VPN Gateway allows you to connect on-premises data centers, corporate networks, individual clients to Alibaba Cloud Virtual Private Cloud (VPC) networks through encrypted tunnels. This topic describes how to connect an on-premises data center to a VPC by using an IPsec-VPN tunnel.

Prerequisites

  • The gateway device that you use to connect to Alibaba Cloud supports the standard IKEv1 and IKEv2 protocols. In this example, IKEv2 must be supported because multiple subnets are configured. Compatible devices include certain models manufactured by Huawei, H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.
  • The gateway device has a static public IP address assigned.
  • The IP address ranges of the on-premises network do not overlap the IP address ranges of the VPC.

Background information

When you create a data migration, data synchronization, or change tracking task, you can select User-created database connected over Express Connect, VPN Gateway, or Smart Access Gateway as the instance type, and then enter the private IP address of your on-premises database.

Precautions

If you have already connected your on-premises networks to Alibaba Cloud, you can skip the VPN tunnel setup steps. However, you must still whitelist the DTS servers in your VPN settings and create several static routes. To do this, follow these steps:

  1. Add the CIDR blocks of DTS servers to the IPsec-VPN connection. For more information, see Modify an IPsec-VPN connection.
    Note Click + Add CIDR Block and enter the CIDR blocks of DTS servers for the corresponding region. For more information, see Add the CIDR blocks of DTS servers to the security settings of on-premises databases.
  2. Configure static routes on your customer gateway. For more information, see Step 4: Configure an IPsec-VPN connection and a static route on the on-premises gateway.

Billing

VPN Gateway is a paid service. For more information, see Billing.

Step 1: Create a VPN gateway

  1. Log on to the VPC console.
  2. In the upper-left corner of the page, select a region.
  3. In the left-side navigation pane, click VPN > VPN Gateways.
  4. On the VPN Gateways page, click Create VPN Gateway.
  5. Complete the VPN gateway settings as follows:
    Region: Select the region where the VPN gateway resides.
      Note: The VPN gateway must reside in the same region as the VPC that you want to connect to.
    VPC: Select the VPC to be connected.
    Assign VSwitch: Optional. You can set this option to Yes and select a VSwitch so that the VPN gateway is connected to the specified VSwitch only.
    Peak Bandwidth: Select the maximum Internet bandwidth of the VPN gateway.
    IPsec-VPN: Select Enable.
      Note: The IPsec-VPN mode supports site-to-site connections. You can create an IPsec tunnel to connect an on-premises network to a VPC, or to connect two VPCs.
    SSL-VPN: Select Disable.
      Note: The SSL-VPN mode supports point-to-site connections. You can create a VPN connection from a VPN client without configuring a gateway for the client.
    Billing Cycle: This setting is fixed to By Hour.

  6. Click Buy Now and follow the instructions to complete the payment.

Step 2: Create a customer gateway

  1. Log on to the VPC console.
  2. In the upper-left corner of the page, select the region where the VPN gateway resides.
  3. In the left-side navigation pane, click VPN > Customer Gateways.
  4. Click Create Customer Gateway.
  5. Complete the customer gateway settings as follows:
    Name: Enter a name for the customer gateway.
    IP Address: Enter the static public IP address of the gateway device of the on-premises data center.
    Description: The description must be 2 to 256 characters in length and cannot start with http:// or https://.
  6. Click OK.

Step 3: Create an IPsec-VPN connection and configure a route

  1. Log on to the VPC console.
  2. In the upper-left corner of the page, select the region to which the VPN gateway belongs.
  3. In the left-side navigation pane, click VPN > IPsec Connections.
  4. Click Create IPsec Connection.
  5. In the Create IPsec Connection pane, complete the settings as follows:
    Name: Enter a name for the IPsec-VPN connection.
      Note: The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.
    VPN Gateway: Select the VPN gateway to be connected through the IPsec-VPN connection. In this procedure, select the VPN gateway that is created in Step 1.
    Customer Gateway: Select the customer gateway to be connected through the IPsec-VPN connection. In this procedure, select the customer gateway that is created in Step 2.
    Local Network: Enter the CIDR block of the VPC. This setting is used for phase two negotiations.
      Notice:
      • You can enter the CIDR block of the VPC or of a VSwitch in the VPC. In this procedure, 172.16.88.0/24 is the CIDR block of a VSwitch in the VPC.
      • The CIDR block of the VPC cannot overlap the CIDR block of the on-premises data center.
    + Add Local Network: Enter multiple CIDR blocks of the VPC. In this procedure, enter the CIDR blocks of DTS servers. For more information, see Add the CIDR blocks of DTS servers to the security settings of on-premises databases.
      Note: When you add multiple CIDR blocks, set the version to ikev2 in Advanced Configuration.
    Remote Network: Enter the CIDR block of the on-premises network. This setting is used for phase two negotiations.
      Note: The CIDR block of the on-premises network must not overlap the CIDR block of the VPC.
    + Add Remote Network: Enter multiple CIDR blocks of the on-premises network.
      Notice: When you add multiple CIDR blocks, set the version to ikev2 in Advanced Configuration.
    Effective Immediately: Specify whether the settings take effect immediately.
      • Yes: initiates the negotiation phase immediately after the configuration is applied.
      • No: initiates the negotiation phase the first time that traffic is detected in the IPsec-VPN tunnel.
    Advanced Configuration: For more information about the IPsec-VPN configurations, see Create an IPsec-VPN connection.
    Health Check
  6. Click OK.
  7. In the success message, click OK to configure routing for the VPN gateway.
  8. The VPN Gateway page appears. On the Destination-based Routing tab, click Add Route Entry.
  9. In the Add Route Entry pane, complete the settings as follows.
    Destination CIDR Block: Enter the private CIDR block of the on-premises network. In this example, enter 192.168.10.0/24.
    Next Hop Type: Select IPsec Connection.
    Next Hop: Select the IPsec-VPN connection that you created.
    Publish to VPC: Specify whether to publish the new route entry to the VPC routing table.
      • Yes (recommended): publish the new route entry to the VPC routing table.
      • No: do not publish the new route entry to the VPC routing table.
        Note: If you select No, you must publish the route entry to the destination-based routing table after you add the destination-based route entry.
    Weight: Select a weight:
      • 100: the highest weight
      • 0: the lowest weight
      Note: If two static routes have the same destination CIDR block, you cannot set the weight of both route entries to 100.

Step 4: Configure an IPsec-VPN connection and a static route on the on-premises gateway

  1. Log on to the VPC console.
  2. In the upper-left corner of the page, select the region where the VPN gateway resides.
  3. In the left-side navigation pane, click VPN > IPsec Connections.
  4. Find the target IPsec-VPN connection and choose More > Download Configuration in the Actions column.
  5. In the IPsec Connection Configuration pane, the peer configuration is displayed in JSON notation. Add the peer configuration to the on-premises gateway device. The configuration steps vary depending on the device manufacturer and model. For more information, see Configure an on-premises gateway.
  6. Add a static route entry to the on-premises gateway device. The destination addresses are the CIDR blocks of DTS servers for the corresponding region. For more information, see Add the CIDR blocks of DTS servers to the security settings of on-premises databases. The next hop is the new IPsec-VPN tunnel interface.
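A pre-flight check for the values entered in Step 3 and Step 4, as an added example that is not part of the Alibaba Cloud documentation: it rejects local and remote CIDR blocks that overlap, selects the IKE version the console requires when multiple CIDR blocks are configured, and lists the static routes needed on the VPN gateway and on the on-premises gateway. The DTS CIDR block and the tunnel interface name below are placeholders.

```python
"""Pre-flight validation of IPsec-VPN Local/Remote Network settings and static routes.
Added example, not Alibaba Cloud code. The DTS CIDR block is a placeholder."""
import ipaddress
from typing import Dict, List

def parse_cidrs(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects entries with host bits set, e.g. 172.16.88.5/24
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def find_overlaps(local: List[str], remote: List[str]) -> List[str]:
    """Return 'local <-> remote' pairs whose CIDR blocks overlap; must be empty."""
    clashes = []
    for loc in parse_cidrs(local):
        for rem in parse_cidrs(remote):
            if loc.overlaps(rem):
                clashes.append(f"{loc} <-> {rem}")
    return clashes

def required_ike_version(local: List[str], remote: List[str]) -> str:
    """More than one CIDR block on either side requires ikev2 (Advanced Configuration)."""
    return "ikev2" if len(local) > 1 or len(remote) > 1 else "ikev1"

def plan_connection(vpc_cidrs: List[str], dts_cidrs: List[str],
                    onprem_cidrs: List[str], tunnel_if: str) -> Dict:
    # Local Network = VPC (or VSwitch) CIDR blocks plus the DTS server CIDR blocks
    local = list(vpc_cidrs) + list(dts_cidrs)
    clashes = find_overlaps(local, onprem_cidrs)
    if clashes:
        raise ValueError("overlapping CIDR blocks: " + ", ".join(clashes))
    return {
        "local_network": local,
        "remote_network": list(onprem_cidrs),
        "ike_version": required_ike_version(local, onprem_cidrs),
        # Step 3: destination-based routes on the VPN gateway towards on-premises
        "gateway_routes": [{"destination": c, "next_hop_type": "IPsec Connection",
                            "publish_to_vpc": True, "weight": 100} for c in onprem_cidrs],
        # Step 4: static routes on the on-premises gateway via the tunnel interface
        "onprem_routes": [{"destination": c, "next_hop": tunnel_if} for c in local],
    }

if __name__ == "__main__":
    # Constructed input: VSwitch and on-premises blocks from this topic,
    # 10.250.0.0/16 stands in for the DTS CIDR block of your region (placeholder).
    plan = plan_connection(["172.16.88.0/24"], ["10.250.0.0/16"],
                           ["192.168.10.0/24"], "tunnel0")
    for key, value in plan.items():
        print(f"{key}: {value}")
```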