Elastic Desktop Service (Enterprise Edition) separates responsibilities between two user roles and isolates cloud desktop traffic across three types of virtual private clouds (VPCs). This page explains both the service architecture and the network architecture, including how end users connect to cloud computers.
Service architecture
Two roles interact with Elastic Desktop Service (Enterprise Edition):
Administrators create and maintain cloud computers. They manage office networks (formerly workspaces), cloud computers, policies, images, networks, storage, enterprise applications, and cloud computer templates.
End users access cloud computers from Alibaba Cloud Workspace terminals.
Network architecture
Elastic Desktop Service (Enterprise Edition) uses three VPC types, all maintained by Alibaba Cloud:
| VPC type | Purpose |
|---|---|
| Management VPCs | Deploy management components, cloud computers, and other resources |
| Elastic Desktop Service VPCs | Deploy management components, cloud computers, and other resources |
| Office network VPCs | Provide secure office networks, created from the IPv4 CIDR blocks you specify when creating office networks |
Network connection
End users connect to cloud computers either over the Internet or over a VPC. The connection type is determined by the attributes you set when creating the office network where the cloud computers reside.
Choose a connection method
| | Internet | VPC |
|---|---|---|
| Use when | End users access cloud computers from locations with Internet connectivity | End users connect from on-premises offices over a private network |
| Requirement | Alibaba Cloud Workspace terminals must have Internet access | You must establish connectivity using Express Connect, Smart Access Gateway (SAG), or VPN Gateway |
| PrivateLink | Not applicable | Automatically activated; free of charge |
Access over the Internet
End users connect to cloud computers over Alibaba Cloud networks. Make sure that Alibaba Cloud Workspace terminals can access the Internet before deploying this option.
Access over VPCs
End users connect to cloud computers over office networks using a private network path. Use one of the following services to establish connectivity between your on-premises and off-premises networks: Express Connect, Smart Access Gateway (SAG), or VPN Gateway.
VPC connection relies on Alibaba Cloud PrivateLink, which establishes a private connection between your VPC and Alibaba Cloud services. PrivateLink is free of charge. If you select either "VPC" or "Internet and VPC" as the connection method when creating an office network, the system automatically activates PrivateLink.
If you activate Elastic Desktop Service (Enterprise Edition) using an Alibaba Cloud account on the China site (aliyun.com) in regions outside the Chinese mainland, or on the International site (alibabacloud.com) in regions within the Chinese mainland, business data may be transmitted to the geographic locations or regions you specified. Make sure you have the authority to manage that business data and can apply appropriate technologies and policies to protect it. Data transmission must comply with applicable legal regulations and must not violate relevant policies or include forbidden or confidential content.
If your operations may involve cross-border data transmission — for example, from the Chinese mainland to countries and regions outside the Chinese mainland, or between other countries and regions — consult legal or compliance professionals before proceeding. Cross-border data transmission must comply with applicable laws and regulations, including obtaining individual information permissions, completing required service agreements, and fulfilling any security assessment or other statutory obligations (if applicable).