A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may, therefore, benefit from the functionality, security, and management of the private network.
This guide walks you through the process of configuring a VPN Gateway in Alibaba Cloud for integration with the Google Cloud VPN service.
This information is provided only as an example. If you use this guidance to configure your own Alibaba Cloud VPN Gateway, be sure to substitute the correct IP information for your environment.
This guide describes one VPN topology: a site-to-site, route-based IPsec VPN tunnel.
The configuration samples in this tutorial include numerous value substitutions provided for the purposes of example only. Any references to IP addresses, device IDs, shared secrets or keys, account information or project names should be replaced with the appropriate values for your environment when following this guide.
This guide is intended to assist in the creation of IPsec connectivity to the Google Cloud. The following is a high-level overview of the configuration process which will be covered:
The IPsec tunnel authenticates the two endpoints with a pre-shared key (PSK) that you generate and enter on both the Alibaba Cloud and GCP sides. ESP in tunnel mode with authentication (integrity protection) is used.
The first step is to establish the base networking environment in Alibaba Cloud. The basis of networking in Alibaba Cloud is the Virtual Private Cloud (VPC). Alibaba Cloud provides various documentation and guides for getting started with our networking products. The basic concepts to understand are:
For the IPsec configuration, the following details are used to set up the VPN. Parameters not listed are assumed to keep their default values.
Purchase a new VPN Gateway: click Create VPN Gateway under VPN Gateway. Select the bandwidth that fits the use case; if you are not sure, start with a smaller bandwidth, since it can be upgraded later. The VPC that the gateway will serve must be selected at this point.
Once the VPN Gateway is set up, the next step is to create the customer gateway, which defines the public endpoint on the peer side. The static public IP reserved for the GCP VPN gateway is used as the customer gateway address.
Once the VPN gateway and customer gateway are created, set up the VPN connection with the parameters listed under IPsec Parameters. This step requires the CIDR range of the GCP side network and a pre-shared key (PSK). Make sure exactly the same settings (IKE version, encryption and authentication algorithms, PFS group, lifetimes and PSK) are used when configuring the VPN gateway on the GCP side; a mismatch in any of them will keep the tunnel from coming up.
In the Google Cloud Platform Developers Console, select the project into which the VPN will be deployed, or create a new project. To view the current network configuration for the project, select Networking from the main services menu in the Developer Console:
In GCP all projects start with a single network named default at the time of creation. The default network is configured with a private IP space and a set of base firewall rules. The default network provides a sufficient starting point for creating a site-to-site IPsec VPN.
This section will configure the VPN endpoint on the Google Cloud side.
Select VPN from the Networking option
The VPN has several user configurable properties:
A public IP is required on the GCP end for the Alibaba Cloud VPN Gateway to connect to. Reserve a static external IP address on the GCP side for this purpose.
Creating the VPN gateway launches a gateway with a 99.9% availability SLA that connects to the VPN Gateway on the Alibaba Cloud side. Cloud VPN is launched from the Networking section. This step requires the public IP of the Alibaba Cloud VPN Gateway and the CIDR range of the Alibaba Cloud VPC. Also ensure that the same PSK is entered when configuring the gateway.
Once the VPN is set up, confirm that the tunnel comes up (the VPN connection on the Alibaba Cloud side must already be active). Click View under Logs to troubleshoot if the VPN status turns red.
Set up the firewall rules to allow traffic from the tunnel if you were not prompted to do so while creating the VPN. Make sure the CIDR range of the Alibaba Cloud VPC is included in the rule's source ranges; without it, packets arrive over the tunnel but are dropped by the VPC firewall.
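The two consoles have no way of checking each other, so the PSK, IKE version and traffic selectors entered on the Alibaba Cloud side and on the GCP side drift apart easily. The Python script below is an added example, not code from the original post or from either provider: it keeps the tunnel parameters in one place, refuses weak or overlapping settings before anything is purchased, and derives from that single set both the Alibaba Cloud CreateVpnConnection request (field names as documented for the VPC API; the gateway IDs are placeholders) and the matching gcloud command for a Classic Cloud VPN tunnel. All addresses, region names and gateway names are constructed placeholders (TEST-NET ranges) to be replaced for your environment.

```python
import ipaddress
import json
import secrets

# Constructed placeholder values (assumptions): replace every one for your environment.
PARAMS = {
    "ali_region": "ap-southeast-1",
    "gcp_region": "asia-southeast1",
    "ali_gateway_ip": "203.0.113.10",   # public IP of the Alibaba Cloud VPN Gateway
    "gcp_gateway_ip": "198.51.100.20",  # static IP reserved for the GCP VPN gateway
    "ali_cidr": "172.16.0.0/16",        # Alibaba Cloud VPC range
    "gcp_cidr": "10.148.0.0/20",        # GCP network range
    "gcp_target_gateway": "gcp-to-alibaba-gw",
    "ike_version": "ikev2",
    "ike_enc": "aes256", "ike_auth": "sha256", "ike_pfs": "group14", "ike_lifetime": 86400,
    "ipsec_enc": "aes256", "ipsec_auth": "sha256", "ipsec_pfs": "group14", "ipsec_lifetime": 86400,
}

# Subset of the values the Alibaba Cloud CreateVpnConnection API accepts that are worth using;
# the legacy options it also accepts (des, 3des, md5, sha1, group1/2/5) are deliberately excluded.
STRONG_ENC = {"aes", "aes192", "aes256"}
STRONG_AUTH = {"sha256", "sha384", "sha512"}
STRONG_PFS = {"group14"}


def generate_psk(nbytes: int = 24) -> str:
    """Random pre-shared key; hex output stays inside both providers' character rules."""
    return secrets.token_hex(nbytes)


def validate(p: dict) -> None:
    """Reject settings that would fail or weaken the tunnel before either gateway is created."""
    ali, gcp = ipaddress.ip_network(p["ali_cidr"]), ipaddress.ip_network(p["gcp_cidr"])
    if ali.overlaps(gcp):
        raise ValueError(f"traffic selectors overlap: {ali} vs {gcp}")
    if p["ike_version"] != "ikev2":
        raise ValueError("this example standardises on IKEv2 on both ends")
    for key, allowed in (("ike_enc", STRONG_ENC), ("ipsec_enc", STRONG_ENC),
                         ("ike_auth", STRONG_AUTH), ("ipsec_auth", STRONG_AUTH),
                         ("ike_pfs", STRONG_PFS), ("ipsec_pfs", STRONG_PFS)):
        if p[key] not in allowed:
            raise ValueError(f"{key}={p[key]!r} not in allowed set {sorted(allowed)}")


def alibaba_connection_request(p: dict, psk: str) -> dict:
    """Parameters for the VPC CreateVpnConnection API; IkeConfig/IpsecConfig are JSON strings.
    LocalSubnet is the Alibaba Cloud side, RemoteSubnet is the GCP side."""
    ike = {"Psk": psk, "IkeVersion": p["ike_version"], "IkeMode": "main",
           "IkeEncAlg": p["ike_enc"], "IkeAuthAlg": p["ike_auth"], "IkePfs": p["ike_pfs"],
           "IkeLifetime": p["ike_lifetime"],
           "LocalId": p["ali_gateway_ip"], "RemoteId": p["gcp_gateway_ip"]}
    ipsec = {"IpsecEncAlg": p["ipsec_enc"], "IpsecAuthAlg": p["ipsec_auth"],
             "IpsecPfs": p["ipsec_pfs"], "IpsecLifetime": p["ipsec_lifetime"]}
    return {"RegionId": p["ali_region"], "Name": "ali-to-gcp",
            "VpnGatewayId": "<vpn-gateway-id>",            # placeholder
            "CustomerGatewayId": "<customer-gateway-id>",  # placeholder
            "LocalSubnet": p["ali_cidr"], "RemoteSubnet": p["gcp_cidr"],
            "EffectImmediately": True,
            "IkeConfig": json.dumps(ike), "IpsecConfig": json.dumps(ipsec)}


def gcloud_tunnel_argv(p: dict, psk: str) -> list:
    """Matching Classic Cloud VPN tunnel; note the selectors are mirrored relative to Alibaba."""
    return ["gcloud", "compute", "vpn-tunnels", "create", "gcp-to-alibaba",
            f"--region={p['gcp_region']}",
            f"--peer-address={p['ali_gateway_ip']}",
            f"--shared-secret={psk}",
            "--ike-version=2",
            f"--local-traffic-selector={p['gcp_cidr']}",
            f"--remote-traffic-selector={p['ali_cidr']}",
            f"--target-vpn-gateway={p['gcp_target_gateway']}"]


def check_consistency(ali_req: dict, gcloud_argv: list) -> bool:
    """Cross-check the two artefacts: same PSK, IKEv2 on both ends, mirrored subnets."""
    ike = json.loads(ali_req["IkeConfig"])
    opts = dict(a.split("=", 1) for a in gcloud_argv if a.startswith("--"))
    return (opts["--shared-secret"] == ike["Psk"]
            and opts["--ike-version"] == "2" and ike["IkeVersion"] == "ikev2"
            and opts["--local-traffic-selector"] == ali_req["RemoteSubnet"]
            and opts["--remote-traffic-selector"] == ali_req["LocalSubnet"])


if __name__ == "__main__":
    validate(PARAMS)
    psk = generate_psk()
    req = alibaba_connection_request(PARAMS, psk)
    argv = gcloud_tunnel_argv(PARAMS, psk)
    assert check_consistency(req, argv)
    print(json.dumps(req, indent=2))
    print(" ".join(argv))
```

The printed gcloud line carries the PSK as a command-line argument, so if you paste it into an interactive shell it lands in shell history and in the process list; run it from a script with restricted permissions, or prefix the command with a space when HISTCONTROL=ignorespace is set, and store the PSK only in the secret store you use for the Alibaba side as well.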
With the site-to-site VPN online, the tunnel is ready for testing. To test, create virtual machines in both Alibaba Cloud and Google Compute Engine. Instructions for creating ECS virtual machines can be found in this guide. To learn how to create virtual machines in Google Compute Engine, visit GCP's Getting Started Guide.
A Compute Engine instance on the GCP side is required to test end-to-end networking. Make sure the launched instance does not have a public IP, so that the only way to reach it is over the tunnel.
Make sure the Compute Engine instance is up and running and note its internal IP.
On the Alibaba Cloud side, create the SSH key pair that will be used to log in to the GCP Compute Engine instance. Note that the username needs to be changed to fit your setup. GCP does not allow root login unless you configure it manually.
Create the Keys
ssh-keygen -t rsa -f ~/.ssh/ssh-gcp-venkitas -C venkitas
chmod 400 ~/.ssh/ssh-gcp-venkitas
Output the public key contents (the .pub file)
Add the public key to the SSH keys of the Compute Engine instance created earlier.
Once the key is set, ensure you can ping the Compute Engine instance on the GCP side over the tunnel.
ping 10.148.0.2 # private IP of the GCP instance
Connect to the GCP Compute Engine via the VPN Tunnel
ssh -i ~/.ssh/ssh-gcp-venkitas venkitas@10.148.0.2
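The step that usually goes wrong here is adding the key to the instance: GCP instance metadata expects each key as USERNAME:TYPE BLOB COMMENT, where the name before the colon becomes the login account, and pasting the private key or the wrong username silently produces a key that never matches. The script below is an added example, not code from the original post or from Google: it turns a public key line into that metadata entry, rejects a private key, a root username or a header that does not match the base64 blob, checks that the private key file has the permissions the chmod 400 above sets, and builds the final ssh command. The key file name, username and internal IP are taken from the commands above; the sample key it generates is constructed for the demonstration and corresponds to no real private key.

```python
import base64
import os
import re
import secrets
import stat
import struct

SUPPORTED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def key_type_from_blob(blob_b64: str) -> str:
    """The OpenSSH public key blob starts with a length-prefixed copy of the key type;
    reading it back catches a header that was edited or pasted onto the wrong blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode("ascii")


def gcp_ssh_key_entry(public_key_line: str, username: str) -> str:
    """Format one public key line as a GCP ssh-keys metadata entry: USERNAME:TYPE BLOB COMMENT."""
    if "PRIVATE KEY" in public_key_line:
        raise ValueError("this is a private key; paste the contents of the .pub file instead")
    parts = public_key_line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    ktype, blob = parts[0], parts[1]
    if ktype not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    if key_type_from_blob(blob) != ktype:
        raise ValueError("key type in the header does not match the blob")
    if username == "root":
        raise ValueError("root login is not granted through metadata keys on GCP")
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username):
        raise ValueError(f"invalid Linux username {username!r}")
    # The prefix before the colon is the account GCP creates; the trailing comment is
    # conventionally the same name so the key is recognisable in the console.
    return f"{username}:{ktype} {blob} {username}"


def mode_is_private(mode: int) -> bool:
    """True when the private key file has no group/other permission bits (what chmod 400 gives)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def private_key_is_locked_down(path: str) -> bool:
    """Same check against a real file; ssh itself refuses keys that fail it."""
    return mode_is_private(os.stat(os.path.expanduser(path)).st_mode)


def ssh_argv(private_key: str, username: str, internal_ip: str) -> list:
    """ssh command for the final step; IdentitiesOnly stops the agent from offering other keys."""
    return ["ssh", "-i", os.path.expanduser(private_key), "-o", "IdentitiesOnly=yes",
            f"{username}@{internal_ip}"]


def constructed_sample_pubkey(comment: str = "venkitas") -> str:
    """Constructed sample: an ssh-ed25519 public key line with a random 32-byte point.
    It exists only to exercise the formatter and matches no private key."""
    raw = (struct.pack(">I", 11) + b"ssh-ed25519"
           + struct.pack(">I", 32) + secrets.token_bytes(32))
    return f"ssh-ed25519 {base64.b64encode(raw).decode('ascii')} {comment}"


if __name__ == "__main__":
    # In practice read the line from ~/.ssh/ssh-gcp-venkitas.pub instead of the sample.
    print(gcp_ssh_key_entry(constructed_sample_pubkey(), "venkitas"))
    print(" ".join(ssh_argv("~/.ssh/ssh-gcp-venkitas", "venkitas", "10.148.0.2")))
```

The printed entry is what goes into the instance's SSH Keys field in the console; the same line written to a file can be applied with gcloud compute instances add-metadata INSTANCE --metadata-from-file ssh-keys=FILE, which replaces the whole list, so include any keys already present.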
Setting up a VPN between the two major cloud providers allows end users to have the best of both worlds. It is also one of the simplest ways to adopt a multi-cloud strategy for your enterprise.
With this setup, users can leverage the stronger China presence of Alibaba Cloud while tapping into the big data capabilities provided by Google Cloud.
More Posts by Sabith