Alibaba Cloud provides a secure and scalable cloud network that supports fast connections between the cloud and data centers. You can use a virtual private cloud (VPC) to access the Internet, other VPCs, and data centers, tailoring networking solutions to your needs.
Internet access scenarios
Select the public IP address type
To enable Internet access for services deployed on an Elastic Compute Service (ECS) instance, you must configure a public IP address, which comes in two types:
Static IP: Assigned automatically when you create an ECS or Classic Load Balancer (CLB) instance. This IPv4 address can access and be accessed from the Internet, but it is fixed at creation time and can be released only together with the instance, so it cannot be unbound or moved to another instance.
Elastic IP (EIP): An EIP is an independent public IP address that can be dynamically associated with or dissociated from an instance, which makes management easier and more flexible. We recommend that you bind an EIP to the application server when you configure a public IP address.
Unified ingress Internet traffic
Using a single public IP on a single backend server to provide services can lead to a single point of failure (SPOF), compromising system availability.
Employ Server Load Balancer (SLB) to centralize ingress Internet traffic and connect backend servers across zones. This approach distributes traffic to different backend services, enhances service throughput, eliminates SPOFs, and boosts system availability.
Select an appropriate type of SLB: Application Load Balancer (ALB), Network Load Balancer (NLB), or Classic Load Balancer (CLB).
Unified egress Internet traffic
A public IP lets only the one server it is attached to reach the Internet, so every additional server would need its own public IP. Use the SNAT feature of Internet NAT Gateway instead: ECS instances in the VPC share the EIP associated with the NAT gateway, which saves addresses and keeps the instances themselves unreachable from the Internet.
Internet access control
When ECS instances provide services over the Internet, access control is essential to block unwanted or harmful traffic.
To control Internet access for ECS instances in a VPC centrally, consider the following options:
An IPv4 gateway handles public IPv4 traffic. Without one, any ECS instance that holds a public IP can reach the Internet on its own. After an IPv4 gateway is created and activated, Internet access from the VPC passes through the gateway, so you can control it centrally with the gateway and the route tables of the vSwitches (subnet routing).
An IPv6 gateway handles public IPv6 traffic. By default, an IPv6 address in a VPC can only communicate within the private network. To reach the Internet, enable IPv6 Internet bandwidth for the address on the IPv6 gateway. You can also configure an egress-only rule so that the address can initiate connections to the Internet but cannot be reached from the Internet.
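The following is an added example, not Alibaba Cloud code. It is a simplified model of the egress rules described above (direct public IP, SNAT through a NAT gateway, and an IPv4 gateway enforced through per-vSwitch route tables), not of how the platform actually forwards packets. All vSwitch IDs, gateway IDs and addresses are constructed for illustration. It shows why an unmanaged EIP on a database instance reaches the Internet while the IPv4 gateway is inactive, and is cut off once the gateway is active and the vSwitch has no default route.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RouteTable:
    """Route entries of one vSwitch: {destination CIDR: (next hop type, next hop ID)}."""
    entries: dict

    def lookup(self, dst):
        """Longest-prefix match. Returns (type, ID), or None when no entry covers dst."""
        addr = ipaddress.ip_address(dst)
        best = None
        for cidr, hop in self.entries.items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


@dataclass
class Vpc:
    cidr: str
    route_tables: dict       # vSwitch ID -> RouteTable
    instance_vswitch: dict   # instance private IP -> vSwitch ID it lives in
    public_ips: dict         # instance private IP -> static public IP or EIP bound to it
    snat_entries: dict       # vSwitch ID -> EIP associated with the Internet NAT gateway
    ipv4_gateway_active: bool = False


def egress(vpc, src, dst):
    """Decide how a packet from instance `src` to `dst` leaves the VPC.

    Returns (next hop, source address seen by the destination), or
    ("drop", reason) when the packet has no permitted path.
    """
    vsw = vpc.instance_vswitch.get(src)
    if vsw is None:
        return ("drop", "unknown source instance")
    if ipaddress.ip_address(dst) in ipaddress.ip_network(vpc.cidr):
        return ("local", src)
    # Uncontrolled path: with no active IPv4 gateway, any instance that holds a
    # public IP reaches the Internet on its own, regardless of subnet routing.
    if not vpc.ipv4_gateway_active and src in vpc.public_ips:
        return ("internet-direct", vpc.public_ips[src])
    hop = vpc.route_tables[vsw].lookup(dst)
    if hop is None:
        return ("drop", "no route in the vSwitch route table")
    kind, hop_id = hop
    if kind == "NatGateway":
        # SNAT: every instance in the vSwitch shares the NAT gateway's EIP
        eip = vpc.snat_entries.get(vsw)
        if eip is None:
            return ("drop", "no SNAT entry covers this vSwitch")
        return (hop_id, eip)
    if kind == "Ipv4Gateway":
        # The gateway forwards only for instances that hold a public IP
        if src not in vpc.public_ips:
            return ("drop", "no public IP bound to the instance")
        return (hop_id, vpc.public_ips[src])
    return (hop_id, src)  # other next hops (peering, CEN): private address is kept


def demo_vpc(ipv4_gateway_active=True):
    """Constructed VPC: the IDs and addresses below are made up for illustration."""
    return Vpc(
        cidr="10.0.0.0/16",
        route_tables={
            # application tier: egress only through the NAT gateway's shared EIP
            "vsw-app": RouteTable({"0.0.0.0/0": ("NatGateway", "ngw-1")}),
            # web tier: instances hold their own EIPs, steered through the IPv4 gateway
            "vsw-web": RouteTable({"0.0.0.0/0": ("Ipv4Gateway", "ipv4gw-1")}),
            # database tier: deliberately no default route
            "vsw-db": RouteTable({}),
        },
        instance_vswitch={
            "10.0.1.10": "vsw-app", "10.0.1.11": "vsw-app",
            "10.0.2.10": "vsw-web", "10.0.3.10": "vsw-db",
        },
        # the database instance was given an EIP without O&M being told
        public_ips={"10.0.2.10": "203.0.113.10", "10.0.3.10": "203.0.113.30"},
        snat_entries={"vsw-app": "203.0.113.100"},
        ipv4_gateway_active=ipv4_gateway_active,
    )


if __name__ == "__main__":
    for active in (False, True):
        vpc = demo_vpc(active)
        print(f"IPv4 gateway active={active}")
        for src in ("10.0.1.10", "10.0.1.11", "10.0.2.10", "10.0.3.10"):
            print(f"  {src} -> 198.51.100.5: {egress(vpc, src, '198.51.100.5')}")
```

Both application instances leave through the same EIP (203.0.113.100), which is the address-saving and exposure-reducing effect of SNAT; the database instance's stray EIP only works while the IPv4 gateway is inactive.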
Select an appropriate cloud resource or feature from the following table based on your business requirements. The features and strengths are summarized as follows:
Scenario | Product | Description | Strengths and limits
--- | --- | --- | ---
Public IP for application server | Static IP | A public IP address is assigned when you create an ECS instance. The system automatically assigns an address that can access and be accessed from the Internet. | Use the Data Transfer Plan to reduce Internet costs. A static public IP cannot be detached from the ECS instance, but it can be converted into an EIP.
Public IP for application server | EIP | A cloud resource can access the Internet after an EIP is associated with it. | EIPs can be dynamically attached to and detached from ECS instances. Use Internet Shared Bandwidth and Data Transfer Plan to reduce Internet costs.
Ingress Internet traffic | SLB | Use an Internet-facing SLB instance as the single traffic ingress. Traffic is distributed to multiple backend servers to form an elastic, highly available application system. | SLB distributes traffic to ECS instances to extend the service capacity of application systems and increases availability by eliminating SPOFs. ECS instances cannot actively access the Internet through SLB.
Egress Internet traffic | Internet NAT Gateway | When multiple ECS instances in a VPC need to access the Internet, use the SNAT feature of the NAT gateway. | An EIP can be associated with only one cloud resource for Internet communication. Multiple ECS instances can access the Internet through the EIP associated with the Internet NAT Gateway, which simplifies management and reduces the risk of exposing internal resources.
Internet access control | IPv4 gateway | Use route tables to steer Internet traffic through the IPv4 gateway, reducing the risk that comes from scattered, unmanaged Internet access. | Resources in a VPC can communicate with the Internet as soon as they are associated with a public IPv4 address, and in some cases that access is not overseen by the O&M department (for example, a business department binds public IPs to ECS instances without informing O&M). Using an IPv4 gateway to control Internet access centrally reduces this risk.
Connect VPCs
Connect two VPCs
To quickly connect two VPCs and build a secure network, VPC peering connection is recommended.
VPC peering connection enables private communication between two VPCs in the same or different regions and under the same or different accounts. After you create the peering connection, add route entries in both the requester VPC and the accepter VPC that point the other VPC's CIDR block at the peering connection; if only one side has a route, return traffic has no path back.
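As an added example (not Alibaba Cloud code, and not an API call), the check below validates a peering plan before the route entries are created: the two VPCs' CIDR blocks must not overlap, and each side must have a route entry for every CIDR block of the other side whose next hop is the peering connection. The VPC IDs, CIDR blocks and the connection ID `pcc-1` are constructed for illustration; the next-hop type label `VpcPeer` is an assumption of this model.

```python
import ipaddress


def peering_preflight(requester, accepter, peer_id):
    """Check a planned VPC peering between `requester` and `accepter`.

    Each VPC is a dict: {"id": ..., "cidrs": [CIDR, ...],
                         "routes": {destination CIDR: (next hop type, next hop ID)}}.
    Returns a list of problems; an empty list means the plan is consistent.
    """
    problems = []
    req_nets = [ipaddress.ip_network(c) for c in requester["cidrs"]]
    acc_nets = [ipaddress.ip_network(c) for c in accepter["cidrs"]]

    # Overlapping CIDR blocks cannot be routed between: the same address would
    # exist on both sides of the connection.
    for a in req_nets:
        for b in acc_nets:
            if a.overlaps(b):
                problems.append(f"overlapping CIDR blocks {a} and {b}")

    # Each side needs a route to every CIDR block of the other side whose next
    # hop is this peering connection; without it, replies have no path back.
    for side, remote_nets in ((requester, acc_nets), (accepter, req_nets)):
        for net in remote_nets:
            hop = side["routes"].get(str(net))
            if hop is None:
                problems.append(f"{side['id']}: no route entry for {net}")
            elif hop != ("VpcPeer", peer_id):
                problems.append(
                    f"{side['id']}: route to {net} points at {hop}, "
                    f"not the peering connection {peer_id}"
                )
    return problems


def example_plan(accepter_route=True, accepter_cidr="10.1.0.0/16"):
    """Constructed plan: VPC and connection IDs are made up for illustration."""
    requester = {"id": "vpc-a", "cidrs": ["10.0.0.0/16"],
                 "routes": {accepter_cidr: ("VpcPeer", "pcc-1")}}
    accepter = {"id": "vpc-b", "cidrs": [accepter_cidr], "routes": {}}
    if accepter_route:
        accepter["routes"]["10.0.0.0/16"] = ("VpcPeer", "pcc-1")
    return requester, accepter


if __name__ == "__main__":
    print("complete plan:", peering_preflight(*example_plan(), "pcc-1"))
    print("accepter route missing:",
          peering_preflight(*example_plan(accepter_route=False), "pcc-1"))
    print("overlapping blocks:",
          peering_preflight(*example_plan(accepter_cidr="10.0.128.0/17"), "pcc-1"))
```

Run it against the two VPCs' actual route tables before creating entries; the most common failure in practice is the missing accepter-side route, which leaves the connection established but unusable.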
Connect multiple VPCs
Businesses operating in extensive cloud computing environments usually manage numerous VPCs that carry critical operations across various locations. They can use Cloud Enterprise Network (CEN) to create a network architecture and establish fast, secure connections among these VPCs.
This enables efficient resource sharing, flexible scheduling, data synchronization and application migration across regions and accounts in a multi-cloud environment. This solution significantly reduces network management complexity and enhances operational efficiency.
CEN connects instances and routes traffic in the same region or across regions through transit routers. After you connect a VPC to a transit router, routes are automatically synchronized. Each region supports only one transit router, and you must connect transit routers for cross-region connections. When you plan to connect VPCs in different regions, create a CEN and employ Enterprise Edition transit routers.
A visual monitoring feature is available on the CEN console for you to learn about the network status and enhance O&M efficiency.
Secure access to VPCs in a region
To expose a service deployed in one VPC to other VPCs, use PrivateLink. It needs no public egress such as a NAT gateway or EIP, and traffic never crosses the Internet, which gives better data security and network quality. PrivateLink establishes a secure, stable connection between the VPC that hosts the endpoint and the VPC that hosts the endpoint service, simplifying the network architecture and removing Internet-induced security risks.
Select a solution based on your business needs and scenarios. For more information, see Overview of VPC connections.
Scenario | Feature | Description | Strengths and limits
--- | --- | --- | ---
Connect two VPCs | VPC peering connection | Enables communication between two VPCs across regions and accounts. | Low network latency. Low cost, with no charge for intra-region connections. Does not support route propagation. Configuration and management become complex at scale.
Connect multiple VPCs | CEN | Enables fast and secure connection among multiple VPCs across regions and accounts. | Supports route propagation. Fast connection among VPCs in different regions. Systematic management with high O&M efficiency. Low-latency transmission. Connection redundancy and disaster recovery. Connects networks through nearby access points.
Access VPCs in a region | PrivateLink | Connects the VPC where the endpoint is located with the VPC where the endpoint service is located through an endpoint connection. | Low network latency. Independent networks for service providers and consumers, improving reliability. Secure and controllable: source authentication is enforced through security group rules and endpoint policies. Simple management without complex routing or security configuration. Flexible cross-account and cross-VPC access. Flow logs monitor and analyze inbound and outbound traffic of the endpoint elastic network interface (ENI), keeping network communication transparent and managed. Does not support inter-region connections.
Hybrid cloud
To select an appropriate solution to connect networks such as data centers to a VPC and build a hybrid cloud, you must consider network performance, data security, cost-effectiveness, and scalability.
Highly available hybrid cloud
Express Connect is the recommended choice in the following scenarios that require highly available connections between data centers and VPCs:
When you perform large-scale data migration or frequent data synchronization between data centers and VPCs, Express Connect circuits shorten the time required for data transmission.
When critical operations in data centers demand high availability, provisioning Express Connect circuits through multiple access points provides redundancy and disaster recovery while scaling with demand.
Simple hybrid cloud
IPsec-VPN connections run over the Internet, so their latency and availability depend on the Internet.
For scenarios with less stringent latency requirements, use VPN Gateway to connect data centers, office networks, and Internet clients to Alibaba Cloud through encrypted tunnels.
VPN Gateway offers two connection types: IPsec-VPN for site-to-site connections between data centers or office networks and VPCs, and SSL-VPN for individual clients that connect to a VPC over the Internet.
Enterprise-level hybrid cloud
For large, complex network architectures, CEN facilitates unified management and monitoring of globally distributed resources, enhancing O&M efficiency. CEN enables connectivity between multiple clouds and between cloud and on-premises networks, creating a flexible hybrid cloud architecture that meets varied business requirements.
Choose an appropriate solution based on your business needs and scenarios. The features and advantages are summarized as follows:
Scenario | Product | Description | Strengths and limits
--- | --- | --- | ---
Highly available hybrid cloud | Express Connect | Connects on-premises data centers and VPCs over an Express Connect circuit. | Low network latency because traffic is carried over the connectivity providers' backbone networks instead of the Internet. High communication quality and secure connections. Long construction period and high cost.
Simple hybrid cloud | VPN Gateway | Establishes IPsec-VPN connections between on-premises data centers and VPCs, and SSL-VPN connections between local clients and VPCs. | Highly available connection at a low cost. Higher latency because traffic is forwarded over the Internet.
Enterprise-level hybrid cloud | CEN | Connects the virtual border router (VBR) associated with the data centers to the CEN instance, then connects multiple instances such as VPCs and VBRs to the CEN instance to build an enterprise-level network. | Supports route propagation. Fast connection of networks across regions. Systematic management with high O&M efficiency. Low-latency transmission. Connection redundancy and disaster recovery. Connects networks through nearby access points.