Networking with Alibaba Cloud VPN Gateway and FlexGW
By Sameer Ahmed, Alibaba Cloud Tech Share Author
Note: Alibaba Cloud VPN Gateway provides services in accordance with the relevant VPN national policies and regulations. It does not provide Internet access.
Despite all the negative connotations attached to VPNs, they are actually essential when it comes to creating secure and private networks. For example, we may be interested in creating a hybrid cloud by connecting our data center with Alibaba Cloud servers, and the connection is established through the Internet. Because the Internet is a public network, it leaves our data exposed and vulnerable to cyberattacks. You can establish a VPN connection to encrypt your data transmitted through the Internet.
In this tutorial, we will look at two scenarios of using a VPN: connecting two Alibaba Cloud ECS instances and connecting an ECS instance with an Azure VM.
Part 1: How to Create a VPN Connection between Two VPCs on Alibaba Cloud
In this section, I will attempt to establish a connection between two VPCs, one in Germany and another in Singapore. I will be using the Alibaba Cloud VPN Gateway product.
|VPC name||CIDR block||VPC ID||Cloud products||VPN gateway||IP address||Customer gateway|
|VPC1 - Singapore||192.168.0.0/16||vpc-xxxxl8||ECS1- ping2germany||vpn-t4newx5ozbu4qv3jvjgbl||126.96.36.199||connect2germany|
|VPC2 - Germany||10.0.0.0/8||vpc-xxxnkf||ECS2 - ping2singapore||vpn-gw8u6ia3djbzkpcnxrs7h||188.8.131.52||connect2singapore|
Login to you console and navigate to Network > Virtual Private Cloud. Then Click on Activate.
Create VPC. I have created VPC 1 in Singapore and VPC 2 in Germany. The one listed in the below image is a system created VPC.
Fill the Basic information for Creating the VPC.
You will receive a prompt once you've successfully created a VPC.
Once you create VPC, next step is to create vSwtich. You can create multiple vSwitches back to back.
Be sure about the CIDR range for your VPC and vSwtiches so that it does not clash with the another VPC with we will connect to over VPN.
Create VPC 2 for Germany region as we did for Singapore.
Create vSwitch in VPC 2(Germany) as we did in VPC 1 (Singapore)
Create VPN Gateways
On the VPC page, navigate to VPN > VPN Gateway. Click on Create VPN Gateway on the top right corner.
Create the VPN Gateway with the below details.
|Region||Select the region where the VPN gateway is created. (Singapore and Germany)|
|VPC||Select a VPC to create the VPN gateway (VPC 1 and VPC 2)|
|Peak Bandwidth||Select a peak bandwidth. Two specifications are available: 10 MB and 100 MB. (10 MB)|
|Billing Method||You are charged based on the actual traffic usage|
|Quantity||Select the number of VPN gateways to be created (2)|
|Billing Cycle||VPN gateways are billed on an hourly basis|
You can only create a VPN Gateway one at a time. Repeat the previous steps to create another VPN gateway for VPC2. You will get one public IP's for each VPN gateway.
Create Customer Gateways
Log on to the VPC console, navigate to VPN > Customer Gateway.
Click Create Customer Gateway. Enter the public IP address assigned to the VPN gateway of the opposite VPC.
Repeat the previous steps to create another customer gateway for the other VPC.
Create VPN connections
Log on to the VPC console, navigate to VPN > VPN Connection. Click Create VPN connection.
In the Create VPN Connection dialog box, configure the following:
I am creating this VPN connection from Germany, so the customer Gateway should be of Singapore.
Local Network is the CIDR block of the selected VPC. (Germany)
Remote Network is the CIDR block of the peer VPC to be connected. (Singapore)
Click on Advanced Configurations to Change the IPsec and IKE configurations as required.
Make sure the Pre-Shared key is same on both the side.
Repeat the above step in the VPC 2 as well (Singapore). Once the information is filled and submit. You can see the connection status will change to succeeded.
Log on to the VPC console,Navigate VPC > click the ID of the target VPC > VRouter
and then click Add Route Entry.
In the Add Route Entry dialog box,
Enter the CIDR block of the VPC in the other region.
Select VPN Gateway as the next hop and Select the VPN gateway for the current VPC.
Repeat the above step for 2nd VPC.
Once the network configuration is done. Create one ECS instance on each region to test the connectivity. Make sure it is in proper VPC and vSwitch.
Here's my test from one ECS on Singapore region to the ECS on Germany region.
Part 2: How to Create a VPN Connection with a VM from a Different Cloud Provider
In this tutorial, I will be setting up a site-to-site VPN between Alibaba Cloud and Microsoft Azure. I will show you how to use the Azure portal to create a site-to-site VPN gateway connection and deploy a VPN gateway appliance from your Alibaba Cloud portal and connect it to the Azure VNet.
Configuration On Azure
1.Create a virtual network
To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below.
a.From a browser, navigate to the Azure portal and sign in with your Azure account.
b.Click New. In the Search the marketplace field, type 'virtual network'. Locate Virtual network from the returned list and click to open the Virtual Network page.
c.Near the bottom of the Virtual Network page, from the Select a deployment model list, select Resource Manager, and then click Create. This opens the 'Create virtual network' page.
2.Create the gateway subnet
a.In the portal, navigate to the virtual network for which you want to create a virtual network gateway.
b.In the Settings section of your VNet page, click Subnets to expand the Subnets page.
c.On the Subnets page, click +Gateway subnet at the top to open the Add subnet page.
d.The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. The GatewaySubnet value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirements.
e.To create the subnet, click OK at the bottom of the page.
3.Create the VPN gateway
a.On the left side of the portal page, click + and type 'Virtual Network Gateway' in search. In Results, locate and click Virtual network gateway.
b.At the bottom of the 'Virtual network gateway' page, click Create. This opens the Create virtual network gateway page.
c.On the Create virtual network gateway page, specify the values for your virtual network gateway.
4.Create the local network gateway
The local network gateway typically refers to your on-premises location. But here we are connecting to Alibaba Cloud VPN gateway appliance. So You give the site a name by which Azure can refer to it, then specify the IP address of the Alibaba cloud VPN device to which you will create a connection.
5.Create the VPN connection
a.Create the Site-to-Site VPN connection between your virtual network gateway and your Alibaba cloud VPN device.
b.Navigate to and open the blade for your virtual network gateway. There are multiple ways to navigate. In our example, we navigated to the gateway 'VNet1GW' by going to TestVNet1 -> Overview -> Connected devices -> VNet1GW.
c.On the blade for VNet1GW, click Connections. At the top of the Connections blade, click +Add to open the Add connection blade.
Configuration on the Alibaba Cloud Portal
Deploy the appliance as an instance in the default VPC. Once deployed, reset the password and restart the VM.
Open you browser and paste the Public IP of the instance as https://publicip/
Navigate to IPSEC VPN and click on create a tunnel.
Make sure the PSK (Shared Key) is same on both the sides.
Click on Save and it should start connecting to the Azure VPN gateway and you should be able to see the status as below.
To test it further, you can deploy a virtual machine on both side and do a ping test. I deployed a Ubuntu VM on Azure and on Alibaba. The below images shows the virtual machine on Azure with its private IP:
Virtual Machine on Alibaba with its private IP:
Note: The catch is, since on Alibaba Cloud we have deployed VPN GW as an instance, we have to make sure the "Route Entry" is added to use the ECS instance to reach a particular CIDR.
Finally, we can ping from our Alibaba Cloud to Azure VM to check for connectivity.
For more information on using FlexGW with Alibaba Cloud ECS, please refer to the official how-to guide.