This topic describes how to configure active/standby connections between a data center and a virtual private cloud (VPC) by using IPsec-VPN and an Express Connect circuit.

Scenario

This topic uses the following scenario to show how to connect a data center to a VPC by using both IPsec-VPN and an Express Connect circuit. A company has a data center in Hangzhou and has deployed VPC 1 in the China (Hangzhou) region. Cloud services such as Elastic Compute Service (ECS) are deployed in VPC 1 for business interaction and data analytics. The company wants to establish active/standby connections between the data center and VPC 1. The connections are described as follows:

  • A VPN gateway is associated with an independent VPC (VPC 2). In this example, no service is deployed in VPC 2. VPC 2 serves as a transit VPC to establish IPsec-VPN connections between the data center and VPC 1.
  • When the Express Connect circuit and IPsec-VPN connection are working as expected, all traffic between the data center and VPC 1 is forwarded through the Express Connect circuit. When the Express Connect circuit is not working as expected, the IPsec-VPN connection takes over.
Architecture

Prerequisites

  • You must plan routing protocols for the data center and network instances. In this topic, the following routing protocols are used:
    • Static routing is used between the gateway device of the data center and the VPN gateway.
    • Border Gateway Protocol (BGP) dynamic routing is used between the gateway device of the data center and the virtual border router (VBR).
      Note In scenarios where the VPN gateway serves as the standby connection and the Express Connect circuit serves as the active connection:
      • If the VPN gateway is associated with an independent VPC (for example, VPC 2 in this topic), the VBR must use BGP dynamic routing. The VPN gateway can use static routing or BGP dynamic routing.
      • If the VPN gateway is associated with a VPC where services are deployed (for example, VPC 1 in this topic), both the VBR and VPN gateway must use BGP dynamic routing.
  • You must plan networks for the data center and network instances. Make sure that the CIDR block of the data center does not overlap with those of the network instances. In this topic, the following CIDR blocks and IP addresses are used:
    • VPC 1: CIDR block 192.168.0.0/16. IP address of the ECS instance: 192.168.20.161.
    • VPC 2: CIDR block 10.0.0.0/16. Public IP address: N/A.
    • VBR: CIDR block 10.1.0.0/30.
      • VLAN ID: 0
      • Peer IPv4 address on the Alibaba Cloud side: 10.1.0.1/30
      • Peer IPv4 address on the customer side: 10.1.0.2/30

      In this topic, the device on the customer side refers to the gateway device in the data center.

    • Data center: CIDR block 172.16.0.0/16. IP address of the client: 172.16.1.188.
    • Gateway device in the data center: CIDR block 10.1.0.0/30.
      • Public IP address: 211.XX.XX.68
      • IP address of the interface connected to the Express Connect circuit: 10.1.0.2/30
      • BGP autonomous system number (ASN): 65530
  • VPC 1 and VPC 2 are created in the China (Hangzhou) region. The cloud services that are used for business interaction and data analytics are deployed in VPC 1. No service is deployed in VPC 2. VPC 2 is associated with a VPN gateway and serves as a transit VPC between the data center and VPC 1. For more information, see Work with VPCs.
  • Check the gateway device in the data center. Make sure that it supports standard IKEv1 and IKEv2 protocols. For information about whether the gateway device supports the IKEv1 and IKEv2 protocols, consult the gateway device manufacturer.
  • A static IP address is assigned to the gateway device in the data center.
  • You understand the security group rules of the ECS instances in VPC 1. Make sure that the rules allow the data center to access the ECS instances in VPC 1. For more information, see Query security group rules and Add security group rules.
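A quick way to validate the planning requirement above, as an added check that is not part of this topic: the script below confirms that the CIDR blocks from the planning table are pairwise disjoint and reports the offending pair when they are not (the widened VPC 2 block is a constructed counterexample).

```python
# Added example (not from the Alibaba Cloud topic): check that planned CIDR
# blocks do not overlap before the topology is built.
import ipaddress
from itertools import combinations

# CIDR blocks taken from the planning table in this topic.
PLANNED_CIDRS = {
    "VPC1": "192.168.0.0/16",
    "VPC2": "10.0.0.0/16",
    "VBR": "10.1.0.0/30",
    "Data center": "172.16.0.0/16",
}

def find_overlaps(cidrs):
    """Return sorted (name_a, name_b) pairs whose blocks overlap; names in each pair are sorted."""
    nets = {name: ipaddress.ip_network(block, strict=True) for name, block in cidrs.items()}
    return sorted(
        tuple(sorted((a, b)))
        for (a, na), (b, nb) in combinations(nets.items(), 2)
        if na.overlaps(nb)
    )

def check_plan(cidrs):
    """True when every pair of planned blocks is disjoint."""
    return not find_overlaps(cidrs)

if __name__ == "__main__":
    print("planned blocks disjoint:", check_plan(PLANNED_CIDRS))
    # Constructed bad plan: a VPC 2 of 10.1.0.0/16 would swallow the VBR link /30.
    bad = dict(PLANNED_CIDRS, VPC2="10.1.0.0/16")
    print("overlaps in bad plan:", find_overlaps(bad))
```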

Procedure

Step 1: Deploy an Express Connect circuit

  1. Deploy an Express Connect circuit.
    You must apply for an Express Connect circuit in the China (Hangzhou) region. For more information, see Create a dedicated connection over an Express Connect circuit or Overview.
  2. Create a VBR.
    1. Log on to the Express Connect console.
    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).
    3. In the top navigation bar, select the region where you want to create a VBR.
      In this example, the China (Hangzhou) region is selected.
    4. On the Virtual Border Routers (VBRs) page, click Create VBR.
    5. In the Create VBR panel, set the following parameters and click OK.
      • Account: Select Current account.
      • Name: VBR is used in this example.
      • Physical Connection Interface: Select the Express Connect circuit you have applied for.
      • VLAN ID: Set this parameter to 0.
      • IPv4 Address of Gateway at Alibaba Cloud: Set this parameter to 10.1.0.1.
      • IPv4 Address of Gateway at Customer Side: Set this parameter to 10.1.0.2.
      • Subnet Mask: Set this parameter to 255.255.255.252.
  3. Create a BGP group.
    1. On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
    2. On the details page of the VBR, click the BGP Groups tab and click Create BGP Group.
    3. In the Create BGP Group panel, set the following parameters and click OK.
      • Name: Enter a name for the BGP group. In this example, test is used.
      • Peer ASN: Enter the ASN of the gateway device in the data center. In this example, 65530 is used.
      • BGP Key: Enter the key of the BGP group. This parameter is not set in this example.
      • Description: Enter the description of the BGP group. In this example, test is used.
  4. Create a BGP peer.
    1. On the details page of the VBR, click the BGP Peers tab and click Create BGP Peer.
    2. In the Create BGP Peer panel, set the following parameters and click OK.
      • BGP Group: Select a BGP group. The BGP group test is used in this example.
      • BGP Peer IP Address: Enter the IP address of the BGP peer. In this example, 10.1.0.2 is used, which is the IP address of the interface on the gateway device in the data center that connects to the Express Connect circuit.

Step 2: Deploy a VPN gateway

  1. Create a VPN gateway.
    1. Log on to the VPN Gateway console.
    2. In the top navigation bar, select the China (Hangzhou) region.
    3. On the VPN Gateways page, click Create VPN Gateway.
    4. On the buy page, set the following parameters, click Buy Now, and then complete the payment.
      • Name: Enter a name for the VPN gateway.
      • Region: Select the region where you want to deploy the VPN gateway.

        In this example, the VPN gateway is to be associated with VPC 2. Make sure that VPC 2 and the VPN gateway are deployed in the same region. In this example, the China (Hangzhou) region is selected.

      • VPC: Select the VPC to be associated with the VPN gateway. VPC 2 is selected in this example.
      • Specify VSwitch: Specify whether to create the VPN gateway in a vSwitch of the VPC. No is selected in this example.

        If you select Yes, you must also specify a vSwitch.

      • Peak Bandwidth: Specify the maximum bandwidth for the VPN gateway. The bandwidth is used for data transfer over the Internet.
      • Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Pay-as-you-go.
      • IPsec-VPN: You can enable or disable the IPsec-VPN feature. After you enable this feature, you can establish connections between a data center and a VPC or between two VPCs. Enable is selected in this example.
      • SSL-VPN: You can enable or disable the SSL-VPN feature. After you enable this feature, you can connect to the VPC from a client regardless of the location. Disable is selected in this example.
      • Duration: By default, the VPN gateway is billed on an hourly basis.
    5. Return to the VPN Gateways page, then check and record the public IP address of the VPN gateway that you created. This address is used when you configure the gateway device in the data center.
      A newly created VPN gateway is in the Preparing state. After about 1 to 5 minutes, its status changes to Normal. The Normal state indicates that the VPN gateway is initialized and ready for use.
  2. Create a customer gateway.
    1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
    2. On the Customer Gateway page, click Create Customer Gateway.
    3. On the Create Customer Gateway page, set the following parameters and click OK.
      • Name: Enter a name for the customer gateway.
      • IP Address: Enter the public IP address of the gateway device in the data center that you want to connect to VPC 2. In this example, 211.XX.XX.68 is entered.
      • ASN: Enter the ASN of the gateway device in the data center. This parameter is not set in this example.
      • Description: Enter a description for the customer gateway.
  3. Create an IPsec-VPN connection.
    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
    2. On the IPsec Connection page, click Create IPsec Connection.
    3. On the Create IPsec Connection page, set the following parameters and click OK.
      • Name: Enter a name for the IPsec-VPN connection.
      • VPN Gateway: Select the VPN gateway that you created.
      • Customer Gateway: Select the customer gateway you created.
      • Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.
      • Effective Immediately: Select whether to immediately start connection negotiations. No is selected in this example.
        • Yes: immediately starts negotiations after you complete the configurations.
        • No: starts negotiations when data transfer is detected.
      • Pre-Shared Key: Enter the pre-shared key. The pre-shared key configured on the gateway device in the data center must be the same as this value. In this example, the randomly generated default value is used.

        Use the default settings for other parameters.

      For more information, see Create an IPsec-VPN connection.
  4. Configure routes on the VPN gateway.
    You must use the VPN gateway to advertise the routes of the data center to VPC 2.
    1. After an IPsec-VPN connection is created, click OK in the Established dialog box to advertise the routes in the VPN gateway.
    2. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
    3. On the VPN Gateways page, find the VPN gateway you created and click the ID.
    4. On the Destination-based Routing tab, click Add Route Entry.
    5. In the Add Route Entry panel, set the following parameters, and click OK.
      • Destination CIDR Block: Enter the CIDR block of the data center. In this example, 172.16.0.0/16 is entered.
      • Next Hop Type: Select IPsec Connection.
      • Next Hop: Select the IPsec-VPN connection you created.
      • Publish to VPC: Specify whether to automatically advertise new routes to the route table of VPC 2. In this example, Yes is selected.
      • Weight: Select a weight for the route. In this example, 100 is used, which indicates the highest priority.
        Note If the VPN gateway contains multiple routes that have the same destination CIDR block, you cannot set the weight of all of these routes to 100 at the same time.
  5. Load the VPN configuration to the gateway device in the data center.
    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
    2. On the IPsec Connections page, find the IPsec-VPN connection you created. In the Actions column, select More > Download Configuration.
    3. Load the configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure a gateway device in a data center.

Step 3: Create and configure a CEN instance

After you configure the Express Connect circuit and VPN gateway, you must attach VPC 1, VPC 2 and the VBR to a Cloud Enterprise Network (CEN) instance. The CEN instance can connect the data center to VPC 1.

  1. Create a CEN instance.
    1. Log on to the CEN console.
    2. On the Instances page, click Create CEN Instance.
    3. In the Create CEN Instance panel, set the following parameters and click OK.
      • Name: Enter a name for the CEN instance.
      • Description: Enter a description for the CEN instance.
      • Network Type: Select the type of network instance to attach. In this example, VPC is selected.
      • Region: Select the region where the network instance is created. In this example, China (Hangzhou) is selected.
      • Networks: Select the network instance that you want to attach. VPC 2 is selected in this example.
  2. Attach VPC 1 and the VBR to the CEN instance.
    1. On the Instances page, find the CEN instance that you want to manage and click its ID.
    2. Click the Networks tab and then click Attach Network.
    3. In the Attach Network panel, click the Your Account tab.
    4. Set the following parameters and click OK:
      • Network Type: Select the type of network instance to attach. In this example, VPC is selected.
      • Region: Select the region where the network instance is created. In this example, China (Hangzhou) is selected.
      • Networks: Select the network instance that you want to attach. In this example, VPC 1 is selected.
    5. Repeat the preceding steps to attach the VBR to the CEN instance.
  3. Advertise the routes of the data center from VPC 2 to CEN.
    After you use the VPN gateway to advertise the routes of the data center to VPC 2, the routes in VPC 2 are in the NonPublished state by default. You must manually advertise the routes of the data center from VPC 2 to CEN. This way, VPC 1 can learn the routes of the data center from VPC 2.
    1. Log on to the CEN console.
    2. On the Instances page, find the CEN instance that you want to manage and click its ID.
    3. On the details page of the CEN instance, click the Routes tab.
    4. On the Routes tab, view the routes of VPC 2, find the routes of the data center, and then click Publish in the Publishing Progress column.
    5. In the PublishRoute message, click OK.
  4. Configure health checks for the Express Connect circuit.
    You must configure health checks for the Express Connect circuit. A health check sends probe packets based on the time interval and number of probe packets that you specify. If probe packets are consecutively lost, the CEN instance routes traffic to the IPsec-VPN connection.
    1. Log on to the CEN console.
    2. In the left-side navigation pane, click Health Check.
    3. Select the region to which the VBR belongs and click Set Health Check.
    4. In the Set Health Check panel, set the following parameters and click OK.
      • Instances: Select the CEN instance to which the VBR is attached.
      • Virtual Border Router (VBR): Select the VBR that you want to monitor.
      • Source IP: In this example, Automatic IP Address is selected.

        If you select Automatic IP Address, the system automatically allocates IP addresses in the 100.96.0.0/16 CIDR block to probe the connectivity of the Express Connect circuit.

      • Destination IP: Enter the IP address on the customer side of the VBR.
      • Probe Interval (Seconds): Specify the time interval at which probe packets are sent for health checks. Unit: seconds. The default value is used in this example.
      • Probe Packets: Specify the number of probe packets that are sent at each interval. Unit: packets. The default value is used in this example.

Step 4: Configure the gateway device in the data center

The following sample code is for reference only. The commands may vary from vendor to vendor. Consult the vendor for specific commands.

# Configure BGP dynamic routing, establish a BGP peering connection to the VBR, and advertise the routes of the data center to Alibaba Cloud.
interface GigabitEthernet 0/12          # The port is used to connect the gateway device of the data center to the Express Connect circuit.
no switchport
ip address 10.1.0.2 255.255.255.252     # The IP address of the port. The IP address must be the same as the IPv4 address of the VBR on the customer side.

router bgp 65530
bgp router-id 10.1.0.2
network 172.16.0.0 mask 255.255.0.0     # Advertise the routes of the data center to Alibaba Cloud.
neighbor 10.1.0.1 remote-as 45104       # Establish a peering connection to the VBR.
exit

# Set the priority of the route that points to VPC 1 through the VPN gateway. The priority must be lower than that of the BGP route.
ip route 192.168.0.0 255.255.0.0 <The public IP address of the VPN gateway> preference 255

# Configure the return route of the probe packets.
ip route <The source IP address for the health check> 255.255.255.255 10.1.0.1
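The following model, added here and not part of this topic or the vendor's configuration, ties together the health check from Step 3 and the gateway configuration in Step 4: consecutive probe losses mark the circuit down, and the gateway's route selection then falls from the BGP route learned from the VBR to the static route through the VPN gateway (preference 255). The eBGP preference of 20, the loss threshold of 3, the VPN gateway address 203.0.113.10 and the probe source 100.96.0.7 are assumed values, and treating a failed health check as the BGP session being down is a simplification.

```python
# Added model (not from the Alibaba Cloud topic) of the active/standby logic.
# Assumed values: eBGP preference 20, 3 consecutive lost probes = circuit down.
import ipaddress
from dataclasses import dataclass

EBGP_PREFERENCE = 20                # assumed preference of routes learned from the VBR
LOSS_THRESHOLD = 3                  # assumed consecutive-loss threshold of the health check
VPN_GATEWAY_IP = "203.0.113.10"     # placeholder for the VPN gateway's public IP
HEALTH_CHECK_SRC = "100.96.0.7"     # constructed probe source from 100.96.0.0/16

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    preference: int   # lower wins, as in the gateway config (static VPN route = 255)
    source: str

def circuit_healthy(probe_results, threshold=LOSS_THRESHOLD):
    """probe_results: one bool per probe packet (True = reply received).
    The circuit is declared down only after `threshold` consecutive losses."""
    streak = 0
    for ok in probe_results:
        streak = 0 if ok else streak + 1
        if streak >= threshold:
            return False
    return True

def gateway_routes(bgp_session_up):
    """Routing table of the data-center gateway as configured in Step 4."""
    routes = [
        Route("192.168.0.0/16", VPN_GATEWAY_IP, 255, "static-vpn"),
        Route(f"{HEALTH_CHECK_SRC}/32", "10.1.0.1", 1, "static-probe-return"),
    ]
    if bgp_session_up:  # VPC 1 route learned from the VBR over the circuit
        routes.append(Route("192.168.0.0/16", "10.1.0.1", EBGP_PREFERENCE, "bgp"))
    return routes

def select_route(dest, routes):
    """Longest prefix match first, then lowest preference."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.preference))

def active_path(probe_results):
    """Path carrying traffic to ECS 192.168.20.161; failed health check = BGP session down."""
    up = circuit_healthy(probe_results)
    return select_route("192.168.20.161", gateway_routes(bgp_session_up=up)).source

if __name__ == "__main__":
    print(active_path([True] * 6))                   # bgp
    print(active_path([True, False, False, False]))  # static-vpn
```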

Step 5: Test the connectivity

  1. Open the command-line interface (CLI) on a computer in the data center.
  2. On the CLI, run the ping command to ping the IP address of an ECS instance in VPC 1. The IP address of the ECS instance falls within the 192.168.0.0/16 CIDR block. If the client receives a response packet, the data center is connected to VPC 1.
  3. On the gateway device in the data center, shut down the interface that is connected to the Express Connect circuit to close the connection. Run the ping command on the CLI again to test the connectivity between the data center and VPC 1. If you receive a response packet, the standby IPsec-VPN connection is working as expected.