This topic describes how to implement an active/standby configuration by using a VPN Gateway and a physical connection of Express Connect to improve the availability of your applications.

You can connect your on-premises data center to an Alibaba Cloud VPC through both a physical connection and an IPsec-VPN connection at the same time:
  • When the physical connection works normally, traffic between the on-premises data center and the VPC is forwarded through the physical connection.
  • When the physical connection fails, traffic between the on-premises data center and the VPC is directed to the IPsec-VPN tunnel instead.

Prerequisites

A physical connection is created to allow intercommunication between your on-premises data center and the VPC.

For more information, see Apply for a physical connection interface.

Step 1: Create a VPN Gateway

To create a VPN Gateway, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the purchase page, set the parameters, and then click Buy Now to complete the payment.
    • Name: Enter a name for the VPN Gateway.
    • Region: Select a region for the VPN Gateway.
      Note The VPN Gateway must be in the same region as the VPC.
    • VPC: Select the VPC to be connected.
    • Peak Bandwidth: Select a peak bandwidth. The bandwidth is the Internet bandwidth of the VPN Gateway.
    • IPsec-VPN: Enable the IPsec-VPN function.
    • SSL-VPN: Select whether to enable the SSL-VPN function. The SSL-VPN function allows individual clients to access the VPC over the Internet. If you only need the site-to-site IPsec-VPN tunnel described in this topic, leave it disabled.
    • SSL connections: Select the maximum number of clients to which you want to connect simultaneously.
      Note This parameter is valid only after the SSL-VPN function is enabled.
    • Billing Cycle: Select a billing cycle.
  5. Go back to the VPN Gateways page to check the created VPN Gateway.
    The initial status of the VPN Gateway is Preparing. The status changes to Normal after one to five minutes, and the VPN Gateway is then ready to use.

Step 2: Create a customer gateway

Create a customer gateway and register the public IP address of the local gateway to the customer gateway. To do so, follow these steps:
  1. In the left-side navigation pane, choose VPN > Customer Gateways.
  2. Select the region in which you want to create a customer gateway.
  3. On the Customer Gateways page, click Create Customer Gateway.
  4. On the Create Customer Gateway page, set the parameters, and then click OK.
    • Name: Enter a name for the customer gateway.
    • IP Address: Enter the public IP address of the gateway device in the on-premises data center. This is the address the VPN Gateway negotiates with, so it must be reachable from the Internet.
    • Description: Enter a description of the customer gateway.

Step 3: Create an IPsec-VPN connection

To create an IPsec-VPN connection, follow these steps:
  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select a region.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. Configure the IPsec-VPN connection according to the following information and click OK.
    • Name: Enter the name of the IPsec-VPN connection.
    • VPN Gateway: Select the created VPN Gateway.
    • Customer Gateway: Select the created customer gateway.
    • Local Network: Enter the CIDR block of the VPC to which the selected VPN Gateway belongs.
    • Remote Network: Enter the CIDR block of the on-premises data center.
    • Effective Immediately: Select whether to start the negotiation immediately.
      • Yes: Start the negotiation immediately once the configuration is complete.
      • No: Start the negotiation only when traffic is detected in the tunnel.
    • Pre-Shared Key: Enter a pre-shared key. This value must be the same as the one configured on the local gateway. Use a long, randomly generated key that is not shared with any other connection.
    • Health Check: Enable health checks and enter the destination IP address, source IP address, retry interval, and number of retries.

      Use the default configurations for the other parameters. Whatever IKE and IPsec algorithm settings you keep here must match the settings on the local gateway, otherwise the negotiation fails.

Step 4: Load the VPN configuration to the local gateway

To load the VPN configuration to the local gateway, follow these steps:

  1. In the left-side navigation pane, choose VPN > IPsec Connections.
  2. Select the region to which the target IPsec connection belongs.
  3. On the IPsec Connections page, find the target IPsec connection, and then click Download Configuration in the Actions column.
  4. Add the downloaded configuration to the local gateway device. For more information, see Local gateway configuration.

    RemoteSubnet and LocalSubnet in the downloaded configuration are the opposite of the Local Network and Remote Network that you set when you created the IPsec connection in Step 3. From the VPN Gateway's point of view, the local network is the CIDR block of the VPC and the remote network is the CIDR block of the on-premises data center. From the local gateway's point of view, LocalSubnet is the CIDR block of the on-premises data center and RemoteSubnet is the CIDR block of the VPC.

Step 5: Configure a route for the VPN Gateway

To configure a route for the VPN Gateway, follow these steps:

  1. In the left-side navigation pane, choose VPN > VPN Gateways.
  2. Select the region to which the target VPN gateway belongs.
  3. On the VPN Gateways page, find the target VPN Gateway, and then click the instance ID in the Instance ID/Name column.
  4. On the Destination-based Routing tab, click Add Route Entry.
  5. On the Add Route Entry page, set the parameters, and then click OK.
    • Destination CIDR Block: Enter the private CIDR block of the on-premises data center.
    • Next Hop: Select the IPsec connection instance.
    • Publish to VPC: Select whether to publish the new route to the VPC route table. In this example, select Yes.
    • Weight: Select a weight. In this example, select 100.

Step 6: Configure health checks for the VBR of the physical connection

Configure health checks for the Virtual Border Router (VBR) of the physical connection so that the VPC can detect when the physical connection fails and direct traffic to the IPsec-VPN connection. Without a health check, a physical connection whose link stays up while the path is broken is never detected, and traffic is not switched over.

For more information, see Configure health checks.

Step 7: Configure the local gateway

On the local gateway device, configure an active route to the VPC that points to the physical connection and a standby route to the VPC that points to the IPsec-VPN tunnel, and enable the health check function for the physical connection. When the health check detects that the physical connection has failed, the active route is withdrawn and traffic is forwarded through the IPsec-VPN connection; when the physical connection recovers, the active route is restored.
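The following script is an added example of Step 7 for a Linux local gateway; it is not from this topic and does not describe a specific vendor device. It assumes, hypothetically, that the VPC CIDR block is 192.168.0.0/16, that the physical connection terminates on eth1 with the VBR-side peer at 10.0.0.1, that the IPsec-VPN tunnel is a route-based interface named ipsec0, and that 10.0.0.1 is the health-check target. It installs the active route (metric 100, via the physical connection) and the standby route (metric 200, via the tunnel), pins the health-check target to the physical path so a probe can never succeed through the standby tunnel and hide a failure, and withdraws or restores the active route based on the probe result.

```shell
#!/bin/sh
# Active/standby failover for a Linux local gateway (added example; all
# addresses and interface names below are hypothetical).
VPC_CIDR=${VPC_CIDR:-192.168.0.0/16}     # Remote network from the local gateway's view
PHYS_NEXTHOP=${PHYS_NEXTHOP:-10.0.0.1}   # VBR-side address of the physical connection
PHYS_DEV=${PHYS_DEV:-eth1}               # Interface of the physical connection
VPN_DEV=${VPN_DEV:-ipsec0}               # Route-based IPsec tunnel interface
PROBE_TARGET=${PROBE_TARGET:-10.0.0.1}   # Health-check target reachable over the physical path
RETRIES=${RETRIES:-3}                    # Number of probes per check
INTERVAL=${INTERVAL:-2}                  # Seconds between probes
PROBE_CMD=${PROBE_CMD:-ping -c 1 -W 1 $PROBE_TARGET}
ROUTE_CMD=${ROUTE_CMD:-ip}               # Set to "echo ip" for a dry run

install_routes() {
    # Pin the probe target to the physical path with a host route so the
    # health check never passes via the standby tunnel after a failover.
    $ROUTE_CMD route replace "$PROBE_TARGET/32" via "$PHYS_NEXTHOP" dev "$PHYS_DEV"
    # Active route (lower metric wins) and standby route to the same prefix.
    $ROUTE_CMD route replace "$VPC_CIDR" via "$PHYS_NEXTHOP" dev "$PHYS_DEV" metric 100
    $ROUTE_CMD route replace "$VPC_CIDR" dev "$VPN_DEV" metric 200
}

probe_failures() {
    # Run RETRIES probes INTERVAL seconds apart; print how many failed.
    failed=0
    i=0
    while [ "$i" -lt "$RETRIES" ]; do
        if ! $PROBE_CMD >/dev/null 2>&1; then
            failed=$((failed + 1))
        fi
        i=$((i + 1))
        if [ "$i" -lt "$RETRIES" ]; then sleep "$INTERVAL"; fi
    done
    echo "$failed"
}

decide_path() {
    # Declare the physical path down only when every probe in the window failed,
    # so a single lost packet does not flap traffic onto the tunnel.
    if [ "$1" -ge "$RETRIES" ]; then echo standby; else echo active; fi
}

apply_path() {
    # Only the active route is added or withdrawn; the standby route (metric 200)
    # is always present, so withdrawing the active route moves traffic to the tunnel.
    case "$1" in
        active)  $ROUTE_CMD route replace "$VPC_CIDR" via "$PHYS_NEXTHOP" dev "$PHYS_DEV" metric 100 ;;
        standby) $ROUTE_CMD route del "$VPC_CIDR" via "$PHYS_NEXTHOP" dev "$PHYS_DEV" metric 100 2>/dev/null || true ;;
    esac
}

main() {
    install_routes
    while :; do
        apply_path "$(decide_path "$(probe_failures)")"
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "sh failover.sh run".
if [ "${1:-}" = "run" ]; then main; fi
```

Run it once with `ROUTE_CMD="echo ip" sh failover.sh run` to see the route commands it would issue before letting it touch the routing table. The probe target is deliberately the VBR-side address on the physical link: probing an address inside the VPC CIDR would be answered over the tunnel after a failover, and the script would wrongly restore the active route.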