This topic describes how to establish IPsec-VPN connections between two virtual private clouds (VPCs) to enable resources in the VPCs to access each other.

VPC name | VPC CIDR block | VPC ID | ECS instance name |
---|---|---|---|
VPC1 | 172.16.0.0/12 | vpc-xxxxz0 | ECS1 |
VPC2 | 10.0.0.0/8 | vpc-xxxxut | ECS2 |
Before you start
Make sure that the private IP addresses of the two VPCs do not overlap with each other.
Step 1: Create a VPN gateway
Perform the following operations to create a VPN gateway:
- Log on to the VPC console.
- In the left-side navigation pane, choose .
- On the VPN Gateways page, click Create VPN Gateway.
- On the buy page, set the following parameters, click Buy Now, and complete the payment.
- Name: Enter a name for the VPN gateway.
- Region: Select the region where you want to deploy the VPN gateway.
Note Make sure that the VPC and the VPN gateway for the VPC are deployed in the same region.
- VPC: Select the VPC to be associated with the VPN gateway.
- Bandwidth: Specify the maximum bandwidth of the VPN gateway. The bandwidth is provided for data transfer over the Internet.
- IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway.
- SSL-VPN: Specify whether to enable SSL-VPN for the VPN gateway. SSL-VPN allows you to connect a client to a VPC from any locations.
- SSL Connections: Specify the maximum number of concurrent SSL connections that the VPN gateway supports.
Note This parameter is available only after SSL-VPN is enabled.
- Billing Cycle: Specify the subscription duration.
- Repeat the preceding steps to create a VPN gateway for the other VPC.
The newly created VPN gateway is in the Preparing state. After about two minutes, the state changes to Normal. If the VPN gateway is in the Normal state, it indicates that the VPN gateway is initialized and ready for use. After the VPN gateway is created, a public IP address is assigned to the VPN gateway.Note It takes about one to five minutes to create a VPN gateway.In this example, the public IP addresses that are assigned to the two VPN gateways are 121.xxx.xx.143 and 118.xxx.xx.149. The following table lists the details of the VPN gateways, VPCs, and public IP addresses.
VPC VPN gateway Public IP address Name: VPC 1
ID: vpc-xxxxz0
CIDR block: 172.16.0.0/12
vpn-xxxxxqwj 118.xxx.xx.149 Name: VPC 2
ID: vpc-xxxxut
CIDR block: 10.0.0.0/8
vpn-xxxxxl5z 121.xxx.xx.143
Step 2: Create a customer gateway
Perform the following operations to create a customer gateway.
- In the left-side navigation pane, choose .
- Select the region where you want to deploy the customer gateway.
- On the Customer Gateways page, click Create Customer Gateway.
- On the Create Customer Gateway page, set the following parameters, and click OK.
- Name: Enter a name for the customer gateway.
- IP Address: Enter the public IP address of the gateway device in the on-premises data center to be connected to the VPC.
- Description: Enter a description for the customer gateway.
- Repeat the preceding operations to create another customer gateway with another public
IP address.
The following table lists the details of the VPCs, VPN gateways, and customer gateways.
VPC VPN gateway Public IP address Customer gateway Name: VPC 1
ID: vpc-xxxxz0
CIDR block: 172.16.0.0/12
vpn-xxxxxqwj 121.xxx.xx.143 user_VPC1 Name: VPC 2
ID: vpc-xxxxut
CIDR block: 10.0.0.0/8
vpn-xxxxxl5z 118.xxx.xx.149 user_VPC
Step 3: Create an IPsec-VPN connection
- In the left-side navigation pane, choose .
- Select the region where you want to create an IPsec-VPN connection.
- On the IPsec Connections page, click Create IPsec Connection.
- On the Create IPsec Connection page, set the following parameters for the IPsec-VPN connection, and click OK.
- Name: Enter a name for the IPsec-VPN connection.
- VPN Gateway: Select one of the two VPN gateways that you created in Step 1. In this example, the vpn-xxxxxqwj VPN gateway that is associated with VPC 1 is selected.
- Customer Gateway: Select the customer gateway to be connected through the IPsec-VPN connection. In this example, the user_VPC 2 customer gateway is selected.
- Source CIDR Block: Enter the CIDR block of the VPC with which the selected VPN gateway is associated. In this example, 172.16.0.0/12 is entered.
- Destination CIDR Block: Enter the CIDR block of the VPC to be connected. In this example, the CIDR block of VPC 2 is entered, which is 10.0.0.0/8.
- Immediate Effect: Specify whether to start connection negotiations immediately.
- Yes: Negotiates immediately after the configuration is completed.
- No: Negotiates when data transfer is detected.
- Pre-shared Key: Enter the pre-shared key. In this example, 1234567 is entered. You must set the same pre-shared key for both IPsec-VPN connections.
- Health Check: Enable health checks, and enter the destination IP address, source IP address, retry
interval, and number of retries.
Use the default settings for other parameters.
- Repeat the preceding operations to create an IPsec-VPN connection for VPC 2.
Step 5: Configure routes for each VPN gateway
Perform the following operations to configure a route for each VPN gateway.
- In the left-side navigation pane, choose .
- Select the region where the VPN gateway is deployed.
- On the VPN Gateways page, find the VPN gateway for which you want to configure routes, and click its ID in the Instance ID/Name column.
- In the Destination-based routing tab, click Add Route Entry.
- In the Add Route Entry dialog box, set the following parameters, and click OK.
- Destination CIDR Block: Enter the CIDR block of VPC 2.
- Next Hop: Select an IPsec connection.
- Publish to VPC: Specify whether to automatically publish new routes to the VPC route table. In this example, Yes is selected.
- Weight: Specify a weight. In this example, 100 is entered.
- Repeat the preceding operations to configure a route for the other VPN gateway.
Step 5: Test the connectivity
Log on to ECS 1 in VPC 1, and then ping the private IP address of ECS 2 in VPC 2 (ECS 2) to test the connectivty.
