
VPN Gateway: What is VPN Gateway?

Last Updated: Jan 23, 2024

VPN Gateway provides network connection services that securely and reliably connect enterprise data centers, office networks, and Internet clients to Alibaba Cloud virtual private clouds (VPCs) through encrypted, private tunnels.

Note

Alibaba Cloud VPN Gateway provides services in compliance with state policies and regulations. You can use VPN Gateway to establish only intra-border connections. For more information, see What are cross-border connections and non-cross-border connections?


Features

VPN Gateway supports IPsec-VPN and SSL-VPN connections. These types of connections are ideal for different scenarios.

IPsec-VPN

IPsec-VPN is a network connection technology based on routes. IPsec-VPN provides flexible traffic routing methods and allows you to configure and maintain VPN policies in an efficient manner. You can use IPsec-VPN to establish connections between VPCs and data centers or office networks.

The method used to establish an IPsec-VPN connection varies based on the resource associated with the IPsec-VPN connection. For more information, see the following figures.

Associate an IPsec-VPN connection with a VPN gateway

Figure 1. Dual-tunnel mode

Figure 2. Single-tunnel mode

Important

In scenarios where IPsec-VPN connections are associated with VPN gateways, the current single-tunnel mode is upgraded to the dual-tunnel mode. The dual-tunnel mode improves the high availability of IPsec-VPN connections. For more information about the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

Associate an IPsec-VPN connection with a transit router


Comparison

The following table describes the differences between IPsec-VPN connections associated with VPN gateways and IPsec-VPN connections associated with transit routers.

Item: Associated resource

  Associated with a VPN gateway:

    To create an IPsec-VPN connection, you must purchase a VPN gateway and associate the VPN gateway with a VPC.

    Your data center or office network can communicate with the associated VPC or with other networks through the associated VPC.

  Associated with a transit router:

    You do not need to purchase a VPN gateway or associate the VPN gateway with a VPC to create an IPsec-VPN connection. You must create a Cloud Enterprise Network (CEN) instance and create a transit router on the CEN instance.

    Your data center or office network can communicate with all VPCs connected to the transit router or with other networks through the transit router.

Item: Supported encryption algorithm

  Associated with a VPN gateway:

    Commercial cryptographic algorithms that comply with international standards

  Associated with a transit router:

    Commercial cryptographic algorithms that comply with international standards

Item: Tunnel mode supported by IPsec-VPN connections

  Associated with a VPN gateway:

    • Dual-tunnel mode

    • Single-tunnel mode

  Associated with a transit router:

    Single-tunnel mode

Item: Maximum bandwidth supported by each IPsec-VPN connection

  Associated with a VPN gateway:

    1,000 Mbit/s.

    Note

    The maximum bandwidth supported by VPN gateways in some regions is 200 Mbit/s. For more information about the regions, see Limits on VPN gateways.

  Associated with a transit router:

    1 Gbit/s by default.

    You can increase the bandwidth of an IPsec-VPN connection by using other methods. For more information, see the How do I increase the maximum bandwidth of IPsec-VPN connections? section of the "FAQ about VPN gateways" topic.

Item: Maximum number of packets that can be transmitted through each IPsec-VPN connection per second

  Associated with a VPN gateway:

    120,000 (256 bytes per packet)

  Associated with a transit router:

    120,000 (256 bytes per packet)

Item: Supported network type

  Associated with a VPN gateway:

    • Public

      Indicates an encrypted connection over the Internet.

    • Private

      Indicates an encrypted connection over an Express Connect circuit.

      Note

      If you want to establish an encrypted tunnel by using a private network connection based on an Express Connect circuit, we recommend that you create an IPsec-VPN connection and associate the IPsec-VPN connection with a transit router.

  Associated with a transit router:

    • Public

      Indicates an encrypted connection over the Internet.

    • Private

      Indicates an encrypted connection over an Express Connect circuit.

Item: Method used to implement high availability

  Associated with a VPN gateway:

    Active/standby connections

  Associated with a transit router:

    Equal-cost multi-path (ECMP) routing

Item: Typical scenarios

  Associated with a VPN gateway:

    • Connect a data center to a VPC

    • Connect a VPC to another VPC

    • Connect a data center to a VPC by using high availability active/standby connections

    • Connect multiple office networks

    • Encrypt private connections over Express Connect circuits

    For more information, see Associate IPsec-VPN connections with VPN gateways.

  Associated with a transit router:

    • Connect a data center to a VPC

    • Connect a data center to a VPC by using high-availability ECMP connections

    • Connect multiple office networks

    • Encrypt private connections over Express Connect circuits

    For more information, see Associate IPsec-VPN connections with transit routers.

SSL-VPN

SSL-VPN is a network connection technology based on the OpenVPN architecture. SSL-VPN is ideal for establishing network connections between Internet clients and VPCs. After you deploy the required resources, you only need to load an SSL client certificate on an Internet client and initiate a connection to a VPC.

SSL-VPN supports only public VPN gateways that use internationally accepted commercial cryptographic algorithms. For more information about SSL-VPN scenarios, see Common scenarios of SSL-VPN.


Benefits

  • Secure

    VPN Gateway uses the Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) protocols to encrypt and secure data transmission.

  • Stable

    VPN Gateway adopts the hot-standby architecture to implement failover within a few seconds, enable session persistence, and ensure zero service downtime.

  • Easy-to-use

    A VPN gateway is ready to use, and its configurations take effect immediately. You can deploy VPN gateways quickly.

  • Cost-effective

    VPN Gateway provides encrypted and Internet-based connections that are more cost-effective than Express Connect circuits.