Cloud Service Cloud Service Contact Us

Official Alibaba Cloud global account setup Alibaba Cloud VPC and VSwitch Configuration Guide

Alibaba Cloud / 2026-05-21 22:23:48

Setting up networking in the cloud can feel a bit like assembling furniture from a “choose-your-own-adventure” manual. You start with a neat pile of pieces—VPCs, VSwitches, route tables, security rules—and somewhere along the way, a mysterious screwdriver appears in your hand and you can’t remember where it came from. Still, the results are worth it: once your network is cleanly designed, your apps stop behaving like they’re haunted.

This guide walks you through configuring Alibaba Cloud VPC and VSwitches in a clear, practical way. You’ll learn how to plan IP ranges, create a VPC, add one or more VSwitches in the right zones, attach route tables, configure gateways and NAT when needed, and finally lock down traffic with security groups. We’ll also include common troubleshooting steps, because every network engineer eventually has to stare at “connection timed out” and wonder if the problem is cosmic.

1. What Are VPCs and VSwitches, Anyway?

Let’s start with the basics, because naming things incorrectly is a classic human pastime.

VPC (Virtual Private Cloud) is your private network space inside Alibaba Cloud. Think of it as the “country borders” of your network—an isolated IP address range and networking environment for your resources.

VSwitch is a subnet inside your VPC. It belongs to a specific availability zone (or zone). So while your VPC is the whole kingdom, a VSwitch is a specific province. Resources placed in the same VSwitch typically share the subnet’s characteristics and routing context.

When you create a VSwitch, you choose:

  • a zone (because cities in different places don’t share plumbing),
  • a CIDR block (the IP range for that subnet).

Multiple VSwitches can live inside one VPC. For highly available designs, you often create VSwitches across multiple zones.

2. Before You Click Anything: Planning Your IP Address Strategy

Networking mistakes often originate before the first resource is created. You know the moment: you open the console, click “Create,” and your brain goes, “Sure, we’ll figure out the IPs later.” That’s how you end up with overlapping CIDR ranges and a route table that resembles a spaghetti junction designed by an anxious artist.

Here’s a sane approach:

2.1 Choose a VPC CIDR Range

Select a CIDR block for the VPC that is large enough for growth. For example:

  • Small lab: 10.0.0.0/16
  • Medium environment: 10.10.0.0/16
  • Complex enterprise: consider segmentation by department or app tier

Pick something that won’t collide with your on-premises networks (if you’ll connect them). If you plan a future VPN or Direct Connect connection, coordinate CIDR ranges upfront with whoever owns the other side of the tunnel. Otherwise, traffic will arrive at the border and immediately start pretending it doesn’t speak the same language.

2.2 Divide VPC CIDR into VSwitch CIDRs

Your VSwitches will be subranges of the VPC CIDR. For instance, if your VPC is 10.0.0.0/16, you might create:

  • VSwitch A: 10.0.1.0/24
  • VSwitch B: 10.0.2.0/24
  • VSwitch C: 10.0.3.0/24

Use a consistent naming convention too. Future You will thank you. Present You will probably roll their eyes and keep going, but trust: Present You is not the hero of the story. Future You is.

2.3 Decide Which Subnets Need Public Access

Not every subnet should reach the internet directly. A common pattern is:

  • Public subnet: resources can access the internet (via NAT or public gateways depending on design).
  • Private subnet: only internal access; outbound via NAT if required.

You can also create multiple VSwitches within the same tier across zones for availability.

3. Creating a VPC

Now that we have an IP plan and a healthy suspicion for overlapping ranges, let’s create the VPC.

3.1 Go to the VPC Console

In the Alibaba Cloud console, navigate to the networking section and open VPC. Look for “Virtual Private Cloud” (sometimes shown simply as VPC) and choose “Create VPC.”

3.2 Set VPC Name, Region, and CIDR

You’ll typically set:

  • Region: where this VPC lives. You can’t casually mix resources across regions without extra networking work.
  • VPC name: use something like prod-vpc-us-east or dev-vpc-1.
  • VPC CIDR: the base range, like 10.0.0.0/16.

Once you submit, Alibaba Cloud will provision the VPC. After creation, the VPC is “empty-ish,” meaning it provides a container for subnets, routes, and security rules—but it won’t magically make resources reachable until you configure those pieces.

4. Creating VSwitches Inside the VPC

After the VPC exists, you add VSwitches. This is where you choose zones and CIDR blocks. Remember: a VSwitch is zone-specific.

