
Practical Cloud Networking Architecture and Practices at Bilibili

Bilibili’s hybrid‑cloud architecture joins several public clouds to its own data centers in a star topology centered on the IDC. VPCs, load balancers, NAT gateways and physical dedicated lines are managed through an internal multi‑cloud platform. The article walks through project‑network setup, security‑group rules and a proxy‑forwarding design for reliable, cost‑effective cloud networking.

Bilibili Tech

Cloud networking is the product of IT and CT convergence. It does not replace existing network infrastructure but reconstructs it through network virtualization on top of the current network. In the era of cloud computing, cloud networking is the foundation; enterprises must plan and use cloud network products to build reliable data links for cloud‑based services.

Bilibili (B‑Station) operates a hybrid‑cloud/multi‑cloud architecture that combines multiple public cloud providers with its own data centers. Cloud products such as VPC, load balancer, physical dedicated line, virtual gateway, NAT gateway, and elastic IP are managed through an internal multi‑cloud management platform.

The hybrid‑cloud network infrastructure consists of three parts: IDC network, inter‑region network, and hybrid‑cloud network. Typical network topologies used include linear, ring, mesh, and star structures.

Linear network: Clouds are chained sequentially. Simple but a failure in any intermediate provider affects all downstream traffic.

Ring network: Clouds are connected pair‑wise forming a ring, reducing the impact radius of a single provider failure.

Mesh network: Every cloud pair has a dedicated line, offering the highest fault tolerance at the cost of many physical links.

Star network: All clouds connect to a central POP (the dedicated‑line provider). For any given cloud only its own link to the POP is critical, but the POP itself is the one point whose failure isolates every cloud at once, so it needs redundant lines and equipment.

Images illustrating each topology are included in the original article.

Key cloud networking terms introduced:

Cloud Interconnect – builds a global private network between VPCs and between VPCs and IDC.

Physical Dedicated Line – carrier‑provided line to public cloud.

Private Network VPC – isolated virtual network in the cloud.

Subnet – address block within a VPC; subnets in the same VPC can reach each other by default through the VPC's own routing.

ACL – subnet‑level inbound/outbound access control, typically stateless (return traffic needs its own rule).

Security Group – instance‑level inbound/outbound access control, stateful (return traffic of an allowed connection is accepted automatically).

Elastic Public IP – static external IP that can be bound/unbound to instances, load balancers, etc.

Load Balancer – distributes traffic to backend instances.

NAT Gateway – SNAT lets instances without a public IP reach the internet through the gateway's address; DNAT forwards inbound connections on a public IP and port to an instance inside the VPC.

Peer Connection – point‑to‑point connection between two VPCs (non‑transitive).

VPN – encrypted tunnel linking IDC or on‑premise networks to VPC.

The article then describes Bilibili’s specific network architecture, which follows a star topology centered on the IDC as the POP. It explains how cross‑region and cross‑VPC connectivity is achieved using Cloud Interconnect, peer connections, and physical dedicated lines.

Project Network Concept

From a business perspective, a “project network” is defined per project and includes VPC, Subnet, Elastic IP, NAT gateway, and Security Group. The process to create a project network includes:

Selecting a VPC (large projects get dedicated VPCs; small projects share a VPC with subnets).

Allocating a subnet whose size is rounded up to a power of two (e.g., 256 addresses → a /24).

Creating security groups (default or custom rules).

Choosing public access options (NAT gateway, load balancer, or Elastic IP).

Once the project network is defined, the platform can automatically provision cloud resources (instances, load balancers, databases) within that network.
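The four steps above are mechanical enough to script. The following is an added example, not the Bilibili platform's own code: it rounds the requested size up to a power of two, carves a non‑overlapping subnet out of the chosen VPC, refuses to put a large project into a shared VPC, and emits the project‑network record (VPC, subnet, security group, public‑access choice) that the platform would provision from. The VPC CIDR, project names, default security‑group rules and the dedicated‑VPC threshold are constructed assumptions.

```python
"""Added example (not from the Bilibili platform's code): plan a project
network the way the article describes it.  Sizes are rounded up to a power
of two, a non-overlapping subnet is carved from the chosen VPC, and the result
is recorded with a security group and a public-access option.  VPC CIDRs,
project names and the dedicated-VPC threshold are constructed placeholders."""
import ipaddress

PUBLIC_ACCESS_OPTIONS = ("nat_gateway", "load_balancer", "elastic_ip", "none")

# Assumed default security group (constructed): instances talk freely inside
# the VPC and outbound to anywhere; nothing else is allowed in.
DEFAULT_SG_RULES = (
    {"direction": "in", "action": "allow", "protocol": "all", "source": "vpc"},
    {"direction": "out", "action": "allow", "protocol": "all", "target": "0.0.0.0/0"},
)


def prefix_for_size(n_addresses):
    """Round the requested address count up to a power of two and return the
    IPv4 prefix length: 256 -> 24, 200 -> 24, 257 -> 23, 1000 -> 22."""
    if n_addresses < 1:
        raise ValueError("size must be positive")
    return 32 - (n_addresses - 1).bit_length()


class VpcPlanner:
    """Tracks the subnets already carved out of one VPC so that new
    allocations never overlap.  shared=True marks a VPC that several small
    projects share via subnets."""

    def __init__(self, vpc_name, cidr, shared=False):
        self.vpc_name = vpc_name
        self.vpc = ipaddress.ip_network(cidr)
        self.shared = shared
        self.allocated = []  # (project, ip_network)

    def allocate(self, project, n_addresses):
        prefix = prefix_for_size(n_addresses)
        if prefix <= self.vpc.prefixlen:
            raise ValueError(f"{n_addresses} addresses need a VPC larger than {self.vpc}")
        # Walk aligned candidate blocks in address order; the first free one wins.
        for candidate in self.vpc.subnets(new_prefix=prefix):
            if not any(candidate.overlaps(used) for _, used in self.allocated):
                self.allocated.append((project, candidate))
                return candidate
        raise RuntimeError(f"{self.vpc_name} has no free /{prefix} left")


def create_project_network(project, n_addresses, planner, public_access="none",
                           sg_rules=None, dedicated_threshold=4096):
    """Assemble the project-network record (VPC, subnet, security group,
    public access).  dedicated_threshold is an assumed cut-off: projects that
    large are refused a slice of a shared VPC and must get their own."""
    if public_access not in PUBLIC_ACCESS_OPTIONS:
        raise ValueError(f"public_access must be one of {PUBLIC_ACCESS_OPTIONS}")
    if planner.shared and n_addresses >= dedicated_threshold:
        raise ValueError(f"{project} ({n_addresses} addresses) needs a dedicated VPC")
    subnet = planner.allocate(project, n_addresses)
    return {
        "project": project,
        "vpc": planner.vpc_name,
        "subnet": str(subnet),
        "addresses": subnet.num_addresses,
        "security_group": list(sg_rules or DEFAULT_SG_RULES),
        "public_access": public_access,
    }


if __name__ == "__main__":
    # Constructed sample: three small projects sharing one VPC.
    shared = VpcPlanner("vpc-shared-01", "10.64.0.0/16", shared=True)
    for name, size, access in (("game-a", 256, "nat_gateway"),
                               ("game-b", 1000, "load_balancer"),
                               ("svc-c", 100, "elastic_ip")):
        net = create_project_network(name, size, shared, access)
        print(net["project"], net["subnet"], net["public_access"])
```

Two details are worth noting. Allocation walks the VPC in aligned blocks of the requested prefix, so a /22 requested after a /24 lands at the next /22 boundary (10.64.4.0/22) rather than fragmenting the space, and a later /25 back‑fills the gap at 10.64.1.0/25. The `addresses` figure is the raw block size; providers typically reserve a few addresses per subnet for the gateway and broadcast, so plan with a margin.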

The article provides a screenshot of the platform page for binding a cloud account to a project network.

Practical Case – Game Project

Two solution approaches for allowing game servers to access IDC services while maintaining security are presented:

Solution 1 – Access Control: Use security‑group outbound rules to allow only specific IDC IP/port ranges, deny every other private address range, and then allow the internet. The article gives the security‑group rule table:

Authorization  Priority  Protocol  Port Range         Target           Remark
Allow          1         TCP       IDC service ports  IDC IP segment   Allow access to specific IDC services
...            ...       ...       ...                ...              ...
Deny           97        All       -1/-1              10.0.0.0/8       Deny other internal traffic
Deny           98        All       -1/-1              172.16.0.0/12    Deny other internal traffic
Deny           99        All       -1/-1              192.168.0.0/16   Deny other internal traffic
Allow          100       All       -1/-1              0.0.0.0/0        Allow internet access

"-1/-1" means all ports. The source table prints 172.12.0.0/12 in the second deny row; that is a typo for the RFC 1918 range 172.16.0.0/12 (172.12.0.0/12 is not even aligned to a /12 boundary), and a rule copied as printed would leave part of the 172.16/12 space un‑denied.

Two things make this table work. Rules are evaluated in priority order (1 first, 100 last), so the IDC allow must carry a lower number than the three private‑range denies; put it at 98 and the 10.0.0.0/8 deny at 97 swallows it. And the final allow for 0.0.0.0/0 overlaps the private ranges, which is exactly why the denies have to sit in front of it. The explicit‑deny‑with‑priority model assumed here is the Alibaba Cloud security‑group model (see References); on a provider whose security groups are allow‑only (AWS, for example) rows 97 to 99 cannot be expressed in a security group at all and the denies have to move to the subnet ACL, with the ACL's stateless return‑traffic handling taken into account.

While functional, this approach incurs configuration and maintenance overhead: every new IDC service means another rule in every game security group.
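The ordering argument is easy to get wrong by hand, so here is an added example (not from the Bilibili article) that encodes the Solution 1 table, evaluates a flow against it in priority order, and lints the table for allow rules that an earlier deny has already shadowed. The IDC IP segment, the IDC service ports and the test flows are constructed placeholders; the tie‑break (deny wins at equal priority) and lower‑number‑first evaluation follow the Alibaba‑Cloud‑style model the table assumes.

```python
"""Added example (not from the Bilibili article): evaluate the Solution 1
security-group egress table in priority order and lint it for shadowed rules.
The IDC IP segment, the IDC service ports and the test flows are constructed
placeholders; evaluation order follows the Alibaba-Cloud-style model the table
assumes (lower priority number first, deny wins on a tie)."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (-1, -1)                               # the table's "-1/-1"
IDC_SEGMENT = "10.200.0.0/16"                     # constructed: the IDC IP segment
IDC_SERVICE_PORTS = ((8080, 8080), (3306, 3306))  # constructed: IDC service ports


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    priority: int      # 1 is evaluated first, 100 last
    protocol: str      # "tcp", "udp", "icmp" or "all"
    ports: tuple       # (low, high) inclusive, or ANY_PORT
    target: str        # destination CIDR
    remark: str = ""

    def matches(self, proto, port, dst):
        """Does this rule apply to a flow?  Use port=0 for ICMP."""
        if self.protocol != "all" and self.protocol != proto:
            return False
        if self.ports != ANY_PORT and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return ipaddress.ip_address(dst) in ipaddress.ip_network(self.target)


def order(rules):
    """Evaluation order: lower number first; at equal priority deny precedes allow."""
    return sorted(rules, key=lambda r: (r.priority, r.action != "deny"))


# The article's Solution 1 table, with the RFC 1918 ranges spelled out.
RULES = [
    *[Rule("allow", 1, "tcp", p, IDC_SEGMENT, "Allow access to specific IDC services")
      for p in IDC_SERVICE_PORTS],
    Rule("deny", 97, "all", ANY_PORT, "10.0.0.0/8", "Deny other internal traffic"),
    Rule("deny", 98, "all", ANY_PORT, "172.16.0.0/12", "Deny other internal traffic"),
    Rule("deny", 99, "all", ANY_PORT, "192.168.0.0/16", "Deny other internal traffic"),
    Rule("allow", 100, "all", ANY_PORT, "0.0.0.0/0", "Allow internet access"),
]


def evaluate_egress(rules, proto, port, dst):
    """Action of the first matching rule, or "no-match" if none applies
    (rule 100 makes that unreachable for IPv4 destinations)."""
    for rule in order(rules):
        if rule.matches(proto, port, dst):
            return rule.action
    return "no-match"


def shadowed_allows(rules):
    """Lint: allow rules that can never fire because an earlier deny already
    covers their protocol, port range and whole target network."""
    ordered = order(rules)
    findings = []
    for i, allow in enumerate(ordered):
        if allow.action != "allow":
            continue
        allow_net = ipaddress.ip_network(allow.target)
        for deny in ordered[:i]:
            if deny.action != "deny":
                continue
            proto_ok = deny.protocol in ("all", allow.protocol)
            ports_ok = deny.ports == ANY_PORT or (
                allow.ports != ANY_PORT
                and deny.ports[0] <= allow.ports[0] <= allow.ports[1] <= deny.ports[1])
            if proto_ok and ports_ok and allow_net.subnet_of(ipaddress.ip_network(deny.target)):
                findings.append(f"priority {allow.priority} ({allow.remark}) is shadowed by "
                                f"priority {deny.priority} ({deny.remark})")
                break
    return findings


if __name__ == "__main__":
    # Constructed flows: IDC service, IDC SSH, another private net, the internet.
    for flow in (("tcp", 8080, "10.200.1.5"), ("tcp", 22, "10.200.1.5"),
                 ("udp", 53, "172.16.3.4"), ("tcp", 443, "93.184.216.34")):
        print(flow, "->", evaluate_egress(RULES, *flow))
    print("lint:", shadowed_allows(RULES) or "clean")
```

Note that the same IDC host is allowed on 8080 and denied on 22: the port‑specific allow at priority 1 fires for the service port, and the 10.0.0.0/8 deny at 97 catches everything else to that segment, which is the intended outcome. Moving the IDC allow behind priority 97 makes the linter flag it, since 10.200.0.0/16 lies entirely inside 10.0.0.0/8. The 0.0.0.0/0 allow is not flagged, because no single deny covers its whole target; it is only partially overridden, by design.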

Solution 2 – Proxy Forwarding: Create a dedicated service VPC (SVPC) connected to the IDC over a physical dedicated line, place a load balancer in it whose backend is the IDC service VIP, and link the game VPC to the SVPC with a peer connection. Because a peer connection is non‑transitive, the game VPC gets no route into the IDC through the SVPC; game servers can reach only the load balancer's address in the SVPC, which forwards to the IDC VIP, so what is exposed to the game network is the proxied service rather than the IDC address space, and no per‑service security‑group rules are needed on the game side. The SVPC is tagged with the "game" network environment, and the platform then provisions the game project's network against it automatically.

Images of the proxy‑forwarding architecture are included.

Summary

The article shares practical experiences in multi‑cloud network construction and management, covering data‑center, inter‑region, hybrid‑cloud, and security aspects.

Proper network planning before cloud migration reduces future operational costs and risk.

References: Alibaba Cloud Network Whitepaper, Cloud Network and Digital Economy, and other industry links.
