edit-icon download-icon

Configure multi-site connections

Last Updated: Apr 11, 2018

VPN-Hub overview

You can create IPsec connections between multiple sites and locations. With the VPN-Hub function, the connected sites can communicate with the connected VPC, and also communicate with each of the other sites. VPN-Hub meets the needs of large enterprises to establish intranet communications between different sites.

The VPN-Hub function is enabled by default. To achieve multi-site connections, you will need to create corresponding IPsec connections. A VPN Gateway can have up to ten IPsec connections. Therefore, you can connect up to ten office sites with one VPN Gateway.

The following scenario is used to illustrate connecting office sites in the cities of Shanghai, Hangzhou, and Ningbo:


To connect these three sites (Shanghai, Hangzhou, and Ningbo), you need to create a VPN Gateway, three customer gateways, and then create IPsec connections to connect them. This is illustrated in the following diagram:

Note: Make sure the IP address ranges of all the connected sites do not conflict with each other.


Step 1: Create a VPN Gateway

Create a VPN Gateway for the VPC. For more information, see Manage a VPN Gateway.

Note: Make sure that the IPsec-VPN function is enabled.

Step 2: Create an IPsec connection to the Shanghai office

  1. Create a customer gateway using the public IP address configured for the local gateway in the Shanghai office.

    For more information, see Manage a customer gateway.

  2. Create an IPsec connection.

    Create an IPsec connection to connect the VPN Gateway and the customer gateway. For more information, see Manage an IPsec connection.

    The following are the configurations of the IPsec connection used in this tutorial:

    • Local network:

      We recommend that you set local network to, which greatly simplifies the network. Only one IPsec connection is required per office and the current configurations do not need to be changed when a new IPsec connection is created.

    • Remote network: the IP address range of the local data center. In this example, it is the IP address range of the Shanghai office:

  3. Configure the local gateway.

    Download the configurations of the IPsec connection, then configure the local gateway. For more information, see Local gateway configurations.

Step 3: Create additional IPsec connections for the other two sites

Follow the same procedures in the Step 2 to create two IPsec connections for the Hangzhou office and the Ningbo office.

Step 4: Configure routing

  1. In the left-side navigation panel, and click Route Tables.

  2. Click the China East 1 (Hangzhou) region, and locate the route table of the connected VPC.

  3. Click Add Route Entry.

  4. Configure the route entry, and click OK.

    The following three route entries are added in this tutorial:

    Destination CIDR blockNext hop typeNext hop GatewayThe VPN Gateway created in the Step 1 GatewayThe VPN Gateway created in the Step 1 GatewayThe VPN Gateway created in the Step 1

The IPsec connections to the three office sites have now been established. Each office site can now communicate with the VPC and, can communicate with the other office sites over their intranet.

Thank you! We've received your feedback.