You can establish network connectivity between Alibaba Cloud VPCs and your data centers, office terminals, or networks of other cloud providers using Express Connect and VPN Gateway.
Connect VPC to data center
Select a connection solution
There are two common connection solutions:
Express Connect: Connect your data center network to an Alibaba Cloud access point through a carrier's Express Connect circuit. Even when the two endpoints of the Express Connect circuit are far apart, it can still provide internal network-level communication quality with low latency, low packet loss rate, and high bandwidth.
VPN: Establish secure and reliable network connections between your data center and Alibaba Cloud VPC by creating encrypted tunnels over the Internet. The quality of VPN connections depends on Internet quality.
Connection method | Express Connect | VPN |
Network latency | Low | Medium |
Implementation time | Long | Short |
Total cost | High | Low |
Security | High | Medium |
Scalability | Low | High |
Using Express Connect
To connect your data center to Alibaba Cloud using Express Connect, you need to use the Express Connect product.
During the connection process, you need to perform the following operations:
Apply for a dedicated connection port and complete the connection over an Express Connect circuit from your data center equipment to Alibaba Cloud access point equipment. Express Connect circuits are categorized as dedicated or shared, involving carrier surveys, circuit deployment, and cabling work. The entire construction cycle is estimated in months, so we recommend planning your time and budget in advance.
Dedicated Express Connect circuit: The carrier adds a new circuit from your data center to an Alibaba Cloud access point, with an estimated construction cycle of 1 to 3 months. This circuit and the corresponding port are exclusively yours.
Shared Express Connect circuit: Some carriers establish connections to Alibaba Cloud access points in advance. Using a shared circuit requires the carrier to add a new circuit from the carrier's access point to your data center, with the entire construction cycle typically within 1 month. In this connection mode, the connection between the carrier's access point and the Alibaba Cloud access point is shared by multiple tenants.
Configure a virtual border router (VBR), Express Connect Router (ECR) instance, and complete the connection to the VPC.
Other recommendations:
To avoid network interruptions that might occur due to force majeure (such as accidental cutting of a circuit), you can use dual circuits and dual access points to improve the reliability of your Express Connect circuit. For non-critical workloads, you can consider using Express Connect + VPN as active/standby to reduce overall costs.
Because Express Connect traffic does not have an encryption mechanism by default, and some industries require sensitive data to be encrypted even when transmitted over Express Connect circuits due to security compliance policies, you can refer to: Implement encrypted communication over an Express Connect circuit using a private VPN gateway.
In production environments, multiple VPCs typically need to communicate with the data center, and VPCs also need to communicate with each other. Manual route configuration can be cumbersome, so you might consider a more convenient networking approach. You can connect VPCs and ECR to a transit router (TR) and use BGP dynamic routing to achieve efficient network interconnection. Dynamic routing automatically adjusts routing tables based on changes in network topology, reducing manual configuration workload and lowering the complexity of network configuration.
Using VPN connection
To connect your data center to Alibaba Cloud using VPN, we recommend using the IPsec-VPN product.
IPsec-VPN has two usage methods, with the following main differences:
Usage method | Attach to VPN Gateway | Attach to transit router (TR) |
Scenarios | The data center can only communicate with the VPC where the VPN gateway instance is located. | The data center can communicate with any VPC and other data centers in Cloud Enterprise Network (CEN) through a transit router (TR) instance. |
Method to achieve high availability with dual tunnels | Active/standby links | ECMP links ECMP (Equal-Cost Multipath Routing) distributes traffic across multiple paths simultaneously, achieving load balancing and link backup, improving network efficiency and reliability. |
Whether IPsec connection bandwidth can be expanded | No | Yes. You can create multiple IPsec connections and transmit traffic simultaneously through ECMP links, thereby indirectly expanding bandwidth. |
Attach to VPN Gateway
In the scenario where an IPsec connection is attached to a VPN gateway, the two tunnels function as active and standby. When one tunnel fails, traffic can be switched to the other tunnel.
In production environments, some enterprises design a separate DMZ VPC for unified Internet traffic control and security isolation. You can refer to this design for VPN cloud access: Connect to a DMZ VPC through a VPN gateway (active/standby tunnels).
Attach to transit router (TR)
In the scenario where an IPsec connection is attached to a transit router (TR), the two tunnels automatically form ECMP links. When the on-premises gateway device also enables ECMP, both tunnels transmit traffic. If one tunnel fails, traffic can be switched to the other tunnel.
Connect a VPC to another cloud (multicloud)
Connecting a VPC to other clouds is similar to connecting a VPC to a data center. You can treat other clouds as "special data centers" and use Express Connect or IPsec-VPN for connection to build a multicloud environment.
Take the interconnection between Alibaba Cloud VPC and AWS VPC as an example.
Connect to multiple clouds using Express Connect
We recommend using dual circuits and dual access points to improve the reliability of Express Connect circuits.
In a multicloud environment, multiple VPCs often need to communicate with each other, and manual route configuration can be cumbersome. You can connect VPCs and ECR to a transit router (TR) and use BGP dynamic routing to achieve efficient network interconnection. Dynamic routing automatically adjusts routing tables based on changes in network topology, reducing manual configuration workload and lowering the complexity of network configuration.
Connect to multiple clouds using IPsec-VPN
Both Alibaba Cloud and AWS platforms support dual-tunnel mode for IPsec-VPN connections. However, because the two tunnels on the AWS platform are associated with the same customer gateway by default, while the two tunnels on the Alibaba Cloud side have different IP addresses, the tunnels between the AWS platform and Alibaba Cloud cannot establish one-to-one connections.
To ensure that both tunnels of the IPsec-VPN connection on the Alibaba Cloud side are enabled simultaneously, you need to create two site-to-site VPN connections on the AWS platform, with each site-to-site VPN connection associated with a different customer gateway.
In a multicloud environment, multiple VPCs often need to communicate with each other, and manual route configuration can be cumbersome. You can attach IPsec connections to a transit router (TR) and use BGP dynamic routing to achieve efficient network interconnection. Dynamic routing automatically adjusts routing tables based on changes in network topology, reducing manual configuration workload and lowering the complexity of network configuration.
When Alibaba Cloud IPsec-VPN is attached to a transit router (TR), ECMP is enabled by default. We recommend that you also enable ECMP on the AWS side. If ECMP is not enabled on the AWS side, traffic from AWS to Alibaba Cloud needs to specify a connection, while traffic from Alibaba Cloud to AWS will automatically select a tunnel based on ECMP.
Connect office terminals to a VPC
To connect office terminals to an Alibaba Cloud VPC using a VPN connection, use the SSL-VPN product.
SSL-VPN supports mainstream desktop clients (Windows, Linux, macOS) and mobile clients (Android, iOS).
If some of your enterprise applications are also deployed in your data center, you can enable both IPsec-VPN and SSL-VPN features for a VPN gateway instance to connect both your data center and clients simultaneously.
After the connections are established, both clients and the data center can access the VPC, and clients and the data center can communicate with each other.
