You can create IPsec connections between multiple sites and locations. With the VPN-Hub function, the connected sites can communicate with the connected VPC, and also communicate with each of the other sites. VPN-Hub meets the needs of large enterprises to establish intranet communications between different sites.

VPN-Hub overview

The VPN-Hub function is enabled by default. To achieve multi-site connections, you must create corresponding IPsec connections. A VPN Gateway can have up to ten IPsec connections. Therefore, you can connect up to ten office sites with one VPN Gateway.

The following scenario is used to illustrate connecting office sites in the cities of Shanghai, Hangzhou, and Ningbo. Before you begin, make sure that you have obtained the public IP address of the gateway device for each office site.



As shown in the following figure, to connect the three office sites (Shanghai, Hangzhou, and Ningbo), you only need to create a VPN Gateway and three customer gateways and establish three IPsec connections.
Note Make sure the IP address ranges of all the connected sites do not conflict with each other.


Step 1. Create a VPN Gateway

Create a customer gateway using the public IP address configured for the local gateway in the Shanghai office. For more information, see Manage a VPN Gateway.
Note Make sure the IPsec-VPN function is enabled.

Step 2: Create an IPsec connection to the Shanghai office

  1. Create a customer gateway using the public IP address configured for the local gateway in the Shanghai office.

    For more information, see Create a customer gateway.

  2. Create an IPsec connection.

    Create an IPsec connection to connect the VPN Gateway and the customer gateway. For more information, see Create an IPsec connection.

    • Local network: 0.0.0.0/0.
      Note We recommend that you set local network to 0.0.0.0/0, which greatly simplifies the network. Only one IPsec connection is required per office and the current configurations do not need to be changed when new IPsec connections are created.
    • Remote network: the IP address range of the local data center. In this example, it is the IP address range of the Shanghai office: 10.10.10.0/24.

  3. Configure the local gateway according to the configured IPsec connections.

    Download the configurations of the IPsec connection, then configure the local gateway.  For more information, see Local gateway configurations.

Step 3: Create additional IPsec connections for the other two sites

Follow the same procedures in the Step 2 to create two IPsec connections for the Hangzhou office and the Ningbo office.

Step 4: Configure the route in VPC

  1. Log on to the VPC console.
  2. In the left-side navigation bar, click Route Tables. Find the route table of the target VPC and click Manage.
  3. On the Route Tables page, click Add Route Entry to add the following routes.
    Destination CIDR block Next hop type Next hop
    10.10.10.0/24 VPN Gateway The VPN Gateway created in the Step 1
    10.10.20.0/24 VPN Gateway The VPN Gateway created in the Step 1
    10.10.30.0/24 VPN Gateway The VPN Gateway created in the Step 1

The IPsec connections to the three office sites have now been established. Each office site can now communicate with the VPC and can communicate with the other office sites over their intranet.