This topic uses an example to describe how to establish a global network by using VPN Gateways and Cloud Enterprise Network (CEN). By doing so, international enterprises can migrate their on-premises business operations to the cloud and build a quality global network in a cost-effective way.

Prerequisites

Before you start, make sure the following conditions are met:
  • Two Virtual Private Cloud (VPC) instances are created and related applications are deployed. For more information, see Create a VPC.
  • A local gateway device and a static public IP address are deployed in each office.
  • A CEN instance is created. For more information, see Create a CEN instance.
  • A CEN bandwidth package is purchased and a cross-region interconnection bandwidth is set. For more information, see Purchase a bandwidth package and Configure a cross-region connection bandwidth.
  • The CIDR blocks of the networks to be connected do not conflict with each other.

Background information

An international company has two offices in Silicon Valley and two in Shanghai. It has created VPC 1 in the US (Silicon Valley) region and VPC 2 in the China (Shanghai) region, and each VPC has a separate application deployed. Due to business development, the company now needs to connect the two offices in Silicon Valley, the two offices in Shanghai, VPC 1, and VPC 2. The following table lists the CIDR blocks of the networks.
Network                          CIDR block
US (Silicon Valley) office 1     10.10.10.0/24
US (Silicon Valley) office 2     10.10.20.0/24
US (Silicon Valley) VPC 1        172.16.0.0/16
China (Shanghai) office 3        10.20.10.0/24
China (Shanghai) office 4        10.20.20.0/24
China (Shanghai) VPC 2           192.168.0.0/16
(Figure: IPsec-VPN and CEN topology)

As shown in the preceding figure, you connect office 1 and office 2 in Silicon Valley to VPC 1 through VPN Gateway 1, and office 3 and office 4 in Shanghai to VPC 2 through VPN Gateway 2. Then you attach VPC 1 and VPC 2 to the same CEN instance so that all six networks can reach each other.

Procedure

(Figure: Configuration flowchart)

Step 1: Create IPsec-VPN connections between the offices and the VPC in Silicon Valley

To establish IPsec-VPN connections to connect office 1 and office 2 to VPC 1, follow these steps.

  1. Create a VPN Gateway for the VPC in the US (Silicon Valley) region.
    The VPN Gateway parameters are as follows:
    • Name: VPN Gateway 1.
    • Region: Select US (Silicon Valley).
    • VPC: Select the VPC in the US (Silicon Valley) region.
    • Peak Bandwidth: 5 Mbps.
    • IPsec-VPN: Select Enable.
    • SSL-VPN: Select Disable.

    For more information, see Create a VPN Gateway.

  2. Create two customer gateways and register the static public IP addresses of office 1 and office 2 with them.
    The parameters of the customer gateway in office 1 are as follows:
    • Name: Customer gateway 1.
    • IP Address: Enter the static public IP address of the local gateway device in office 1. In this example, enter 1.1.1.1.
    The parameters of the customer gateway in office 2 are as follows:
    • Name: Customer gateway 2.
    • IP Address: Enter the static public IP address of the local gateway device in office 2. In this example, enter 2.2.2.2.

    For more information, see Create a customer gateway.

  3. Create two IPsec-VPN connections to connect the customer gateways of office 1 and office 2 to the VPN Gateway.
    The IPsec-VPN connection between office 1 and the VPN Gateway is configured as follows:
    • Name: IPsec-VPN connection 1.
    • VPN Gateway: Select the VPN Gateway configured for the VPC in the US (Silicon Valley) region. In this example, select VPN Gateway 1.
    • Customer Gateway: Select the customer gateway to be connected. In this example, select customer gateway 1.
    • Local Network: Enter the CIDR block of the VPC to be connected with the office. In this example, enter 172.16.0.0/16.
    • Remote Network: Enter the CIDR block of the office to be connected with the VPC. In this example, enter 10.10.10.0/24.
    • Effective Immediately: Select whether to negotiate immediately. In this example, select Yes.
      • Yes: Start the negotiation immediately once the configuration is complete.
      • No: Start the negotiation only when traffic is detected.
    • Pre-Shared Key: Enter the pre-shared key used to authenticate the VPN Gateway and the customer gateway to each other. In this example, enter 123456. This value is for illustration only: in production, use a long, randomly generated key that is unique to each connection and never reused, because anyone who knows the key can complete the IKE exchange as your office.

    Use the default settings for other parameters. Whatever IKE and IPsec settings you keep, the local gateway device must be configured with the same proposal (encryption and authentication algorithms, DH group, lifetimes) and the same pre-shared key, or phase 1 or phase 2 negotiation fails.

    The IPsec-VPN connection between office 2 and the VPN Gateway is configured as follows:
    • Name: IPsec-VPN connection 2.
    • VPN Gateway: Select the VPN Gateway configured for the VPC in the US (Silicon Valley) region. In this example, select VPN Gateway 1.
    • Customer Gateway: Select the customer gateway to be connected. In this example, select customer gateway 2.
    • Local Network: Enter the CIDR block of the VPC to be connected with the office. In this example, enter 172.16.0.0/16.
    • Remote Network: Enter the CIDR block of the office to be connected with the VPC. In this example, enter 10.10.20.0/24.
    • Effective Immediately: Select whether to negotiate immediately. In this example, select Yes.
      • Yes: Start the negotiation immediately once the configuration is complete.
      • No: Start the negotiation only when traffic is detected.
    • Pre-Shared Key: Enter the pre-shared key used to authenticate the VPN Gateway and the customer gateway to each other. In this example, enter 654321. As with connection 1, use a strong, unique key in production.

    Use the default settings for other parameters.

    For more information, see Create an IPsec-VPN connection.

  4. Load the VPN configurations to the gateway devices of office 1 and office 2.
    For more information, see Local gateway configuration.
  5. Configure the routes for the VPN Gateway.
    Configure the route entry pointing from VPN Gateway 1 to office 1 as follows:
    • Destination CIDR Block: Enter the private CIDR block of office 1, the network behind customer gateway 1. In this example, enter 10.10.10.0/24.
    • Next Hop Type: Select IPsec Connection.
    • Next Hop: Select the target IPsec-VPN connection instance. In this example, select IPsec-VPN connection 1.
    • Publish to VPC: Select whether to publish the new route to the VPC route table. In this example, select Yes.
      • Yes (recommended): Publish the new route entry to the VPC route table.
      • No: Do not publish the new route entry to the VPC route table.
    • Weight: Select a weight. In this example, select 0.
    Configure the route entry pointing from VPN Gateway 1 to office 2 as follows:
    • Destination CIDR Block: Enter the private CIDR block of office 2, the network behind customer gateway 2. In this example, enter 10.10.20.0/24.
    • Next Hop Type: Select IPsec Connection.
    • Next Hop: Select the target IPsec-VPN connection instance. In this example, select IPsec-VPN connection 2.
    • Publish to VPC: Select whether to publish the new route to the VPC route table. In this example, select Yes.
      • Yes (recommended): Publish the new route entry to the VPC route table.
      • No: Do not publish the new route entry to the VPC route table.
    • Weight: Select a weight. In this example, select 0.
    The following figure shows the route tables of office 1, office 2, VPN Gateway 1, and VPC 1.

    (Figure: US route tables)

Step 2: Create IPsec-VPN connections between the offices and the VPC in Shanghai

To establish IPsec-VPN connections to connect office 3 and office 4 to VPC 2, follow these steps.

  1. Create a VPN Gateway for the VPC in the China (Shanghai) region.
    The VPN Gateway parameters are as follows:
    • Name: VPN Gateway 2.
    • Region: Select China (Shanghai).
    • VPC: Select the VPC in the China (Shanghai) region.
    • Peak Bandwidth: 5 Mbps.
    • IPsec-VPN: Select Enable.
    • SSL-VPN: Select Disable.

    For more information, see Create a VPN Gateway.

  2. Create two customer gateways and register the static public IP addresses of office 3 and office 4 with them.
    The parameters of the customer gateway in office 3 are as follows:
    • Name: Customer gateway 3.
    • IP Address: Enter the static public IP address of the local gateway in office 3. In this example, enter 3.3.3.3.
    The parameters of the customer gateway in office 4 are as follows:
    • Name: Customer gateway 4.
    • IP Address: Enter the static public IP address of the local gateway in office 4. In this example, enter 4.4.4.4.

    For more information, see Create a customer gateway.

  3. Create two IPsec-VPN connections to connect the customer gateways of office 3 and office 4 to the VPN Gateway.
    The IPsec-VPN connection between office 3 and the VPN Gateway is configured as follows:
    • Name: IPsec-VPN connection 3.
    • VPN Gateway: Select the VPN Gateway configured for the VPC in the China (Shanghai) region. In this example, select VPN Gateway 2.
    • Customer Gateway: Select the customer gateway to be connected. In this example, select customer gateway 3.
    • Local Network: Enter the CIDR block of the VPC to be connected with the office. In this example, enter 192.168.0.0/16.
    • Remote Network: Enter the CIDR block of the office to be connected with the VPC. In this example, enter 10.20.10.0/24.
    • Effective Immediately: Select whether to negotiate immediately. In this example, select Yes.
      • Yes: Start the negotiation immediately once the configuration is complete.
      • No: Start the negotiation only when traffic is detected.
    • Pre-Shared Key: Enter the pre-shared key used to authenticate the VPN Gateway and the customer gateway to each other. In this example, enter 123456. This value is for illustration only; use a strong, unique key in production.

    Use the default settings for other parameters.

    The IPsec-VPN connection between office 4 and the VPN Gateway is configured as follows:
    • Name: IPsec-VPN connection 4.
    • VPN Gateway: Select the VPN Gateway configured for the VPC in the China (Shanghai) region. In this example, select VPN Gateway 2.
    • Customer Gateway: Select the customer gateway to be connected. In this example, select customer gateway 4.
    • Local Network: Enter the CIDR block of the VPC to be connected with the office. In this example, enter 192.168.0.0/16.
    • Remote Network: Enter the CIDR block of the office to be connected with the VPC. In this example, enter 10.20.20.0/24.
    • Effective Immediately: Select whether to negotiate immediately. In this example, select Yes.
      • Yes: Start the negotiation immediately once the configuration is complete.
      • No: Start the negotiation only when traffic is detected.
    • Pre-Shared Key: Enter the pre-shared key used to authenticate the VPN Gateway and the customer gateway to each other. In this example, enter 654321. This value is for illustration only; use a strong, unique key in production.

    Use the default settings for other parameters.

    For more information, see Create an IPsec-VPN connection.

  4. Load the VPN configurations to the gateway devices of office 3 and office 4.
    For more information, see Local gateway configuration.
  5. Configure the routes for the VPN Gateway.
    Configure the route entry pointing from VPN Gateway 2 to office 3 as follows:
    • Destination CIDR Block: Enter the private CIDR block of office 3, the network behind customer gateway 3. In this example, enter 10.20.10.0/24.
    • Next Hop Type: Select IPsec Connection.
    • Next Hop: Select the target IPsec-VPN connection instance. In this example, select IPsec-VPN connection 3.
    • Publish to VPC: Select whether to publish the new route to the VPC route table. In this example, select Yes.
      • Yes (recommended): Publish the new route entry to the VPC route table.
      • No: Do not publish the new route entry to the VPC route table.
    • Weight: Select a weight. In this example, select 0.
    Configure the route entry pointing from VPN Gateway 2 to office 4 as follows:
    • Destination CIDR Block: Enter the private CIDR block of office 4, the network behind customer gateway 4. In this example, enter 10.20.20.0/24.
    • Next Hop Type: Select IPsec Connection.
    • Next Hop: Select the target IPsec-VPN connection instance. In this example, select IPsec-VPN connection 4.
    • Publish to VPC: Select whether to publish the new route to the VPC route table. In this example, select Yes.
      • Yes (recommended): Publish the new route entry to the VPC route table.
      • No: Do not publish the new route entry to the VPC route table.
    • Weight: Select a weight. In this example, select 0.
    The following figure shows the route tables of office 3, office 4, VPN Gateway 2, and VPC 2.

    (Figure: Shanghai route tables)

Step 3: Add the VPCs to a CEN instance

After you connect the local offices to Alibaba Cloud, you must attach VPC 1 and VPC 2 to the same CEN instance so that they can communicate with each other.

  1. Log on to the CEN console.
  2. On the Instances page, find the target CEN instance and click the instance ID.
  3. Click the Networks tab and then click Attach Network.
  4. Click the Your account tab.
  5. Add the VPC according to the following information, and then click OK.
    • Network Type: Select VPC.
    • Region: Select US (Silicon Valley).
    • Networks: Select VPC 1.
  6. Repeat the preceding steps to add VPC 2 to the same CEN instance.

Step 4: Advertise the routes to the CEN instance

To let each VPC in the CEN instance learn the routes to the offices behind the other VPC, publish the route entries of VPC 1 (US (Silicon Valley)) and VPC 2 (China (Shanghai)) that point to their VPN Gateways to the CEN instance. For more information, see Publish a route to CEN.

After the routes are published, the CEN route table is shown in the following figure.

(Figure: CEN route table)

Step 5: Configure routes on the local gateway devices

After the routes are published to the CEN, you need to configure routes pointing to the Shanghai offices on the gateway devices of the Silicon Valley offices. Similarly, you also need to configure routes pointing to the Silicon Valley offices on the gateway devices of the Shanghai offices.

The following route entries are for reference only; the syntax differs between device vendors. The next hop of every entry is the public IP address of the VPN Gateway in the office's own region, so the traffic is sent into that office's IPsec-VPN tunnel. Make sure the tunnel actually carries these destinations: if the local gateway device negotiates policy-based traffic selectors (proxy IDs), they must include every destination CIDR block routed here, otherwise the packets are dropped even though the route exists.
Office     Routes
Office 1   ip route 192.168.0.0/16 5.5.5.5
           ip route 10.20.10.0/24 5.5.5.5
           ip route 10.20.20.0/24 5.5.5.5
           ip route 10.10.20.0/24 5.5.5.5
           (5.5.5.5 is the public IP address of VPN Gateway 1.)
Office 2   ip route 192.168.0.0/16 5.5.5.5
           ip route 10.20.10.0/24 5.5.5.5
           ip route 10.20.20.0/24 5.5.5.5
           ip route 10.10.10.0/24 5.5.5.5
           (5.5.5.5 is the public IP address of VPN Gateway 1.)
Office 3   ip route 172.16.0.0/16 6.6.6.6
           ip route 10.10.10.0/24 6.6.6.6
           ip route 10.10.20.0/24 6.6.6.6
           ip route 10.20.20.0/24 6.6.6.6
           (6.6.6.6 is the public IP address of VPN Gateway 2.)
Office 4   ip route 172.16.0.0/16 6.6.6.6
           ip route 10.10.10.0/24 6.6.6.6
           ip route 10.10.20.0/24 6.6.6.6
           ip route 10.20.10.0/24 6.6.6.6
           (6.6.6.6 is the public IP address of VPN Gateway 2.)
The route tables of the local offices are shown in the following figure.

(Figure: Route tables of the local offices)
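The prerequisite that no CIDR blocks overlap and the per-office route entries above are both mechanical consequences of the network plan, so they are worth checking and generating from one source rather than typing by hand. The following Python script is an added example written for this page; it is not code from the page or from Alibaba Cloud. It uses the page's CIDR blocks and its placeholder VPN Gateway addresses (5.5.5.5 and 6.6.6.6), and the region labels "us" and "cn", the dictionary layout and the function names are assumptions of this example. It refuses to emit routes for a plan that violates the prerequisite, and it rejects a CIDR block written with host bits set (for example 10.10.10.1/24) instead of silently widening it.

```python
import ipaddress
from itertools import combinations

# Network plan from this topic. The public IP addresses are the page's
# placeholder values (5.5.5.5 / 6.6.6.6), not real endpoints.
NETWORKS = {
    "office 1": ("10.10.10.0/24", "us"),
    "office 2": ("10.10.20.0/24", "us"),
    "VPC 1":    ("172.16.0.0/16", "us"),
    "office 3": ("10.20.10.0/24", "cn"),
    "office 4": ("10.20.20.0/24", "cn"),
    "VPC 2":    ("192.168.0.0/16", "cn"),
}
VPN_GATEWAY_PUBLIC_IP = {"us": "5.5.5.5", "cn": "6.6.6.6"}
# IPsec-VPN connection that terminates each office (Step 1 and Step 2).
IPSEC_CONNECTION = {
    "office 1": "IPsec-VPN connection 1",
    "office 2": "IPsec-VPN connection 2",
    "office 3": "IPsec-VPN connection 3",
    "office 4": "IPsec-VPN connection 4",
}


def parse_plan(networks):
    """Parse every CIDR block strictly: '10.10.10.1/24' (host bits set)
    raises ValueError instead of being widened to 10.10.10.0/24."""
    return {name: ipaddress.ip_network(cidr, strict=True)
            for name, (cidr, _region) in networks.items()}


def overlapping_pairs(networks=NETWORKS):
    """Prerequisite check: every pair of names whose CIDR blocks overlap.
    An empty list means the plan satisfies the prerequisite."""
    nets = parse_plan(networks)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def office_static_routes(office, networks=NETWORKS):
    """Step 5: static routes for one office gateway. Destinations are every
    network in the plan except the office itself and the VPC in its own
    region (that route is installed with the IPsec configuration in step 4
    of Step 1/Step 2). Next hop is the public IP of the region's VPN
    Gateway, written in the page's vendor-neutral 'ip route' form."""
    _cidr, region = networks[office]
    next_hop = VPN_GATEWAY_PUBLIC_IP[region]
    return [f"ip route {cidr} {next_hop}"
            for name, (cidr, r) in networks.items()
            if name != office and not (r == region and name.startswith("VPC"))]


def vpn_gateway_routes(region, networks=NETWORKS):
    """VPN Gateway route entries for a region (step 5 of Step 1/Step 2):
    (destination office CIDR, next-hop IPsec-VPN connection)."""
    return [(cidr, IPSEC_CONNECTION[name])
            for name, (cidr, r) in networks.items()
            if r == region and name in IPSEC_CONNECTION]


def validated_plan(networks=NETWORKS):
    """Office routes for the whole plan; raises if CIDR blocks overlap."""
    pairs = overlapping_pairs(networks)
    if pairs:
        raise ValueError(f"overlapping CIDR blocks: {pairs}")
    return {office: office_static_routes(office, networks)
            for office in IPSEC_CONNECTION if office in networks}


if __name__ == "__main__":
    for office, routes in validated_plan().items():
        print(f"{office}:")
        for line in routes:
            print("  " + line)
    for region in ("us", "cn"):
        print(f"VPN Gateway routes ({region}):", vpn_gateway_routes(region))
```

Run it once before touching any device: the generated entries for office 1 through office 4 are exactly the four lines per office in the table above, and adding a fifth network such as 10.10.0.0/16 makes validated_plan() raise before any route is printed.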

Step 6: Test connectivity

The following example tests connectivity between the local offices from a PC in office 1 to PCs in office 2, office 3, and office 4.

  1. Open the command prompt of the PC at office 1.
  2. Run the ping command against a PC in office 2, office 3, and office 4. If the pings succeed, the global network is established. It is also worth pinging a host in VPC 1 and in VPC 2, so that a failure can be localized: if VPC 1 is reachable but the Shanghai networks are not, the problem is on the CEN side or in the Shanghai tunnels; if nothing is reachable, check the IPsec-VPN connection status in the console, the office gateway route, the VPN Gateway and VPC route entries, and whether the destination host's firewall or security group permits ICMP.
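Pinging every remote network one at a time and reading the summaries by eye is error-prone, so the check is easier to repeat as a script. The following Python script is an added example written for this page, not code from the page or from Alibaba Cloud. The target addresses are constructed hosts inside each of the page's networks, not real machines; the function names and the choice of three probes per target are assumptions of this example. The ping invocation is passed in as a function so the summary parser can be exercised offline, and the summary line is recognized in both the Linux and the Windows command-prompt format.

```python
import re
import subprocess
import sys

# One constructed host inside each network of this topic, reached from the
# office 1 PC (10.10.10.0/24). Replace with real addresses when you run it.
TARGETS = {
    "office 2": "10.10.20.10",
    "office 3": "10.20.10.10",
    "office 4": "10.20.20.10",
    "VPC 1":    "172.16.0.10",
    "VPC 2":    "192.168.0.10",
}

# Summary line of Linux ping ("3 packets transmitted, 3 received, ...")
# and of Windows ping ("Packets: Sent = 3, Received = 3, Lost = 0 ...").
_LINUX = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")
_WINDOWS = re.compile(r"Sent = (\d+), Received = (\d+)")


def parse_ping(output):
    """Return (sent, received) from ping's summary; (0, 0) if no summary.
    Caveat: Windows counts 'Destination host unreachable' replies from an
    intermediate router as received, so reached() also checks for that text."""
    for pattern in (_LINUX, _WINDOWS):
        match = pattern.search(output)
        if match:
            return int(match.group(1)), int(match.group(2))
    return 0, 0


def reached(output):
    """True only if at least one genuine echo reply came back."""
    _sent, received = parse_ping(output)
    return received > 0 and "Destination host unreachable" not in output


def ping_command(host, count=3):
    """Platform-specific ping invocation with a 2-second per-probe timeout."""
    if sys.platform.startswith("win"):
        return ["ping", "-n", str(count), "-w", "2000", host]
    return ["ping", "-c", str(count), "-W", "2", host]


def run_ping(host):
    """Run ping and return its standard output (never raises on loss)."""
    proc = subprocess.run(ping_command(host), capture_output=True, text=True)
    return proc.stdout


def check_reachability(targets=TARGETS, runner=run_ping):
    """Map each target name to True/False; runner is injectable for tests."""
    return {name: reached(runner(host)) for name, host in targets.items()}


if __name__ == "__main__":
    results = check_reachability()
    for name, ok in results.items():
        print(f"{name:8s} {TARGETS[name]:15s} {'reachable' if ok else 'UNREACHABLE'}")
    sys.exit(0 if all(results.values()) else 1)
```

Run it from the office 1 PC after Step 5; a non-zero exit code lists exactly which networks are still unreachable, which narrows the fault to one tunnel, one route table, or the CEN attachment.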