You can create IPsec-VPN connections between multiple sites and locations. With the VPN-Hub function, the connected sites can communicate with the connected VPC, and also communicate with each of the other sites. VPN-Hub meets the needs of large enterprises to establish intranet communications between different sites.

VPN-Hub overview

The VPN-Hub function is enabled by default. To achieve multi-site connections, you must create corresponding IPsec-VPN connections. A VPN Gateway can have up to ten IPsec-VPN connections. Therefore, you can connect up to ten office sites with one VPN Gateway.

The following scenario is used to illustrate connecting office sites in the cities of Shanghai, Hangzhou, and Ningbo. Before you begin, make sure that you have obtained the public IP address of the gateway device for each office site.



As shown in the following figure, to connect the three office sites (Shanghai, Hangzhou, and Ningbo), you only need to create a VPN Gateway and three customer gateways, and establish three IPsec-VPN connections.
Note Make sure the IP address ranges of all the connected sites do not conflict with each other.


Step 1: Create a VPN Gateway

Create a VPN Gateway in the region to which the VPC belongs. Three IPsec-VPN connections will be established for the VPN Gateway and are connected to the office sites in Shanghai, Hangzhou, and Ningbo. For more information, see Create a VPN Gateway.
Note Make sure that the IPsec-VPN function is enabled.

Step 2: Create an IPsec-VPN connection to the Shanghai office

  1. Create a customer gateway and register the public IP address of the local gateway device to Alibaba Cloud to establish an IPsec-VPN connection.

    The IP address of the customer gateway is the public IP address of the gateway device of the Shanghai office. For more information, see Create a customer gateway.

  2. Create an IPsec-VPN connection.

    Create an IPsec connection to connect the VPN Gateway and the customer gateway. For more information, see Create an IPsec-VPN connection.

  3. Load VPN configurations to the gateway device of the local office site.

    Load VPN configurations according to the requirements on the gateway device of the local office site. For more information, see Local gateway configuration.

Step 3: Create additional IPsec-VPN connections for the other two sites

Follow the same procedures in the Step 2 to create two IPsec connections for the Hangzhou office and the Ningbo office.

Step 4: Configure the VPN Gateway route

To configure the VPN Gateway route, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, select the region of the VPN Gateway.
  4. Find the target VPN Gateway, and click the instance ID in the Instance ID/Name column.
  5. On the Destination-based Routing page, click Add Route Entry.
  6. Configure three route entries according to the following information and then click OK.
    • Destination CIDR Block: Enter the private CIDR block to be accessed.
    • Next Hop: Select the target IPsec-VPN connection instance.
    • Publish to VPC: Select whether to publish the new route to the VPC route table.
    • Weight: Select a weight.

    The following are the destination-based routes configured in this example:

    Destination CIDR Block Next Hop Publish to VPC Weight
    10.10.10.0/24 IPsec-VPN connection instance 1 Yes 100
    10.10.20.0/24 IPsec-VPN connection instance 2 Yes 100
    10.10.30.0/24 IPsec-VPN connection instance 3 Yes 100

The IPsec-VPN connections to the three office sites have now been established. Each office site can now communicate with the VPC and can communicate with the other office sites over their intranet.