Alibaba Cloud ECS intranet connectivity in practice: cross-account, cross-VPC and cross-region connections
When building a cloud architecture, keeping traffic on the intranet is a core operations task: it keeps data in transit off the public Internet and avoids public-bandwidth charges. An Alibaba Cloud ECS instance can reach not only other ECS instances over the intranet, but also RDS, SLB and OSS. This article lays out the technical path and practical recommendations for intranet connectivity in each common scenario.
1. Why prefer intranet connections?
Speed: the intranet bandwidth cap is usually higher than the public-network cap, and latency is very low.
Security: the traffic never traverses the public Internet, so the instances need no public IP or Internet-facing port for this path, which removes a whole class of external exposure. Intranet traffic is still governed by security-group rules and is still reachable from other intranet hosts, so least-privilege rules remain necessary.
Cost: within a region, intranet data transfer is normally free.
2. What determines whether intranet connectivity works
Whether two resources can reach each other over the intranet depends mainly on four dimensions:
Network type: VPC or classic network.
Account: same account or different accounts.
Region: whether the resources are in the same region (physical data-center area).
Security groups: stateful virtual firewalls that control access at the instance level.
3. Common scenarios and solutions
3.1 Within the same VPC (simplest)
This is the mainstream case today. As long as the instances are in the same VPC, regardless of whether they belong to the same account, the logic is:
Same security group: intranet communication is allowed by default (unless the group's internal access policy has been changed to Drop).
Different security groups: blocked by default. Solution: add an inbound rule to each of the two security groups that authorizes the other group (authorization object: the other security group's ID; protocol: all, or preferably only the specific port the application needs). Prefer the security group ID over a CIDR as the source so the rule keeps working as instances are added or replaced. Because security groups are stateful, a client-to-server flow only needs the inbound rule on the server's group; the reverse rule is only required when the other side also initiates connections.
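The rule pair described above, as an added example in Python (not code from the original article or from Alibaba Cloud): it builds the two inbound rules using the parameter names of the ECS AuthorizeSecurityGroup API, handles the cross-account case through SourceGroupOwnerAccount, and lints a rule set for the over-broad settings that make the intranet no safer than the public network. The security group IDs and account IDs are placeholders, OVERBROAD is constructed sample data, and apply_rule assumes the classic aliyun-python-sdk is installed (it is not exercised offline).

```python
"""Plan and lint the inbound security-group rules for two groups in one VPC.

Added example, not code from the original article or from Alibaba Cloud.
The dict keys follow the parameter names of the ECS AuthorizeSecurityGroup
API (SecurityGroupId, IpProtocol, PortRange, SourceGroupId,
SourceGroupOwnerAccount, NicType, Policy). Security group IDs and account
IDs used below are placeholders; OVERBROAD is constructed sample data.
"""

WIDE_OPEN = "0.0.0.0/0"
ALL_PORTS = "-1/-1"


def inbound_rule(target_sg, source_sg, port, proto="tcp", source_owner=None):
    """Inbound rule added to target_sg that admits members of source_sg.

    The source is the peer group's ID rather than a CIDR, so the rule keeps
    working as instances are added to or replaced in the peer group.
    """
    rule = {
        "SecurityGroupId": target_sg,
        "IpProtocol": proto,
        "PortRange": f"{port}/{port}",
        "SourceGroupId": source_sg,
        "NicType": "intranet",
        "Policy": "accept",
    }
    if source_owner:  # a cross-account source group needs its owner account
        rule["SourceGroupOwnerAccount"] = source_owner
    return rule


def mutual_rules(sg_a, sg_b, port, proto="tcp", owner_a=None, owner_b=None):
    """Both directions, as the article describes (one rule in each group).

    Security groups are stateful, so a client->server flow only needs the
    rule on the server's group; use inbound_rule alone for that case.
    """
    return [
        inbound_rule(sg_a, sg_b, port, proto, source_owner=owner_b),
        inbound_rule(sg_b, sg_a, port, proto, source_owner=owner_a),
    ]


def lint_rules(rules):
    """Flag accept rules that grant more than the intranet path needs.

    Returns (SecurityGroupId, reason) tuples; an empty list means clean.
    """
    findings = []
    for r in rules:
        if r.get("Policy", "accept") != "accept":
            continue
        sg = r.get("SecurityGroupId", "?")
        if r.get("SourceCidrIp") == WIDE_OPEN:
            findings.append((sg, "source 0.0.0.0/0 admits every host, not just the peer group"))
        if str(r.get("IpProtocol", "")).lower() == "all" or r.get("PortRange") == ALL_PORTS:
            findings.append((sg, "all protocols/ports; narrow to the service port"))
        if r.get("NicType") == "internet":
            findings.append((sg, "NicType internet is a public-network rule, not an intranet one"))
    return findings


# Constructed sample: the "just make it work" rule often found in the wild.
OVERBROAD = [{
    "SecurityGroupId": "sg-app-placeholder", "IpProtocol": "all",
    "PortRange": ALL_PORTS, "SourceCidrIp": WIDE_OPEN,
    "NicType": "intranet", "Policy": "accept",
}]


def apply_rule(rule, region_id, access_key_id, access_key_secret):
    """Submit one rule with the classic aliyun-python-sdk (assumed installed).

    Assumption: relies on aliyunsdkcore/aliyunsdkecs and RpcRequest's
    add_query_param; this function is not exercised offline.
    """
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkecs.request.v20140526.AuthorizeSecurityGroupRequest import (
        AuthorizeSecurityGroupRequest,
    )

    client = AcsClient(access_key_id, access_key_secret, region_id)
    request = AuthorizeSecurityGroupRequest()
    for key, value in rule.items():
        request.add_query_param(key, value)
    return client.do_action_with_exception(request)


if __name__ == "__main__":
    plan = mutual_rules("sg-app-placeholder", "sg-db-placeholder", 3306,
                        owner_a="111111111111", owner_b="222222222222")
    print("planned:", plan)
    print("lint(plan):", lint_rules(plan))            # []
    print("lint(OVERBROAD):", lint_rules(OVERBROAD))  # two findings
```

Run the module to see the planned pair and the lint output; feed each planned rule to apply_rule with your region and credentials only after lint_rules returns nothing, so an accidental 0.0.0.0/0 or all-ports rule never reaches the API.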
3.2 Between different VPCs in the same region
If you have created multiple VPCs for business isolation, or need to connect across accounts:
Solution: VPC interconnection through Cloud Enterprise Network (CEN) or VPC peering.
Key points: attach both VPCs to the same CEN instance (or establish a peering connection), then make sure each VPC's route table has an entry for the other VPC's CIDR. The two VPCs then behave as one intranet. The CIDRs must not overlap, and the security groups in each VPC still need rules that admit the peer VPC's address range.
3.3 Across regions
For example, an ECS instance in the Beijing region needs to reach a database in the Shanghai region:
Solution: cross-region connectivity requires CEN.
Note: cross-region connectivity incurs bandwidth charges, and latency is bounded by the physical distance between the regions.
3.4 Hybrid connection between classic network and VPC
For legacy users still on the classic network:
Solution: ClassicLink.
What it does: ClassicLink lets a classic-network ECS instance communicate over the intranet with resources in a VPC, so workloads can be migrated gradually instead of in one cut-over.
4. Quick look-up table

| Network scenario | Account / region | Recommended solution | Note |
|---|---|---|---|
| Same VPC, same security group | Same account / same region | Works by default | No configuration required |
| Same VPC, different security groups | Same account / same region | Mutual security-group authorization | Add intranet inbound rules that reference the other group's ID |
| Different VPCs (same or different accounts) | Same region | CEN or VPC peering | VPC-level interconnection, suited to large-scale connectivity |
| Cross-region connectivity | Different regions | CEN | A cross-region bandwidth package must be purchased |
| Classic network to VPC | Same account / same region | ClassicLink | For the transition from the old environment to the new |
5. Advanced: how to troubleshoot intranet connectivity
If you still cannot reach the peer after configuring the scheme above, check the following:
Security group rules: is the required protocol and port allowed in the inbound direction? Ping needs ICMP, so a failed ping does not prove a TCP service is unreachable; test the actual service port (for example with nc, telnet or curl) before changing rules.
Routes: with VPC peering or CEN, each VPC's route table needs an entry for the peer VPC's CIDR; a route missing on one side produces a one-way failure.
OS firewall inside the instance: check whether Linux iptables/firewalld or Windows Firewall drops traffic from the intranet address range.
Overlapping address ranges: when interconnecting VPCs, make sure the private CIDRs do not overlap; otherwise the routes conflict and traffic for the peer is delivered locally instead.
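Two of these checks can be scripted. The added Python example below (not part of the original article) detects overlapping VPC CIDRs before you connect the VPCs, and probes the target TCP port to separate a silent drop (security group, missing route, or an OS-firewall DROP) from a refusal (the path is fine; the service or a host-firewall REJECT is the problem). SAMPLE_VPCS is constructed data, and the loopback probe stands in for a real intranet target such as an RDS endpoint or a peer ECS instance.

```python
"""Two offline checks for the failure modes listed above.

Added example, not part of the original article. The VPC CIDRs in
SAMPLE_VPCS are constructed; the loopback probe stands in for a real
intranet target such as an RDS endpoint or a peer ECS instance.
"""
import errno
import ipaddress
import socket
from itertools import combinations

# Constructed sample: "dev" was carved out of the same 10.0.0.0/16 as "prod",
# so peering or CEN between them would produce conflicting routes.
SAMPLE_VPCS = {
    "prod": "10.0.0.0/16",
    "dev": "10.0.1.0/24",
    "dmz": "192.168.0.0/24",
}


def overlapping_cidrs(vpc_cidrs):
    """Return sorted pairs of VPC names whose private CIDRs overlap.

    vpc_cidrs maps a VPC name to its CIDR. Any overlap means the route for
    the peer VPC collides with the local range and traffic never leaves.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in vpc_cidrs.items()}
    return sorted(
        tuple(sorted((a, b)))
        for (a, na), (b, nb) in combinations(nets.items(), 2)
        if na.overlaps(nb)
    )


def tcp_probe(host, port, timeout=2.0):
    """Probe a TCP port and report which layer is failing.

    open         handshake completed: path and listener are both fine
    refused      RST came back: security groups and routes pass the packet,
                 but nothing listens, or the OS firewall REJECTs
    timeout      silently dropped: usually a security-group rule, a missing
                 route entry, or a DROP in iptables/firewalld
    unreachable  the probing host itself has no route to the target
    error        name resolution or another local failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return "error"


def probe_loopback_examples():
    """Demonstrate 'open' and 'refused' on loopback without any cloud access."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_probe("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_probe("127.0.0.1", port, timeout=1.0)  # nothing listens now
    return while_listening, after_close


if __name__ == "__main__":
    print("overlapping VPC CIDRs:", overlapping_cidrs(SAMPLE_VPCS))        # [('dev', 'prod')]
    print("loopback probe (listening, closed):", probe_loopback_examples())  # ('open', 'refused')
```

In practice, run tcp_probe from the client instance against the peer's intranet address and the real service port: a "timeout" points you at the security group, the route table or an iptables DROP, while a "refused" means the network path is already correct and only the service or the host firewall remains to be fixed.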
Summary
The core idea of intranet connectivity comes down to three tools:
Same VPC: adjust the security groups. Different VPCs: use Cloud Enterprise Network (or VPC peering). Classic network and VPC: use ClassicLink.
With these three in hand, you can handle most of the complexity in an Alibaba Cloud network architecture.

