Virtual Private Cloud And Its Isolation In Alibaba Cloud

In this article, we will look at Virtual Private Cloud (VPC). A VPC is a private network in Alibaba Cloud that is logically isolated from every other virtual network. As administrators we have full control over it: we choose its IP address range in Classless Inter-Domain Routing (CIDR) notation (classful addressing is not supported), and we can provision ECS instances, RDS (Relational Database Service) instances, and Server Load Balancer (SLB) instances inside it. Alibaba Cloud also provides hybrid connectivity options to connect two or more VPCs, or to connect a VPC to an on-premises network.

A VPC has two further important components:

  1. VRouter
  2. VSwitch 

When we create a VPC in Alibaba Cloud, it automatically creates a VRouter with a route table. The VRouter works like a hub that joins the zones of the VPC, and also as the gateway through which the VPC reaches other networks. The other VPC component is the VSwitch, with which we create subnets (smaller address ranges carved out of the VPC address space; segmenting the VPC produces subnets). Each VSwitch lives in one zone. So, if you want two separate subnets in your VPC, you create two VSwitches, and these VSwitches are connected internally through the VRouter. That means you can deploy your application web servers in one subnet and your data server instances in another. The VRouter forwards each request to the right VSwitch, whether you are reaching the web server subnet or the data server subnet, because both VSwitches hang off the VRouter.

As mentioned above, a VPC uses CIDR addressing, so the whole IPv4 address space is available for defining the VPC range, although in practice you pick a block from the RFC 1918 private ranges 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. Take 192.168.0.0/16 as an example. An IPv4 address is 32 bits: 192 is 8 bits, 168 is 8 bits, 0 is 8 bits, 0 is 8 bits. The /16 is the CIDR prefix length: the first 16 bits (192.168) are the network part and the remaining 16 bits are the host part. So a 192.168.0.0/16 VPC has 2^16 = 65536 addresses in total, which is the ceiling on the number of instances it can hold (a few addresses in each VSwitch are reserved by the platform, so the usable count is slightly lower).

If we then want to segment the VPC into subnets with VSwitches, we can give the first VSwitch the CIDR block 192.168.0.0/24. Now the first 24 bits are the network part and the last 8 bits are the host part, so the first subnet has 2^8 = 256 addresses, roughly 250 of which are usable for instances once the reserved addresses are taken out. If we want another subnet for the data server instances, we can create VSwitch2 with 192.168.1.0/24, which gives another 256 addresses (again roughly 250 usable) in the same VPC. Both blocks must lie inside the VPC range and must not overlap each other.
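The address arithmetic above, and the VRouter's job of steering traffic between the VSwitches, are easy to get wrong when planning a real layout. The following Python script is an added example (not code from the article or from Alibaba Cloud) that checks a VPC/VSwitch plan with the standard `ipaddress` module and then resolves destinations through a VRouter-style route table by longest-prefix match. The reserved-address count per VSwitch, the `"local"` next-hop label for system routes and the `"nat-gateway"` default route are illustrative assumptions, not Alibaba Cloud API values.

```python
"""Added example (not from the article): plan a VPC address space and
resolve destinations through a VRouter-style route table."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption: the platform keeps a few addresses per VSwitch for itself
# (network address, gateway, broadcast ...). 4 is used for illustration;
# check the current Alibaba Cloud documentation for the exact number.
RESERVED_PER_VSWITCH = 4

# RFC 1918 private ranges, the normal choices for a VPC CIDR block.
PRIVATE_RANGES = [
    ipaddress.IPv4Network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

Route = Tuple[ipaddress.IPv4Network, str]


def describe_cidr(cidr: str) -> Dict[str, int]:
    """Network bits, host bits, total and usable address count for one block."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits set, e.g. 192.168.1.1/24
    return {
        "network_bits": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "addresses": net.num_addresses,
        "usable": max(net.num_addresses - RESERVED_PER_VSWITCH, 0),
    }


def plan_vpc(vpc_cidr: str, vswitch_cidrs: List[str]) -> List[str]:
    """Validate a VPC / VSwitch layout. Returns a list of problems; empty means OK."""
    problems: List[str] = []
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    if not any(vpc.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{vpc} is not inside an RFC 1918 range")
    subnets: List[ipaddress.IPv4Network] = []
    for c in vswitch_cidrs:
        try:
            sn = ipaddress.IPv4Network(c, strict=True)
        except ValueError as e:
            problems.append(f"{c}: {e}")
            continue
        if not sn.subnet_of(vpc):          # VSwitch must be carved out of the VPC block
            problems.append(f"{sn} is not inside VPC {vpc}")
        for other in subnets:               # VSwitch blocks must not overlap each other
            if sn.overlaps(other):
                problems.append(f"{sn} overlaps {other}")
        subnets.append(sn)
    return problems


def system_route_table(vswitch_cidrs: List[str], default_next_hop: Optional[str] = None) -> List[Route]:
    """One route per VSwitch, as the VRouter creates automatically (next hop
    labelled "local" here by assumption), plus an optional default route."""
    table: List[Route] = [(ipaddress.IPv4Network(c), "local") for c in vswitch_cidrs]
    if default_next_hop:
        table.append((ipaddress.IPv4Network("0.0.0.0/0"), default_next_hop))
    return table


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


if __name__ == "__main__":
    vpc, switches = "192.168.0.0/16", ["192.168.0.0/24", "192.168.1.0/24"]
    print(describe_cidr(vpc))
    print("plan problems:", plan_vpc(vpc, switches))
    print("bad plan:", plan_vpc(vpc, ["192.168.0.0/24", "192.168.0.128/25", "10.0.0.0/24"]))
    table = system_route_table(switches, default_next_hop="nat-gateway")
    for dst in ("192.168.1.10", "203.0.113.5"):
        print(dst, "->", lookup(table, dst))
```

Running the script shows the /16 with 65536 addresses, an empty problem list for the two /24 VSwitches, overlap and containment errors for the bad plan, and that 192.168.1.10 stays inside the VPC ("local") while 203.0.113.5 falls through to the default route.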

Another important concept in Alibaba Cloud VPC is the tunneling technology it is built on. Each VPC is assigned a unique tunnel ID, and every packet travelling between instances is encapsulated with its VPC's tunnel ID in the outer header. Because the tunnel IDs differ, ECS instances in two separate VPCs cannot communicate with each other until explicit connectivity between the two VPCs is configured.

Another logical component of a VPC is the controller. The controller uses a self-developed protocol to push forwarding tables to the VPC gateway and the VSwitches, forming the configuration path. So in a VPC the data path and the configuration path are separate, and each has redundant disaster-recovery capacity, which improves the availability of VPCs in Alibaba Cloud.

Alibaba Cloud therefore gives you strong security isolation: the cloud servers of different users belong to different VPCs, and different VPCs carry different tunnel IDs. Cloud servers in the same subnet communicate through their VSwitch, and cloud servers in different subnets of the same VPC communicate through the VRouter. The private networks of different VPCs are completely isolated from one another and can only reach each other through public IP mapping (for example an Elastic IP or NAT) or an explicitly configured interconnection. The third layer of isolation sits on each instance: the security group firewall, which controls inbound and outbound network access. A newly created security group allows no inbound traffic until you add rules, so keep those rules scoped to the source ranges and ports you actually need. One more advantage of Alibaba Cloud VPC is that software VPN (VPN Gateway) and leased line connections are supported as connectivity options.