After you establish a private connection between a data center and a virtual private cloud (VPC) through an Express Connect circuit and Cloud Enterprise Network (CEN), the traffic on that private connection is not encrypted, which is a security risk. To improve network security, you can use a private VPN gateway to encrypt the private connection over the Express Connect circuit (hereafter referred to as the private connection). This topic describes how private connections are encrypted and the available configuration methods.

Note Private VPN gateways are in invitational preview. To use a private VPN gateway, contact your sales manager or submit a ticket.

How it works

After you establish a private connection between a data center and a VPC through an Express Connect circuit and CEN, you can establish an encrypted tunnel between a private VPN gateway and an on-premises gateway device. You can configure routes to route network traffic between the data center and the VPC to the encrypted tunnel. This way, network traffic transmitted through the tunnel is encrypted.

Overview

The following example describes how a private connection is encrypted. In this example, a client in a data center accesses an Elastic Compute Service (ECS) instance in a VPC. The request packet and the response packet are described hop by hop.

Request packet (client to ECS instance)

Client
  1. The client initiates a request.
  2. The client queries the route table and forwards the request packet to the on-premises gateway device.

On-premises gateway device
  1. After the on-premises gateway device receives the request packet, it encrypts and encapsulates the request packet based on the destination IP address and the IPsec configurations. After the request packet is encrypted and encapsulated, its destination IP address changes to the private IP address of the VPN gateway.
  2. The on-premises gateway device queries the route table and forwards the request packet to the virtual border router (VBR) based on the new destination IP address.

VBR
  After the VBR receives the request packet, it queries the route table and forwards the request packet to the CEN instance.

CEN instance
  After the CEN instance receives the request packet, it queries the route table and forwards the request packet to the VPC.

VPC
  After the VPC receives the request packet, it queries the route table and forwards the request packet to the VPN gateway.

VPN gateway
  1. After the VPN gateway receives the request packet, it decrypts and re-encapsulates the request packet.
  2. The VPN gateway queries the route table and forwards the request packet to the ECS instance based on the destination IP address of the request packet.

Response packet (ECS instance to client)

ECS instance
  1. After the ECS instance receives the request packet, it sends a response packet to the client.
  2. The ECS instance queries the route table and forwards the response packet to the VPN gateway based on the destination IP address of the response packet.

VPN gateway
  1. After the VPN gateway receives the response packet, it encrypts and encapsulates the response packet. After the response packet is encrypted and encapsulated, its destination IP address changes to the VPN IP address of the on-premises gateway device.
  2. The VPN gateway queries the route table and forwards the response packet to the VPC based on the new destination IP address.

VPC
  After the VPC receives the response packet, it queries the route table and forwards the response packet to the CEN instance.

CEN instance
  After the CEN instance receives the response packet, it queries the route table and forwards the response packet to the VBR.

VBR
  After the VBR receives the response packet, it queries the route table and forwards the response packet to the on-premises gateway device.

On-premises gateway device
  1. After the on-premises gateway device receives the response packet, it decrypts and re-encapsulates the response packet.
  2. The on-premises gateway device queries the route table and forwards the response packet to the client based on the destination IP address of the response packet.

Configuration methods

To encrypt a private connection by using a private VPN gateway, you can configure the VPN gateway and the VBR that is connected to the VPN gateway in different ways. The following list describes each configuration method, links to its tutorial, and states what happens to communication after the VPN connection is interrupted.

Method 1
  Configuration: Configure static routing for the VBR and the VPN gateway.
  Tutorial: Encrypt private connections by using static routes
  Impact on communication after the VPN connection is interrupted:
    • The private connection is no longer encrypted.
    • The private connection between the data center and the VPC is interrupted.
      You can manually withdraw the routes that are advertised on the VPN gateway. After you withdraw the routes, the VPC is connected to the data center through the Express Connect circuit and CEN.

Method 2
  Configuration:
    • Configure static routing for the VBR.
    • Configure Border Gateway Protocol (BGP) dynamic routing for the VPN gateway.
    Note You cannot configure BGP dynamic routing for the VBR if static routing is configured for the VPN gateway.
  Tutorial: Encrypt private connections by using static routing and BGP routing
  Impact on communication after the VPN connection is interrupted:
    • The private connection is no longer encrypted.
    • The system automatically withdraws the BGP dynamic routes that are advertised on the VPN gateway.
    • The VPC is connected to the data center through the Express Connect circuit and CEN.

Method 3
  Configuration: Configure BGP dynamic routing for the VBR and the VPN gateway.
  Tutorial: Encrypt private connections by using BGP routing
  Impact on communication after the VPN connection is interrupted:
    • The private connection is no longer encrypted.
    • The system automatically withdraws the BGP dynamic routes that are advertised on the VPN gateway.
    • The VPC is connected to the data center through the Express Connect circuit and CEN.
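The following Python model is an added example, not code from this page or from Alibaba Cloud; it models the VPC route table for the data center CIDR under the three configuration methods and shows the difference that matters to a defender: with method 1 a tunnel outage interrupts the connection, while with methods 2 and 3 the withdrawn BGP routes let traffic continue unencrypted over the Express Connect circuit. The CIDRs, next-hop names and route priorities are assumptions.

```python
import ipaddress

# Constructed sample addressing; the CIDRs, next-hop names and route priorities
# are assumptions for this model, not values from the page.
DC = ipaddress.ip_network("10.0.0.0/16")       # data center
VPC = ipaddress.ip_network("192.168.0.0/16")   # VPC
VPN_GW, CEN = "vpn-gateway", "cen"             # next hops in the VPC route table


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop, priority) entries;
    on equal prefix length the lower priority value wins (assumed tie-break)."""
    hits = [r for r in routes if dst in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]), default=None)


def vpc_routes(method, tunnel_up):
    """VPC route table entries for the data center CIDR under methods 1-3.
    The CEN route (Express Connect path) is always present. The VPN gateway's
    route is static in method 1 and stays when the tunnel drops; in methods 2
    and 3 it is BGP-advertised and withdrawn when the VPN connection drops."""
    routes = [(DC, CEN, 20)]
    if method == 1 or tunnel_up:
        routes.append((DC, VPN_GW, 10))   # preferred over the CEN route while present
    return routes


def send_from_vpc(method, tunnel_up, dst=ipaddress.ip_address("10.0.1.5")):
    """Outcome for a VPC-originated packet addressed to the data center."""
    hit = lookup(vpc_routes(method, tunnel_up), dst)
    if hit is None:
        return "interrupted"
    if hit[1] == VPN_GW:
        # The VPN gateway encrypts and encapsulates: the outer destination becomes
        # the on-premises gateway's VPN IP, and VPC -> CEN -> VBR carry ciphertext.
        return "encrypted" if tunnel_up else "interrupted"   # static route, dead tunnel
    return "unencrypted"   # CEN route: plaintext over the Express Connect circuit


def audit(method):
    """Before choosing a method: does connectivity survive a tunnel outage,
    and if so, does it silently revert to plaintext?"""
    up, down = send_from_vpc(method, True), send_from_vpc(method, False)
    return {"tunnel_up": up, "tunnel_down": down,
            "silent_plaintext_fallback": down == "unencrypted"}


if __name__ == "__main__":
    for m in (1, 2, 3):
        print(f"method {m}: {audit(m)}")
```

Because methods 2 and 3 keep the connection up in plaintext after an outage, the tunnel state and the presence of the VPN gateway's advertised routes are the signals to monitor; an outage is not visible as a connectivity failure.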