VPC internal access

更新时间:
复制 MD 格式

Compared to public internet access, internal network access provides complete isolation from external networks, which helps prevent network attacks and unauthorized access. This type of access is ideal for internal communications that require high security and fast data transfer speeds. Internal network access uses private IP addresses and private domain names. You can use features like network ACLs and security groups to control access between different ECS instances within a VPC. For cross-VPC access, such as connecting VPCs in different accounts or regions, Alibaba Cloud provides solutions like Cloud Enterprise Network and VPC Peering Connection.

Internal access methods

Private IP addresses

Private IP addresses, which are typically IPv4 addresses, cannot be accessed from the internet. You can use private IPv4 addresses to communicate between ECS instances and other internal resources. Alibaba Cloud assigns private IPv4 addresses to ECS instances using the Dynamic Host Configuration Protocol (DHCP).

If you need to use IPv6 for internal network access in your VPC, you can create ECS instances with IPv6 addresses. These instances must be created in a VPC and a vSwitch with IPv6 CIDR blocks enabled.

For more information, see IP addresses.

Private domain names

Assign private domain names to ECS instances in a VPC for IP-free access with automatic DNS record management.

After you enable the DNS hostname feature for your VPC, you can configure private DNS resolution for ECS instances to allow internal access via private domain names. For more information, see Private DNS resolution for ECS instances.

Internal access control

Network ACLs

A network ACL is an access control feature in a VPC. You can create custom network ACL rules and associate the network ACL with a vSwitch to control traffic to and from the ECS instances in that vSwitch. For more information, see Network ACLs and Create and manage a network ACL.

You can also use network ACLs to restrict internal communication between ECS instances in different vSwitches. For more information, see Restrict communication between ECS instances in different vSwitches.

Security group rules

Properly configured security groups can significantly enhance the security of your instances. A security group acts as a virtual firewall that controls inbound and outbound traffic for your ECS instances at the network interface level. Within the same VPC, you can use security group rules to control internal access between ECS instances.

  • Same security group: To enable this communication, you can place ECS instances that require internal access into the same basic security group. By default, a basic security group allows communication between instances within the group. In contrast, an advanced security group isolates all instances within it. For more information, see Modify the internal access control policy of a basic security group.

  • Across security groups: To allow communication between ECS instances in different security groups, or to use an advanced security group for granular access control, strict compliance, or complex network environments, you can authorize one security group to access another. By default, an advanced security group isolates instances within it, and this policy cannot be modified. For more information, see Security group guidelines and use cases.

Host system firewall

A firewall creates a protective barrier between internal and external networks. If a firewall is enabled on your server with rules that block external access, you might be unable to connect to the server remotely. For more information, see the following topics:

Cross-VPC internal connectivity

By default, virtual private clouds (VPCs) are isolated from each other. To enable communication between instances in different VPCs, you can use either VPC Peering Connection or Cloud Enterprise Network (CEN). Choosing the right method depends on your network scale, performance requirements, and cost consideration.

These connection methods differ in implementation, supported regions, configuration complexity, the number of VPCs that can be connected, and pricing. For more information, see Connect VPCs.

Related documentation

  • To modify the default primary private IP address assigned to an instance, see Primary private IP addresses.

  • If you have scenarios that require multiple private IP addresses, such as for multi-application hosting or failover, you can assign one or more secondary private IP addresses to an ECS instance. For more information, see Secondary private IP addresses.

  • For best practices on using security groups, see Security group best practices.

  • A VPC firewall helps you inspect and control traffic between Virtual Private Cloud (VPC) instances, and between VPCs and on-premises data centers. If your VPCs are attached to a Cloud Enterprise Network (CEN) instance or connected by using Express Connect, you can create a VPC firewall to control traffic across these connections.

    For more information, see VPC Firewall.