Alibaba Cloud VPC Networking
Design VPC architectures with vSwitches, NAT gateways, CEN Transit Router, VPN Gateway, and network security best practices.
Prerequisites
- Basic understanding of networking concepts (CIDR, subnets, routing)
- Alibaba Cloud account with VPC permissions
Virtual Private Cloud (VPC) is the foundational networking service on Alibaba Cloud, providing logically isolated network environments where you deploy and interconnect your cloud resources. Every production workload on Alibaba Cloud starts with a VPC — ECS instances, RDS databases, SLB load balancers, ACK clusters, and most other services must be deployed within a VPC. Understanding VPC architecture is essential for building secure, scalable, and highly available applications.
Alibaba Cloud VPC is built on a software-defined networking (SDN) infrastructure powered by the Apsara network virtualization layer. This provides full isolation between customer VPCs at the network level — no traffic can cross VPC boundaries unless you explicitly configure peering, Transit Router, or VPN connections. Each VPC gets its own private IP address space (RFC 1918), route tables, and network ACLs, giving you complete control over your network topology.
This guide covers VPC design patterns, vSwitch planning, NAT gateways, security groups, VPC peering, Transit Router (CEN), hybrid connectivity with VPN Gateway and Express Connect, and best practices for multi-zone high availability.
VPC Architecture Fundamentals
A VPC on Alibaba Cloud consists of several key components that work together to provide a complete networking environment:
- VPC: The top-level container defining a private IP address space. You choose a CIDR block (e.g., 10.0.0.0/16, 172.16.0.0/12, or 192.168.0.0/16). A VPC is region-specific but spans all availability zones within that region.
- vSwitch: A subnet within a VPC, mapped to a specific availability zone. Each vSwitch has a CIDR block that is a subset of the VPC CIDR. Resources deployed in a vSwitch get private IP addresses from that vSwitch's CIDR range.
- Route Table: Controls traffic routing within the VPC. Each vSwitch is associated with exactly one route table (either the system default or a custom route table). Routes determine whether traffic goes to the internet (via NAT Gateway), to another VPC (via peering/CEN), or to on-premises (via VPN/Express Connect).
- Security Group: A stateful firewall that controls inbound and outbound traffic at the instance level. Functions similarly to AWS Security Groups. Each ECS instance must belong to at least one security group.
- Network ACL: An optional stateless firewall at the vSwitch level. Provides an additional layer of network filtering before traffic reaches security groups. Useful for implementing subnet-level deny rules.
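To make the route-table behaviour concrete, here is an added example (not part of the original guide and independent of any Alibaba Cloud SDK) that resolves a destination against a constructed route table using longest-prefix matching, and then checks that an isolated tier's route table carries no default route to a NAT gateway. The route tables, next-hop types and instance IDs are constructed for illustration; the next-hop names only stand in for the kinds of route the list above describes.

```python
import ipaddress

# Constructed route tables modelled on the three-tier layout used in this guide.
# Next-hop types stand in for the kinds of route the text lists: "local" for
# intra-VPC traffic, "NatGateway" for internet egress, "TransitRouter" for
# another VPC, "VpnGateway" for on-premises. Instance IDs are placeholders.
ROUTE_TABLES = {
    "app-rtb": [
        ("10.0.0.0/16", "local", "system"),
        ("0.0.0.0/0", "NatGateway", "ngw-placeholder"),
        ("192.168.0.0/16", "VpnGateway", "vpn-placeholder"),
        ("10.1.0.0/16", "TransitRouter", "tr-placeholder"),
    ],
    "db-rtb": [
        ("10.0.0.0/16", "local", "system"),
        ("10.1.0.0/16", "TransitRouter", "tr-placeholder"),
    ],
}


def lookup(route_table, dst_ip):
    """Longest-prefix match: the most specific matching route wins.

    Returns (next_hop_type, next_hop_id), or None when no route matches, which
    is what a packet from an isolated vSwitch gets for an internet destination.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, hop_type, hop_id in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_id)
    return None if best is None else (best[1], best[2])


def internet_egress_routes(route_table):
    """Routes that hand traffic to the internet: a default route via a NAT gateway."""
    return [r for r in route_table if r[0] == "0.0.0.0/0" and r[1] == "NatGateway"]


def check_isolated_tiers(route_tables, isolated):
    """Policy check: route tables of isolated tiers must carry no internet egress.

    Returns {table_name: [offending routes]}; an empty dict means the policy holds.
    """
    findings = {}
    for name in isolated:
        offending = internet_egress_routes(route_tables[name])
        if offending:
            findings[name] = offending
    return findings


if __name__ == "__main__":
    print(lookup(ROUTE_TABLES["app-rtb"], "8.8.8.8"))      # ('NatGateway', 'ngw-placeholder')
    print(lookup(ROUTE_TABLES["db-rtb"], "8.8.8.8"))       # None: no egress path
    print(check_isolated_tiers(ROUTE_TABLES, ["db-rtb"]))   # {}: policy holds
```

The same check is worth running against real route tables after every change: a default route added to the database tier's table for a one-off package install is the classic way an "isolated" vSwitch silently gains internet access.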
VPC CIDR Planning
Plan your VPC CIDR blocks carefully — they cannot be changed after creation (though you can add secondary CIDR blocks). Avoid using 100.64.0.0/10 as it is reserved for Alibaba Cloud internal services. If you plan to use VPC peering or CEN to connect multiple VPCs, ensure CIDR blocks do not overlap. A common pattern is to allocate /16 blocks per VPC and /24 blocks per vSwitch.
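Because a VPC CIDR cannot be changed later, it pays to validate the plan before running any CreateVpc or CreateVSwitch command. The following added example (not part of the original guide and not Alibaba Cloud tooling) encodes the rules above: RFC 1918 space only, no overlap with 100.64.0.0/10, every vSwitch inside the VPC block and disjoint from the others, each tier present in at least two zones, and no overlap with the VPCs you intend to peer or attach via CEN. The plan reuses the CIDRs and zones from the multi-zone layout in the next section; the peer VPC CIDRs are constructed.

```python
import ipaddress
from collections import defaultdict

# Rules from the text: RFC 1918 space only, stay clear of 100.64.0.0/10,
# vSwitch blocks inside the VPC block, no overlap with VPCs you will peer or attach.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALIBABA_RESERVED = ipaddress.ip_network("100.64.0.0/10")

# Constructed plan that reuses the CIDRs and zones from the multi-zone layout in this guide.
VPC_CIDR = "10.0.0.0/16"
VSWITCHES = [  # (name, cidr, zone, tier)
    ("web-vsw-a", "10.0.1.0/24", "cn-hangzhou-g", "web"),
    ("web-vsw-b", "10.0.2.0/24", "cn-hangzhou-h", "web"),
    ("app-vsw-a", "10.0.10.0/24", "cn-hangzhou-g", "app"),
    ("app-vsw-b", "10.0.11.0/24", "cn-hangzhou-h", "app"),
    ("db-vsw-a", "10.0.20.0/24", "cn-hangzhou-g", "db"),
    ("db-vsw-b", "10.0.21.0/24", "cn-hangzhou-h", "db"),
]
# CIDRs of other VPCs this VPC will peer with or share a Transit Router with (constructed).
PEER_VPC_CIDRS = {"shared-services": "10.1.0.0/16", "legacy": "10.0.128.0/17"}


def validate_plan(vpc_cidr, vswitches, peer_cidrs, min_zones=2):
    """Return a list of problems with the plan; an empty list means it is clean."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)  # strict by default: host bits must be zero
    if not any(vpc.subnet_of(block) for block in RFC1918):
        problems.append(f"VPC {vpc} is outside RFC 1918 space")
    if vpc.overlaps(ALIBABA_RESERVED):
        problems.append(f"VPC {vpc} overlaps reserved {ALIBABA_RESERVED}")

    seen = []
    zones_per_tier = defaultdict(set)
    for name, cidr, zone, tier in vswitches:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name} {net} overlaps {other_name} {other}")
        seen.append((name, net))
        zones_per_tier[tier].add(zone)

    # Multi-zone rule: every tier needs vSwitches in at least min_zones zones.
    for tier, zones in sorted(zones_per_tier.items()):
        if len(zones) < min_zones:
            problems.append(f"tier {tier} spans {len(zones)} zone(s), needs {min_zones}")

    # Overlapping VPC blocks cannot be routed across peering or a Transit Router.
    for peer, cidr in peer_cidrs.items():
        if vpc.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"VPC {vpc} overlaps peer VPC {peer} ({cidr})")
    return problems


if __name__ == "__main__":
    for problem in validate_plan(VPC_CIDR, VSWITCHES, PEER_VPC_CIDRS):
        print("PROBLEM:", problem)
```

With the constructed inputs the only finding is the "legacy" VPC, whose 10.0.128.0/17 sits inside 10.0.0.0/16: that VPC could never be attached to the same Transit Router without readdressing one side.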
Designing a Multi-Zone VPC
High availability on Alibaba Cloud requires distributing resources across multiple availability zones. A well-designed VPC creates vSwitches in at least two zones and deploys resources symmetrically across them:
# Create a production VPC
aliyun vpc CreateVpc \
--VpcName "prod-vpc" \
--CidrBlock "10.0.0.0/16" \
--Description "Production VPC with multi-AZ design"
# Create web tier vSwitches (public-facing)
aliyun vpc CreateVSwitch \
--VpcId vpc-bp1**** \
--VSwitchName "web-vsw-a" \
--CidrBlock "10.0.1.0/24" \
--ZoneId cn-hangzhou-g \
--Description "Web tier - Zone A"
aliyun vpc CreateVSwitch \
--VpcId vpc-bp1**** \
--VSwitchName "web-vsw-b" \
--CidrBlock "10.0.2.0/24" \
--ZoneId cn-hangzhou-h \
--Description "Web tier - Zone B"
# Create application tier vSwitches (private)
aliyun vpc CreateVSwitch \
--VpcId vpc-bp1**** \
--VSwitchName "app-vsw-a" \
--CidrBlock "10.0.10.0/24" \
--ZoneId cn-hangzhou-g
aliyun vpc CreateVSwitch \
--VpcId vpc-bp1**** \
--VSwitchName "app-vsw-b" \
--CidrBlock "10.0.11.0/24" \
--ZoneId cn-hangzhou-h
# Create database tier vSwitches (isolated)
aliyun vpc CreateVSwitch \
--VpcId vpc-bp1**** \
--VSwitchName "db-vsw-a" \
--CidrBlock "10.0.20.0/24" \
--ZoneId cn-hangzhou-g
aliyun vpc CreateVSwitch \
--VpcId vpc-bp1**** \
--VSwitchName "db-vsw-b" \
--CidrBlock "10.0.21.0/24" \
--ZoneId cn-hangzhou-h
NAT Gateway
NAT Gateway provides outbound internet access for resources in private vSwitches without exposing them to inbound internet traffic. It also supports DNAT (Destination NAT) rules for port forwarding inbound traffic to specific instances. Alibaba Cloud offers two NAT Gateway types:
- Enhanced NAT Gateway: The current generation with higher performance, session-level metrics, and support for multiple EIPs. Recommended for all new deployments.
- Standard NAT Gateway: Legacy NAT Gateway type, still supported but not recommended for new deployments.
# Create an Enhanced NAT Gateway
aliyun vpc CreateNatGateway \
--VpcId vpc-bp1**** \
--NatGatewayName "prod-nat" \
--NatType Enhanced \
--VSwitchId vsw-bp1**** \
--Spec Small
# Allocate an Elastic IP
aliyun vpc AllocateEipAddress \
--Bandwidth 100 \
--InternetChargeType PayByTraffic \
--InstanceChargeType PostPaid
# Associate EIP with NAT Gateway
aliyun vpc AssociateEipAddress \
--AllocationId eip-bp1**** \
--InstanceId ngw-bp1**** \
--InstanceType Nat
# Create SNAT entry for outbound internet access
aliyun vpc CreateSnatEntry \
--SnatTableId stb-bp1**** \
--SnatIp "47.xxx.xxx.xxx" \
--SourceVSwitchId vsw-bp1**** \
--SnatEntryName "app-tier-snat"
Server Load Balancer (SLB)
Alibaba Cloud Server Load Balancer distributes incoming traffic across multiple ECS instances to improve availability and scalability. SLB operates at two levels:
- Classic Load Balancer (CLB): Supports Layer 4 (TCP/UDP) and Layer 7 (HTTP/HTTPS) load balancing. Mature and widely deployed.
- Application Load Balancer (ALB): Next-generation Layer 7 load balancer with advanced routing rules, gRPC support, slow start, and integration with WAF and DDoS protection.
- Network Load Balancer (NLB): High-performance Layer 4 load balancer with millions of CPS (connections per second) and ultra-low latency.
For new deployments, use ALB for HTTP/HTTPS workloads and NLB for TCP/UDP workloads. CLB remains fully supported but ALB and NLB provide better performance, features, and integration with other Alibaba Cloud services.
VPC Peering and Cross-VPC Connectivity
When you need to connect multiple VPCs, Alibaba Cloud provides several options depending on your requirements:
Cloud Enterprise Network (CEN) with Transit Router
CEN is the recommended solution for connecting multiple VPCs, including cross-region and cross-account connectivity. CEN uses Transit Router as the hub for routing traffic between attached VPCs and on-premises networks. Key features include:
- Connect VPCs across different regions with automatic cross-region bandwidth allocation
- Connect VPCs from different Alibaba Cloud accounts
- Route table management with route policies for traffic steering
- Bandwidth package for inter-region traffic with guaranteed SLA
- Support for transitive routing between all attached networks
# Create a CEN instance
aliyun cbn CreateCen \
--Name "enterprise-network" \
--Description "Central network hub for all VPCs"
# Create a Transit Router in a region
aliyun cbn CreateTransitRouter \
--CenId cen-**** \
--RegionId cn-hangzhou \
--TransitRouterName "hangzhou-tr"
# Attach a VPC to the Transit Router
aliyun cbn CreateTransitRouterVpcAttachment \
--CenId cen-**** \
--TransitRouterId tr-**** \
--VpcId vpc-bp1**** \
--ZoneMappings '[{"ZoneId":"cn-hangzhou-g","VSwitchId":"vsw-bp1****"},{"ZoneId":"cn-hangzhou-h","VSwitchId":"vsw-bp2****"}]'
VPC Peering
For simple point-to-point connections between two VPCs in the same region, VPC Peering provides a lightweight alternative to CEN. Peering connections are non-transitive — if VPC A peers with VPC B and VPC B peers with VPC C, VPC A cannot reach VPC C through VPC B. For hub-and-spoke or mesh topologies, use CEN with Transit Router instead.
Hybrid Connectivity
Connecting your Alibaba Cloud VPC to on-premises data centers or other cloud providers requires hybrid connectivity solutions:
VPN Gateway
VPN Gateway creates encrypted IPsec tunnels over the public internet for secure connectivity between your VPC and on-premises networks. Supports both route-based and policy-based VPN configurations. Best for development environments, backup connectivity, and scenarios where Express Connect is not available.
Express Connect
Express Connect provides dedicated private connections between your on-premises data center and Alibaba Cloud VPC. Available through Alibaba Cloud partner network service providers or direct physical cross-connections at Alibaba Cloud data center locations. Express Connect offers guaranteed bandwidth, lower latency, and higher reliability compared to VPN over the public internet.
Smart Access Gateway (SAG)
SAG provides software-defined WAN capabilities for connecting branch offices, retail stores, and other distributed sites to your Alibaba Cloud network. SAG supports hardware appliances (SAG-1000, SAG-100WM) and software clients for remote access VPN.
Cross-Border Networking
Network traffic between mainland China regions and international regions is subject to cross-border data transfer regulations. CEN bandwidth packages for cross-border connections require compliance with Chinese cybersecurity laws. Consult Alibaba Cloud documentation and legal counsel before configuring cross-border network connectivity.
DNS and Domain Resolution
Alibaba Cloud provides two DNS services for different use cases:
- Alibaba Cloud DNS: Public authoritative DNS service for internet-facing domains. Supports A, AAAA, CNAME, MX, TXT, SRV, and other record types. Includes GeoDNS for geographic routing, weighted routing, and failover routing.
- PrivateZone: Private DNS service for VPC-internal name resolution. Create DNS zones that are only resolvable within specified VPCs. Essential for service discovery and microservice architectures within VPCs.
Network Security Best Practices
A defense-in-depth approach to VPC security involves multiple layers of controls:
- Security Groups: Apply the principle of least privilege. Create separate security groups for each tier (web, app, database) and only allow necessary traffic between tiers.
- Network ACLs: Use Network ACLs for subnet-level deny rules. For example, deny all traffic from specific IP ranges known for malicious activity.
- Flow Logs: Enable VPC Flow Logs to capture metadata about IP traffic in your VPC. Flow logs are delivered to SLS (Simple Log Service) for analysis and alerting.
- Private Endpoints: Use VPC Endpoints (PrivateLink) to access Alibaba Cloud services (OSS, RDS, SLS) over the private network instead of the public internet. This improves security and reduces data transfer costs.
- Anti-DDoS: Alibaba Cloud provides Anti-DDoS Basic (free, automatic) for all EIP and SLB instances. For enhanced protection, use Anti-DDoS Pro or Anti-DDoS Premium with dedicated scrubbing centers.
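Least privilege between tiers is easy to state and easy to erode. The added example below (not part of the original guide, and not an Alibaba Cloud tool) audits a set of constructed security groups against two rules: no inbound Accept rule may expose administrative or database ports to 0.0.0.0/0, and the app and database tiers may only accept traffic from the security group of the tier in front of them. The rule dictionaries are shaped like entries of the Permissions list returned by DescribeSecurityGroupAttribute; the field names are an assumption to check against your own account, and the group IDs are placeholders.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}
DATA_PORTS = {3306, 5432, 6379, 27017}

# Constructed security groups. Each rule is shaped like one entry of the
# Permissions list returned by DescribeSecurityGroupAttribute; the field names
# are an assumption to check against your account. Group IDs are placeholders.
SECURITY_GROUPS = {
    "sg-web": {"tier": "web", "rules": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    ]},
    "sg-app": {"tier": "app", "rules": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "8080/8080", "SourceGroupId": "sg-web"},
    ]},
    "sg-db": {"tier": "db", "rules": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "3306/3306", "SourceGroupId": "sg-app"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "3306/3306", "SourceCidrIp": "10.0.0.0/8"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    ]},
}
# Least-privilege intent: which groups may open connections into each tier.
ALLOWED_SOURCES = {"app": {"sg-web"}, "db": {"sg-app"}}


def port_set(port_range):
    """'lo/hi' -> set of ports; '-1/-1' (all ports) -> None."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return None if lo == -1 else set(range(lo, hi + 1))


def audit(groups, allowed_sources):
    """Return (group_id, finding) pairs for inbound Accept rules that break least privilege."""
    findings = []
    for sg_id, sg in groups.items():
        for rule in sg["rules"]:
            if rule["Direction"] != "ingress" or rule["Policy"] != "Accept":
                continue
            ports = port_set(rule["PortRange"])
            cidr = rule.get("SourceCidrIp")
            src_sg = rule.get("SourceGroupId")
            internet = cidr is not None and ipaddress.ip_network(cidr).prefixlen == 0
            if internet and ports is None:
                findings.append((sg_id, "all ports open to the internet"))
            elif internet and ports & ADMIN_PORTS:
                findings.append((sg_id, "admin port open to the internet"))
            elif internet and ports & DATA_PORTS:
                findings.append((sg_id, "database port open to the internet"))
            # Tier rule: only the designated upstream group may be the source.
            allowed = allowed_sources.get(sg["tier"])
            if allowed is not None and src_sg not in allowed:
                findings.append((sg_id, f"{sg['tier']} tier accepts from {src_sg or cidr}, "
                                        f"expected one of {sorted(allowed)}"))
    return findings


if __name__ == "__main__":
    for sg_id, finding in audit(SECURITY_GROUPS, ALLOWED_SOURCES):
        print(f"{sg_id}: {finding}")
```

Note that the 10.0.0.0/8 rule on the database group is flagged even though it is "internal": a CIDR source admits every future VPC that gets attached through CEN, whereas a security-group source keeps the allow tied to the app tier's membership.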
# Enable VPC Flow Logs
aliyun vpc CreateFlowLog \
--FlowLogName "prod-vpc-flowlog" \
--ResourceType VPC \
--ResourceId vpc-bp1**** \
--TrafficType All \
--ProjectName "network-logs" \
--LogStoreName "vpc-flow-logs" \
--Description "Flow logs for production VPC"
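Flow logs only pay off once something reads them. As an added example (not part of the original guide and not an SLS query or Alibaba Cloud tool), the script below runs two detections over constructed flow-log records: a source that was rejected on many distinct ports of one host, which is what a network sweep looks like from the vSwitch's point of view, and any accepted flow from outside the VPC into the database vSwitches, which should never occur with the tiered design above. The field names (srcaddr, dstaddr, dstport, protocol, action, packets) follow the VPC flow-log schema as delivered to SLS, but treat them as an assumption and map them to the fields in your own logstore; the addresses are documentation ranges, not real hosts.

```python
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
TIER_CIDRS = {"db": ipaddress.ip_network("10.0.20.0/23")}  # db-vsw-a + db-vsw-b from this guide


def rec(src, dst, dport, action, proto=6, packets=1):
    """Build one constructed flow-log record (field names assumed from the SLS schema)."""
    return {"srcaddr": src, "dstaddr": dst, "dstport": dport, "protocol": proto,
            "action": action, "packets": packets}


# Constructed records: one external host rejected on six ports of a web instance,
# normal HTTPS traffic, an app-to-db flow, and one accepted flow from the internet
# straight into the database tier (the finding we want to surface).
RECORDS = (
    [rec("203.0.113.9", "10.0.1.10", p, "Reject") for p in (21, 22, 23, 445, 3389, 3306)]
    + [rec("198.51.100.7", "10.0.1.10", 443, "Accept", packets=12)] * 2
    + [rec("10.0.10.5", "10.0.20.5", 3306, "Accept", packets=40)]
    + [rec("203.0.113.50", "10.0.20.5", 3306, "Accept", packets=3)]
)


def detect_port_probes(records, threshold=5):
    """Sources rejected on many distinct ports of one host (sweep-like behaviour).

    Returns {(srcaddr, dstaddr): sorted rejected ports} for pairs at or above threshold.
    """
    rejected = defaultdict(set)
    for r in records:
        if r["action"] == "Reject":
            rejected[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: sorted(ports) for pair, ports in rejected.items() if len(ports) >= threshold}


def detect_external_to_tier(records, tier_cidrs, vpc_cidr=VPC_CIDR):
    """Accepted flows from outside the VPC into a protected tier.

    Any hit means a security group, network ACL or route has let internet
    traffic reach a vSwitch that the design says is unreachable from outside.
    """
    hits = []
    for r in records:
        src = ipaddress.ip_address(r["srcaddr"])
        dst = ipaddress.ip_address(r["dstaddr"])
        if r["action"] != "Accept" or src in vpc_cidr:
            continue
        for tier, cidr in tier_cidrs.items():
            if dst in cidr:
                hits.append((tier, r))
    return hits


if __name__ == "__main__":
    for (src, dst), ports in detect_port_probes(RECORDS).items():
        print(f"probe: {src} -> {dst} rejected on ports {ports}")
    for tier, r in detect_external_to_tier(RECORDS, TIER_CIDRS):
        print(f"external -> {tier} tier: {r['srcaddr']} -> {r['dstaddr']}:{r['dstport']}")
```

In production the same two conditions are better expressed as SLS queries with alerts attached; the point of the script is the logic, which is the same whichever engine evaluates it.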
# Create a PrivateLink endpoint for OSS
aliyun privatelink CreateVpcEndpoint \
--ServiceName "com.aliyuncs.privatelink.cn-hangzhou.oss" \
--VpcId vpc-bp1**** \
--SecurityGroupId sg-bp1**** \
--Zone '[{"ZoneId":"cn-hangzhou-g","VSwitchId":"vsw-bp1****"}]'
Network Architecture Patterns
Common VPC architecture patterns on Alibaba Cloud include:
- Single VPC, Multi-Zone: The simplest pattern with one VPC spanning multiple AZs. Suitable for small to medium applications. Use separate vSwitches per AZ and tier.
- Hub-and-Spoke: A central shared-services VPC connected to multiple workload VPCs via CEN Transit Router. The hub VPC hosts shared resources like NAT gateways, VPN gateways, and monitoring infrastructure.
- Multi-Region Active-Active: Replicate VPC architecture across regions with Global Accelerator (GA) for intelligent traffic routing. Use CEN for private inter-region connectivity and GSLB (Global Server Load Balancing) for DNS-based failover.
- Hybrid Cloud: Extend on-premises networks into Alibaba Cloud using Express Connect or VPN Gateway. Use consistent IP addressing and DNS to provide seamless connectivity between on-premises and cloud resources.
Global Accelerator
Alibaba Cloud Global Accelerator (GA) leverages Alibaba's global backbone network to accelerate traffic from users to your applications. GA provides static anycast IP addresses that route users to the nearest Alibaba Cloud POP, then transports traffic over Alibaba's private network to your backend instances. This can reduce latency by 30-70% compared to routing over the public internet, especially for users in regions far from your deployment.
Key Takeaways
- VPCs are region-scoped with vSwitches mapping to specific availability zones for multi-AZ high availability.
- Cloud Enterprise Network (CEN) with Transit Router is the recommended solution for multi-VPC and cross-region connectivity.
- Enhanced NAT Gateway provides session-level metrics and higher performance than the standard gateway.
- VPC Flow Logs delivered to SLS enable network traffic analysis and security monitoring.
Frequently Asked Questions
Can I change a VPC CIDR block after creation?
What is the difference between CEN and VPC Peering?
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.