Attaching an IPsec-VPN connection to a transit router integrates your on-premises network into the Cloud Enterprise Network (CEN). The Transit Router acts as a centralized hub, allowing your data center to communicate with all attached network instances (VPCs, VBRs, and other VPNs).
Centralized management: A single VPN connection to the transit router provides access to all attached VPCs, eliminating the need for separate VPN connections to each VPC.
Simplified topology: A hub-and-spoke architecture replaces complex full-mesh VPN configurations. Adding a new VPC requires only attaching it to the transit router — no VPN changes needed.
Global reach: Traffic between regions flows over the Alibaba Cloud backbone rather than the public Internet, providing lower latency and higher reliability.
Cross-account connectivity: Attach an IPsec-VPN connection owned by one account to a transit router in another account, enabling centralized network management across organizational boundaries while keeping billing and ownership separate.
How it works
To connect your data center to Alibaba Cloud through a transit router, you attach an IPsec-VPN connection to the transit router. Once attached, your data center can communicate with all networks connected to the transit router, such as VPCs and other VPN or VBR connections.
Same account: When you create a VPN attachment in the CEN console, the IPsec-VPN connection is created automatically as part of the process.
Cross-account: You must create the IPsec-VPN connection separately in advance, then attach the existing connection to the transit router.
Traffic flow
All traffic between attached networks passes through the transit router. Packets from VPC subnets destined for the on-premises network route through the transit router and out via the IPsec tunnel. In the other direction, your on-premises device (Customer Gateway) sends traffic through the IPsec tunnel to the transit router, which forwards it to the target VPC based on its route table.
For private connections (over a VBR or ECR instead of the Internet), see Encrypt private connections over Express Connect circuits.
Starting November 26, 2024, newly created IPsec-VPN connections default to dual-tunnel mode. This mode provides active/standby redundancy and cross-zone disaster recovery. For more information, see IPsec-VPN connections associated with transit routers support the dual-tunnel mode.
Considerations
Edition: Only Enterprise Edition Transit Routers support VPN connections.
Region: For regional constraints, see Regions that support IPsec-VPN.
Routing policy: A Reject routing policy (Priority 5000) is automatically added to prevent loops between VPN, VBR, and CCN connections. This policy cannot be modified or deleted.
ECMP: If your data center already connects to the transit router through a VPN Gateway–VPC path, and you also attach a direct VPN connection to the same transit router, ECMP load balancing between the two paths is not supported.
Quotas:

| Quota | Default | Adjustable |
| --- | --- | --- |
| VPN attachments per transit router | 50 | |
| ECMP-capable VPN attachments per transit router | 16 | No |
| Transit routers per IPsec-VPN connection | 1 | No |
Prerequisites
General requirements:
Create an Enterprise Edition transit router in the target region. Specify a CIDR block for the transit router. IP addresses for IPsec-VPN connections are allocated from this block. For more information, see CIDR block of the transit router.
Create a Customer Gateway and register your on-premises device.
BGP requirements: To use BGP, the Customer Gateway must have an ASN (Autonomous System Number) configured.
Cross-account requirements (apply when the IPsec-VPN connection and the transit router belong to different Alibaba Cloud accounts):
Create the IPsec-VPN connection and select Cross Account to indicate that the connection will be attached to a transit router in another account.
Cross-account authorization: On the IPsec-VPN connection details page, authorize the account that owns the transit router to attach this connection.
Create a VPN Connection (Same Account)
You can create a new VPN connection or select an existing one during the attachment process.
The first time you perform this operation, the system creates the service-linked role AliyunServiceRoleForVpn.
Console
Dual-Tunnel Mode
Log on to the CEN console, click the ID of the CEN instance.
On the tab, find the transit router in the target region, and click .
Select VPN as Instance Type, and set Resource Owner ID to Current Account.
For Individual Resource, choose one of the following:
Create Resource: Create a new IPsec-VPN connection. Configure all parameters below (Basic Information, Tunnel Settings, Encryption Settings, BGP Settings, and Advanced Settings), then click OK.
Select Resource: Select an existing IPsec-VPN connection. Only Advanced Settings need to be configured. All other parameters are inherited from the existing connection.
Single-Tunnel Mode
New IPsec-VPN connections use dual-tunnel mode by default. This section is for managing and modifying existing single-tunnel connections only.
Single-tunnel mode uses the same parameters as dual-tunnel mode, except you configure only one tunnel.
API
CreateTransitRouterVpnAttachment: Attach an IPsec-VPN connection to a transit router.
UpdateTransitRouterVpnAttachmentAttribute: Modify the configuration between a transit router and an IPsec-VPN connection.
Attach a VPN Connection (Cross-Account)
You must create and authorize the VPN connection before attaching it.
Console
Account A (IPsec-VPN Connection Owner):
Create the IPsec-VPN connection: select Cross Account.
Cross-account authorization: On the IPsec-VPN connection details page, authorize Account B (the account that owns the transit router) to attach this connection.
Account B (CEN Owner):
Obtain the UID of Account A and the IPsec-VPN connection ID.
Log on to the CEN console, click the ID of the CEN instance.
On the tab, find the transit router in the target region, and click .
Select VPN as Instance Type, set Resource Owner ID to Different Account, and enter Account A's UID.
Select the authorized IPsec-VPN connection from the Network Instance list.
API
CreateTransitRouterVpnAttachment: Attach an IPsec-VPN connection to a transit router.
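The console and the official SDK build and sign the CreateTransitRouterVpnAttachment call for you; the example below, which is added here and is not code from the page or from Alibaba Cloud, shows what that signed request contains for both the same-account and the cross-account case. It assumes the CEN API is the RPC-style endpoint cbn.aliyuncs.com with Version 2017-09-12, that the request takes CenId, TransitRouterId, RegionId, VpnId, VpnOwnerId and AutoPublishRouteEnabled, and that requests are signed with the signature-v1 scheme (HMAC-SHA1 over the sorted, percent-encoded query). The AccessKey pair and resource IDs are placeholders.

```python
"""Signed CreateTransitRouterVpnAttachment request (added example).

Assumptions, not taken from the page: endpoint cbn.aliyuncs.com, API
Version 2017-09-12, parameter names CenId / TransitRouterId / RegionId /
VpnId / VpnOwnerId / AutoPublishRouteEnabled, and signature v1
(HMAC-SHA1). Credentials and IDs below are placeholders.
"""
import base64
import hashlib
import hmac
import urllib.parse
import uuid
from datetime import datetime, timezone

ENDPOINT = "https://cbn.aliyuncs.com/"
API_VERSION = "2017-09-12"  # assumed CEN API version


def percent_encode(value: str) -> str:
    """RFC 3986 encoding as signature v1 requires: only A-Z a-z 0-9 - _ . ~
    stay literal; space becomes %20, '*' becomes %2A, '/' becomes %2F."""
    return urllib.parse.quote(str(value), safe="-_.~")


def canonicalize(params: dict) -> str:
    """Sort by parameter name and join percent-encoded name=value pairs."""
    return "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )


def sign(params: dict, access_key_secret: str, http_method: str = "GET") -> str:
    """Signature = base64(HMAC-SHA1(secret + '&', method & %2F & encoded query)).
    `params` must not yet contain the Signature parameter."""
    string_to_sign = (
        f"{http_method}&{percent_encode('/')}&{percent_encode(canonicalize(params))}"
    )
    digest = hmac.new(
        (access_key_secret + "&").encode(), string_to_sign.encode(), hashlib.sha1
    ).digest()
    return base64.b64encode(digest).decode()


def build_vpn_attachment_request(access_key_id, access_key_secret, cen_id,
                                 transit_router_id, region_id, vpn_id,
                                 vpn_owner_id=None, auto_publish_route=True,
                                 timestamp=None, nonce=None):
    """Return the full query parameters, including Signature.

    vpn_owner_id is the UID of the account that owns the IPsec-VPN connection
    (Account A in the cross-account procedure); leave it None when the
    connection and the transit router belong to the same account.
    """
    params = {
        "Action": "CreateTransitRouterVpnAttachment",
        "Version": API_VERSION,
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),  # replay protection
        "Timestamp": timestamp
        or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "CenId": cen_id,
        "TransitRouterId": transit_router_id,
        "RegionId": region_id,
        "VpnId": vpn_id,
        "AutoPublishRouteEnabled": "true" if auto_publish_route else "false",
    }
    if vpn_owner_id is not None:  # cross-account only
        params["VpnOwnerId"] = str(vpn_owner_id)
    params["Signature"] = sign(params, access_key_secret)
    return params


def request_url(params: dict) -> str:
    """Serialize the signed parameters into a GET URL (Signature is encoded too)."""
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote, safe="-_.~")
    return f"{ENDPOINT}?{query}"


if __name__ == "__main__":
    req = build_vpn_attachment_request(
        "AKID-PLACEHOLDER", "SECRET-PLACEHOLDER", "cen-xxxx", "tr-xxxx",
        "cn-hangzhou", "vco-xxxx", vpn_owner_id="123456789012")
    print(request_url(req))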
Configure Routing
Traffic cannot flow until you configure routes on all three sides: the transit router, the VPC, and the on-premises device.
Transit Router:
Verify that routes to your on-premises CIDR exist in the Transit Router route table. These routes can be:
BGP: Routes are automatically learned if BGP is enabled on the VPN connection.
Static: Manually add routes in the Transit Router route table.
To change the route table associated with the VPN connection, go to the Attachment Details panel and click Modify next to Associated Route Table.
Warning: If route synchronization is enabled, changing the associated route table withdraws the current advertised routes and re-synchronizes routes from the new table.
VPC: Add routes for return traffic to your on-premises network. You can use either method:
Route synchronization: Enable Transit Router route table propagation on the VPC route table to automatically learn routes from the Transit Router.
Static route: Manually add a route entry.
Destination: the on-premises CIDR block (for example, 172.16.0.0/16). Next hop: the transit router attachment.
On-premises device: Add routes to the VPC CIDR blocks with the IPsec tunnel interface as the next hop.
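The three-sided routing above is easy to get wrong when address spaces collide, and the troubleshooting table below lists CIDR overlap as a cause of BGP failure. The following script, added here and not code from the page, checks that the transit router CIDR block (from which tunnel addresses are allocated), the VPC CIDR blocks and the on-premises CIDR blocks are pairwise disjoint, then derives the static entries each side needs. The next-hop labels "tr-attach-vpn", "tr-attach-vpc" and "ipsec0", and all CIDR values, are constructed placeholders standing in for the VPN attachment, the VPC attachment and the on-premises tunnel interface.

```python
"""Address-space check and three-sided route plan for a transit-router
VPN attachment (added example, not code from the page).

Inputs are constructed placeholders. The next-hop labels are assumed
names for the VPN attachment, the VPC attachment and the on-premises
tunnel interface; substitute the real identifiers.
"""
import ipaddress


def _labelled_networks(tr_cidr, vpc_cidrs, onprem_cidrs):
    """Parse every CIDR (strict: host bits must be zero) and tag its role."""
    out = [("transit-router", ipaddress.ip_network(tr_cidr))]
    out += [(f"vpc:{c}", ipaddress.ip_network(c)) for c in vpc_cidrs]
    out += [(f"onprem:{c}", ipaddress.ip_network(c)) for c in onprem_cidrs]
    return out


def find_overlaps(tr_cidr, vpc_cidrs, onprem_cidrs):
    """Return (label_a, label_b) for every pair of CIDRs that overlap.

    Tunnel addresses come out of the transit router CIDR block, so it must
    not collide with VPC or on-premises space; VPC and on-premises prefixes
    must be disjoint or the routes on each side become ambiguous.
    """
    nets = _labelled_networks(tr_cidr, vpc_cidrs, onprem_cidrs)
    return [
        (la, lb)
        for i, (la, na) in enumerate(nets)
        for lb, nb in nets[i + 1:]
        if na.overlaps(nb)
    ]


def _collapse(cidrs):
    """Merge adjacent or contained prefixes into the fewest covering routes."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def plan_routes(tr_cidr, vpc_cidrs, onprem_cidrs,
                vpn_attachment="tr-attach-vpn",   # assumed VPN attachment name
                vpc_attachment="tr-attach-vpc",   # assumed VPC attachment name
                tunnel_if="ipsec0"):              # assumed tunnel interface
    """Static entries needed on the transit router, each VPC, and on-premises.

    Raises ValueError instead of emitting a plan when any CIDRs overlap.
    """
    overlaps = find_overlaps(tr_cidr, vpc_cidrs, onprem_cidrs)
    if overlaps:
        raise ValueError(f"overlapping CIDR blocks: {overlaps}")
    onprem_prefixes = _collapse(onprem_cidrs)
    vpc_prefixes = _collapse(vpc_cidrs)
    return {
        # Transit router route table: on-premises prefixes via the VPN
        # attachment (BGP learns these automatically; static needs them added).
        "transit_router": [
            {"destination": p, "next_hop": vpn_attachment} for p in onprem_prefixes
        ],
        # Each VPC route table: return traffic to on-premises via its
        # transit router attachment (or enable route synchronization instead).
        "vpc": {
            v: [{"destination": p, "next_hop": vpc_attachment} for p in onprem_prefixes]
            for v in vpc_cidrs
        },
        # On-premises device: VPC prefixes via the IPsec tunnel interface.
        "on_premises": [
            {"destination": p, "next_hop": tunnel_if} for p in vpc_prefixes
        ],
    }


if __name__ == "__main__":
    plan = plan_routes("192.168.254.0/24",
                       ["10.0.0.0/16", "10.1.0.0/16"],
                       ["172.16.0.0/24", "172.16.1.0/24"])
    for side, routes in plan.items():
        print(side, routes)
```

The plan collapses adjacent prefixes (two /24s become one /23, two adjacent /16s become one /15) so each side carries the minimum number of entries; if you need the on-premises device to send only exactly the VPC space into the tunnel, skip the collapse for that side and emit one route per VPC CIDR.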
Troubleshooting
For more information, see Troubleshoot IPsec-VPN.
| Issue | Solution |
| --- | --- |
| IPsec tunnel down | Check that the pre-shared key and the IKE/IPsec parameters match on both sides. |
| BGP down | Ensure the Customer Gateway has an ASN configured. Check for CIDR overlap. |
| No connectivity | Check routes on all three sides: the transit router route table, the VPC route table, and the on-premises device. |
Billing
A VPN connection incurs fees for the Transit Router attachment, data forwarding, IPsec-VPN connection, and outbound data transfer. The billable items vary based on the network type (Public or Private).
Public VPN connections
| No. | Item | Description |
| --- | --- | --- |
| ① | Transit router connection | The attachment between the transit router and the IPsec-VPN connection |
| ② | Transit router data forwarding | Data forwarding from the IPsec-VPN connection to the transit router |
| ③ | IPsec-VPN connection instance | The IPsec-VPN connection |
| ④ | Data transfer | Data transfer from the IPsec-VPN connection to the data center |
Private VPN connections
| No. | Item | Description |
| --- | --- | --- |
| ① | Transit router connection | The connection between the VBR and the IPsec-VPN connection |
| ② | Transit router data forwarding | Data forwarding from the VBR to the transit router |
| ③ | IPsec-VPN connection | The IPsec-VPN connection |
| ④ | Outbound data transfer | Data transfer from the VBR to the data center |