4.1 Create One VSwitch per Zone (Usually)

If you’re deploying a typical app that needs redundancy, create VSwitches in at least two zones. For example:

  • VSwitch in zone A: 10.0.1.0/24
  • VSwitch in zone B: 10.0.2.0/24

Even if you only use one zone today, having the second zone ready makes scaling less painful tomorrow. It’s like buying a spare umbrella before the first rainy day. Over-preparing can be annoying, but not as annoying as being drenched while debugging route tables.

4.2 Choose CIDR Subnet Ranges Carefully

Official Alibaba Cloud global account setup Make sure each VSwitch CIDR is within the VPC CIDR and does not overlap with other VSwitches in the same VPC. Overlaps can lead to routing confusion and resource creation errors.

4.3 Assign VSwitch to the Right VPC

During creation, select your VPC, pick the zone, and enter the CIDR. Then save.

When you have multiple VSwitches, you’re essentially saying: “These networks are separate subnets with their own IP ranges.” Resources in different VSwitches may communicate depending on routing and security rules.

5. Route Tables: The “How Traffic Behaves” Control Panel

If security groups are bouncers, route tables are traffic cops. They decide where packets should go next.

5.1 Understand the Default Routing Behavior

Many cloud setups include default routes for local VPC traffic. That means resources inside the same VPC can often reach each other (subject to security rules). But reaching external networks (like the public internet or on-premises networks) requires additional routes and gateways.

Common needs:

  • Outbound internet access from private subnets
  • Access between VPC and on-premises networks
  • Traffic between subnets via internal routing

5.2 Attach Route Tables to VSwitches or Use a VSwitch-Based Model

Depending on the Alibaba Cloud networking model, route tables are often associated with VSwitches. That means when you create a VSwitch, it’s linked to a route table (either default or custom). Custom route tables let you define specific routes for specific next hops.

Official Alibaba Cloud global account setup If you ever wondered why changing a firewall rule didn’t fix connectivity, it’s often because packets couldn’t even find the correct next hop. That’s a route table problem, not a bouncer problem.

6. Gateways, NAT, and Internet Access (Without Summoning Chaos)

Now we talk about getting traffic in and out of your VPC. Whether you need internet access depends on your workload.

6.1 Public vs Private Subnet Outbound Design

Two common designs:

Design A: Use NAT for private subnets

  • Private instances in private VSwitches send outbound traffic to a NAT gateway.
  • The NAT gateway forwards traffic to the internet.
  • Inbound connections from the internet typically aren’t allowed directly (unless you set up additional inbound mappings).

Design B: Use a gateway for public subnets

  • Public instances can directly route to external networks using an internet gateway or a similar construct.
  • This makes them reachable from the internet (again depending on security rules and any load balancers).

Most security-conscious teams prefer private instances with NAT for outbound. Public exposure should be controlled and minimized.

6.2 Configure NAT for Outbound Connectivity

If your instances are in private VSwitches and you need them to reach package registries, APIs, or external services, configure NAT.

High-level steps:

  • Create or identify a NAT gateway.
  • Ensure route tables send internet-bound traffic (typically 0.0.0.0/0) to the NAT gateway.
  • Make sure security group rules allow egress traffic from instances to the internet destinations.

If you don’t set the 0.0.0.0/0 route to NAT (for private subnets), instances may only reach internal VPC addresses. They’ll behave like they forgot the internet exists.

6.3 If You Need Inbound Internet Traffic

Official Alibaba Cloud global account setup Inbound traffic typically goes like this:

  • Internet user calls your service.
  • A load balancer receives the traffic (common approach).
  • The load balancer forwards traffic to instances in your VPC.
  • Security groups and instance firewall rules permit the traffic.

Even if you set up an internet gateway, you still need the right security rules. Cloud networks are polite but firm: they won’t let random strangers in just because you drew a door.

7. Security Groups: The “Who Can Talk to Whom” Rules

Security groups are fundamental. They control inbound and outbound traffic at the instance level (or sometimes at interface level depending on setup).

7.1 Define Inbound Rules Carefully

Typical inbound rules might include:

  • Allow SSH (port 22) only from your office IP or a bastion host
  • Allow HTTP (port 80) or HTTPS (port 443) only from load balancer security group or known sources
  • Allow application-specific ports (like 8080, 8443, etc.) as needed

Beware of “Allow 0.0.0.0/0 to everything” rules. They’re tempting because they make problems go away quickly. But they also invite visitors you didn’t order, like unsolicited chaos gremlins and accidental scanning robots.

7.2 Define Outbound/Egress Rules

Egress rules control whether instances can reach external addresses. If you lock down egress too aggressively, your app might not be able to call an external API, download updates, or reach DNS.

For example, if you want full outbound access from private instances, you might allow outbound to 0.0.0.0/0. If your environment requires strict policies, allow only specific destination ranges and ports.

