carrier builds a new circuit from your data center directly to an Alibaba Cloud access point | Carrier builds a new circuit from their access point to your data center; the carrier's access point-to-Alibaba Cloud segment is shared with other tenants |
| Estimated build time | 1–3 months | Within 1 month |
| Port ownership | Exclusively yours | Shared |
High availability
For production environments, use dual circuits and dual access points to protect against events such as accidental cable cuts. For non-critical workloads, pair Express Connect with an IPsec-VPN backup (active/standby) to reduce overall costs.
Because Express Connect traffic is unencrypted by default, industries with compliance requirements for in-transit encryption can layer a private VPN gateway on top of the Express Connect circuit. See Implement encrypted communication over an Express Connect circuit using a private VPN gateway.
Multi-VPC environments
In production, multiple VPCs typically need access to the same data center. Manual route configuration across many VPCs is error-prone. Attach your VPCs and ECR to a transit router (TR) and use Border Gateway Protocol (BGP) dynamic routing — route tables update automatically as your network topology changes.
Use IPsec-VPN
IPsec-VPN creates an encrypted tunnel over the public internet. Two deployment modes are available depending on whether you attach the IPsec connection to a VPN Gateway instance or to a transit router (TR).
| | Attach to VPN Gateway | Attach to transit router (TR) |
|---|---|---|
| Reachable destinations | Only the VPC where the VPN gateway is located | Any VPC and data center in Cloud Enterprise Network (CEN) through the TR |
| High availability | Active/standby tunnels | ECMP — both tunnels carry traffic simultaneously |
| Bandwidth expansion | Not supported | Supported — add more IPsec connections to increase aggregate throughput |
Attach to VPN Gateway
Each IPsec-VPN connection on a VPN Gateway includes two tunnels in active/standby mode. If the active tunnel fails, traffic automatically switches to the standby tunnel.
For enterprises that centralize internet traffic through a DMZ VPC, see Connect to a DMZ VPC through a VPN gateway (active/standby tunnels).
Attach to transit router (TR)
When an IPsec connection is attached to a transit router (TR), the two tunnels automatically form Equal-Cost Multipath Routing (ECMP) links. Both tunnels carry traffic at the same time. If one tunnel fails, traffic shifts to the other tunnel.
Enable ECMP on your on-premises gateway device to get full utilization of both tunnels.
Connect office terminals to a VPC
For remote access from laptops and mobile devices, use SSL-VPN. SSL-VPN supports mainstream desktop clients (Windows, Linux, macOS) and mobile clients (Android, iOS).
If your enterprise applications span both the cloud VPC and an on-premises data center, enable both IPsec-VPN and SSL-VPN on the same VPN Gateway instance. After the connections are established, both remote clients and the data center can reach the VPC and communicate with each other.
Connect a VPC to another cloud (multicloud)
Connecting to another cloud uses the same options as connecting to a data center. Treat the other cloud as a remote network and connect via Express Connect or IPsec-VPN.
The following examples use the Alibaba Cloud VPC–AWS VPC interconnection as a reference.
Use Express Connect
Use dual circuits and dual access points for redundancy.
In a multicloud environment with multiple VPCs on either side, attach your VPCs and ECR to a transit router (TR) and use BGP dynamic routing. Route tables update automatically as the network topology changes, eliminating manual configuration.
Use IPsec-VPN
Both Alibaba Cloud and AWS support dual-tunnel mode for IPsec-VPN connections. However, there is an important compatibility consideration: the two tunnels on the AWS side are associated with the same customer gateway by default, while the two tunnels on the Alibaba Cloud side use different IP addresses. This prevents one-to-one tunnel pairing.
To enable both Alibaba Cloud tunnels simultaneously, create two site-to-site VPN connections on AWS — each associated with a different customer gateway.
For multi-VPC environments, attach IPsec connections to a transit router (TR) and use BGP dynamic routing to simplify route management.
When Alibaba Cloud IPsec-VPN is attached to a transit router (TR), ECMP is enabled by default. Enable ECMP on the AWS side as well. If ECMP is not enabled on the AWS side, traffic from AWS to Alibaba Cloud must specify a connection, while traffic from Alibaba Cloud to AWS automatically selects a tunnel based on ECMP.
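To make the tunnel-pairing constraint above and the ECMP versus active/standby behaviour described in the IPsec-VPN sections concrete, the following Python model is an added illustration, not Alibaba Cloud or AWS code; the IP addresses and the `Tunnel`, `plan_aws_side`, `usable_tunnels` and `pick_tunnel` names are constructed for this example.

```python
"""Model of the dual-tunnel IPsec behaviour described on this page.

Added illustration, not Alibaba Cloud or AWS code. IP addresses are
constructed placeholders from the 203.0.113.0/24 documentation range.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Tunnel:
    alibaba_ip: str   # address of this tunnel on the Alibaba Cloud side
    aws_cgw_ip: str   # peer address the AWS customer gateway is configured with
    up: bool = True   # link health, used for failover


def plan_aws_side(alibaba_tunnel_ips: List[str], single_cgw: bool = False) -> List[Tunnel]:
    """Pair each Alibaba Cloud tunnel with an AWS customer gateway.

    single_cgw=True models the AWS default, where both tunnels of one
    site-to-site connection reference the same customer gateway; the fix
    described above (one connection per customer gateway) is single_cgw=False.
    """
    if single_cgw:
        shared = alibaba_tunnel_ips[0]
        return [Tunnel(ip, shared) for ip in alibaba_tunnel_ips]
    return [Tunnel(ip, ip) for ip in alibaba_tunnel_ips]


def usable_tunnels(tunnels: List[Tunnel]) -> List[Tunnel]:
    """A tunnel can negotiate only if AWS expects the address Alibaba Cloud
    actually uses for it, and the link is up."""
    return [t for t in tunnels if t.up and t.aws_cgw_ip == t.alibaba_ip]


def pick_tunnel(tunnels: List[Tunnel], flow: str, ecmp: bool = True) -> Optional[Tunnel]:
    """Choose the tunnel that carries one flow.

    ecmp=True spreads flows across all usable tunnels (transit router
    attachment); ecmp=False sends everything over the first usable tunnel
    (active/standby on a VPN Gateway, or the AWS side with ECMP disabled).
    The byte sum stands in for the 5-tuple hash a real router computes.
    """
    live = usable_tunnels(tunnels)
    if not live:
        return None
    if not ecmp:
        return live[0]
    return live[sum(flow.encode()) % len(live)]
```

With the default single customer gateway, `usable_tunnels` shows that only the Alibaba Cloud tunnel whose address AWS knows can come up; with one connection per customer gateway both are usable, and marking one `up = False` shows flows shifting to the survivor.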