Multinational corporations can use Express Connect to connect two VPCs from different regions and use VPN Gateway to connect local sites within regions with low latency at a low cost.
Multinational corporations often have the need to deploy applications in multiple countries and interconnect Operation and Maintenance systems around the world. For example, an enterprise deploys two sets of applications in the eastern United States and Shanghai, and needs to connect offices worldwide as shown in the following figure:
Typical worldwide communication and data transfer solutions, and risks include the following:
| Solution | Characteristics and risks |
|---|---|
| Direct connections over the Internet | Sensitive, proprietary data is disclosed over the Internet and the network quality is unstable. |
| IPsec VPN | Provides high security, but is still dependent on the public Internet. The multinational network quality is limited by the Internet network infrastructure. |
| Dedicated leased line | High security and high network quality, but with relatively high costs. |
Alibaba Cloud provides a secure, high-quality, and relatively low-cost solution for connecting office networks around the world by combining VPN Gateway and Express Connect.
You can use Express Connect to connect two VPCs and use VPN Gateway to connect the office sites to VPCs as shown in the following figure:
Create a VPC and a VSwitch.
Configure a local gateway in each office and make sure a static public IP address is available.
The IP address ranges of the various sites cannot be in conflict with one another.
You can create two IPsec connections to connect the offices in the East US 1 region to the VPC. With VPN-Hub, the connected offices can communicate with each other. For more information, see Multi-site connections.
Create a VPN gateway for the VPC in the East US 1 region. For more information, see Manage a VPN gateway.
Create two customer gateways using the public IP addresses of the two offices. For more information, see Create a customer gateway.
Create two IPsec connections to connect the VPN gateway and the customer gateways. For more information, see Manage an IPsec connection.
Local network: 0.0.0.0/0
Note: We recommend that you set the local network to 0.0.0.0/0, which greatly simplifies the configuration. Only one IPsec connection is required per office, and the existing configurations do not need to be changed when new IPsec connections are created.
Remote network: 10.10.10.0/24 and 10.10.20.0/24
Configure the local gateway according to the configured IPsec connections. For more information, see Local gateway configurations.
Follow the procedure in Step 1 to create two IPsec connections to connect the offices in Shanghai to the Shanghai VPC.
You can connect the two VPCs by creating a pair of Express Connect router interfaces. For more information, see VPC interconnection.
In the left-side navigation panel, click Route Tables.
Click the China East 1 (Hangzhou) region and find the route table of the connected VPC.
Click Add Route Entry.
Add the following route entries for VPC1 (172.16.0.0/16):
| Destination CIDR block | Next hop type | Next hop | Description |
|---|---|---|---|
| 10.10.10.0/24 (US office 1) | VPN Gateway | VPN gateway created for VPC 1 | Route the traffic destined for 10.10.10.0/24 or 10.10.20.0/24 to the VPN gateway in the US. |
| 10.10.20.0/24 (US office 2) | VPN Gateway | VPN gateway created for VPC 1 | |
| 172.17.0.0/16 (Shanghai VPC) | VPC | VPC2 | Route the traffic destined for the destination CIDR block to VPC 2. |
| 10.20.10.0/24 (Shanghai office 3) | VPC | VPC2 | |
| 10.20.20.0/24 (Shanghai office 4) | VPC | VPC2 | |
Add the following route entries to VPC2 (172.17.0.0/16):
| Destination CIDR block | Next hop type | Next hop | Description |
|---|---|---|---|
| 10.20.10.0/24 (Shanghai office 3) | VPN Gateway | VPN gateway created for VPC 2 | Route the traffic destined for 10.20.10.0/24 or 10.20.20.0/24 to the VPN gateway in Shanghai. |
| 10.20.20.0/24 (Shanghai office 4) | VPN Gateway | VPN gateway created for VPC 2 | |
| 172.16.0.0/16 (US VPC) | VPC | VPC1 | Route the traffic destined for the destination CIDR block to VPC 1. |
| 10.10.10.0/24 (US office 1) | VPC | VPC1 | |
| 10.10.20.0/24 (US office 2) | VPC | VPC1 | |
Configure security rules for the ECS instances in the VPC networks according to your individual business requirements.
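The following script is an added example, not part of this page or of Alibaba Cloud's tooling: it encodes the two route tables above as plain data, verifies the prerequisite that no site CIDR blocks overlap, and traces how a packet is forwarded hop by hop (VPC to peer VPC to VPN gateway) before the routes are applied. The next-hop names `vpn-gw-vpc1` and `vpn-gw-vpc2` are placeholders, and the system routes for each VPC's own CIDR block are omitted.

```python
import ipaddress

# Constructed from the topology on this page (sample values, not live config).
# Each VPC's own CIDR block is reached via its system route and is not listed.
ROUTE_TABLES = {
    "VPC1": {  # US VPC, 172.16.0.0/16
        "10.10.10.0/24": ("VPN Gateway", "vpn-gw-vpc1"),
        "10.10.20.0/24": ("VPN Gateway", "vpn-gw-vpc1"),
        "172.17.0.0/16": ("VPC", "VPC2"),
        "10.20.10.0/24": ("VPC", "VPC2"),
        "10.20.20.0/24": ("VPC", "VPC2"),
    },
    "VPC2": {  # Shanghai VPC, 172.17.0.0/16
        "10.20.10.0/24": ("VPN Gateway", "vpn-gw-vpc2"),
        "10.20.20.0/24": ("VPN Gateway", "vpn-gw-vpc2"),
        "172.16.0.0/16": ("VPC", "VPC1"),
        "10.10.10.0/24": ("VPC", "VPC1"),
        "10.10.20.0/24": ("VPC", "VPC1"),
    },
}
SITE_CIDRS = ["172.16.0.0/16", "172.17.0.0/16", "10.10.10.0/24",
              "10.10.20.0/24", "10.20.10.0/24", "10.20.20.0/24"]


def overlapping_cidrs(cidrs):
    """Pairs of CIDR blocks that overlap; the prerequisite requires an empty list."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def lookup(table, dst):
    """Longest-prefix match of dst against one VPC route table; None if no entry."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(c) for c in table
                if addr in ipaddress.ip_network(c)),
               key=lambda n: n.prefixlen, default=None)
    return table[str(best)] if best else None


def trace(start_vpc, dst, tables=ROUTE_TABLES):
    """Follow next hops from start_vpc until traffic exits via a VPN gateway."""
    path, vpc = [start_vpc], start_vpc
    while True:
        hop = lookup(tables[vpc], dst)
        if hop is None:
            return path + ["no route"]  # traffic would be dropped in this VPC
        kind, target = hop
        if target in path:
            return path + ["loop"]  # misconfigured peer routes pointing back
        path.append(target)
        if kind != "VPC":
            return path
        vpc = target
```

Running `trace("VPC1", "10.20.10.5")` returns `["VPC1", "VPC2", "vpn-gw-vpc2"]`, showing that traffic to a Shanghai office crosses the Express Connect link first and only then reaches the Shanghai VPN gateway.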