This topic describes how to attach an IPsec-VPN connection to a transit router. You can create an IPsec-VPN connection to connect a data center to a transit router, which allows the data center to communicate with other networks.
Limits
- Only Enterprise Edition transit routers support VPN connections.
- Only IPsec-VPN connections in some regions can be attached to transit routers. For more information about the regions that support IPsec-VPN connections, see Regions that support different features of VPN Gateway.
If you need to attach an IPsec-VPN connection in the China (Nanjing - Local Region), China (Ulanqab), China (Heyuan), China (Guangzhou), China (Chengdu), Japan (Tokyo), Australia (Sydney), Malaysia (Kuala Lumpur), South Korea (Seoul), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), or UK (London) region to a transit router, contact your sales manager or submit a ticket.
- After you attach an IPsec-VPN connection to an Enterprise Edition transit router, the transit router automatically adds a routing policy whose direction is Import to Regional Gateway, priority is 5000, and action is Deny to all the route tables of the transit router. This routing policy disables network communication among the IPsec-VPN connection, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances.
- If you directly connect your data center to a transit router by using an IPsec-VPN connection when the data center is already connected to the transit router over an IPsec-VPN connection and a VPC connection, the VPC connection and the IPsec-VPN connections do not support load balancing.
- The following table lists the resource quotas.

Item | Default quota | Adjustable |
---|---|---|
The maximum number of IPsec-VPN connections for equal-cost multipath (ECMP) supported by a transit router | 16 | Not supported |
The maximum number of transit routers supported by an IPsec-VPN connection | 1 | Not supported |

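The routing policy that the transit router adds automatically (direction Import to Regional Gateway, priority 5000, action Deny) can be checked for on every route table. The following Python sketch is an added example, not Alibaba Cloud code: the record layout, route table names, and sample policies are constructed, and it assumes that a smaller priority value is evaluated first.

```python
# Added audit sketch. The record layout below is hypothetical (not an
# Alibaba Cloud API schema); export your own policies into this shape.
ISOLATED = {"VPN", "VBR", "CCN"}  # instance types the default policy keeps apart
DIRECTION = "Import to Regional Gateway"
DEFAULT_PRIORITY = 5000


def is_default_deny(policy):
    """True for the policy the page says is added automatically."""
    return (policy["direction"] == DIRECTION
            and policy["priority"] == DEFAULT_PRIORITY
            and policy["action"] == "Deny")


def reopened_pairs(policy):
    """Pairs of isolated instance types that a Permit policy lets through.
    An empty or missing type list is treated as "match any type"."""
    src = set(policy.get("source_types") or ISOLATED) & ISOLATED
    dst = set(policy.get("destination_types") or ISOLATED) & ISOLATED
    return sorted((s, d) for s in src for d in dst)


def audit_route_table(policies):
    """Return findings for the routing policies of one route table."""
    findings = []
    if not any(is_default_deny(p) for p in policies):
        findings.append("default Deny policy (priority 5000) is missing")
    for p in policies:
        # Assumption: a smaller priority value is evaluated first, so a
        # Permit below 5000 wins over the default Deny.
        if (p["direction"] == DIRECTION and p["action"] == "Permit"
                and p["priority"] < DEFAULT_PRIORITY):
            for s, d in reopened_pairs(p):
                findings.append(f"priority {p['priority']} Permit reopens {s} -> {d}")
    return findings


# Constructed sample data: three route tables of one transit router.
DEFAULT = {"direction": DIRECTION, "priority": 5000, "action": "Deny",
           "source_types": ["VPN", "VBR", "CCN"],
           "destination_types": ["VPN", "VBR", "CCN"]}
SAMPLE_TABLES = {
    "rtb-default": [DEFAULT],
    "rtb-prod": [DEFAULT, {"direction": DIRECTION, "priority": 100,
                           "action": "Permit", "source_types": ["VPN"],
                           "destination_types": ["VBR"]}],
    "rtb-test": [{"direction": DIRECTION, "priority": 200, "action": "Permit",
                  "source_types": ["VPC"], "destination_types": ["VPN"]}],
}
```

Calling `audit_route_table` on each entry of `SAMPLE_TABLES` returns an empty list for a table that carries only the default policy, and one finding per reopened pair or missing default otherwise.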
Billing methods
After you attach an IPsec-VPN connection to a transit router, the billable items include transit router connections, transit router data forwarding, IPsec-VPN connections, data transfer, and outbound data transfer. The billable items vary based on the network type of the IPsec-VPN connection. The following table describes the billing rules for connections between transit routers and IPsec-VPN connections.
Billing rules for Internet connections between transit routers and IPsec-VPN connections

No. | Billable item | Description | References |
---|---|---|---|
① | Transit router connection | The connection between the transit router and the IPsec-VPN connection | |
② | Transit router data forwarding | Data forwarding from the IPsec-VPN connection to the transit router | |
③ | IPsec-VPN connection | The IPsec-VPN connection | |
④ | Data transfer | Data transfer from the IPsec-VPN connection to the data center | |

Billing rules for private connections between transit routers and IPsec-VPN connections

No. | Billable item | Description | References |
---|---|---|---|
① | Transit router connection | The connections between the VBR and IPsec-VPN connection | |
② | Transit router data forwarding | Data forwarding from the VBR to the transit router | |
③ | IPsec-VPN connection | The IPsec-VPN connection | |
④ | Outbound data transfer fees | Data transfer from the VBR to the data center | |

Procedure
Before you can attach an IPsec-VPN connection to a transit router, you must create an IPsec-VPN connection. You can attach the IPsec-VPN connection to the transit router to allow your data center to access Alibaba Cloud. The data center is also connected to the transit router over the IPsec-VPN connection and can communicate with other networks that are attached to the transit router.
You can create IPsec-VPN connections in the Cloud Enterprise Network (CEN) console or in the VPN Gateway console. You can create IPsec-VPN connections that belong to a different Alibaba Cloud account. The following figure shows how to attach an IPsec-VPN connection that belongs to your Alibaba Cloud account or a different Alibaba Cloud account to a transit router in the CEN or VPN Gateway console.
- When you create an IPsec-VPN connection, you must specify a customer gateway. Make sure that a customer gateway is deployed before you create an IPsec-VPN connection.
- If you create an IPsec-VPN connection in the VPN Gateway console, set Associate Resource to Do Not Associate.

Prerequisites
- Create a customer gateway
- Create and manage IPsec-VPN connections
- Create a transit router
  Important: If you need to create a VPN connection in one of the Australia (Sydney), Germany (Frankfurt), and Indonesia (Jakarta) regions, you must also create a CIDR block for the transit router. An IP address is automatically allocated from the CIDR block to the IPsec-VPN connection. For more information about transit router CIDR blocks, see Transit router CIDR blocks.
- Grant the permissions on the IPsec-VPN connection to a transit router of another Alibaba Cloud account
Connect a transit router to an IPsec-VPN connection
Manage automatic route advertising from the transit router to the IPsec-VPN connection
If BGP dynamic routing is enabled for the IPsec-VPN connection and data center, you can perform the following steps to specify whether the transit router automatically advertises routes that are learned from other network instances to the IPsec-VPN connection.
Associate the attachment with another transit router route table
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.
- On the tab, click the ID of the transit router that you want to manage.
- On the Intra-region Connections tab, find the attachment that you want to manage and click the ID.
- In the Attachment Details panel, find the Basic Information section and click Modify next to Associated Route Table.
- In the Modify Route Table dialog box, select a route table and click OK.
References
- CreateTransitRouterVpnAttachment: attaches an IPsec-VPN connection to a transit router.
- UpdateTransitRouterVpnAttachmentAttribute: modifies the configuration of the attachment between a transit router and an IPsec-VPN connection.
- UpdateTransitRouterRouteTable: associates the attachment between a transit router and an IPsec-VPN connection with another transit router route table.