Infrastructure security


VPC provides layered network isolation and traffic control to help you protect cloud resources from unauthorized access.

Network isolation

A virtual private cloud (VPC) is a logically isolated virtual network on Alibaba Cloud. Within a VPC, a vSwitch is the basic building block — it has its own CIDR block and route table. Resources in the same vSwitch communicate directly. Resources in different vSwitches are isolated from each other; use route tables to control which traffic crosses that boundary.

Use vSwitches to separate the tiers of your application within a single VPC. For example, place web servers, application servers, and database servers in separate vSwitches to enforce a clear security boundary between each tier.

Control network traffic

VPC gives you multiple tools to control traffic at different layers of your network.

Use security groups as the primary mechanism for controlling access to Elastic Compute Service (ECS) instances. A security group acts as a virtual firewall: attach it to one or more ECS instances, then define inbound and outbound rules to control traffic at the instance level. Group instances that share the same security requirements into the same security group to partition security domains.

When necessary, use a network ACL as a secondary control at the vSwitch level. Attach the same network ACL to multiple vSwitches to enforce consistent access policies across them. Network ACLs are effective as a subnet-level guard rail — for example, to deny a specific subset of traffic regardless of instance-level configuration, or as a fallback control when an instance launches without the correct security group.

Additional traffic control tools:

  • IPv4 gateway — controls public IPv4 traffic at the VPC border. Combine it with route table configuration to route all internet-bound traffic through a single gateway, reducing the security risks of decentralized access.

  • IPv6 gateway — public IPv6 traffic gateway for a VPC. Configure IPv6 internet bandwidth and egress-only rules to control inbound and outbound IPv6 traffic.

  • Custom route table — attach a custom route table to a vSwitch and add route entries for flexible, per-vSwitch traffic management.

  • VPC peering connection — establish private connectivity between two VPCs in the same or different accounts and regions by creating a peering connection and configuring routes for the VPCs at both ends. The CIDR blocks of the two VPCs must not overlap.

  • Cloud Enterprise Network (CEN) — multi-VPC interconnection for enterprise networks. CEN enables network communication between multiple VPCs within an enterprise.

  • Express Connect and VPN Gateway — connect your VPC to on-premises data centers, office networks, or other cloud providers.

  • Gateway endpoint — virtual gateway device for private access to Alibaba Cloud services. When you associate a gateway endpoint with a route table, the system automatically adds a route with the gateway endpoint as the next hop.

  • Flow log — captures inbound and outbound traffic for elastic network interfaces (ENIs) in your VPC. Use flow logs to audit access control rules, diagnose overly permissive or overly restrictive security group and network ACL configurations, and troubleshoot network faults.

Compare network ACLs and security groups

Security groups and network ACLs work at different layers. Use them together for defense in depth.

| Characteristic | Security groups | Network ACLs |
| --- | --- | --- |
| Scope | Instance level — attach to one or more ECS instances | vSwitch level — attach to one or more vSwitches |
| Traffic state | Stateful — return traffic is automatically allowed. Adding an inbound rule for port 80 does not require a corresponding outbound rule. | Stateless — return traffic must be explicitly allowed. To allow inbound traffic on port 80, add both an inbound rule for the request and an outbound rule for the response. |
| Intra-group control | Basic security group: allow or deny traffic between instances. Enterprise security group: internal isolation is enabled by default. | Does not control traffic between ECS instances in the same vSwitch |
| Best for | Controlling access between instances and managing public inbound traffic on specific ports | Enforcing subnet-level access policies across vSwitches, and providing a fallback control layer when an instance is launched without the correct security group |
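To make the stateful/stateless distinction in the table concrete, the following is an added Python model (not Alibaba Cloud code) of how each kind of filter evaluates an HTTP request and its reply. It assumes default-deny in both directions, constructed addresses 203.0.113.10 (client) and 10.0.1.5 (instance), and the Alibaba convention that rules match the remote CIDR plus the packet's destination port.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    direction: str    # "in" (toward the instance/vSwitch) or "out"
    remote_cidr: str  # source CIDR for "in" rules, destination CIDR for "out" rules
    port_lo: int      # inclusive destination-port range of the matched packet
    port_hi: int

    def matches(self, direction: str, pkt: Packet) -> bool:
        remote = pkt.src_ip if direction == "in" else pkt.dst_ip
        return (self.direction == direction
                and ip_address(remote) in ip_network(self.remote_cidr)
                and self.port_lo <= pkt.dst_port <= self.port_hi)

def rules_allow(rules, direction, pkt) -> bool:
    return any(r.matches(direction, pkt) for r in rules)

@dataclass
class StatelessAcl:
    """Network ACL model: every packet must match a rule in its own direction."""
    rules: list
    def allows(self, direction, pkt) -> bool:
        return rules_allow(self.rules, direction, pkt)

@dataclass
class StatefulGroup:
    """Security group model: replies of a tracked flow pass without a rule."""
    rules: list
    conns: set = field(default_factory=set)
    def allows(self, direction, pkt) -> bool:
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.conns:
            return True  # reverse of an allowed flow: return traffic
        if rules_allow(self.rules, direction, pkt):
            self.conns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False

ALLOW_HTTP_IN = Rule("in", "0.0.0.0/0", 80, 80)
ALLOW_EPHEMERAL_OUT = Rule("out", "0.0.0.0/0", 1024, 65535)  # needed only by the ACL

def http_round_trip(filt) -> tuple:
    """Return (request_allowed, reply_allowed) for a constructed client on port 51000."""
    request = Packet("203.0.113.10", 51000, "10.0.1.5", 80)
    reply = Packet("10.0.1.5", 80, "203.0.113.10", 51000)
    return filt.allows("in", request), filt.allows("out", reply)
```

With only `ALLOW_HTTP_IN`, the security group passes both packets while the ACL drops the reply; adding `ALLOW_EPHEMERAL_OUT` to the ACL restores the round trip.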