{"id":31,"date":"2026-04-12T14:22:11","date_gmt":"2026-04-12T14:22:11","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-virtual-private-cloud-vpc-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/"},"modified":"2026-04-12T14:22:11","modified_gmt":"2026-04-12T14:22:11","slug":"alibaba-cloud-virtual-private-cloud-vpc-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-virtual-private-cloud-vpc-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/","title":{"rendered":"Alibaba Cloud Virtual Private Cloud (VPC) Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking and CDN"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Networking and CDN<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Virtual Private Cloud (VPC)<\/strong> is the foundational networking service that lets you build an isolated, customizable private network in the cloud. It is where you define IP ranges, subnets, routing, and connectivity boundaries for almost every workload you run on Alibaba Cloud.<\/p>\n\n\n\n<p>In simple terms: <strong>a VPC is your private network in Alibaba Cloud<\/strong>. You pick a CIDR block (for example, <code>10.0.0.0\/16<\/code>), create one or more subnets (Alibaba Cloud calls them <strong>vSwitches<\/strong>), and then place resources like ECS instances, RDS databases (in a VPC), and load balancers into those subnets. You decide what can talk to what, and how traffic enters or leaves.<\/p>\n\n\n\n<p>Technically, Virtual Private Cloud (VPC) is a <strong>regional<\/strong> networking construct that provides <strong>layer-3 isolation, route control, and connectivity primitives<\/strong>. 
It integrates with other Networking and CDN services such as <strong>Elastic IP Address (EIP)<\/strong>, <strong>NAT Gateway<\/strong>, <strong>VPN Gateway<\/strong>, <strong>Express Connect<\/strong>, and <strong>Cloud Enterprise Network (CEN)<\/strong> to support internet egress\/ingress, hybrid connectivity, and multi-VPC architectures.<\/p>\n\n\n\n<p>The problem it solves is straightforward but critical: <strong>running secure, segmented, controllable networks in the cloud<\/strong>\u2014without losing the agility of on-demand infrastructure. VPC helps you replace flat, unsafe networks with well-designed network boundaries, routing, and access control that match real security and operations requirements.<\/p>\n\n\n\n<blockquote>\n<p>Service status\/naming: <strong>\u201cVirtual Private Cloud (VPC)\u201d is the current, active Alibaba Cloud service name<\/strong> and the standard network container for VPC-based resources. If any feature name or availability differs by region, <strong>verify in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Virtual Private Cloud (VPC)?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Alibaba Cloud Virtual Private Cloud (VPC) is designed to provide a <strong>logically isolated private network<\/strong> in Alibaba Cloud where you can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define your own IP address ranges (CIDR blocks)<\/li>\n<li>Create subnets (<strong>vSwitches<\/strong>) in specific zones<\/li>\n<li>Control routing between subnets and to external networks<\/li>\n<li>Connect to the internet, other VPCs, or on-premises networks using dedicated connectivity services<\/li>\n<\/ul>\n\n\n\n<p>Official documentation entry point:<br\/>\nhttps:\/\/www.alibabacloud.com\/help\/en\/vpc<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (what you can do)<\/h3>\n\n\n\n<p>At a practical level, Virtual Private Cloud (VPC) enables:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Network isolation<\/strong> between environments (prod\/dev), business units, or tenants<\/li>\n<li><strong>Subnetting<\/strong> across zones for high availability<\/li>\n<li><strong>Routing control<\/strong> with route tables and route entries<\/li>\n<li><strong>Private connectivity<\/strong> to other networks (VPC peering, CEN, Express Connect) and <strong>encrypted tunnels<\/strong> (VPN Gateway)<\/li>\n<li><strong>Controlled internet access<\/strong> (commonly via EIP + NAT Gateway patterns)<\/li>\n<li><strong>Network-level policy controls<\/strong> at two layers: <strong>security groups<\/strong> attached to ECS instances (workload level) and <strong>network ACLs<\/strong> bound to vSwitches (subnet level); verify regional availability of network ACLs in the docs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (mental model)<\/h3>\n\n\n\n<p>The key pieces you will work with most often:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Component<\/th>\n<th>What it is<\/th>\n<th>Scope<\/th>\n<th>Why you care<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>VPC<\/td>\n<td>The top-level private network container with a CIDR block<\/td>\n<td><strong>Region<\/strong><\/td>\n<td>Isolation boundary and routing domain<\/td>\n<\/tr>\n<tr>\n<td>vSwitch<\/td>\n<td>A subnet inside a VPC, created in a specific zone<\/td>\n<td><strong>Zone<\/strong><\/td>\n<td>Determines IP ranges, AZ placement, HA design<\/td>\n<\/tr>\n<tr>\n<td>Route table<\/td>\n<td>Set of route entries associated with vSwitches<\/td>\n<td>VPC-level object associated to vSwitches<\/td>\n<td>Controls traffic paths between subnets and gateways<\/td>\n<\/tr>\n<tr>\n<td>EIP<\/td>\n<td>Public IP that can be associated to certain resources<\/td>\n<td>Regional (billing\/management)<\/td>\n<td>Enables inbound\/outbound internet connectivity<\/td>\n<\/tr>\n<tr>\n<td>NAT Gateway<\/td>\n<td>Managed SNAT\/DNAT for VPC egress\/ingress<\/td>\n<td>Region\/VPC<\/td>\n<td>Centralized internet access without public IP per host<\/td>\n<\/tr>\n<tr>\n<td>VPN Gateway<\/td>\n<td>Managed IPsec VPN connectivity<\/td>\n<td>Region\/VPC<\/td>\n<td>Encrypted on-prem \u2194 VPC connectivity<\/td>\n<\/tr>\n<tr>\n<td>Express Connect<\/td>\n<td>Dedicated private connectivity (leased line)<\/td>\n<td>Regional access points<\/td>\n<td>Hybrid connectivity with predictable performance<\/td>\n<\/tr>\n<tr>\n<td>CEN<\/td>\n<td>Global network for connecting multiple VPCs<\/td>\n<td>Global service<\/td>\n<td>Multi-region, multi-VPC hub-and-spoke connectivity<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<blockquote>\n<p>Note: Some items above (EIP, NAT Gateway, VPN Gateway, CEN, Express Connect) are separate products that integrate tightly with VPC. 
This tutorial treats them as related services, not as part of the VPC control plane itself.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Service type and scope<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service type:<\/strong> Foundational networking service (control plane + network constructs)<\/li>\n<li><strong>Scope:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>VPC is regional<\/strong><\/li>\n<li><strong>vSwitch is zonal<\/strong> (created in a specific zone within a region)<\/li>\n<li>Many associated resources are regional and attached to a specific VPC<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>Virtual Private Cloud (VPC) sits at the center of Alibaba Cloud infrastructure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compute (ECS), managed Kubernetes (ACK), and many managed data services run <strong>inside a VPC<\/strong><\/li>\n<li>Load balancing (Server Load Balancer family), WAF, and CDN typically front-end traffic but route to VPC resources<\/li>\n<li>Observability and governance tools (ActionTrail, CloudMonitor, Log Service\/SLS) help audit and operate the network<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Virtual Private Cloud (VPC)?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce risk<\/strong> by isolating workloads and controlling exposure<\/li>\n<li><strong>Support compliance<\/strong> with segmentation, audit trails, and network policy enforcement<\/li>\n<li><strong>Enable hybrid cloud<\/strong> adoption (connect to on-prem via VPN\/Express Connect)<\/li>\n<li><strong>Standardize environments<\/strong> (repeatable patterns for dev\/test\/prod)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need <strong>private IP addressing<\/strong> and predictable network boundaries<\/li>\n<li>You need <strong>multiple subnets<\/strong> across zones for HA<\/li>\n<li>You want <strong>fine control of traffic paths<\/strong> using route tables<\/li>\n<li>You require <strong>private connectivity<\/strong> to managed services (for example, RDS in a VPC, PrivateLink patterns\u2014verify for your region)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Easier to apply consistent <strong>naming\/tagging<\/strong>, change management, and audit<\/li>\n<li>Cleaner <strong>troubleshooting<\/strong>: controlled routes and segmented subnets reduce blast radius<\/li>\n<li>Works naturally with infrastructure-as-code workflows (Terraform, etc.\u2014verify provider support\/version)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforces <strong>network isolation<\/strong> between applications and environments<\/li>\n<li>Supports patterns like <strong>private-only databases<\/strong>, jump hosts, and centralized NAT egress<\/li>\n<li>Integrates with audit logging (ActionTrail) and monitoring (CloudMonitor; VPC Flow Logs where available\u2014verify)<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use multiple vSwitches across zones to scale horizontally<\/li>\n<li>Avoid per-instance public IP management by using NAT Gateway patterns<\/li>\n<li>Design network segmentation to support large microservice estates<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Virtual Private Cloud (VPC) when you need:\n&#8211; Production-grade isolation and subnetting\n&#8211; Multi-tier architecture (web\/app\/db separation)\n&#8211; Hybrid connectivity\n&#8211; Multi-region or multi-VPC network topology (typically with CEN)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>You might avoid custom VPC design (or keep it minimal) if:\n&#8211; You only need quick proof-of-concepts and can accept default networking (still typically a VPC)\n&#8211; Your team cannot operate networking safely (CIDR planning, routing, firewall rules)\n&#8211; You require features that depend on region availability and cannot validate them (always check docs)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Virtual Private Cloud (VPC) used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Finance and fintech (segmentation, compliance, controlled egress)<\/li>\n<li>E-commerce and gaming (scale-out web tiers, DDoS\/WAF front doors into VPC)<\/li>\n<li>SaaS and B2B platforms (multi-environment isolation, tenant segmentation)<\/li>\n<li>Manufacturing\/IoT (hybrid connectivity to plants, OT network bridging via VPN\/Express Connect)<\/li>\n<li>Media and streaming (CDN at edge, origin services in VPC)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud platform teams (landing zone\/network baseline)<\/li>\n<li>DevOps\/SRE (standardized VPC modules, controlled egress)<\/li>\n<li>Security engineering (segmentation and audit)<\/li>\n<li>Application teams (deploy workloads into approved subnets)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Web applications (public entry, private app\/db layers)<\/li>\n<li>APIs and microservices (service mesh\/ACK in private subnets)<\/li>\n<li>Data platforms (ingestion, ETL, analytics with private endpoints)<\/li>\n<li>CI\/CD runners and build farms (controlled outbound access)<\/li>\n<li>Bastion\/jump host designs and private administration<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Two-tier and three-tier apps<\/li>\n<li>Hub-and-spoke multi-VPC networks<\/li>\n<li>Hybrid networks with on-prem routing<\/li>\n<li>Multi-region active\/active or active\/passive networks (often with CEN)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> multi-zone vSwitches, strict routing, least-privilege access, controlled egress, audit logs<\/li>\n<li><strong>Dev\/test:<\/strong> smaller CIDRs, 
fewer subnets, simplified routes, cost-optimized NAT\/EIP usage, still isolated from prod<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Alibaba Cloud Virtual Private Cloud (VPC) is the correct starting point.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Three-tier web application network<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Separate public web entry from private app and database layers.<\/li>\n<li><strong>Why VPC fits:<\/strong> You can place tiers into separate vSwitches, control routes, and restrict access.<\/li>\n<li><strong>Example:<\/strong> Internet users hit SLB \u2192 ECS web tier \u2192 ECS app tier \u2192 ApsaraDB RDS in private vSwitch.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Private database with zero internet exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Database must never be reachable from the public internet.<\/li>\n<li><strong>Why VPC fits:<\/strong> Put DB in a private vSwitch; only allow app tier private CIDR access.<\/li>\n<li><strong>Example:<\/strong> RDS in VPC + security group rules restricting inbound to app subnet only.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Centralized outbound internet via NAT Gateway<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Many private servers need outbound updates without public IPs.<\/li>\n<li><strong>Why VPC fits:<\/strong> NAT Gateway provides SNAT for private instances.<\/li>\n<li><strong>Example:<\/strong> Private ECS instances download OS updates via NAT Gateway SNAT.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Hybrid connectivity (on-prem to VPC) using VPN Gateway<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Need encrypted connectivity from office\/DC to cloud workloads.<\/li>\n<li><strong>Why VPC 
fits:<\/strong> VPN Gateway terminates IPsec VPN into the VPC routing domain.<\/li>\n<li><strong>Example:<\/strong> Corporate network accesses private ERP on ECS in VPC over IPsec.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Dedicated hybrid connectivity using Express Connect<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Low-latency, stable bandwidth for critical systems.<\/li>\n<li><strong>Why VPC fits:<\/strong> Express Connect brings private circuits into VPC, avoiding internet variability.<\/li>\n<li><strong>Example:<\/strong> Payment processing system connects to on-prem HSM network via Express Connect.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Multi-VPC, multi-region connectivity with Cloud Enterprise Network (CEN)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Multiple VPCs across regions must communicate with predictable routing.<\/li>\n<li><strong>Why VPC fits:<\/strong> VPC is the basic domain; CEN interconnects them at scale.<\/li>\n<li><strong>Example:<\/strong> Global SaaS: China region VPC \u2194 Singapore region VPC \u2194 EU region VPC via CEN.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Environment isolation: dev\/test\/prod separation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Avoid dev systems accidentally reaching production databases.<\/li>\n<li><strong>Why VPC fits:<\/strong> Separate VPCs and restrict interconnect routes.<\/li>\n<li><strong>Example:<\/strong> Prod VPC not peered with Dev VPC; shared services via controlled hub VPC.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Secure administration using a bastion (jump host) pattern<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Admin access must be centralized and logged.<\/li>\n<li><strong>Why VPC fits:<\/strong> Place private instances without EIP; access only through bastion in a controlled 
subnet.<\/li>\n<li><strong>Example:<\/strong> Bastion ECS has EIP + strict SSH allowlist; private ECS accessible only from bastion subnet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Kubernetes (ACK) cluster networking baseline<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Need predictable network segmentation for nodes and services.<\/li>\n<li><strong>Why VPC fits:<\/strong> ACK clusters typically run inside a VPC\/vSwitch design.<\/li>\n<li><strong>Example:<\/strong> Separate vSwitches for worker nodes across zones; private container registry access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Controlled inbound publishing using EIP + SLB<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Expose an API endpoint without giving every backend server a public IP.<\/li>\n<li><strong>Why VPC fits:<\/strong> Front with SLB; backends stay private.<\/li>\n<li><strong>Example:<\/strong> EIP attached to SLB; backend ECS only has private IPs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Multi-tenant SaaS network segmentation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Strong tenant isolation at network layer.<\/li>\n<li><strong>Why VPC fits:<\/strong> Use multiple VPCs (or carefully segmented vSwitches) per tenant and central services via hub.<\/li>\n<li><strong>Example:<\/strong> Per-tenant VPC; shared logging\/monitoring in a shared-services VPC via CEN.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Migration landing zone for data center workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Lift-and-shift requires IP planning, subnet mapping, and routing.<\/li>\n<li><strong>Why VPC fits:<\/strong> VPC CIDR planning mirrors on-prem networks; connectivity via VPN\/Express Connect.<\/li>\n<li><strong>Example:<\/strong> Extend on-prem IP scheme into VPC, gradually cut over services.<\/li>\n<\/ul>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<p>This section focuses on <strong>current, commonly used<\/strong> Virtual Private Cloud (VPC) capabilities and tightly related networking functions that you will design with. If a feature is region-limited, <strong>verify in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 VPC creation with custom CIDR<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you define your private address space (for example, <code>10.0.0.0\/16<\/code>).<\/li>\n<li><strong>Why it matters:<\/strong> CIDR planning drives everything: subnet layout, future expansion, peering\/CEN routing, and overlap avoidance.<\/li>\n<li><strong>Practical benefit:<\/strong> Predictable IP allocation and simpler security rules.<\/li>\n<li><strong>Caveats:<\/strong> In many clouds, the <strong>primary CIDR cannot be changed after creation<\/strong>; some platforms allow adding secondary CIDRs\u2014<strong>verify in Alibaba Cloud VPC docs for your region<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 vSwitches (subnets) per zone<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Creates subnets inside the VPC, tied to a specific zone.<\/li>\n<li><strong>Why it matters:<\/strong> Zone placement affects availability and latency; multi-zone subnet design supports HA.<\/li>\n<li><strong>Practical benefit:<\/strong> Place redundant app tiers in different zones.<\/li>\n<li><strong>Caveats:<\/strong> A vSwitch is zonal; you cannot \u201cmove\u201d it between zones\u2014create a new one and migrate resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Route tables and route entries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Controls how traffic is routed within a VPC and to gateways\/attachments.<\/li>\n<li><strong>Why it matters:<\/strong> Correct routing is 
essential for hybrid, NAT, and multi-VPC networks.<\/li>\n<li><strong>Practical benefit:<\/strong> Implement hub-and-spoke, private-only tiers, and selective connectivity.<\/li>\n<li><strong>Caveats:<\/strong> Misconfigured routes can blackhole traffic or create asymmetric routing. Always validate route priority and next-hop targets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Internet connectivity patterns (EIP, NAT Gateway)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enables inbound and\/or outbound internet connectivity for VPC resources.<\/li>\n<li><strong>Why it matters:<\/strong> VPCs are private by default; public exposure must be deliberate.<\/li>\n<li><strong>Practical benefit:<\/strong> Use EIP for controlled inbound, NAT Gateway for shared outbound.<\/li>\n<li><strong>Caveats:<\/strong> Internet egress has cost and security implications (bandwidth billing, data transfer, egress control).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 VPC Peering Connection (where available)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Directly connects two VPCs to route private traffic between them.<\/li>\n<li><strong>Why it matters:<\/strong> Useful for simple two-VPC designs or environment separation with controlled sharing.<\/li>\n<li><strong>Practical benefit:<\/strong> Low-latency private routing without transiting the internet.<\/li>\n<li><strong>Caveats:<\/strong> Peering does not automatically provide transitive routing. 
For many-VPC designs, CEN is often more scalable\u2014verify your topology requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 Cloud Enterprise Network (CEN) integration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Connects VPCs across regions and accounts with centralized routing.<\/li>\n<li><strong>Why it matters:<\/strong> Enterprises often require multi-region networks and shared services.<\/li>\n<li><strong>Practical benefit:<\/strong> Scales beyond point-to-point peering meshes.<\/li>\n<li><strong>Caveats:<\/strong> CEN introduces its own routing and billing model; plan route propagation and segmentation carefully.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Hybrid connectivity: VPN Gateway and Express Connect integration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Connects on-premises networks to VPC using IPsec VPN (VPN Gateway) or dedicated circuits (Express Connect).<\/li>\n<li><strong>Why it matters:<\/strong> Many organizations need hybrid networks for identity, data, or gradual migration.<\/li>\n<li><strong>Practical benefit:<\/strong> Access private cloud resources from on-prem without exposing them publicly.<\/li>\n<li><strong>Caveats:<\/strong> VPN throughput\/availability depends on gateway SKU and design; Express Connect involves provisioning lead time and operational processes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.8 Security boundaries: security groups (workload-level) and network ACLs (subnet-level)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enforces allowed inbound\/outbound traffic.<\/li>\n<li><strong>Why it matters:<\/strong> Network access control is one of the top failure points in cloud security.<\/li>\n<li><strong>Practical benefit:<\/strong> Implement least privilege at multiple layers.<\/li>\n<li><strong>Caveats:<\/strong> Security groups are typically attached to compute\/network 
interfaces (for example ECS ENIs) and are stateful. A network ACL is bound to a vSwitch and evaluates inbound and outbound rules independently, so return traffic needs its own rule. Network ACL availability and behavior can be region-specific\u2014<strong>verify in VPC docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.9 IPv6 support (where available)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Adds IPv6 addressing alongside IPv4.<\/li>\n<li><strong>Why it matters:<\/strong> IPv6 adoption, large address space, and future-proofing.<\/li>\n<li><strong>Practical benefit:<\/strong> Public-facing services or internal-only IPv6 segments.<\/li>\n<li><strong>Caveats:<\/strong> An IPv6 address in a VPC is private until you enable internet access for it through an IPv6 gateway, and IPv6 behavior depends on region and integrated services (SLB, NAT, etc.). <strong>Verify compatibility<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.10 Observability: VPC Flow Logs (where available), CloudMonitor, ActionTrail<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides network telemetry and audit trails.<\/li>\n<li><strong>Why it matters:<\/strong> You can\u2019t secure or troubleshoot what you can\u2019t see.<\/li>\n<li><strong>Practical benefit:<\/strong> Detect unexpected egress, diagnose reachability issues, and support incident response.<\/li>\n<li><strong>Caveats:<\/strong> Flow log availability, fields, and destinations (for example Log Service\/SLS) depend on the product implementation\u2014<strong>verify in docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">7.1 High-level architecture<\/h3>\n\n\n\n<p>Virtual Private Cloud (VPC) is primarily a <strong>control-plane service<\/strong> where you define:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IP addressing (CIDR)<\/li>\n<li>Subnets (vSwitches)<\/li>\n<li>Routing (route tables)<\/li>\n<li>Attachments\/connectivity (EIP\/NAT\/VPN\/CEN\/Express Connect integrations)<\/li>\n<\/ul>\n\n\n\n<p>Resources (ECS, RDS, SLB, ACK nodes, etc.) are deployed into vSwitches. 
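<\/p>

<p>The model just listed (a CIDR carved into vSwitches, and a route table deciding next hops) as a small worked example added here; it is not code from the original page or from Alibaba Cloud. It uses only the Python standard library and treats the VPC as data: one function carves the VPC CIDR into a vSwitch per tier and zone, one checks the plan against ranges the VPC will later be connected to, one resolves a destination the way a route table does (longest prefix wins), and one audits a private tier against the rules this page gives (no EIP on the host, egress only through the NAT gateway). Every CIDR, zone and tier name, and next-hop label such as <code>nat-gateway<\/code> is a constructed sample value, not a real resource ID or an API next-hop type.<\/p>

```python
"""Address plan and route lookup for a VPC, standard library only.

Added example, not code from the original page or from Alibaba Cloud. The
VPC CIDR, zone and tier names, external ranges and next-hop labels below are
constructed sample values (hypothetical), not real resource IDs and not the
next-hop type strings of the VPC API.
"""
import ipaddress

# Sample inputs (constructed for this example).
VPC_CIDR = "10.0.0.0/16"
ZONES = ["zone-a", "zone-b"]
TIERS = ["web", "app", "db"]
# Networks this VPC will later be joined to (VPN, Express Connect, peering, CEN).
# The second one deliberately collides with the plan below.
EXTERNAL_CIDRS = ["192.168.0.0/16", "10.0.4.0/22"]


def plan_vswitches(vpc_cidr, zones, tiers, prefix=24):
    """Carve one vSwitch per (tier, zone) pair out of the VPC CIDR.

    Allocation is deterministic (tier-major, zone-minor), so the same inputs
    always give the same plan; that predictability is what keeps security
    rules readable later.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    free = vpc.subnets(new_prefix=prefix)
    plan = {}
    try:
        for tier in tiers:
            for zone in zones:
                plan[f"{tier}-{zone}"] = next(free)
    except StopIteration:
        needed = len(tiers) * len(zones)
        raise ValueError(f"{vpc_cidr} cannot hold {needed} /{prefix} vSwitches") from None
    return plan


def overlaps(plan, external_cidrs):
    """List (vswitch name, external CIDR) pairs whose ranges overlap.

    Every hit must be resolved before the VPC is connected to that network:
    an overlapping prefix cannot be routed unambiguously over VPN, Express
    Connect, peering or CEN.
    """
    hits = []
    for name, net in plan.items():
        for ext in external_cidrs:
            if net.overlaps(ipaddress.ip_network(ext)):
                hits.append((name, ext))
    return hits


def next_hop(route_table, dst_ip):
    """Longest-prefix match over (destination CIDR, next-hop label) entries.

    The most specific entry containing dst_ip wins, whatever order the
    entries were added in. None means no entry matches: a blackhole.
    """
    dst = ipaddress.ip_address(dst_ip)
    entries = [(ipaddress.ip_network(cidr), hop) for cidr, hop in route_table]
    for net, hop in sorted(entries, key=lambda e: e[0].prefixlen, reverse=True):
        if dst in net:
            return hop
    return None


def audit_private_tier(route_table, has_eip):
    """Findings for a tier that must be reachable only privately.

    Rules: no EIP on the host, and internet-bound traffic leaves only via the
    shared NAT gateway. Each returned string is one violation.
    """
    findings = []
    egress = next_hop(route_table, "203.0.113.10")  # any public address (TEST-NET-3)
    if egress is None:
        findings.append("no default route: outbound updates are blackholed")
    elif egress != "nat-gateway":
        findings.append(f"default route goes to {egress}, not the NAT gateway")
    if has_eip:
        findings.append("host has an EIP: directly exposed, bypasses central egress")
    return findings


# Sample route table for the app/db vSwitches (constructed). Labels stand in
# for the gateway or peer object you would pick in the console.
PRIVATE_ROUTE_TABLE = [
    (VPC_CIDR, "local"),                     # intra-VPC traffic (system route)
    ("0.0.0.0/0", "nat-gateway"),            # central SNAT egress
    ("192.168.0.0/16", "vpn-gateway"),       # on-prem over IPsec
    ("192.168.10.0/24", "express-connect"),  # one on-prem site over a dedicated line
]


if __name__ == "__main__":
    plan = plan_vswitches(VPC_CIDR, ZONES, TIERS)
    for name, net in plan.items():
        print(f"{name:12} {net}")
    print("overlaps:", overlaps(plan, EXTERNAL_CIDRS))
    for ip in ("10.0.3.7", "192.168.10.9", "192.168.20.1", "203.0.113.10"):
        print(ip, "via", next_hop(PRIVATE_ROUTE_TABLE, ip))
    print("findings:", audit_private_tier(PRIVATE_ROUTE_TABLE, has_eip=False))
```

<p>Run it as a script to print the plan, the overlap check and four lookups. The overlap hit on the two <code>db<\/code> vSwitches is intentional: it is the situation that has to be reconciled before a VPN, Express Connect or CEN attachment is built, because neither side can then tell which <code>10.0.4.0\/24<\/code> a packet is for. The lookup rule, most specific prefix wins, is the one to keep in mind when reading a real route table: the <code>\/24<\/code> Express Connect entry beats the <code>\/16<\/code> VPN entry for one site even though both are listed.<\/p>

<p>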
Traffic then follows route tables and policy enforcement points (security groups, ACLs, gateway rules).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7.2 Control flow vs data flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control flow:<\/strong> You create\/modify VPCs, vSwitches, route tables, and gateway attachments via Alibaba Cloud console, API, or CLI. These changes are logged in <strong>ActionTrail<\/strong> (audit) if enabled.<\/li>\n<li><strong>Data flow:<\/strong> Actual packets traverse Alibaba Cloud\u2019s internal network fabric according to your route entries and network policy. Data-plane troubleshooting uses reachability testing, security group review, and flow logs (if enabled).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.3 Integrations with related services<\/h3>\n\n\n\n<p>Common integrations for VPC designs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ECS (Elastic Compute Service):<\/strong> Instances get private IPs in a vSwitch; security groups govern traffic.<\/li>\n<li><strong>Server Load Balancer (SLB family):<\/strong> Public or private load balancers distribute traffic to backend ECS\/ENIs in a VPC.<\/li>\n<li><strong>ApsaraDB RDS \/ other managed data services:<\/strong> Usually deployed inside VPC and reachable via private IP endpoints.<\/li>\n<li><strong>NAT Gateway:<\/strong> Provides SNAT\/DNAT for private subnets.<\/li>\n<li><strong>VPN Gateway \/ Express Connect:<\/strong> Hybrid connectivity into VPC routing.<\/li>\n<li><strong>CEN:<\/strong> Multi-region\/multi-VPC connectivity.<\/li>\n<li><strong>CloudMonitor \/ Log Service (SLS) \/ ActionTrail:<\/strong> Monitoring, logging, and audit.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.4 Dependency services<\/h3>\n\n\n\n<p>VPC itself is foundational and doesn\u2019t require many dependencies, but your design will depend on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Zones and regions<\/strong> (availability and placement)<\/li>\n<li><strong>EIP bandwidth billing model<\/strong><\/li>\n<li><strong>Gateways<\/strong> (NAT\/VPN\/Express Connect) depending on internet\/hybrid needs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.5 Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identity management uses <strong>RAM (Resource Access Management)<\/strong> users\/roles and policies.<\/li>\n<li>API\/console operations should be performed with least privilege: scope RAM policies to the VPC actions and resources a role actually needs (the system policies AliyunVPCFullAccess and AliyunVPCReadOnlyAccess are coarse starting points, not an end state).<\/li>\n<li>Use <strong>ActionTrail<\/strong> for audit logs of network changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.6 Networking model (practical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC provides private addressing and internal routing.<\/li>\n<li>vSwitch defines subnet boundaries and zone placement.<\/li>\n<li>Route tables determine next hops for specific destination CIDRs (for example to NAT gateway, peering, VPN).<\/li>\n<li>Internet connectivity is usually achieved via <strong>EIP association<\/strong> (directly to a resource) and\/or <strong>NAT gateway<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.7 Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Turn on <strong>ActionTrail<\/strong> early for auditing who changed routes, security groups, or gateways.<\/li>\n<li>Use <strong>CloudMonitor<\/strong> for resource health and alarms.<\/li>\n<li>Use <strong>flow logging<\/strong> (where available) to investigate denied\/allowed traffic patterns.<\/li>\n<li>Adopt tags and naming standards; enforce them with governance processes (Resource Directory\/permissions if used).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (learning view)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[User on Internet] --&gt;|HTTPS| SLB[\"Server Load Balancer (Public)\"]\n  SLB --&gt; ECS1[\"ECS Web\/App\"]\n  ECS1 --&gt; RDS[(RDS in VPC)]\n  ECS1 --&gt;|Outbound| NAT[NAT Gateway]\n  NAT --&gt;|SNAT| NET[Internet]\n\n  subgraph VPC[\"Virtual Private Cloud (VPC) - Region\"]\n    subgraph Z1[Zone A]\n      VS1[vSwitch A]\n      ECS1\n    end\n    subgraph Z2[Zone B]\n      VS2[vSwitch B]\n      RDS\n    end\n    RT[Route Table]\n  end\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (enterprise view)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  Internet((Internet)) --&gt; WAF[\"WAF \/ Edge Security (optional)\"]\n  WAF --&gt; SLBpub[\"Public SLB (ALB\/CLB\/NLB)\"]\n  SLBpub --&gt;|Private traffic| WebASG[\"Web Tier (ECS\/ACK nodes)&lt;br&gt;Multi-zone\"]\n  WebASG --&gt; AppTier[\"App Tier (ECS\/ACK)&lt;br&gt;Private subnets\"]\n  AppTier --&gt; DB[(\"RDS\/PolarDB&lt;br&gt;Private subnet\")]\n  AppTier --&gt; Cache[(\"Cache Service&lt;br&gt;Private subnet\")]\n  AppTier --&gt; SLS[(\"Log Service \/ SLS\")]\n  AppTier --&gt; OSS[(\"OSS via private access pattern&lt;br&gt;verify availability\")]\n  WebASG --&gt; NATGW[\"NAT Gateway (central egress)\"]\n  NATGW --&gt; Internet\n\n  OnPrem[On-Prem DC] --&gt;|IPsec| VPNGW[VPN Gateway]\n  OnPrem --&gt;|Dedicated| EC[Express Connect]\n  VPNGW --&gt; HubVPC\n  EC --&gt; HubVPC\n\n  subgraph CEN[\"Cloud Enterprise Network (optional)\"]\n    HubVPC[\"Hub VPC&lt;br&gt;(shared services)\"]\n    Spoke1[Spoke VPC - Prod]\n    Spoke2[Spoke VPC - Dev]\n  end\n\n  HubVPC --&gt; Spoke1\n  HubVPC --&gt; Spoke2\n\n  subgraph Spoke1VPC[\"Prod VPC (Region)\"]\n    WebASG\n    AppTier\n    DB\n    Cache\n    NATGW\n    SLBpub\n  end\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account and billing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Alibaba Cloud account<\/strong> with billing enabled (Pay-As-You-Go is fine for labs).<\/li>\n<li>If you are in an organization, confirm you can create networking resources in the target account.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM (RAM)<\/h3>\n\n\n\n<p>You need permissions to create and manage:\n&#8211; VPC, vSwitch, route tables\/routes\n&#8211; EIP (if used)\n&#8211; ECS instances and security groups (for the lab)\n&#8211; NAT Gateway (optional, not required for the minimal lab)\n&#8211; ActionTrail\/CloudMonitor permissions if you enable auditing\/alarms<\/p>\n\n\n\n<p>If your organization uses RAM best practices:\n&#8211; Use a <strong>RAM user<\/strong> or role with least privilege.\n&#8211; Avoid using the root account for daily operations.<\/p>\n\n\n\n<p>RAM overview (official):<br\/>\nhttps:\/\/www.alibabacloud.com\/help\/en\/ram<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud console access (web UI)<\/li>\n<li>Optional: <strong>Alibaba Cloud CLI<\/strong> (<code>aliyun<\/code>) for automation<br\/>\n  CLI docs entry point: https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose a region that supports ECS and EIP. 
Most regions do.<\/li>\n<li>Some features (flow logs, IPv6, certain gateway SKUs) can be region-specific\u2014<strong>verify in official VPC docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC-related quotas exist (number of VPCs per region, vSwitches per VPC, route entries, EIPs, etc.).<\/li>\n<li>Check <strong>Quota Center<\/strong> in the console and request increases if needed.<br\/>\n  Quota Center docs: https:\/\/www.alibabacloud.com\/help\/en\/quota-center<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services for the hands-on lab<\/h3>\n\n\n\n<p>This tutorial\u2019s lab will use:\n&#8211; Virtual Private Cloud (VPC)\n&#8211; ECS (for test instances)\n&#8211; EIP (for controlled internet access to one instance)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<blockquote>\n<p>Pricing is region-dependent and product\/SKU-dependent. Do not rely on fixed numbers from blogs. 
Always confirm in the official pricing pages and calculator.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">9.1 Pricing model (what you pay for)<\/h3>\n\n\n\n<p><strong>Virtual Private Cloud (VPC)<\/strong> itself is commonly a foundational service and may not have a standalone hourly fee, but your total network cost is usually driven by <strong>attached services and traffic<\/strong>:<\/p>\n\n\n\n<p><strong>Common billable dimensions in VPC-based designs:<\/strong>\n&#8211; <strong>EIP<\/strong>\n  &#8211; Public IP allocation\/association\n  &#8211; Bandwidth billing model (bandwidth-based or data transfer-based, depending on region and configuration)\n&#8211; <strong>Internet data transfer<\/strong>\n  &#8211; Outbound traffic is typically the primary driver\n&#8211; <strong>NAT Gateway<\/strong>\n  &#8211; Gateway instance\/spec charges\n  &#8211; Data processing charges (varies by product model\u2014verify pricing)\n&#8211; <strong>VPN Gateway<\/strong>\n  &#8211; Gateway SKU\/hourly charges\n  &#8211; Traffic charges (model varies\u2014verify)\n&#8211; <strong>Express Connect<\/strong>\n  &#8211; Port fees, bandwidth, and cross-connect\/line costs\n&#8211; <strong>CEN<\/strong>\n  &#8211; Inter-region bandwidth packages and\/or data transfer charges (verify current model)\n&#8211; <strong>Load balancers<\/strong>\n  &#8211; SLB instance\/spec and LCU-like metrics (varies by load balancer type\u2014verify)\n&#8211; <strong>Logging\/monitoring<\/strong>\n  &#8211; Log Service (SLS) ingestion\/storage if you enable flow logs or detailed telemetry<\/p>\n\n\n\n<p>Official starting points:\n&#8211; VPC product page: https:\/\/www.alibabacloud.com\/product\/vpc\n&#8211; Alibaba Cloud Pricing Calculator: https:\/\/www.alibabacloud.com\/pricing\/calculator<\/p>\n\n\n\n<p>For EIP\/NAT\/VPN\/CEN pricing, use the relevant product pricing pages from Alibaba Cloud and confirm per-region pricing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.2 Free 
tier<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud sometimes offers free trials or credits depending on account type and region.<\/li>\n<li><strong>Do not assume a VPC free tier covers EIP bandwidth or NAT gateways.<\/strong> Always check your account\u2019s offers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.3 Top cost drivers (practical)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Outbound internet traffic<\/strong> (especially high-throughput applications)<\/li>\n<li><strong>Always-on public endpoints<\/strong> (EIP, public SLB)<\/li>\n<li><strong>Central NAT gateways<\/strong> for large fleets<\/li>\n<li><strong>Inter-region connectivity<\/strong> (CEN bandwidth\/data transfer)<\/li>\n<li><strong>Logging<\/strong> (flow logs to SLS at high volume)<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">9.4 Hidden\/indirect costs to watch<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>NAT Gateway as a \u201csmall\u201d dependency<\/strong>: teams create it \u201cjust for updates\u201d and forget it runs 24\/7.<\/li>\n<li><strong>Public bandwidth sizing<\/strong>: overprovisioning EIP\/SLB bandwidth can cost more than expected.<\/li>\n<li><strong>Cross-zone or cross-region traffic<\/strong>: patterns that look \u201cinternal\u201d might still incur charges depending on product\/region policy\u2014verify.<\/li>\n<li><strong>Log ingestion<\/strong>: flow logs at scale can be expensive without sampling\/filters.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.5 How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer <strong>private-only backends<\/strong>; expose only load balancers or API gateways publicly.<\/li>\n<li>Use <strong>NAT Gateway<\/strong> strategically:\n<ul>\n<li>If you only need a single admin host public, consider a single EIP on a bastion rather than public IPs everywhere.<\/li>\n<\/ul>\n<\/li>\n<li>Right-size public bandwidth; use CDN where appropriate to reduce origin egress.<\/li>\n<li>Use flow logs 
selectively (only critical subnets or during investigations).<\/li>\n<li>For multi-region, consider whether you truly need always-on inter-region bandwidth.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.6 Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n<p>A minimal learning environment typically includes:\n&#8211; 1 small ECS instance (pay-as-you-go)\n&#8211; 1 EIP with low bandwidth cap\n&#8211; 1 VPC + 1 vSwitch (generally not a direct billed line item)<\/p>\n\n\n\n<p>Your main costs are usually the <strong>ECS instance<\/strong> and <strong>EIP bandwidth\/egress<\/strong>. Use the calculator to estimate, then set a budget alert.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.7 Example production cost considerations<\/h3>\n\n\n\n<p>For a production VPC architecture, expect:\n&#8211; At least one public entry (public SLB + WAF) and multiple private subnets\n&#8211; NAT gateways for private fleets (patching, external APIs)\n&#8211; Hybrid connectivity (VPN\/Express Connect) and possibly CEN for multi-region\n&#8211; Logging (ActionTrail, SLS, flow logs) and monitoring alarms<\/p>\n\n\n\n<p>In production, network egress and always-on gateway services often become a meaningful part of the bill\u2014measure and optimize early.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Build a secure, minimal Alibaba Cloud Virtual Private Cloud (VPC) environment with:\n&#8211; One VPC and one vSwitch\n&#8211; One ECS instance in the VPC\n&#8211; One EIP for controlled admin access\n&#8211; Security group rules that minimize exposure\n&#8211; Basic connectivity validation and safe cleanup<\/p>\n\n\n\n<p>This lab is designed to be <strong>beginner-friendly<\/strong>, <strong>low-cost<\/strong>, and <strong>practical<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. 
Create a VPC and vSwitch in a chosen region\/zone\n2. Create a security group with least-privilege inbound rules\n3. Launch an ECS instance into the vSwitch\n4. Allocate and associate an EIP to the ECS instance\n5. Validate SSH access and outbound connectivity\n6. Clean up all resources to stop billing<\/p>\n\n\n\n<blockquote>\n<p>Notes:\n&#8211; Screens and exact menu labels in the console can change. Follow the closest matching options.\n&#8211; If any option differs in your region\/account, <strong>verify in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Choose a region and plan CIDR<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Pick a region and define a non-overlapping RFC1918 CIDR range.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Decide a region (for example, one close to your users).<\/li>\n<li>Choose a VPC CIDR. Example:\n   &#8211; VPC CIDR: <code>10.10.0.0\/16<\/code>\n   &#8211; vSwitch CIDR: <code>10.10.1.0\/24<\/code><\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have a CIDR plan that won\u2019t conflict with on-prem or other VPCs you might connect later.<\/p>\n\n\n\n<p><strong>Common mistakes:<\/strong>\n&#8211; Picking a CIDR that overlaps with corporate networks (<code>10.0.0.0\/8<\/code> is often used internally). 
Overlap complicates VPN\/CEN routing.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create the VPC<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Create the Virtual Private Cloud (VPC) container.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Alibaba Cloud console, search for <strong>VPC<\/strong> and open <strong>Virtual Private Cloud<\/strong>.<\/li>\n<li>Select the correct <strong>region<\/strong>.<\/li>\n<li>Click <strong>Create VPC<\/strong>.<\/li>\n<li>Set:\n   &#8211; <strong>VPC Name:<\/strong> <code>lab-vpc<\/code>\n   &#8211; <strong>IPv4 CIDR Block:<\/strong> <code>10.10.0.0\/16<\/code>\n   &#8211; (Optional) <strong>Resource Group \/ Tags:<\/strong> add <code>env=lab<\/code><\/li>\n<\/ol>\n\n\n\n<p>Create the VPC.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> A new VPC named <code>lab-vpc<\/code> exists in your chosen region.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; In the VPC list, confirm <code>lab-vpc<\/code> shows the CIDR <code>10.10.0.0\/16<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create a vSwitch (subnet)<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Create a zonal subnet in the VPC.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the VPC console, open <code>lab-vpc<\/code>.<\/li>\n<li>Go to <strong>vSwitch<\/strong> (or <strong>Subnets<\/strong>) and click <strong>Create vSwitch<\/strong>.<\/li>\n<li>Set:\n   &#8211; <strong>Name:<\/strong> <code>lab-vsw-a<\/code>\n   &#8211; <strong>Zone:<\/strong> choose one zone (for example, Zone A)\n   &#8211; <strong>CIDR block:<\/strong> <code>10.10.1.0\/24<\/code><\/li>\n<\/ol>\n\n\n\n<p>Create the vSwitch.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> A vSwitch exists with addresses <code>10.10.1.0\/24<\/code>.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Confirm the vSwitch is in the intended <strong>zone<\/strong> and associated with 
<code>lab-vpc<\/code>.<\/p>\n\n\n\n<p><strong>Common mistakes:<\/strong>\n&#8211; Creating the vSwitch in a different zone than planned for your ECS instance, then being unable to select it during ECS creation.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a security group (least privilege)<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Allow SSH only from your IP, and allow outbound access.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open <strong>ECS<\/strong> console \u2192 <strong>Security Groups<\/strong>.<\/li>\n<li>Create a security group in the same <strong>region<\/strong> and <strong>VPC<\/strong>.<\/li>\n<li>Name it: <code>lab-sg<\/code><\/li>\n<li>Configure inbound rules:\n   &#8211; Allow <strong>SSH (TCP 22)<\/strong> from <strong>your public IP<\/strong> only (example: <code>203.0.113.10\/32<\/code>)\n   &#8211; (Optional) Allow <strong>HTTP (TCP 80)<\/strong> from your IP if you plan to test a web server<\/li>\n<li>Configure outbound rules:\n   &#8211; Default outbound allow is common; if you restrict outbound, ensure DNS\/HTTP\/HTTPS are allowed for updates.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> Security group exists and is attached later to ECS.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Confirm inbound rules do <strong>not<\/strong> include <code>0.0.0.0\/0<\/code> for SSH.<\/p>\n\n\n\n<p><strong>Common mistakes and fixes:<\/strong>\n&#8211; <strong>Mistake:<\/strong> SSH allowed from <code>0.0.0.0\/0<\/code>.<br\/>\n<strong>Fix:<\/strong> Restrict to your IP or a corporate NAT range.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Launch an ECS instance into the VPC\/vSwitch<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Create a small VM inside your VPC subnet.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>ECS Instances<\/strong> \u2192 <strong>Create Instance<\/strong>.<\/li>\n<li>Choose:\n   &#8211; 
Billing: <strong>Pay-As-You-Go<\/strong> (for the lab)\n   &#8211; Region: same as VPC\n   &#8211; Network: select <strong>VPC<\/strong> = <code>lab-vpc<\/code>\n   &#8211; vSwitch: <code>lab-vsw-a<\/code>\n   &#8211; Security group: <code>lab-sg<\/code><\/li>\n<li>Select an OS image (for example, <strong>Alibaba Cloud Linux<\/strong> or <strong>Ubuntu<\/strong>).<\/li>\n<li>Choose an instance type appropriate for a lab (smallest that meets your needs).<\/li>\n<li>Authentication:\n   &#8211; Prefer <strong>SSH key pair<\/strong> for Linux\n   &#8211; Or use a strong password if required<\/li>\n<li>Create the instance.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> ECS instance is running with a <strong>private IP<\/strong> in <code>10.10.1.0\/24<\/code>.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; In ECS instance details, confirm:\n  &#8211; VPC = <code>lab-vpc<\/code>\n  &#8211; vSwitch = <code>lab-vsw-a<\/code>\n  &#8211; Private IP = <code>10.10.1.x<\/code><\/p>\n\n\n\n<p><strong>Common errors:<\/strong>\n&#8211; \u201cInsufficient quota\u201d \u2192 check Quota Center; reduce instance type\/quantity.\n&#8211; \u201cZone capacity\u201d \u2192 try another zone within the region.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Allocate an EIP and associate it to the ECS instance<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Provide controlled public access for administration.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In console, open <strong>Elastic IP Address<\/strong> (EIP) management.<\/li>\n<li>Allocate a new EIP:\n   &#8211; Billing model and bandwidth options vary\u2014choose the most cost-effective for a lab.\n   &#8211; Keep bandwidth low (enough for SSH).<\/li>\n<li>Associate the EIP to your ECS instance.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> ECS instance now has a reachable <strong>public IP (EIP)<\/strong>.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; 
In ECS details, confirm EIP is shown.\n&#8211; From your local machine, test SSH (Linux\/macOS):<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -i \/path\/to\/key.pem root@&lt;your-eip&gt;\n# or for Ubuntu images:\nssh -i \/path\/to\/key.pem ubuntu@&lt;your-eip&gt;\n<\/code><\/pre>\n\n\n\n<p>If using a password:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh root@&lt;your-eip&gt;\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can log in via SSH.<\/p>\n\n\n\n<p><strong>Common errors and fixes:<\/strong>\n&#8211; <strong>Timeout \/ no route to host<\/strong>\n  &#8211; Check security group inbound SSH rule (your current public IP may have changed).\n  &#8211; Confirm EIP is correctly associated to the ECS instance.\n&#8211; <strong>Permission denied (publickey)<\/strong>\n  &#8211; Confirm username (<code>root<\/code> vs <code>ubuntu<\/code>) and correct key pair.\n  &#8211; Confirm you selected the correct key at instance creation.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Validate outbound internet and DNS from inside the VPC<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Confirm the instance can reach the internet (useful for patching and API calls).<\/p>\n\n\n\n<p>From the ECS instance:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># DNS check (uses configured resolvers)\nnslookup alibabacloud.com\n\n# Basic outbound connectivity\ncurl -I https:\/\/www.alibabacloud.com\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> DNS resolves and HTTP headers return.<\/p>\n\n\n\n<p>If <code>curl<\/code> is not installed, install it (commands depend on the OS image). 
For example:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Ubuntu\/Debian\nsudo apt-get update &amp;&amp; sudo apt-get install -y curl dnsutils\n\n# RHEL\/CentOS\/Alibaba Cloud Linux (varies by version)\nsudo yum install -y curl bind-utils\n<\/code><\/pre>\n\n\n\n<p><strong>Common issues:<\/strong>\n&#8211; If outbound is blocked, check:\n  &#8211; Security group outbound rules\n  &#8211; Any network ACLs (if configured)\n  &#8211; Whether your organization applied egress restrictions<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8 (Optional): Review route tables to understand traffic flow<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Build intuition: where does traffic go?<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the VPC console, open <code>lab-vpc<\/code> \u2192 <strong>Route Tables<\/strong>.<\/li>\n<li>Identify the route table associated with <code>lab-vsw-a<\/code>.<\/li>\n<li>Review routes:\n   &#8211; Local VPC CIDR route (for internal traffic)\n   &#8211; Any default route behavior and next hops (implementation details vary)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can see how Alibaba Cloud represents routing for the VPC.<\/p>\n\n\n\n<blockquote>\n<p>If the UI shows system-managed routes you cannot edit, that\u2019s normal. 
For custom next hops (NAT, VPN, peering), routes become more explicit.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>You have successfully completed the lab if:\n&#8211; <code>lab-vpc<\/code> exists with CIDR <code>10.10.0.0\/16<\/code>\n&#8211; <code>lab-vsw-a<\/code> exists with CIDR <code>10.10.1.0\/24<\/code>\n&#8211; ECS instance has a private IP <code>10.10.1.x<\/code>\n&#8211; EIP is associated and SSH works\n&#8211; From the instance, DNS and outbound HTTPS work<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p><strong>Issue: SSH timeout<\/strong>\n&#8211; Confirm your <strong>current<\/strong> public IP is allowed in <code>lab-sg<\/code> inbound rules.\n&#8211; Confirm EIP association is correct.\n&#8211; Confirm instance is running and has no OS firewall blocking SSH.<\/p>\n\n\n\n<p><strong>Issue: DNS fails inside ECS<\/strong>\n&#8211; Confirm outbound UDP\/TCP 53 is allowed (if you tightened outbound rules).\n&#8211; Try another resolver temporarily to diagnose:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Test connectivity to a public DNS (diagnostic only)\nnslookup alibabacloud.com 8.8.8.8\n<\/code><\/pre>\n\n\n\n<p>If this works but default doesn\u2019t, review resolver configuration and VPC DNS settings (verify in docs).<\/p>\n\n\n\n<p><strong>Issue: You accidentally allowed 0.0.0.0\/0 on SSH<\/strong>\n&#8211; Immediately narrow the rule to your IP (<code>x.x.x.x\/32<\/code>) or corporate range.\n&#8211; Consider using a bastion plus private-only instances in real environments.<\/p>\n\n\n\n<p><strong>Issue: Unexpected costs<\/strong>\n&#8211; Check whether you left:\n  &#8211; EIP allocated\n  &#8211; Pay-as-you-go ECS running\n  &#8211; NAT Gateway (if you created one)\n&#8211; Use the billing console to confirm active billable resources.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" 
\/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges, delete resources in the correct order:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Disassociate and release EIP<\/strong>\n   &#8211; EIP console \u2192 disassociate from ECS\n   &#8211; Release the EIP allocation<\/li>\n<li><strong>Stop and release ECS instance<\/strong>\n   &#8211; ECS console \u2192 stop instance\n   &#8211; Release\/delete instance (pay-as-you-go must be released)<\/li>\n<li><strong>Delete security group<\/strong> (if not used elsewhere)<\/li>\n<li><strong>Delete vSwitch<\/strong><\/li>\n<li><strong>Delete VPC<\/strong><\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> No billable network\/compute resources remain for this lab.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Plan CIDR ranges early<\/strong>:<\/li>\n<li>Avoid overlaps with on-prem and other VPCs.<\/li>\n<li>Reserve space for future subnets (don\u2019t carve too tight).<\/li>\n<li><strong>Multi-zone by default for production<\/strong>:<\/li>\n<li>Place redundant tiers across zones.<\/li>\n<li>Keep subnet layouts consistent across zones (for example, <code>10.10.1.0\/24<\/code> in Zone A, <code>10.10.2.0\/24<\/code> in Zone B).<\/li>\n<li><strong>Use tiered subnet design<\/strong>:<\/li>\n<li>Web\/ingress subnet(s)<\/li>\n<li>App subnet(s)<\/li>\n<li>Data subnet(s) (most restricted)<\/li>\n<li><strong>Prefer load balancers for inbound<\/strong> rather than exposing instances directly.<\/li>\n<li><strong>Centralize egress<\/strong> using NAT Gateway for fleets; minimize public IPs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>RAM roles<\/strong> and least privilege policies for network admins vs 
app operators.<\/li>\n<li>Require multi-factor authentication for privileged accounts.<\/li>\n<li>Turn on <strong>ActionTrail<\/strong> for auditing and send logs to a secured log destination.<\/li>\n<li>Use security group rules with:\n<ul>\n<li>Tight sources (<code>\/32<\/code> for admin IPs)<\/li>\n<li>Only required ports<\/li>\n<li>Explicit egress control for sensitive workloads<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat <strong>EIP<\/strong> and gateways as \u201calways-on meters.\u201d<\/li>\n<li>Reduce egress using CDN (when appropriate) and caching.<\/li>\n<li>Log selectively: collect what you need, retain appropriately, and archive older logs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep latency-sensitive components in the same region; use CEN\/Express Connect for cross-region if needed.<\/li>\n<li>Avoid unnecessary hairpin routing (for example, forcing same-VPC traffic through NAT).<\/li>\n<li>For high-throughput hybrid needs, prefer Express Connect over VPN.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Redundant subnets across zones<\/li>\n<li>Stateless app tiers for scale and failure recovery<\/li>\n<li>Health-checked load balancers and autoscaling (ECS\/ACK dependent)<\/li>\n<li>Clear dependency mapping (NAT, VPN, CEN) and failure mode understanding<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize:\n<ul>\n<li>Naming: <code>env-region-app-tier-zone<\/code><\/li>\n<li>Tagging: <code>env<\/code>, <code>owner<\/code>, <code>cost-center<\/code>, <code>data-classification<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Create runbooks for:\n<ul>\n<li>\u201cNo SSH access\u201d<\/li>\n<li>\u201cNo outbound internet\u201d<\/li>\n<li>\u201cVPN down\u201d<\/li>\n<li>\u201cRoute change rollback\u201d<\/li>\n<\/ul>\n<\/li>\n<li>Use infrastructure as code for repeatability (Terraform\/ROS)\u2014verify module maturity and provider versions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use resource groups for separation (teams, environments).<\/li>\n<li>Apply policy-as-code where possible.<\/li>\n<li>Review security group rules periodically (stale rules are common).<\/li>\n<li>Maintain an IPAM-like record (even a spreadsheet) for CIDR allocations if you don\u2019t have a dedicated IPAM tool.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model (RAM)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC resources are managed through Alibaba Cloud APIs controlled by <strong>RAM<\/strong>.<\/li>\n<li>Create separate roles for:\n<ul>\n<li>Network admins (VPC, route tables, gateways)<\/li>\n<li>Security engineers (audit\/logging, policy review)<\/li>\n<li>App operators (view-only network, manage compute within approved subnets)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>ActionTrail (audit) helps detect:\n&#8211; Route changes\n&#8211; Security group modifications\n&#8211; EIP associations\n&#8211; Gateway creation\/deletion<\/p>\n\n\n\n<p>ActionTrail docs entry:<br\/>\nhttps:\/\/www.alibabacloud.com\/help\/en\/actiontrail<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC networking is private addressing and routing; encryption is typically implemented at higher layers:\n<ul>\n<li><strong>TLS<\/strong> for application traffic<\/li>\n<li><strong>IPsec<\/strong> for VPN Gateway tunnels<\/li>\n<\/ul>\n<\/li>\n<li>For hybrid connectivity, use strong IPsec parameters as recommended by Alibaba Cloud and your security policy (verify current recommendations).<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Minimize public exposure:<\/li>\n<li>Prefer SLB + WAF for inbound web traffic<\/li>\n<li>Avoid direct EIP on backend instances<\/li>\n<li>Restrict admin access:<\/li>\n<li>Bastion\/jump host pattern<\/li>\n<li>Short-lived access rules (time-bound) if your process supports it<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not store keys\/passwords in user-data scripts or images.<\/li>\n<li>Use Alibaba Cloud secret management options where available (verify your chosen service) and OS-level hardening.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable <strong>ActionTrail<\/strong> and export logs to a secure destination.<\/li>\n<li>Enable <strong>flow logs<\/strong> where available for investigation and compliance (verify feature availability and costs).<\/li>\n<li>Centralize logs in SLS and apply retention policies aligned to compliance requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Typical controls supported by good VPC designs:\n&#8211; Network segmentation and least privilege\n&#8211; Controlled egress and ingress points\n&#8211; Audit trail of configuration changes\n&#8211; Hybrid encryption (VPN) and private connectivity (Express Connect)<\/p>\n\n\n\n<p>Your compliance success depends on implementation:\n&#8211; Segmentation must be real (separate VPCs\/subnets, restricted routes)\n&#8211; Rules must be reviewed\n&#8211; Logs must be retained and monitored<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH open to the world (<code>0.0.0.0\/0<\/code>)<\/li>\n<li>Databases placed in subnets reachable from the internet<\/li>\n<li>Flat networks with overly broad security groups<\/li>\n<li>Untracked routing 
changes that open paths between environments<\/li>\n<li>Uncontrolled egress enabling data exfiltration<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use a \u201cdefault deny inbound\u201d posture.<\/li>\n<li>Separate duties (RAM roles).<\/li>\n<li>Use change control for route table modifications.<\/li>\n<li>Implement egress controls and monitor outbound traffic patterns.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<p>Because availability and quotas vary, treat the list below as practical \u201cwatch-outs\u201d and confirm exact limits in your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations \/ common constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VPC is regional; vSwitch is zonal:<\/strong> plan HA with multiple vSwitches across zones.<\/li>\n<li><strong>CIDR planning is hard to change later:<\/strong> primary CIDR may not be editable after creation; secondary CIDRs may be possible in some cases\u2014verify.<\/li>\n<li><strong>Non-transitive peering behavior:<\/strong> peering typically doesn\u2019t provide transitive routing; CEN is often used for larger topologies.<\/li>\n<li><strong>Overlapping CIDRs block connectivity:<\/strong> hybrid\/VPC interconnect requires non-overlapping CIDRs (or NAT-based workarounds).<\/li>\n<li><strong>Security group complexity grows fast:<\/strong> without standards, rule sprawl becomes an operational risk.<\/li>\n<li><strong>Flow logs and deep observability can add cost:<\/strong> great for investigations, expensive at scale without filters\/retention controls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<p>Typical quota categories include:\n&#8211; VPCs per region\n&#8211; vSwitches per VPC\n&#8211; Route entries per route table\n&#8211; EIPs per account\/region\n&#8211; NAT\/VPN gateway 
quotas<\/p>\n\n\n\n<p>Use Quota Center to check\/request increases:<br\/>\nhttps:\/\/www.alibabacloud.com\/help\/en\/quota-center<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some networking features and SKUs are not in all regions.<\/li>\n<li>Some integration behaviors differ depending on the SLB type (ALB\/CLB\/NLB) and region.<\/li>\n<li>Always verify in regional documentation and console availability.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Egress traffic is often the biggest surprise.<\/li>\n<li>NAT Gateway and VPN Gateway can be \u201csmall per-hour\u201d but become significant when always on.<\/li>\n<li>Logging ingestion\/storage costs accumulate quietly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not every managed service supports every VPC feature (IPv6, private endpoints, etc.). Verify service-specific networking documentation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Route changes can instantly break connectivity\u2014use change management and rollback plans.<\/li>\n<li>Troubleshooting requires systematic checks:\n  1) Route tables<br\/>\n  2) Security groups<br\/>\n  3) Network ACLs (if used)<br\/>\n  4) Instance OS firewall<br\/>\n  5) DNS\/resolver behavior<br\/>\n  6) Hybrid tunnel status (VPN\/Express Connect)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CIDR overlap with on-prem is the #1 migration blocker.<\/li>\n<li>Legacy apps may assume flat networks and broad connectivity; VPC segmentation reveals hidden dependencies.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. 
Comparison with Alternatives<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Nearest services in the same cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Enterprise Network (CEN):<\/strong> interconnects multiple VPCs\/regions; not a replacement for VPC.<\/li>\n<li><strong>Express Connect \/ VPN Gateway:<\/strong> connectivity products; they attach to a VPC.<\/li>\n<li><strong>PrivateLink (if available):<\/strong> private service exposure\/consumption pattern; complements VPC (verify product availability\/region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Nearest services in other clouds<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS VPC<\/strong>, <strong>Azure Virtual Network (VNet)<\/strong>, <strong>Google Cloud VPC<\/strong> are conceptual equivalents (private network containers), but names and implementation details differ.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source\/self-managed alternatives<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In self-managed environments, equivalents are VLAN\/VRF-based segmentation, firewall appliances, and routers. 
In cloud, you typically don\u2019t \u201cself-manage\u201d the underlay network; you configure VPC constructs and optionally deploy virtual appliances.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Comparison table<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud Virtual Private Cloud (VPC)<\/strong><\/td>\n<td>Any Alibaba Cloud workload needing isolation and routing control<\/td>\n<td>Foundational construct; integrates with ECS\/RDS\/SLB; flexible subnet\/routing design<\/td>\n<td>Requires CIDR planning; misconfig can cause outages<\/td>\n<td>Always, as the baseline network for production workloads<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud CEN<\/strong><\/td>\n<td>Many VPCs \/ multi-region connectivity<\/td>\n<td>Scales better than peering meshes; centralized interconnect<\/td>\n<td>Added cost and routing complexity<\/td>\n<td>When you have multiple VPCs\/regions and need managed interconnect<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud VPC Peering<\/strong><\/td>\n<td>Simple 1-to-1 VPC connectivity<\/td>\n<td>Direct and straightforward for small topologies<\/td>\n<td>Usually non-transitive; management overhead grows with many peers<\/td>\n<td>When connecting a small number of VPCs without needing a hub<\/td>\n<\/tr>\n<tr>\n<td><strong>VPN Gateway + VPC<\/strong><\/td>\n<td>Hybrid connectivity quickly<\/td>\n<td>Encrypted tunnel over internet; relatively fast to deploy<\/td>\n<td>Throughput\/latency variability; tunnel ops overhead<\/td>\n<td>When you need hybrid connectivity without dedicated circuits<\/td>\n<\/tr>\n<tr>\n<td><strong>Express Connect + VPC<\/strong><\/td>\n<td>Mission-critical hybrid<\/td>\n<td>Dedicated connectivity; predictable performance<\/td>\n<td>Provisioning lead time; higher cost<\/td>\n<td>When you need stable low-latency hybrid 
connectivity<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS VPC \/ Azure VNet \/ GCP VPC<\/strong><\/td>\n<td>Multi-cloud or platform comparison<\/td>\n<td>Mature ecosystems; similar primitives<\/td>\n<td>Different terminology and feature gaps; migration effort<\/td>\n<td>When your organization standardizes on another cloud or runs multi-cloud<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed networking (on-prem routers\/firewalls)<\/strong><\/td>\n<td>Legacy DC environments<\/td>\n<td>Full control of appliances<\/td>\n<td>Less agility; capacity planning; hardware lifecycle<\/td>\n<td>When regulatory\/legacy constraints prevent cloud-first designs<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated financial services hybrid platform<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A financial services company must run customer-facing apps in Alibaba Cloud while keeping sensitive data and identity systems on-premises. 
Requirements include segmentation, auditability, and controlled egress.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Separate <strong>Prod VPC<\/strong> and <strong>Shared Services VPC<\/strong><\/li>\n<li><strong>CEN<\/strong> to connect multiple VPCs across regions (if multi-region)<\/li>\n<li><strong>Express Connect<\/strong> for primary hybrid connectivity; <strong>VPN Gateway<\/strong> as backup (design-dependent\u2014verify HA options)<\/li>\n<li>Public entry through <strong>WAF + SLB<\/strong>, backends private<\/li>\n<li>Centralized <strong>NAT Gateway<\/strong> egress with strict outbound rules<\/li>\n<li><strong>ActionTrail<\/strong> enabled and exported; optional flow logs to SLS for investigations<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Virtual Private Cloud (VPC) was chosen:<\/strong> It provides the necessary isolation boundary and subnet\/routing control to satisfy compliance segmentation and hybrid connectivity requirements.<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Reduced exposure (private-only databases)<\/li>\n<li>Auditable network changes<\/li>\n<li>Predictable connectivity between on-prem and cloud<\/li>\n<li>Clear separation of duties between platform, app, and security teams<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS MVP with secure defaults<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A startup needs to deploy an MVP API quickly, but wants safe networking defaults and a path to scale.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul class=\"wp-block-list\">\n<li>One VPC with two vSwitches across two zones<\/li>\n<li>Public SLB for API ingress; backend services private<\/li>\n<li>Minimal EIP usage (admin access via bastion only)<\/li>\n<li>Simple tagging and naming scheme from day one<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Virtual Private Cloud (VPC) was chosen:<\/strong> It\u2019s the standard way to run ECS\/managed services securely and makes future growth (multi-zone, NAT egress, 
peering\/CEN) straightforward.<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul class=\"wp-block-list\">\n<li>MVP shipped quickly without exposing databases publicly<\/li>\n<li>Clear network boundaries that won\u2019t require a re-architecture at the first scale milestone<\/li>\n<li>Lower risk of accidental exposure through public IP sprawl<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is Virtual Private Cloud (VPC) the same as a subnet?<\/strong><br\/>\nNo. A VPC is the top-level private network container (regional). A subnet in Alibaba Cloud is a <strong>vSwitch<\/strong> (zonal) inside the VPC.<\/p>\n\n\n\n<p>2) <strong>Is a VPC global or regional in Alibaba Cloud?<\/strong><br\/>\nA VPC is <strong>regional<\/strong>. You create separate VPCs per region.<\/p>\n\n\n\n<p>3) <strong>What is a vSwitch in Alibaba Cloud?<\/strong><br\/>\nA vSwitch is a <strong>zonal subnet<\/strong> within a VPC. Resources in that vSwitch are placed in that zone.<\/p>\n\n\n\n<p>4) <strong>How do instances in a VPC reach the internet?<\/strong><br\/>\nCommon patterns are:<\/p>\n<ul class=\"wp-block-list\">\n<li>Associate an <strong>EIP<\/strong> with a resource (direct public access), or<\/li>\n<li>Use a <strong>NAT Gateway<\/strong> for shared outbound internet (SNAT), keeping instances private.<\/li>\n<\/ul>\n\n\n\n<p>5) <strong>Should I assign a public IP to every server?<\/strong><br\/>\nUsually no. Prefer a load balancer for inbound traffic and NAT Gateway for outbound, with only a bastion\/jump host (if needed) having an EIP.<\/p>\n\n\n\n<p>6) <strong>How do I connect two VPCs?<\/strong><br\/>\nOptions include <strong>VPC peering<\/strong> (simple) or <strong>CEN<\/strong> (scales to many VPCs and regions). Choose based on size and routing requirements.<\/p>\n\n\n\n<p>7) <strong>Can I connect my data center to a VPC?<\/strong><br\/>\nYes, typically using <strong>VPN Gateway<\/strong> (IPsec) or <strong>Express Connect<\/strong> (dedicated line). 
Many enterprises use both (primary\/backup) depending on requirements\u2014verify supported HA patterns.<\/p>\n\n\n\n<p>8) <strong>Can two vSwitches in the same VPC communicate by default?<\/strong><br\/>\nTypically yes, via the VPC\u2019s local routing, but security controls (security groups\/NACLs) can block it.<\/p>\n\n\n\n<p>9) <strong>What\u2019s the difference between security groups and network ACLs?<\/strong><br\/>\nSecurity groups are commonly applied at the instance\/ENI level (stateful behavior is typical in many clouds). Network ACLs are subnet-level controls. Exact behavior and availability can vary\u2014verify in Alibaba Cloud docs.<\/p>\n\n\n\n<p>10) <strong>Do route tables automatically update when I attach a VPN or NAT gateway?<\/strong><br\/>\nSome routes may be system-managed; others require explicit route entries. Always check the route table after attaching gateways.<\/p>\n\n\n\n<p>11) <strong>What is the biggest design mistake with VPC?<\/strong><br\/>\nPoor CIDR planning\u2014especially overlapping CIDRs with on-prem or other VPCs\u2014which complicates hybrid connectivity and future expansion.<\/p>\n\n\n\n<p>12) <strong>How can I audit who changed networking settings?<\/strong><br\/>\nEnable <strong>ActionTrail<\/strong> and review events for VPC, route tables, EIP, and gateway modifications.<\/p>\n\n\n\n<p>13) <strong>Can I run Kubernetes in a VPC?<\/strong><br\/>\nYes. Alibaba Cloud ACK typically runs inside a VPC and uses vSwitches for node placement. 
Follow ACK networking docs for the exact model.<\/p>\n\n\n\n<p>14) <strong>How do I troubleshoot \u201ccan\u2019t connect\u201d issues inside a VPC?<\/strong><br\/>\nCheck in order:<\/p>\n<ol class=\"wp-block-list\">\n<li>Route table entries (destination\/next hop)<\/li>\n<li>Security group inbound\/outbound rules<\/li>\n<li>Network ACLs (if used)<\/li>\n<li>OS firewall<\/li>\n<li>DNS resolution<\/li>\n<li>For hybrid: VPN\/Express Connect status and BGP\/route propagation (if applicable)<\/li>\n<\/ol>\n\n\n\n<p>15) <strong>Are VPC flow logs available, and should I enable them?<\/strong><br\/>\nFlow logs are valuable for security and troubleshooting, but availability and cost vary. Enable selectively, and confirm supported fields\/destinations in official docs.<\/p>\n\n\n\n<p>16) <strong>Can I expose a private service to another VPC\/account without opening it to the internet?<\/strong><br\/>\nOften this is done with private connectivity patterns such as PrivateLink or internal SLB + controlled routing, depending on Alibaba Cloud capabilities in your region\u2014verify.<\/p>\n\n\n\n<p>17) <strong>What\u2019s a good \u201cstarter\u201d VPC layout?<\/strong><br\/>\nFor production: at least two zones, with separate vSwitches per tier (web\/app\/data), centralized NAT egress, and minimal public endpoints.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Virtual Private Cloud (VPC)<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>VPC documentation (Alibaba Cloud Help Center) \u2014 https:\/\/www.alibabacloud.com\/help\/en\/vpc<\/td>\n<td>Primary source for current features, limits, and step-by-step configuration<\/td>\n<\/tr>\n<tr>\n<td>Official product page<\/td>\n<td>VPC product overview \u2014 https:\/\/www.alibabacloud.com\/product\/vpc<\/td>\n<td>High-level capabilities and positioning within Alibaba Cloud<\/td>\n<\/tr>\n<tr>\n<td>Official pricing \/ calculator<\/td>\n<td>Alibaba Cloud Pricing Calculator \u2014 https:\/\/www.alibabacloud.com\/pricing\/calculator<\/td>\n<td>Build region-specific estimates without guessing<\/td>\n<\/tr>\n<tr>\n<td>Official IAM docs<\/td>\n<td>Resource Access Management (RAM) \u2014 https:\/\/www.alibabacloud.com\/help\/en\/ram<\/td>\n<td>Required for least-privilege network administration<\/td>\n<\/tr>\n<tr>\n<td>Official audit logging<\/td>\n<td>ActionTrail \u2014 https:\/\/www.alibabacloud.com\/help\/en\/actiontrail<\/td>\n<td>Audit who changed network configurations<\/td>\n<\/tr>\n<tr>\n<td>Official monitoring<\/td>\n<td>CloudMonitor (CMS) \u2014 https:\/\/www.alibabacloud.com\/help\/en\/cloudmonitor<\/td>\n<td>Metrics, alarms, and operational monitoring patterns<\/td>\n<\/tr>\n<tr>\n<td>Official CLI docs<\/td>\n<td>Alibaba Cloud CLI \u2014 https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli<\/td>\n<td>Automation and scripting of VPC operations<\/td>\n<\/tr>\n<tr>\n<td>Official quota docs<\/td>\n<td>Quota Center \u2014 https:\/\/www.alibabacloud.com\/help\/en\/quota-center<\/td>\n<td>Check\/request VPC\/EIP\/gateway quotas<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Alibaba Cloud Architecture Center \u2014 
https:\/\/www.alibabacloud.com\/architecture<\/td>\n<td>Reference architectures that often include VPC design patterns (verify specific articles)<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Alibaba Cloud Tech Community \u2014 https:\/\/www.alibabacloud.com\/blog<\/td>\n<td>Practical posts; validate against official docs before production use<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, cloud engineers<\/td>\n<td>Cloud networking fundamentals, DevOps practices, implementation labs<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate IT professionals<\/td>\n<td>DevOps\/SCM foundations, automation concepts<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud ops and platform teams<\/td>\n<td>Operations, monitoring, cloud administration practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability engineers<\/td>\n<td>Reliability engineering, operations, incident response<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams exploring AIOps<\/td>\n<td>Monitoring, automation, AIOps concepts<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify offerings)<\/td>\n<td>Students, engineers seeking guided learning<\/td>\n<td>https:\/\/www.rajeshkumar.xyz<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training programs (verify course list)<\/td>\n<td>Beginners to intermediate DevOps engineers<\/td>\n<td>https:\/\/www.devopstrainer.in<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps help\/training (verify services)<\/td>\n<td>Teams needing short-term expertise<\/td>\n<td>https:\/\/www.devopsfreelancer.com<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and enablement (verify scope)<\/td>\n<td>Ops teams and engineers needing practical support<\/td>\n<td>https:\/\/www.devopssupport.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify exact catalog)<\/td>\n<td>Architecture, automation, operations maturity<\/td>\n<td>VPC baseline design, migration planning, operational runbooks<\/td>\n<td>https:\/\/www.cotocus.com<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and training (verify offerings)<\/td>\n<td>Platform enablement, training, process improvement<\/td>\n<td>Network\/IAM best practices workshops, Terraform\/automation enablement<\/td>\n<td>https:\/\/www.devopsschool.com<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify exact services)<\/td>\n<td>Implementation support and advisory<\/td>\n<td>Landing zone planning, CI\/CD integration with cloud environments<\/td>\n<td>https:\/\/www.devopsconsulting.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Virtual Private Cloud (VPC)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IP addressing and subnetting (CIDR)<\/li>\n<li>Basic routing concepts (route tables, next hop)<\/li>\n<li>TCP\/UDP fundamentals, common ports<\/li>\n<li>DNS basics<\/li>\n<li>Linux networking basics (<code>ip<\/code>, <code>ss<\/code>, <code>iptables<\/code>\/<code>nftables<\/code>)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Virtual Private Cloud (VPC)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NAT patterns at scale (central egress, egress filtering)<\/li>\n<li>Hybrid networking: IPsec VPN design, BGP concepts (if used), Express Connect operations<\/li>\n<li>Multi-VPC architectures: hub-and-spoke with CEN, segmentation strategies<\/li>\n<li>Kubernetes networking (ACK CNI model, service exposure)<\/li>\n<li>Observability: flow logs, centralized logging (SLS), SIEM integration<\/li>\n<li>Zero trust patterns and workload identity (where applicable)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Engineer \/ Cloud Network Engineer<\/li>\n<li>Solutions Architect<\/li>\n<li>DevOps Engineer \/ Platform Engineer<\/li>\n<li>SRE<\/li>\n<li>Security Engineer (cloud security \/ network security)<\/li>\n<li>Cloud Operations Engineer<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Alibaba Cloud certifications change over time and vary by region. 
Check the official Alibaba Cloud certification portal for the latest tracks and whether they include VPC\/networking objectives:<br\/>\nhttps:\/\/edu.alibabacloud.com\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a two-tier app (web + private DB) with strict security group rules.<\/li>\n<li>Create a hub-and-spoke design (3 VPCs) and connect using peering or CEN (depending on learning goals).<\/li>\n<li>Implement a bastion-only admin model and remove all public IPs from backends.<\/li>\n<li>Create a hybrid lab with VPN Gateway to a simulated on-prem router (if you have equipment).<\/li>\n<li>Turn on ActionTrail and practice auditing route\/security group changes.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud:<\/strong> Cloud provider offering compute, storage, networking, security, and managed services.<\/li>\n<li><strong>Virtual Private Cloud (VPC):<\/strong> A regional, logically isolated private network in Alibaba Cloud where you define IP ranges, subnets, and routing.<\/li>\n<li><strong>Region:<\/strong> Geographic location where cloud resources are deployed (e.g., Singapore, Frankfurt).<\/li>\n<li><strong>Zone:<\/strong> An isolated location within a region (used for high availability).<\/li>\n<li><strong>CIDR:<\/strong> Classless Inter-Domain Routing notation for defining IP ranges (e.g., <code>10.10.0.0\/16<\/code>).<\/li>\n<li><strong>vSwitch:<\/strong> Alibaba Cloud term for a <strong>subnet<\/strong> within a VPC, created in a specific zone.<\/li>\n<li><strong>Route table:<\/strong> A set of rules (routes) that determine where network traffic is sent.<\/li>\n<li><strong>Next hop:<\/strong> The target gateway\/device\/service that receives traffic for a route (e.g., NAT gateway, VPN).<\/li>\n<li><strong>EIP (Elastic IP Address):<\/strong> A public IP 
that can be associated with certain resources to enable internet access.<\/li>\n<li><strong>NAT Gateway:<\/strong> Managed service providing SNAT (outbound) and DNAT (inbound) translation for private resources.<\/li>\n<li><strong>SNAT\/DNAT:<\/strong> Source\/Destination Network Address Translation.<\/li>\n<li><strong>VPN Gateway:<\/strong> Managed IPsec VPN endpoint for encrypted hybrid connectivity.<\/li>\n<li><strong>Express Connect:<\/strong> Dedicated private connectivity service between on-prem and Alibaba Cloud.<\/li>\n<li><strong>CEN (Cloud Enterprise Network):<\/strong> Service for connecting VPCs across regions (and sometimes across accounts) with centralized routing.<\/li>\n<li><strong>Security group:<\/strong> Virtual firewall policy typically applied to instances\/ENIs controlling inbound\/outbound traffic.<\/li>\n<li><strong>Network ACL:<\/strong> Subnet-level access control list (availability\/behavior may vary\u2014verify).<\/li>\n<li><strong>ActionTrail:<\/strong> Alibaba Cloud service for auditing API actions and console operations.<\/li>\n<li><strong>CloudMonitor (CMS):<\/strong> Alibaba Cloud monitoring and alerting service.<\/li>\n<li><strong>SLS (Log Service):<\/strong> Managed log ingestion, storage, and analysis platform.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Virtual Private Cloud (VPC)<\/strong> is the core Networking and CDN foundation for building isolated, secure, and controllable private networks in Alibaba Cloud. 
It provides regional network isolation, zonal subnetting via <strong>vSwitches<\/strong>, and traffic control via <strong>route tables<\/strong>, while integrating with EIP, NAT Gateway, VPN Gateway, Express Connect, and CEN for real-world connectivity needs.<\/p>\n\n\n\n<p>It matters because most production incidents and security exposures trace back to networking: overly broad access, poor CIDR planning, unclear routing, and unmonitored egress. VPC gives you the tools to design networks that are segmented, auditable, and scalable\u2014if you apply best practices.<\/p>\n\n\n\n<p>Cost-wise, VPC designs are rarely \u201cfree\u201d in total: <strong>internet egress, EIPs, NAT\/VPN gateways, inter-region connectivity (CEN), and logging<\/strong> are the real cost drivers. Security-wise, least-privilege RAM permissions, strict security group rules, careful route management, and audit logging (ActionTrail) are essential.<\/p>\n\n\n\n<p>Use Virtual Private Cloud (VPC) for essentially all serious Alibaba Cloud deployments\u2014especially multi-tier apps, private data layers, hybrid connectivity, and multi-VPC architectures. 
Next, deepen your skills by practicing multi-zone layouts, centralized egress with NAT Gateway, and multi-VPC connectivity using CEN\u2014always validating specifics in the official Alibaba Cloud documentation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Networking and CDN<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,8],"tags":[],"class_list":["post-31","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-networking-and-cdn"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/31","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=31"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/31\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=31"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=31"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=31"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}