ECS Networking


Alibaba Elastic Compute Service
This course explores Alibaba's Elastic Compute Service and the features it offers to manage your Alibaba instances. We'll look at the main applications of the ECS service before moving on to a couple of guided demos from the platform to show you how to use the ECS service.

Learning Objectives

  • Get a foundational understanding of the main concepts of Alibaba ECS
  • Learn about the different instances available in Alibaba Cloud, including their features and use cases
  • Learn the capabilities and limitations of ECS storage
  • Learn how to connect instances together through ECS networking, specifically through the use of VPCs
  • Learn how to create an ECS instance and attach a data disk to it

Intended Audience

This course is intended for anyone looking to use Alibaba ECS to manage their Alibaba Cloud workloads, as well as anyone studying for the ACP Cloud Computing certification exam.


To get the most out of this course, you should have a basic understanding of the Alibaba Cloud platform.


All right, now we come to ECS networking. How do you connect ECS instances together? How do you connect them to the internet? Well, the key component in ECS networking is what we call the virtual private cloud, or VPC. A VPC group is a private network IP address range that hosts one or more ECS instances. VPC groups are completely isolated from one another, both within a single user's account and between different users' accounts. So each VPC is its own little island.

The instances within the VPC can talk to each other and can also potentially talk to the internet, but they are disconnected from other VPCs unless you explicitly peer those VPCs together. So unless you make changes to your VPC to connect it to other VPCs, it remains completely private. Within each VPC there is a VRouter, or virtual router, which is used to route traffic around inside the VPC and also to route traffic to and from the internet. And then there will be one or more VSwitches.

You can think of each VSwitch as representing a subnet. So within the VPC's IP address range, each VSwitch will have its own subnet range. For instance, if your VPC network is a /24 IP address range, then maybe your VSwitches could each be a /26 within that /24 network block. Also within the VPC, there's the concept of a security group. This is basically a set of firewall rules that apply to your ECS instances within the VPC. You can have multiple security groups within a VPC, and these security groups are used to enable the ECS instances to safely talk to other networks, say the public internet.

Then there's also what we call elastic IPs, or EIPs. You can attach these to your ECS instances to grant them access to the public internet; an elastic IP is just a public, internet-facing IPv4 address. And the nice thing about EIPs is that they can move between different ECS instances. So you can flexibly move them between instances, even instances that are not in the same zone. And that's another core concept of the VPC: ECS instances and ECS disks live in a particular zone, say Singapore zone A. So if your instance is in Singapore zone A, you cannot move it to another zone. It can't be migrated to another zone, and the same goes for disks, but the elastic IP can move between zones. So the elastic IP can move between zones, and a VPC group can include ECS instances that live in different zones. It's totally fine for a VPC in the Singapore region to include ECS instances from zones A, B and C. That would be all right.

How do security groups work? Well, a security group is essentially a firewall: security group rules either allow or deny traffic to an ECS instance. A security group rule includes the following information. First, the action or rule type: is this an accept rule or a block rule? Second, the port range that the rule applies to, maybe port 80 up to port 90, or maybe just a single port like port 443. Third, the protocol, so what type of traffic does the rule apply to? TCP, UDP, or ICMP are all supported. And then the authorization object, so what is it that I'm trying to accept or block? From which IP address range do I want to accept or block this traffic? You can specify either a single IP address, an IP address range in the form of a CIDR block, or the security group ID of another Alibaba Cloud security group. So you can specify the ID of another security group and then allow or deny traffic from that group into your security group.

Security groups are a regional concept, just like a VPC. The security group can span multiple zones within a region. Each security group can contain multiple ECS instances, either in the same zone or in different zones. Each ECS instance you create has to belong to at least one security group. It can belong to more than one if you want, but it has to belong to at least one. And by default, ECS instances in the same security group can communicate freely with one another.

By default, instances in different security groups cannot communicate with each other, so keep that in mind. If two ECS instances are in the same security group, they can communicate freely with one another, no matter what the security group rules are. But if they're in different security groups and they want to communicate, you have to create rules to allow cross-security-group traffic between those two groups. And at the bottom of the slide here, there's an example of the rules that are applied when an incoming connection tries to reach an ECS instance.

So let's say on my machine I'm running Xshell or another terminal, and I try to SSH into my instance on port 22. What will happen is the security group will intercept that connection. It will see that there is an inbound TCP connection request on port 22 to my instance, it will check the rule table, and it will see, okay, I have a rule that allows traffic on port 22 from any public IP address, great, I will now connect you. Or it will find a deny rule, and it will drop the traffic without sending any response. So those are the two things that can happen. Either it looks at the protocol, source IP and port number and determines that the traffic is allowed and passes it through, or it determines that the traffic is not allowed and drops it.
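To make the rule evaluation concrete, here is a small model of the security-group logic described above, written as an added example for this page (it is not Alibaba Cloud code or the behaviour of any SDK). Rules carry the four fields from the lecture (action, protocol, port range, authorization object as a CIDR or another group's ID), instances in the same group talk freely regardless of rules, and an unmatched packet is silently dropped. The instance IDs, group IDs and addresses are constructed sample data, and "first matching rule wins" is a simplification assumed here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "accept" or "drop"
    protocol: str   # "tcp", "udp" or "icmp"
    port_from: int  # inclusive port range; ignored for icmp
    port_to: int
    source: str     # authorization object: CIDR block or security group ID ("sg-...")


# Constructed sample data: which groups each instance belongs to, and their private IPs.
MEMBERSHIP = {"i-web": {"sg-web"}, "i-db": {"sg-db"}, "i-db2": {"sg-db"}}
INSTANCE_IPS = {"10.0.0.10": "i-web", "10.0.0.20": "i-db", "10.0.0.21": "i-db2"}

RULES = {
    "sg-web": [
        Rule("accept", "tcp", 22, 22, "0.0.0.0/0"),    # SSH from any public IP
        Rule("accept", "tcp", 80, 90, "0.0.0.0/0"),    # a port range, as in the lecture
    ],
    "sg-db": [
        Rule("accept", "tcp", 3306, 3306, "sg-web"),   # cross-group rule: only the web tier
    ],
}


def groups_of(ip: str) -> set:
    """Security groups of the instance that owns this private IP (empty for outside hosts)."""
    inst = INSTANCE_IPS.get(ip)
    return set(MEMBERSHIP[inst]) if inst else set()


def rule_matches(rule: Rule, protocol: str, src_ip: str, port: int) -> bool:
    if rule.protocol != protocol:
        return False
    if protocol != "icmp" and not (rule.port_from <= port <= rule.port_to):
        return False
    if rule.source.startswith("sg-"):               # authorization object is a group ID
        return rule.source in groups_of(src_ip)
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def inbound_allowed(dst_instance: str, src_ip: str, protocol: str, port: int) -> bool:
    """True if the packet is passed through, False if it is dropped without a response."""
    dst_groups = MEMBERSHIP[dst_instance]
    if groups_of(src_ip) & dst_groups:              # same group: free communication
        return True
    for sg in dst_groups:
        for rule in RULES[sg]:                      # simplification: first match wins
            if rule_matches(rule, protocol, src_ip, port):
                return rule.action == "accept"
    return False                                    # nothing matched: default drop
```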

How does the VPC communicate with the internet? There are actually multiple ways this can happen. Earlier we mentioned the elastic IP, but that is not the only way. You can also assign a public IP address directly to the ECS instance. This is different from the elastic IP because the public IP that's bound to the instance cannot be removed. So a generic Alibaba Cloud public IP that's attached to an ECS instance lives and dies with that ECS instance. There's no way to take that IP and assign it to another instance later. Only an elastic IP allows that; a standard public IP does not. The elastic IP is the other way to give ECS instances inside your VPC access to the public internet.

Unlike the traditional Alibaba Cloud public IP, the elastic IP can be moved between different ECS instances. You can move it later if you want. And, of course, it's billed separately and purchased separately from ECS in order to enable you to move it around. You can also create and configure a NAT Gateway. VPC groups support creating a NAT Gateway, and you can configure both SNAT and DNAT rules for the NAT Gateway to allow traffic in and out of your VPC group without giving your ECS instances their own public IPs. And then, for inbound traffic only, you can use a Server Load Balancer. So if the ECS instances in your VPC are maybe serving a web application, you can put a Server Load Balancer into the VPC, give the Server Load Balancer a public IP, and then all the incoming traffic will go to the SLB first and will then be distributed out to your ECS instances over the VPC private network. This way, the ECS instances do not need to have their own public IP. They can rely on the Server Load Balancer's public IP instead.

So an elastic IP, again, is just a public IP address resource that is independent from ECS and can be moved around. In fact, it's not limited to ECS. You can also take an EIP and bind it to a NAT Gateway or to a Server Load Balancer. This is great because it means that even if your application starts small with a single ECS instance, later, if you want to scale up and start using a load balancer, you can do that without needing to get a new public IP. You can just take your existing EIP, remove it from your old ECS instance, and then put it on your Server Load Balancer.

EIPs are also great if you later need to upgrade your backend ECS instance, because you can leave your current instance in place, serving requests through the EIP. Then you can set up a newer, higher-specification ECS instance on the side, in the same VPC, but not serving traffic. And once that instance is set up, you can move the IP from your old instance to the new one, and then delete the old one. So the EIP gives you a lot of extra flexibility. If you compare the EIP with a standard public IP, you'll find that this is the major advantage.

So EIPs are purchased separately from ECS, and they can be reattached to NAT Gateways, load balancers or other ECS instances whenever you want. So the advantage is flexibility. A public IP doesn't offer that flexibility, but it is slightly cheaper. So public IPs attached permanently to an ECS instance are cheaper than elastic IP addresses, but lack the same level of flexibility. Then there is the concept of an ENI, or elastic network interface. This is a virtual network interface that can be attached to an ECS instance.

All Alibaba Cloud ECS instances have at least one ENI that's used to attach to the VPC private network. If you want, you can attach multiple ENIs to a single ECS instance to achieve low-cost failover, deploy high-availability applications, set up your own firewall, or do other fine-grained network management. Different instance types support different numbers of ENIs: the larger instance types will sometimes support up to 32 network interfaces on a single ECS instance, and most instance types will support at least two ENIs. An account can have no more than 100 elastic network interfaces in a single region, so keep that in mind. And an ECS instance must be in the same zone and region as the ENI you're binding to it. So you can think of the ENI as a flexible private network interface, and the EIP as a flexible public network interface.

About the Author

Alibaba Cloud, founded in 2009, is a global leader in cloud computing and artificial intelligence, providing services to thousands of enterprises, developers, and government organizations in more than 200 countries and regions. Committed to the success of its customers, Alibaba Cloud provides reliable and secure cloud computing and data processing capabilities as a part of its online solutions.