By Jonathan Peng, Staff Solutions Architect
“How can I design and build my network on Alibaba Cloud platform?” This is a common question that we have often been asked by many enterprises. It’s also a very fundamental question that needs to be addressed before migrating to any cloud platform. But the answer may not be that straightforward, in many cases the right answer would be, “It depends”. Today, I would like to offer a solution that incorporates best practices for traditional on-premises network practices and Alibaba Cloud VPC design, to fulfill the security and operation policies that most enterprises have.
The Transit VPC Solution is a combination of traditional networking concepts and Alibaba Cloud VPC networking features. By using this Transit VPC, you can connect multiple VPCs all together without the need of managing the complexity of a full mesh network. It simplifies network management and minimizes the connections that need to be managed, and provide the networking consistency of security and operation that as on-premises network.
Before we dive deep into the concept and design of Transit VPC, let’s have a quick look at the typical networking design now. As shown in the following diagram, we often separate front tier, application tier, and data tier into different subnets and use security groups to create the security layer to control the access right for different subnets and ports. With products such as VPN and ExpressConnect, we can connect these groups to an internet data center (IDC) to create a hybrid network for an enterprise.
This is a very neat and simple design for many systems with the following pros and cons:
- Easy to create all resources at once without tons of communication.
- The whole design is very flat and clean without any single point of failure.
- Expandable and fit for microservices system, which put their routing and security policies on application level.
- Fit for different system environments with few applications in the VPC.
- Hard to separate resource roles for system, network and security team members.
- Enterprise networking and security teams are often quite against this distributed approaches.
But in many cases, enterprise’s IT wants the design to have the below capabilities:
- Security Policy Requirements: Need to meet the network and security design standard as on-premises, which needs to be centralized with approval management.
- Multilayer Approach: Have the same approach as on-premises, can divide the network and security segments like DMZ, Application tier and Database tier, etc.
- Consistent Operation: Separate operation roles for different resources, such as Application, Compute, Networking, Database & Security, etc.
- Resilience & Flexible: The network design needs to be resilience with HA and DR capabilities, also able to scale to meeting the complexity of enterprise network design.
Why Do We Need Transit VPC?
So, how to design our VPC network on Alibaba Cloud if we need to deploy many VPCs with different Production/UAT/SIT, etc. environments in it, as the following diagram? Furthermore, how can we meet the requirements from many enterprises as above?
This is where we can apply Transit VPC in this complex situation. As the following diagram, by using VPC-to-VPC ExpressConnect and Transit VPC, we create a hub-and-spoke network on the Cloud platform. This can simplify the network topology and create a centralized point for access control between different VPCs and On-premises, etc.
We can also use Transit VPC with Alibaba Cloud CEN service to connect different regions all together, without the need to connect all VPC in different regions at once, as the following one.
How to Build Transit VPC?
First of all, you need to create a Transit VPC and Transit vSwitch in different VPCs as a transit network. As the route table in green, we create VPC-to-VPC connection from Production/Dev VPC to Transit VPC and connect the Transit vSwitches by associating the route entry to the Transit vSwitches.
After that, we need to build VPN instances on Transit vSwitches and create tunnels between Production/Dev VPC to Transit VPC. So now, we have routing information from production vSwitch to development vSwitch.
Finally, we add one more route entry (in blue line) in the default route table (in gray) and point to the VPN instances. Now, we connect different VPCs by getting through the traffic to the tunnel and Transit VPC.
With this approach, we can add more VPCs into the network topology and each provide different purposes. Such as DMZ, Sharing services, etc. and can isolate or control the access to different environment or services in the Transit VPC firewall instance.
We will be creating a step-by-step guide for this solution soon, stay tuned!