Official Alibaba Cloud global account setup 7.3 Use Security Group References Where Possible

Instead of allowing inbound traffic “from everywhere,” prefer allowing “from another security group.” That gives you cleaner intent and reduces accidental exposure.

8. Putting It Together: A Common Reference Architecture

Let’s outline a practical setup many teams use. The exact names of services may differ, but the network principles are consistent.

8.1 Example Scenario

Official Alibaba Cloud global account setup You want:

  • Web servers (private instances) in two zones
  • A load balancer in front
  • Outbound internet access for patching and API calls

8.2 Suggested Network Layout

VPC CIDR: 10.0.0.0/16

VSwitches:

  • zone-a: 10.0.1.0/24 (public tier or LB tier depending on design)
  • zone-b: 10.0.2.0/24 (public tier or LB tier depending on design)
  • zone-a-private: 10.0.11.0/24
  • zone-b-private: 10.0.12.0/24

Routing:

  • Private subnets: default route 0.0.0.0/0 to NAT gateway
  • Load balancer tier: internet-facing access if required
  • Local VPC routes: allow inter-subnet traffic within VPC

Security:

  • Allow inbound to web servers from LB security group only
  • Restrict SSH to your admin IP/bastion
  • Allow egress required for outbound internet via NAT

This keeps your web servers from being directly reachable from the internet. They become guests at a party where security guards only let in traffic that passed through the official door (the load balancer).

9. Step-by-Step Checklist (So You Don’t Miss the Important Stuff)

Here’s a checklist you can use during setup. You can read it like a movie credit roll, but one where the plot doesn’t end with the network failing to connect.

9.1 VPC and VSwitch

  • Decide VPC region
  • Choose VPC CIDR that won’t overlap with other networks
  • Official Alibaba Cloud global account setup Create VPC
  • Create VSwitches in the appropriate zones
  • Assign correct CIDRs for each VSwitch

9.2 Routing

  • Check route table association for each VSwitch
  • Confirm local VPC routes exist for internal communication
  • For outbound internet from private subnets, add default route to NAT gateway
  • If you connect to on-prem, add routes to the VPN/Direct Connect next hop

9.3 Security Groups

  • Create security groups per role (web, app, db, bastion)
  • Official Alibaba Cloud global account setup Set inbound rules based on allowed sources (prefer security group references)
  • Set egress rules to permit required outbound destinations/ports
  • Attach the correct security groups to instances/network interfaces

9.4 Instance-Level Checks (Because It’s Always Something)

  • Verify OS firewall rules (iptables, ufw, security policies)
  • Verify services are listening on the correct interfaces and ports
  • Verify DNS settings if external name resolution is required

10. Troubleshooting: “Why Can’t I Reach Anything?”

Let’s cover the most common connectivity problems. These are the equivalent of checking whether you used the right light switch, except the switch is a route and the room is your packet’s journey.

10.1 Confirm IP Ranges and No Overlaps

If you have overlapping CIDR ranges, routing can become unpredictable or outright break. Verify:

  • Your VSwitch CIDRs are within the VPC CIDR
  • No VSwitch CIDRs overlap within the VPC
  • Any on-prem or connected network ranges don’t overlap

10.2 Check Route Tables for the Destination

Ask yourself: “Where is the packet supposed to go next?”

  • If connecting to another instance in the same VPC: route should allow local traffic.
  • Official Alibaba Cloud global account setup If connecting to the internet: private subnets need NAT and a default route to NAT.
  • If connecting across networks: ensure there is a route to the correct next hop (VPN/DX).

A common mistake is assuming that because instances are in the same VPC, they’ll automatically have internet access. They might not. VPC isolation is a feature, not a bug.

10.3 Verify Security Group Rules Match the Traffic Direction

Security group rules can be directional: inbound and outbound are not always the same. Typical pitfalls:

  • Inbound rule missing (instance blocks incoming traffic)
  • Outbound rule missing (instance can’t send response traffic)
  • Source IP mismatch (using 0.0.0.0/0 when you expected a specific subnet, or vice versa)

10.4 Validate OS Firewall and Application Ports

Even if the cloud network allows traffic, the instance OS might still block it. Common checks:

  • Is the service actually running?
  • Is it listening on the correct port?
  • Is it bound to the right network interface (0.0.0.0 vs localhost)?
  • Do firewall rules allow the port?

10.5 Test with the Right Tools

From an instance, try:

  • Ping (if ICMP is allowed)
  • Curl/wget to the target service
  • nslookup/dig for DNS
  • Traceroute to identify where the packet stops

If DNS fails, you’ll often see issues that look like “network is broken,” when really it’s “DNS is confused and refusing to answer.” Networks love drama.

