Help Center/ Virtual Private Cloud/ FAQs/ VPCs and Subnets/ What Is Virtual Private Cloud?
Updated on 2024-04-23 GMT+08:00

What Is Virtual Private Cloud?

Virtual Private Cloud (VPC) allows you to provision logically isolated virtual private networks for cloud resources, such as cloud servers, containers, and databases. You can create subnets, security groups, network ACLs, route tables, and more to manage cloud resources flexibly. You can also use EIPs to connect cloud resources in VPCs to the Internet, and use Direct Connect and VPN to connect on-premises data centers to VPCs to build a hybrid cloud network.

Product Architecture

The following describes the basics, security, connectivity, and O&M of VPCs.

Figure 1 VPC architecture
Table 1 Architecture description

Item

Brief

Details

VPC basics

A VPC is a logically isolated virtual private network. You can define a CIDR block for each VPC and add one or more subnets. You can also configure route tables to control where the traffic from your subnet is directed.

VPCs are logically isolated from each other, but subnets in a VPC can communicate with each other by default.

  • IPv4 CIDR block: When creating a VPC, you need to specify an IPv4 CIDR block for it. Supported IPv4 CIDR blocks are 10.0.0.0/8-24, 172.16.0.0/12-24, and 192.168.0.0/16-24.
  • Subnet: You can divide a VPC into one or more subnets as required to deploy your instances (such as cloud servers, containers, and databases). Private IP addresses are then assigned to your instances from the subnets where they are running.

    For more information, see Subnet.

  • Route table: Each VPC comes with a default route table that allows communications between subnets in a VPC. You can add routes to the default route table or create a route table to control traffic.

    For details, see Route Tables and Routes.

VPC security

Security groups and network ACLs protect the cloud resources deployed in a VPC.

  • Security groups protect instances. You can add inbound and outbound rule to protect all the resources in a security group.

    For details about security groups, see Security Groups and Security Group Rules.

  • Network ACLs protect associated subnets. You can add inbound and outbound rule to protect all the resources in a subnet.

    For details, see Network ACL Overview.

Network ACLs protect subnets, while security groups protect instances in a subnet. If both security group and network ACL rules are configured, traffic matches network ACL rules first and then security group rules.

For details, see What Is Access Control?

VPC connectivity

You can combine VPC and other networking services to build networks to meet different requirements.

  • Use VPC peering connections or an enterprise router to connect different VPCs in the same region.
  • Use an EIP or NAT gateway to allow the instances in a VPC to the Internet.
  • Use Direct Connect or VPN to connect an on-premises data center to VPCs.
  • Connecting VPCs in the same region

    VPC peering connections are free of charge, while enterprise routers are not free. Compared with VPC peering connections, enterprise routers simplify the network structure and make it easy for scale-out and O&M.

  • Connecting a VPC to the Internet
    • EIPs: enable your cloud resources to communicate with the Internet.

      For details, see

    • Public NAT gateways: enables instances (such as ECSs or BMSs) in a VPC to share an EIP to communicate with the Internet. A public NAT gateway supports up to 20 Gbit/s of bandwidth.

      For details, see

  • Connecting an on-premises data center to a VPC
    • Direct Connect: allows you to establish a stable, high-speed, low-latency, secure, and dedicated network connection that connects your on-premises data center to the cloud. Direct Connect helps you build a flexible, scalable hybrid cloud computing environment.

      For details, see What Is Direct Connect?

    • VPN: establishes a secure, encrypted communication tunnel between your on-premises data center and your VPC.

      For details, see What Is Virtual Private Network?

    Compared with Direct Connect, VPN is cost-effective and can be quickly deployed.