Network connection options


This topic describes network solutions for various scenarios, including public internet access, cross-VPC communication, and hybrid cloud connections.

Select a region and zone

Before purchasing and using Realtime Compute for Apache Flink, understand the following basic concepts.

  • Region

    A region is a geographical area where Alibaba Cloud data centers are located, typically named after the city where they reside. For example, the China (Hangzhou) region indicates data centers in the city of Hangzhou. The closer your resources are deployed to your business data, the lower the network latency and the faster the access.

  • Zone

    A zone is a physical data center with independent power and network infrastructure within a single region. A region typically contains multiple zones, and zones in different regions are completely isolated. When you deploy workloads, you can choose to deploy them across zones. Because zones have independent power and network infrastructure, this approach significantly improves service reliability, provides disaster recovery redundancy across data centers in the same city, and ensures high availability.

Note

Select the optimal region and zone for your services based on the location of your business data. This choice ensures high availability and stability for your data while reducing data transfer latency.

Network options

Select a network solution based on your data's network environment.

| Data source | Use cases |
| --- | --- |
| Public data sources | Access external data sources over a public IP address. Required if the data source does not support private communication or is not in a VPC. |
| Cross-VPC services | Private communication between two VPCs, which can be in the same or different accounts and regions. |
| Hybrid cloud scenarios | Connect services from other cloud providers or your on-premises data centers to build a multi-cloud or hybrid environment. |

Public data sources

Public internet access has less predictable latency than private networks. If your workload requires low latency and stable connectivity, prioritize private network access.

Alibaba Cloud NAT Gateway connects a VPC to the public internet, allowing Realtime Compute for Apache Flink to access public data sources.

Public internet access

Step 1: Create NAT Gateway and EIP

  1. Log on to the NAT Gateway console.

  2. Click Create Internet NAT Gateway.

  3. On the purchase page, fill in the required information:

    • For the Region, VPC, and Associate vSwitch options, select the ones that correspond to your Realtime Compute for Apache Flink workspace.

      To find these values, open the Realtime Compute for Apache Flink console and click More > Workspace Details for the workspace. The VPC ID is the ID of the VPC to which the workspace belongs, and the vSwitch section lists the names and IDs of the associated vSwitches.

    • Access Mode: SNAT-enabled Mode

    • Elastic IP Address: New EIP (If your region is outside the Chinese mainland, you can purchase an EIP first and then select an existing one based on the line type.)

    • Line Type: BGP (Multi-ISP)

      If your Realtime Compute for Apache Flink workspace is in a region outside the Chinese mainland, more line types are available. Choose a suitable EIP plan based on your business data's location.

      Line types

      Create and purchase an EIP in the Elastic IP Address console.

      | Item | EIP (BGP Multi-ISP) | EIP (BGP Multi-ISP Pro) | Anycast EIP |
      | --- | --- | --- | --- |
      | Core advantage | High-quality BGP public lines for low-cost internet access. | Optimized return traffic to the Chinese mainland, with direct access via premium carrier lines. | A single IP address usable across multiple regions worldwide; traffic enters the Alibaba Cloud network from the nearest access point. |
      | Quality | Low | High | High |
      | Cost | Low | Medium | High |

      Scenario (all three line types): workloads deployed in any region, end users accessing the service from any location over the internet, and traffic passing through standard carrier lines.

  4. Click Buy Now and complete the payment. The resource is then provisioned.

  5. (Optional) Configure an SNAT entry if one was not created automatically. SNAT is what lets the workspace's private addresses reach the internet through the EIP.

    1. On your Internet NAT Gateway instance, click Configure SNAT.

    2. Click Create SNAT Entry.

    3. Select VPC as the scope and select the associated Elastic IP Address (EIP).

    4. Click OK.

Step 2: Configure upstream and downstream access

At this point, your Realtime Compute for Apache Flink workspace can reach public data sources, and all of its outbound traffic leaves through the NAT Gateway's Elastic IP Address (EIP). On the data source side you still need to authorize that address: add the EIP to the firewall rules or security group policies of the data source. Allow only that EIP (a single /32 address) and only the port the connector needs, rather than opening the port to 0.0.0.0/0.

For example, to access a MySQL database deployed on an Alibaba Cloud ECS instance, you need to add a corresponding security group rule. This ECS instance must already have an EIP bound to it.

  1. Go to ECS console - Instances.

  2. Click the target instance. On the Security Groups tab, click the name of the target security group.

  3. On the Inbound Rules tab, click Quick Add. For Authorization Object, enter the NAT Gateway's Elastic IP Address (EIP) as a single address (a /32 CIDR block) and select the MySQL port (3306).

  4. Click OK. Realtime Compute for Apache Flink can now access the MySQL database via the ECS instance's public IP address.

  5. You can use the Network detection feature in the upper-right corner of the Realtime Compute for Apache Flink development console to test the network connection.

    Enter the target Host and Port (for example, 3306), and click Detect. A "Network detection successful" message indicates that the connection is working correctly.
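The rule added in Step 2 is only as tight as the authorization object and port you typed. The following is an added example, not code from the Alibaba Cloud documentation or SDK: it audits a set of inbound security-group rules, reports whether the NAT Gateway's EIP can reach the MySQL port, flags rules that admit that traffic but are broader than a single /32 on a single port, and rewrites the set to the minimal allowlist. The EIP, the rules and their dict keys (Direction, Policy, IpProtocol, PortRange, SourceCidrIp, modeled on the ECS DescribeSecurityGroupAttribute response) are constructed sample data and an assumption about the shape; map your SDK's objects onto them.

```python
"""Audit ECS security-group inbound rules for a Flink-over-NAT allowlist.

Added example for this page; not code from the Alibaba Cloud docs or SDK.
The rule dicts below are constructed sample data. Their keys (Direction,
Policy, IpProtocol, PortRange, SourceCidrIp) are modeled on the ECS
DescribeSecurityGroupAttribute response; treat that shape as an assumption.
"""
import ipaddress

NAT_EIP = "198.51.100.10"   # constructed: the Internet NAT Gateway's EIP (TEST-NET-2 range)
MYSQL_PORT = 3306

# Constructed sample: a correct /32 rule for the NAT EIP, a 0.0.0.0/0 rule on
# the same port, a whole-/24 any-port rule, and an unrelated SSH rule.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3306/3306", "SourceCidrIp": "198.51.100.10/32"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3306/3306", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "1/65535", "SourceCidrIp": "198.51.100.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "10.0.0.0/8"},
]


def port_range(rule):
    """Parse the 'low/high' PortRange string into two ints."""
    lo, hi = rule["PortRange"].split("/")
    return int(lo), int(hi)


def rule_admits(rule, ip, port):
    """True if this inbound Accept rule lets TCP traffic from ip reach port."""
    if rule["Direction"] != "ingress" or rule["Policy"] != "Accept":
        return False
    if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
        return False
    lo, hi = port_range(rule)
    if (lo, hi) == (-1, -1):       # "-1/-1" is how ECS encodes all ports for protocol ALL
        lo, hi = 1, 65535
    if not lo <= port <= hi:
        return False
    src = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
    return ipaddress.ip_address(ip) in src


def audit(rules, nat_eip, port):
    """Return (reachable, too_broad).

    reachable: some rule admits nat_eip:port, so Flink can connect.
    too_broad: rules that admit nat_eip:port but also admit other sources
               (prefix shorter than a host route) or other ports, i.e. more
               exposure than the Flink allowlist needs.
    """
    admitting = [r for r in rules if rule_admits(r, nat_eip, port)]
    too_broad = []
    for r in admitting:
        src = ipaddress.ip_network(r["SourceCidrIp"], strict=False)
        if src.prefixlen < src.max_prefixlen or port_range(r) != (port, port):
            too_broad.append(r)
    return bool(admitting), too_broad


def tighten(rules, nat_eip, port):
    """Drop the over-broad admitting rules and make sure one /32 rule remains."""
    _, too_broad = audit(rules, nat_eip, port)
    kept = [r for r in rules if r not in too_broad]
    if not any(rule_admits(r, nat_eip, port) for r in kept):
        kept.append({"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
                     "PortRange": f"{port}/{port}", "SourceCidrIp": f"{nat_eip}/32"})
    return kept


if __name__ == "__main__":
    reachable, findings = audit(SAMPLE_RULES, NAT_EIP, MYSQL_PORT)
    print("NAT EIP can reach MySQL:", reachable)
    for f in findings:
        print("too broad:", f["SourceCidrIp"], f["PortRange"])
    print("tightened rule set:", tighten(SAMPLE_RULES, NAT_EIP, MYSQL_PORT))
```

Run it against the rules pulled from the security group of the ECS instance that hosts the data source. A 0.0.0.0/0 rule makes the network detection succeed just as well as the /32 rule does, which is why the check looks at how much else each admitting rule lets in, not only at whether the EIP gets through.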

Cross-VPC services

If the other services are still in the early planning stage or can be replaced, deploy them in the same VPC as Realtime Compute for Apache Flink. Alternatively, recreate your Flink workspace in the same VPC as the other services.

The following methods are commonly used for cross-VPC network connections:

  • VPC Peering Connection: A VPC Peering Connection connects two VPCs, which can be in different accounts or regions. This enables them to communicate directly by using private IP addresses as if they were in the same network.

  • Transit Router: A Transit Router connects and forwards traffic among network instances in the same region or across regions. When you attach network instances like VPCs to it, routes synchronize automatically. It supports both intra-region and cross-region connections.

  • PrivateLink: PrivateLink exposes a service to consumers in other VPCs through a private endpoint, so the service itself never needs a public IP address. This removes the internet exposure (and with it the data leakage and DDoS risk that exposure brings), simplifies the network architecture, and improves access efficiency and reliability.

| Item | VPC Peering Connection | Transit Router | PrivateLink |
| --- | --- | --- | --- |
| Connection method | Point-to-point connection between two VPCs | VPCs connect to a Transit Router via network connections | Directional connection between VPCs based on an endpoint service |
| Route propagation | Not supported | Supported | Not supported |
| Access direction | Bidirectional | Bidirectional | Unidirectional |
| Cross-account | Supported | Supported | Supported |
| Cross-region | Supported | Supported | Not supported |
| Best for | Connecting a small number of VPCs | Connecting a large number of VPCs | Directional access to a service in another VPC |
| Configuration complexity | High. Requires establishing a peering connection and configuring routes in both VPCs for each pair. | Low. Each VPC only needs to be attached to the Transit Router and have a route pointing to the attachment. | Low. PrivateLink eliminates the need to manage address conflicts or route configurations. |
| Network latency | Low | Medium. Traffic passing through the Transit Router adds an extra hop, which increases latency. | Low |
| Cost | No charge for intra-region connections. For cross-region connections, Cloud Data Transfer (CDT) charges for outbound traffic. | Fees apply for connections and data processing. Cross-region connections also incur bandwidth plan fees. | Billed on actual usage of the PrivateLink service: instance fees and data processing fees. |
| Overlapping CIDR blocks | Not allowed | Not allowed | Allowed |

Example scenario

An enterprise creates VPC1 in the China (Hangzhou) region and VPC2 in the China (Beijing) region. Realtime Compute for Apache Flink is deployed in the China (Hangzhou) region, while an ECS instance for data storage and development is provisioned in the China (Beijing) region.

A VPC Peering Connection is the best solution for this scenario, which requires network communication between different VPCs (potentially across regions) under the same or different Alibaba Cloud accounts.

Note
  • The CIDR blocks of the VPCs and vSwitches at both ends of a peering connection cannot overlap.

    For example, two VPCs with CIDR blocks 192.168.0.0/16 and 192.168.0.0/24 cannot communicate even if a VPC Peering Connection is established, because their CIDR blocks overlap.
  • To create a cross-account VPC Peering Connection, ensure that both the requester and acceptor accounts have created VPCs.

  • For detailed instructions, see Use a VPC Peering Connection to enable private communication between VPCs.
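The overlap rule in the note above is easy to get wrong when each VPC has several vSwitches, and a peering request that is accepted but cannot route is a slow way to find out. The following is an added example, not code from the Alibaba Cloud documentation: it takes two VPC layouts, checks that every vSwitch CIDR actually sits inside its VPC CIDR, and lists every CIDR pair across the two sides that overlaps. The layouts (VPC_HANGZHOU, VPC_BEIJING_BAD, VPC_BEIJING_OK) and the dict shape `{"vpc": cidr, "vswitches": [...]}` are constructed for this example and are not an API response.

```python
"""Check two VPCs for CIDR overlap before requesting a VPC Peering Connection.

Added example for this page, not Alibaba Cloud code. The VPC layouts are
constructed sample data; the dict shape {"vpc": cidr, "vswitches": [cidr, ...]}
is this example's own convention, not an API response.
"""
import ipaddress
from itertools import product

# Constructed sample layouts. VPC_BEIJING_BAD reproduces the document's
# 192.168.0.0/16 vs 192.168.0.0/24 example; VPC_BEIJING_OK does not overlap.
VPC_HANGZHOU = {"vpc": "192.168.0.0/16",
                "vswitches": ["192.168.1.0/24", "192.168.2.0/24"]}
VPC_BEIJING_BAD = {"vpc": "192.168.0.0/24", "vswitches": ["192.168.0.0/25"]}
VPC_BEIJING_OK = {"vpc": "172.16.0.0/16", "vswitches": ["172.16.10.0/24"]}


def misplaced_vswitches(vpc):
    """Return vSwitch CIDRs that are not inside their VPC CIDR (layout sanity check)."""
    net = ipaddress.ip_network(vpc["vpc"])
    return [c for c in vpc["vswitches"]
            if not ipaddress.ip_network(c).subnet_of(net)]


def all_cidrs(vpc):
    """The VPC CIDR first, then every vSwitch CIDR, as network objects."""
    return [ipaddress.ip_network(vpc["vpc"])] + \
           [ipaddress.ip_network(c) for c in vpc["vswitches"]]


def overlapping_pairs(a, b):
    """Every (cidr_in_a, cidr_in_b) pair that overlaps, as strings.

    Peering requires this list to be empty. Reporting vSwitch-level pairs as
    well as the VPC pair shows which subnets would need re-addressing when
    the overlap is only partial.
    """
    return [(str(x), str(y)) for x, y in product(all_cidrs(a), all_cidrs(b))
            if x.overlaps(y)]


def can_peer(a, b):
    """True only if both layouts are sane and no CIDR on either side overlaps."""
    if misplaced_vswitches(a) or misplaced_vswitches(b):
        return False
    return not overlapping_pairs(a, b)


if __name__ == "__main__":
    for name, other in (("Beijing (bad)", VPC_BEIJING_BAD), ("Beijing (ok)", VPC_BEIJING_OK)):
        print(name, "can peer with Hangzhou:", can_peer(VPC_HANGZHOU, other),
              overlapping_pairs(VPC_HANGZHOU, other))
```

Because every vSwitch CIDR lies inside its VPC CIDR, the VPC-to-VPC pair alone decides whether peering is possible; the per-vSwitch pairs are reported so that, when only part of the range collides, you can see which subnets to move instead of re-addressing a whole VPC.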

Hybrid cloud scenarios

The following products support connecting on-premises data centers and other networks to a VPC, allowing you to quickly build a hybrid cloud.

  • Express Connect: Express Connect uses dedicated physical circuits to connect on-premises data centers, other cloud platforms, and other networks to Alibaba Cloud. Even over long distances, Express Connect provides communication quality comparable to a private network, featuring low latency, low packet loss, and high bandwidth.

  • VPN Gateway: VPN Gateway establishes an encrypted, secure, and reliable connection between your Alibaba Cloud VPC and various other networks, including on-premises data centers, office networks, internet clients, and other cloud platforms.

| Item | Express Connect | VPN Gateway |
| --- | --- | --- |
| Quality | High (dedicated circuit) | Low (public internet) |
| Provisioning time | Long (2 to 3 months) | Short (available immediately after activation and authentication) |
| Cost | High | Low |
| Bandwidth | A single link supports up to 100 Gbps; multiple circuits can be aggregated to reach Tbps-level bandwidth. | Limited by the bandwidth of the public IP address. |
| Use cases | Cloud migration for enterprises with high network security requirements, such as those in the finance and government sectors. | Cloud migration for basic services such as enterprise office networks and data storage. |