11. Common Gotchas (The “You’ll Hit These Eventually” Section)

Here’s a list of classic blunders. Reading this section won’t summon them, but it might help you recognize them when they show up wearing a trench coat.

11.1 CIDR Overlap Between VPC and Connected Networks

Overlapping address spaces are the #1 villain when connecting VPCs or connecting VPC to on-prem. Fix by redesigning IP plan. Renumbering later can be painful; designing early is cheaper and less emotionally damaging.

11.2 Assuming VPC Equals Internet Access

VPC provides isolation. Internet access is a separate decision involving gateways, routes, and security rules.

11.3 Forgetting NAT and Default Routes for Private Subnets

If instances are in private VSwitches, you usually need NAT for outbound internet. Ensure your route table sends 0.0.0.0/0 to NAT.

11.4 Using Inconsistent Security Group References

If you allow inbound from “a security group,” ensure your load balancer or source instances actually attach to that security group. A typo or wrong attachment can silently block traffic. Cloud consoles are excellent at letting you look certain while being wrong.

11.5 Creating Resources in the Wrong Zone

Since VSwitches are zone-specific, placing an instance into a VSwitch in zone A means the instance is effectively in zone A. If your load balancer is expected to be in zone B, you might get a partial connectivity problem that feels like a mystery novel with missing pages.

12. Best Practices: Make It Boring (In a Good Way)

Boring networks are reliable networks. Try these best practices:

  • Use consistent naming: VPC-prod, vsw-zone-a-public, rt-private-a, etc.
  • Segment by tier: web/app/db subnets, each with appropriate routing and security rules.
  • Restrict inbound access: only allow required ports and sources.
  • Official Alibaba Cloud global account setup Lock down egress if possible: allow only what you need, especially for sensitive environments.
  • Document your routing: write down which route tables are attached to which VSwitches.
  • Plan for scale: leave room in CIDR blocks if you expect growth.

13. Example Configuration Walkthrough (A Friendly Fictional Case)

Let’s pretend you’re setting up a small app called “TeaTime” (because why not) with:

  • a web tier running on instances
  • a database tier in private subnets
  • a NAT gateway for outbound patching

Step 1: Create VPC

You choose region “east” and CIDR 10.0.0.0/16. You name it tea-time-vpc.

Step 2: Create VSwitches

  • zone A public-ish: 10.0.1.0/24
  • zone B public-ish: 10.0.2.0/24
  • zone A private: 10.0.11.0/24
  • zone B private: 10.0.12.0/24

Step 3: Create route tables

  • public route table: default route to internet gateway (if your setup uses that)
  • private route table: default route 0.0.0.0/0 to NAT gateway

Step 4: Attach route tables to VSwitches

  • Attach public route table to the public-ish VSwitches
  • Attach private route table to private VSwitches

Step 5: Security groups

  • web-sg: allow inbound 80/443 from load balancer’s security group; allow outbound to needed services
  • db-sg: allow inbound 3306 (or your DB port) from web-sg; restrict everything else
  • admin-sg: allow SSH only from your admin IP

Step 6: Launch instances

Launch web instances into private VSwitches if you’re using a load balancer that reaches private subnets, or into public-ish subnets if the design requires it. Launch db instances into private subnets only.

Step 7: Validate connectivity

  • From a web instance, attempt to connect to the DB instance on the DB port.
  • From web instances, verify outbound internet access works for updates (if NAT configured).
  • From load balancer, verify inbound web traffic reaches web instances.

When you get it right, TeaTime works. When you don’t, you’ll find out quickly—usually with a timeout, a DNS error, or a very quiet database port that absolutely refuses to be reached.

14. Summary: Your Network Should Behave Like a System, Not a Surprise

Configuring Alibaba Cloud VPC and VSwitches becomes straightforward when you approach it like a plan rather than a treasure hunt. Start with a sensible IP design, create a VPC in the correct region, add zone-aware VSwitches without CIDR overlap, attach the right route tables, and then layer security groups to permit only necessary traffic. For outbound connectivity from private subnets, ensure NAT and default routes are configured. Finally, troubleshoot systematically: route tables first, then security groups, then instance OS and application settings.

Do that, and your cloud networking will stop feeling like improvisational theater. It’ll become more like a well-rehearsed orchestra: still complex, but at least everyone knows their part.

If you want, tell me your intended architecture (for example: number of zones, public vs private subnets, whether you need VPN/Direct Connect, and which ports you need), and I can suggest a concrete VPC CIDR/VSwitch CIDR and routing/security layout tailored to your scenario.

TelegramContact Us
CS ID
@cloudcup
Contact
TelegramSupport
CS ID
@yanhuacloud
Contact