# terraform-network

Part of **TERRAFORM**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Provision cloud infrastructure (compute, network, storage)](../../intent/terraform-provision-infrastructure/SKILL.md). If you're unsure which path to take, check the routing skill first.

# Terraform Network Security Console Guide

## Operations Overview

| Operation | Console Entry Path | Prerequisites | Description |
|------|-----------|---------|------|
| Configure Load Balancer | Console > SLB > Load Balancers > Create Load Balancer | A VPC has been created, Backend ECS instances are running and accessible, Security group rules allow inbound traffic on required ports | Set up an Application Load Balancer to distribute traffic across backend servers |
| Deploy VPC in Region | Console > Networking > VPC > Create VPC | Valid Alibaba Cloud account with permissions, Understanding of IP addressing, Knowledge of region/zone availability | Create a Virtual Private Cloud with vSwitches, route tables, and security controls |
| Build Hybrid Cloud Network | Console > Express Connect > Create Express Connect Circuit | Alibaba Cloud account access, On-premises data center connectivity, VPC and routing knowledge, Billing setup | Establish dedicated or hosted physical connections between on-premises and cloud |
| Build Cross-Region Network | Console > Networking > Cloud Enterprise Network (CEN) | VPCs in multiple regions, Transit Routers available, Account permissions, VPC/VBR understanding | Connect geographically distributed networks using CEN and transit routers |
| Connect Branch Network to Cloud | Console > Networking > VPN Gateway > Create IPsec-VPN Connection | VPC created, Transit router or CEN instance ready, On-premises gateway configured, Bandwidth available | Securely link branch offices to cloud via encrypted IPsec tunnels or SD-WAN |

## Operation Steps

### Configure Load Balancer

**Navigation**: Console > SLB > Load Balancers > Create Load Balancer

**Prerequisites**:
- A VPC has been created
- Backend ECS instances are running and accessible
- Security group rules allow inbound traffic on required ports

1. Click the **Create Load Balancer** button in the top-right corner
   - Element: **Create Load Balancer** (button) — location: top-right corner of the Load Balancers page

2. Select the network type as 'VPC'
   - Element: **Network Type** (dropdown) — location: main content area
   - Notes: Ensure the selected VPC matches the one where your backend servers reside.

3. Choose the load balancer type as 'Application Load Balancer'
   - Element: **Load Balancer Type** (radio) — location: main content area
   - Notes: Application Load Balancer supports advanced routing based on HTTP headers and paths.

4. Configure the listener port and protocol (e.g., Port 80, Protocol HTTP)
   - Element: **Listener Configuration** (text_input) — location: main content area
   - Notes: You can add multiple listeners for different ports or protocols.

5. Add backend servers by selecting existing ECS instances from the list
   - Element: **Add Backend Servers** (button) — location: backend server section
   - Notes: Ensure the selected instances are in the same VPC as the SLB and that their security groups admit traffic from the load balancer on the backend port and on the health check port. Backends do not need to share a security group with the SLB.

6. Enable health checks to monitor backend server status
   - Element: **Health Check** (toggle) — location: health check section
   - Notes: Health check ensures only healthy servers receive traffic.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Load Balancer Name | text_input | Yes | — | Enter a unique name for your load balancer. |
| VPC | dropdown | Yes | vpc-1234567890abcdef0, vpc-0987654321fedcba0 | Select the virtual private cloud where the load balancer will be deployed. |
| Instance Type | dropdown | Yes | Application Load Balancer, Classic Load Balancer | Choose the type of load balancer based on your use case. |
| Listener Port | number_input | Yes | — | Specify the port on which the load balancer listens for incoming requests. |
| Protocol | dropdown | Yes | HTTP, HTTPS, TCP, UDP | Select the protocol used for communication between clients and the load balancer. |
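The prerequisite list above (backends reachable, security group rules open on the required ports) is where load balancer rollouts most often stall: a probe that is silently dropped shows up as every backend being unhealthy. The following is an added example, not Alibaba Cloud code or console output. It models how a stateful security group on a backend ECS instance decides whether to accept a packet (lowest priority number wins, a drop rule beats an accept rule at the same priority, no match means drop), then checks that the backend port and the health check port are reachable from the load balancer and that the backend is not also exposed directly to the internet. The health-check source range (100.64.0.0/10) and both sample rule sets are assumptions for this example; confirm the range against the current SLB documentation for your region.

```python
"""Pre-flight check for the load balancer prerequisites above.

Added example, not Alibaba Cloud code. It models how a stateful security group
on a backend ECS instance decides whether to accept a packet, then checks that
the backend port and the health check port are reachable from the load
balancer and that the backend is not also exposed directly to the internet.
Rule semantics modelled here: the lowest priority number wins, a drop rule
beats an accept rule at the same priority, and no match means drop. The
health-check source range (100.64.0.0/10) and the sample rule sets are
assumptions for this example; confirm both against the current SLB docs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed range SLB probes and forwards from; verify for your region/product.
HEALTH_CHECK_SOURCE = ipaddress.IPv4Network("100.64.0.0/10")


@dataclass(frozen=True)
class SGRule:
    priority: int       # 1 (highest) .. 100 (lowest)
    policy: str         # "accept" or "drop"
    protocol: str       # "tcp", "udp", "icmp" or "all"
    port_range: str     # "80/80", "1024/65535", or "-1/-1" for any port
    source: str         # CIDR this inbound rule applies to

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        lo, hi = (int(p) for p in self.port_range.split("/"))
        if (lo, hi) != (-1, -1) and not lo <= port <= hi:
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


def sg_permits(rules: List[SGRule], protocol: str, port: int, src_ip: str) -> bool:
    """Decide whether an inbound connection attempt passes the security group.

    Only the initiating packet is evaluated: replies to an accepted connection
    are admitted by connection tracking, so no outbound rule is consulted.
    """
    hits = [r for r in rules if r.matches(protocol, port, src_ip)]
    if not hits:
        return False                                   # implicit deny
    best = min(r.priority for r in hits)
    return all(r.policy == "accept" for r in hits if r.priority == best)


def lb_backend_preflight(rules: List[SGRule], backend_port: int,
                         health_check_port: Optional[int] = None) -> List[str]:
    """Return the problems that would leave a backend unhealthy or over-exposed."""
    probe_ip = str(HEALTH_CHECK_SOURCE[1])             # an address from the probe range
    hc_port = health_check_port or backend_port
    problems = []
    if not sg_permits(rules, "tcp", backend_port, probe_ip):
        problems.append(f"backend port {backend_port} blocked from SLB range")
    if not sg_permits(rules, "tcp", hc_port, probe_ip):
        problems.append(f"health check port {hc_port} blocked from SLB range")
    if sg_permits(rules, "tcp", backend_port, "203.0.113.10"):   # TEST-NET-3 client
        problems.append(f"backend port {backend_port} reachable from the internet, bypassing the SLB")
    return problems


# Constructed rule sets. BROKEN puts the catch-all drop at the same priority as
# the SLB accept, so the drop wins and the backend never passes a health check.
BROKEN_RULES = [
    SGRule(1, "accept", "tcp", "8080/8080", str(HEALTH_CHECK_SOURCE)),
    SGRule(1, "drop", "tcp", "8080/8080", "0.0.0.0/0"),
    SGRule(1, "accept", "tcp", "22/22", "10.20.0.0/16"),
]
FIXED_RULES = [
    SGRule(1, "accept", "tcp", "8080/8080", str(HEALTH_CHECK_SOURCE)),
    SGRule(100, "drop", "tcp", "8080/8080", "0.0.0.0/0"),
    SGRule(1, "accept", "tcp", "22/22", "10.20.0.0/16"),
]

if __name__ == "__main__":
    print("broken:", lb_backend_preflight(BROKEN_RULES, 8080))
    print("fixed: ", lb_backend_preflight(FIXED_RULES, 8080))
```

The difference between the two rule sets is only the priority of the catch-all drop; the evaluator makes that visible before the first health check fails.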

### Deploy VPC in Region

**Navigation**: Console > Networking > VPC > Create VPC

**Prerequisites**:
- A valid Alibaba Cloud account with appropriate permissions
- Understanding of basic networking concepts such as IP addressing and subnetting
- Knowledge of the target region and zone availability

1. Select a region and zones
   - Element: **Region dropdown** (dropdown) — location: top-right corner of the console
   - Notes: Choose based on user location, latency requirements, and resource availability. Refer to monitoring tools for network latency data.

2. Specify the VPC CIDR block
   - Element: **VPC CIDR Block field** (text_input) — location: main content area
   - Notes: Choose a block from the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) that does not overlap any on-premises network or other VPC you plan to connect. Avoid reserved ranges such as 100.64.0.0/10 (shared address space, used internally by Alibaba Cloud services), 224.0.0.0/4 (multicast), 127.0.0.0/8 (loopback) and 169.254.0.0/16 (link-local).

3. Create vSwitches with proper types and zones
   - Element: **Create vSwitch button** (button) — location: left navigation panel
   - Notes: Create at least two vSwitches of each type (public and private) in different zones for active zone-redundancy. Assign specific roles: SLB vSwitch, NAT gateway vSwitch, Application vSwitch, Transit router vSwitch.

4. Associate vSwitches with appropriate route tables
   - Element: **Route Table Association** (dropdown) — location: main content area
   - Notes: Public vSwitches use the system route table or a custom table, depending on whether they need a default route to the Internet. Private vSwitches must use custom route tables with no default route (0.0.0.0/0) to the IPv4 gateway, so that their instances are reachable only through the SLB and reach out, if at all, through the NAT gateway.

5. Configure security groups and ACLs
   - Element: **Security Group Configuration** (tab) — location: main content area
   - Notes: Apply security groups to ECS instances and network ACLs to vSwitches. Security groups are stateful: the reply traffic of an accepted connection is admitted automatically, so inbound rules do not need matching outbound rules. Network ACLs are stateless: a flow allowed inbound also needs an outbound rule for the reply (usually to the client's ephemeral port range), and vice versa.

6. Enable advanced security features
   - Element: **Cloud Firewall** (checkbox) — location: security settings panel
   - Notes: Enable Internet firewall, NAT firewall, and VPC firewall for enhanced protection against threats and unauthorized traffic.

7. Set up O&M tools
   - Element: **Network Intelligence Service (NIS)** (link) — location: monitoring section
   - Notes: Integrate NIS with flow logs and traffic mirroring for real-time network visibility, diagnostics, and troubleshooting.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| VPC CIDR Block | text_input | Yes | — | The private IP address range for the VPC in CIDR notation. Must not conflict with existing networks. |
| Region | dropdown | Yes | China (Shanghai), China (Beijing), International (Singapore), International (Silicon Valley) | The geographical region where the VPC will be deployed. |
| Zone | dropdown | Yes | Zone A, Zone B, Zone C, Zone D, Zone E, Zone F | The availability zone within the selected region for high availability. |
| vSwitch Type | radio | Yes | Public vSwitch (with Internet access), Private vSwitch (without Internet access) | Determines whether the vSwitch can access the Internet and its intended use case. |
| Route Table | dropdown | Yes | System Route Table, Custom Route Table 1, Custom Route Table 2 | Specifies which route table is associated with the vSwitch for traffic forwarding rules. |
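Steps 2, 3 and 5 above are rules a practitioner can check before anything is created. The following is an added example, not Alibaba Cloud code or console output: it applies the CIDR rules from step 2 (RFC 1918 only, reserved ranges excluded, no overlap with networks you already route to), carves the zone-redundant public/private vSwitch layout from step 3, and emits the rule pair a stateless network ACL needs for one client-to-server flow from step 5 (a stateful security group would need only the inbound rule). Every CIDR, zone name and port in it is a constructed sample value.

```python
"""Pre-flight checks for the 'Deploy VPC in Region' steps above.

Added example, not Alibaba Cloud code or console output. It applies the CIDR
rules from step 2 (RFC 1918 only, reserved ranges excluded, no overlap with
networks you already route to), carves the zone-redundant public/private
vSwitch layout from step 3, and emits the rule pair a stateless network ACL
needs for one client->server flow (step 5). Every CIDR, zone name and port
below is a constructed sample value.
"""
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network

# The only address space step 2 allows for a VPC block (RFC 1918).
RFC1918 = [IPv4Net(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges step 2 says to avoid: shared address space (RFC 6598), multicast,
# loopback and link-local.
RESERVED = [IPv4Net(c) for c in ("100.64.0.0/10", "224.0.0.0/4",
                                 "127.0.0.0/8", "169.254.0.0/16")]

# Replies from a server go back to the client's ephemeral source port.
EPHEMERAL = "1024/65535"


def check_vpc_cidr(cidr: str, existing: List[str]) -> List[str]:
    """Return the problems with `cidr`; an empty list means it is usable.

    `existing` lists on-premises networks and other VPCs this VPC will be
    connected to (Express Connect, CEN, IPsec-VPN), which must not overlap.
    """
    try:
        net = IPv4Net(cidr, strict=True)  # strict: reject host bits, e.g. 10.0.0.1/16
    except ValueError as err:
        return [f"{cidr}: {err}"]
    problems = []
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net} is not inside RFC 1918 space")
    for reserved in RESERVED:
        if net.overlaps(reserved):
            problems.append(f"{net} overlaps reserved range {reserved}")
    for other in existing:
        if net.overlaps(IPv4Net(other)):
            problems.append(f"{net} overlaps existing network {other}")
    return problems


def plan_vswitches(vpc_cidr: str, zones: List[str],
                   prefixlen: int = 24) -> Dict[str, Dict[str, str]]:
    """Carve one public and one private vSwitch per zone out of the VPC block.

    Step 3 asks for at least two zones so that losing a zone still leaves a
    working public tier (SLB, NAT gateway) and private tier (application).
    """
    if len(zones) < 2:
        raise ValueError("zone redundancy needs at least two zones")
    subnets = IPv4Net(vpc_cidr).subnets(new_prefix=prefixlen)
    return {zone: {"public": str(next(subnets)), "private": str(next(subnets))}
            for zone in zones}


def acl_rules_for_flow(client: str, server: str, port: int) -> List[Dict[str, str]]:
    """Rules a stateless network ACL on the server's vSwitch needs for TCP `port`.

    A security group on the ECS instance is stateful and admits the reply
    automatically, so it needs only the inbound rule. A network ACL judges
    each packet on its own, so the reply (server -> client ephemeral port)
    has to be allowed explicitly in the outbound direction.
    """
    return [
        {"direction": "inbound", "protocol": "tcp", "source": client,
         "destination": server, "port": f"{port}/{port}", "action": "accept"},
        {"direction": "outbound", "protocol": "tcp", "source": server,
         "destination": client, "port": EPHEMERAL, "action": "accept"},
    ]


if __name__ == "__main__":
    already_routed = ["192.168.0.0/20", "10.10.0.0/16"]          # constructed
    for candidate in ("10.20.0.0/16", "100.64.0.0/16", "10.10.128.0/17", "10.0.0.1/16"):
        print(candidate, "->", check_vpc_cidr(candidate, already_routed) or "OK")
    layout = plan_vswitches("10.20.0.0/16", ["zone-h", "zone-i"])   # constructed zones
    print(layout)
    public, private = layout["zone-h"]["public"], layout["zone-h"]["private"]
    for rule in acl_rules_for_flow(public, private, 443):
        print(rule)
```

Run it before filling in the **VPC CIDR Block** field: the overlap check is the one that is expensive to fix after Express Connect or CEN routes are already in place.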

### Build Hybrid Cloud Network

**Navigation**: Console > Express Connect > Create Express Connect Circuit

**Prerequisites**:
- Access to Alibaba Cloud account with appropriate permissions
- On-premises data center with network connectivity
- Understanding of VPC and routing concepts
- Billing setup for cloud resources

1. Click **Create Express Connect Circuit** in the Express Connect console
   - Element: **Create Express Connect Circuit** (button) — location: top-right corner

2. Select connection type: Dedicated or Hosted
   - Element: **Connection Type** (dropdown) — location: main content area
   - Notes: Dedicated offers exclusive bandwidth; Hosted uses shared infrastructure

3. Choose access point region and specify bandwidth
   - Element: **Region** (dropdown) — location: main content area
   - Notes: Maximum 10 Gbps for dedicated circuits via console; higher requires ticket

4. Configure BGP and BFD settings for high availability
   - Element: **BGP Configuration** (checkbox) — location: advanced settings
   - Notes: Enable BFD for sub-second failover detection

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Connection Type | radio | Yes | Dedicated Express Connect circuit, Hosted connection over Express Connect circuit | Choose between dedicated (exclusive) or hosted (shared) physical connection |
| Region | dropdown | Yes | China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), Singapore | Select the region where the access point is located |
| Bandwidth | dropdown | Yes | 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 8 Gbps, 10 Gbps, 20 Gbps, 40 Gbps, 50 Gbps, 60 Gbps, 80 Gbps, 100 Gbps | Specify the required bandwidth for the connection |
| BGP Routing | checkbox | No | — | Enable dynamic routing for automatic failover and route convergence |
| BFD Detection | checkbox | No | — | Enable Bidirectional Forwarding Detection for fast failure detection |

### Build Cross-Region Network

**Navigation**: Console > Networking > Cloud Enterprise Network (CEN)

**Prerequisites**:
- VPCs created in multiple regions
- Transit Routers (TRs) available in target regions
- Access to Alibaba Cloud account with appropriate permissions
- Understanding of VPC and VBR concepts

1. Navigate to the CEN console
   - Element: **Cloud Enterprise Network (CEN)** (link) — location: left navigation panel

2. Create a new CEN instance
   - Element: **Create CEN Instance** (button) — location: main content area
   - Notes: Select the desired region for the CEN instance.

3. Connect VPCs and VBRs to the TR
   - Element: **Attach VPC/VBR** (button) — location: TR details page
   - Notes: Ensure each VPC is connected via at least two vSwitch ENIs in different zones for high availability.

4. Create a cross-region connection between TRs
   - Element: **Create Cross-Region Connection** (button) — location: TR connection tab
   - Notes: Choose between pay-by-bandwidth or pay-by-data-transfer billing method based on traffic patterns.

5. Configure QoS policy and traffic marking
   - Element: **QoS Policy** (menu) — location: traffic management section
   - Notes: Set bandwidth limits per DSCP mark to prioritize critical traffic types like video conferencing.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Region | dropdown | Yes | China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), Singapore, Other Regions | Select the region where the CEN instance will be deployed. |
| Billing Method | radio | Yes | Pay-by-bandwidth, Pay-by-data-transfer | Choose how cross-region bandwidth is billed. Pay-by-data-transfer is recommended for variable traffic. |
| Peak Bandwidth | number_input | No | — | Set the maximum speed limit for cross-region communication. Can be adjusted later in Quota Center. |

### Connect Branch Network to Cloud

**Navigation**: Console > Networking > VPN Gateway > Create IPsec-VPN Connection

**Prerequisites**:
- VPC already created
- Transit router or CEN instance created
- On-premises gateway device configured
- Sufficient bandwidth and network resources available
- Billing method selected (pay-as-you-go or subscription)

1. Click **Create IPsec-VPN Connection**
   - Element: **Create IPsec-VPN Connection** (button) — location: top-right corner of the IPsec-VPN Connections page

2. Select the associated resource type (VPN Gateway or Transit Router)
   - Element: **Associated Resource Type** (dropdown) — location: main content area
   - Notes: Choose 'VPN Gateway' for direct VPC association or 'Transit Router' for multi-VPC connectivity via CEN.

3. Configure tunnel settings including IKE version, encryption algorithm, and authentication method
   - Element: **Tunnel Configuration** (text_input) — location: main content area
   - Notes: Select IKEv2, AES-256 and SHA-256 or stronger. DES, Triple DES, MD5 and SHA-1 are offered only for interoperability with legacy peers and should not be used for new tunnels. SM4 (encryption) and SM3 (authentication) are the defaults for SM VPN gateways.

4. Set up route tables and enable ECMP routing if using multiple tunnels
   - Element: **Route Table Settings** (text_input) — location: main content area
   - Notes: Enable ECMP routing in transit router to balance traffic across multiple IPsec connections.

5. Review and confirm all configurations before deploying
   - Element: **Confirm and Deploy** (button) — location: bottom of the form
   - Notes: Deployment may interrupt existing connections during upgrade; schedule during maintenance window if upgrading from single-tunnel to dual-tunnel.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Associated Resource Type | dropdown | Yes | VPN Gateway, Transit Router | Specifies whether the IPsec-VPN connection is associated with a standalone VPN Gateway or a Transit Router within a CEN instance. |
| Tunnel Mode | radio | Yes | Dual-tunnel mode, Single-tunnel mode | Determines redundancy and failover behavior. Dual-tunnel mode supports active/standby failover and higher availability. |
| IKE Version | dropdown | Yes | IKEv1, IKEv2 | Sets the Internet Key Exchange protocol version used for key negotiation. IKEv2 is recommended for better performance and support. |
| Encryption Algorithm | dropdown | Yes | AES-128, AES-192, AES-256, DES, Triple DES, SM4 | Defines the cipher used to encrypt data packets. Prefer AES-256; DES and Triple DES are legacy options. SM4 is the default for SM VPN gateways. |
| Authentication Algorithm | dropdown | Yes | SHA-1, MD5, SHA-256, SHA-384, SHA-512, SM3 | Specifies the hash function used for message authentication. Prefer SHA-256 or stronger; MD5 and SHA-1 are legacy options. SM3 is the default for SM VPN gateways. |
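The tunnel settings in step 3 and the table above are the kind of values that tend to be copied from an old peer's configuration. The following is an added example, not Alibaba Cloud code: it grades an IKE/IPsec proposal against the guidance in step 3 (IKEv2, AES-256, a SHA-2 hash; SM4/SM3 only on SM VPN gateways) using the option names from the table, and rates the pre-shared key, since a strong proposal is worth little behind a guessable PSK. The PSK thresholds, the dictionary keys and the sample PSKs are this example's own assumptions; the console's field label for the PSK is not shown on this page.

```python
"""Policy lint for the IPsec-VPN tunnel settings above (step 3 and the
parameter table).

Added example, not Alibaba Cloud code. It grades an IKE/IPsec proposal against
the guidance in step 3 (IKEv2, AES-256, a SHA-2 hash; SM4/SM3 only on SM VPN
gateways) and rates the pre-shared key, because a strong proposal is worth
little behind a guessable PSK. The PSK thresholds, the dictionary keys and
the sample PSKs are this example's own assumptions; the console's field
label for the PSK is not shown on this page.
"""
import math
from collections import Counter
from typing import Dict, List

LEGACY_ENCRYPTION = {"DES", "Triple DES"}     # 64-bit block ciphers
LEGACY_AUTH = {"MD5", "SHA-1"}                # deprecated hashes
SM_ALGORITHMS = {"SM4", "SM3"}                # only on SM VPN gateways
PSK_MIN_LENGTH = 32                           # assumed policy threshold
PSK_MIN_ENTROPY_BITS = 128                    # assumed policy threshold

STRONG_PSK = "A1b2C3d4E5f6G7h8I9j0KlMnOpQrStUvWxYzZ!@#"   # constructed sample


def psk_entropy_bits(psk: str) -> float:
    """Shannon-entropy estimate for the key in bits, from per-character frequencies.

    This is an upper bound: a dictionary word with many distinct letters scores
    higher than its real guessability, so treat it as a coarse filter.
    """
    if not psk:
        return 0.0
    counts = Counter(psk)
    per_char = -sum((n / len(psk)) * math.log2(n / len(psk)) for n in counts.values())
    return per_char * len(psk)


def assess_proposal(proposal: Dict[str, str], sm_gateway: bool = False) -> List[str]:
    """Return findings for one proposal (keys: ike_version, encryption,
    authentication, with the option names from the parameter table).
    An empty list means the proposal is acceptable."""
    findings = []
    if proposal.get("ike_version") == "IKEv1":
        findings.append("IKEv1 selected; use IKEv2 unless the peer cannot")
    enc = proposal.get("encryption", "")
    auth = proposal.get("authentication", "")
    if enc in LEGACY_ENCRYPTION:
        findings.append(f"{enc} is a legacy cipher; use AES-256")
    if auth in LEGACY_AUTH:
        findings.append(f"{auth} is a legacy hash; use SHA-256 or stronger")
    for alg in (enc, auth):
        if alg in SM_ALGORITHMS and not sm_gateway:
            findings.append(f"{alg} is only available on SM VPN gateways")
    return findings


def assess_psk(psk: str) -> List[str]:
    """Return findings for the pre-shared key; an empty list means it passes."""
    findings = []
    if len(psk) < PSK_MIN_LENGTH:
        findings.append(f"PSK shorter than {PSK_MIN_LENGTH} characters")
    bits = psk_entropy_bits(psk)
    if bits < PSK_MIN_ENTROPY_BITS:
        findings.append(f"PSK entropy estimate {bits:.0f} bits is below {PSK_MIN_ENTROPY_BITS}")
    return findings


if __name__ == "__main__":
    legacy = {"ike_version": "IKEv1", "encryption": "Triple DES", "authentication": "SHA-1"}
    modern = {"ike_version": "IKEv2", "encryption": "AES-256", "authentication": "SHA-256"}
    for name, proposal in (("legacy", legacy), ("modern", modern)):
        print(name, assess_proposal(proposal) or "OK")
    for psk in ("password123", STRONG_PSK):
        print(repr(psk), assess_psk(psk) or "OK")
```

Both sides of the tunnel must agree on the proposal, so run the same lint over the on-premises gateway's settings; the weaker of the two ends is what the tunnel actually negotiates.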

## FAQ

Q: Where do I find the option to create a VPC with both public and private vSwitches?
A: After creating the VPC, go to the vSwitch section in the VPC console and create separate vSwitches. Use the **vSwitch Type** radio option to designate each as public or private.

Q: What happens if I leave the Health Check toggle disabled when configuring a load balancer?
A: Without health checks, the load balancer will continue sending traffic to unhealthy backend servers, potentially causing service disruptions or errors for end users.

Q: Can I modify the bandwidth of an Express Connect circuit after creation?
A: Yes, but bandwidth increases beyond 10 Gbps require submitting a support ticket. Decreases can typically be done via the console.

Q: Is it possible to switch from single-tunnel to dual-tunnel IPsec-VPN mode without downtime?
A: No—upgrading from single-tunnel to dual-tunnel mode causes a brief service interruption. Schedule this change during a maintenance window.

Q: Do I need to manually configure route tables when attaching VPCs to a Transit Router in CEN?
A: The system creates default routes automatically, but for advanced traffic control (e.g., QoS, isolation), you must configure custom route tables and policies in the TR settings.

## Pricing & Billing

### Billing Model
Multiple billing models apply depending on the service:
- Load Balancer: billed per request
- VPC/vSwitch: billed per instance-hour
- Express Connect: billed per Mbps/hour
- CEN cross-region: billed per data transfer volume
- IPsec-VPN: billed per minute of usage

### Price Reference

| Service | Unit Price |
|--------|------------|
| Application Load Balancer | 0.001 / |
| VPC | 0.001 / |
| vSwitch | 0.0005 / |
| NAT Gateway | 0.01 / + 0.005 /GB |
| Dedicated Express Connect circuit | 0.0005 /Mbps/hour |
| Hosted connection | 0.0003 /Mbps/hour |
| Cross-region data transfer | 0.002 / |
| Standard VPN Gateway | 0.002 / |
| Transit Router (for IPsec) | 0.003 / |

### Free Tier
- Load Balancer: 100 
- VPC and vSwitch: 100 
- Express Connect, CEN cross-region, and IPsec-VPN: no free tier

### Billing Notes
- Load balancer health check requests count toward total request volume.
- NAT gateway costs include both hourly instance fee and data transfer charges.
- Express Connect outbound traffic fees are billed separately from circuit fees.
- Pay-by-data-transfer for CEN allows flexible bandwidth scaling to reduce unit costs.
- IPsec-VPN billing starts upon deployment; dual-tunnel connections incur higher costs due to redundant resources.