To encrypt the private connection between a data center and a virtual private cloud (VPC), you can create an Express Connect Router (ECR) and use it to connect the virtual border router (VBR) and the VPC. Then, you can create a VPN gateway and configure BGP routing for the VPN gateway and the VBR.
Example
An enterprise owns a data center in China (Hangzhou) and has a VPC deployed in the same region. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. Due to business growth, the enterprise wants to connect the VPC to the data center by using an Express Connect circuit and ECR. Additionally, it wants to encrypt the connection between the VPC and the data center for security reasons.
After private connections are created, the enterprise creates a VPN gateway in the VPC and establishes an IPsec-VPN connection between the VPN gateway and the on-premises gateway device. Then, it configures BGP routing for both the VBR and VPN gateway to encrypt the private connection.
Preparations
Private VPN gateways are in invitational preview. Make sure you have already applied for access permissions from your account manager.
You must plan networks for the data center and network instances. Ensure that the CIDR block of the data center does not overlap with those of the network instances. The following table describes the CIDR blocks in this example:
Target | CIDR block planning | IP address
VPC | Primary CIDR block: 10.0.0.0/16; CIDR block of vSwitch 1: 10.0.0.0/24; CIDR block of vSwitch 2: 10.0.1.0/24 | ECS1: 10.0.1.1; ECS2: 10.0.1.2
VBR | 10.0.0.0/30 | VLAN ID: 201; IPv4 address on the Alibaba Cloud side: 10.0.0.2/30; IPv4 address on the user side: 10.0.0.1/30 (in this example, the user side refers to the on-premises gateway device)
ECR | - | ASN: 45104
Data center | 10.0.0.0/30; 192.168.0.0/24 | VPN IP address: 192.168.0.251 (the IP address of the interface on the on-premises gateway device that will establish an IPsec connection with the VPN gateway); IP address of the interface connected to the Express Connect circuit: 10.0.0.1; ASN: 65530
You have created a VPC in the China (Hangzhou) region and deployed applications on the ECS instances in it. For more information, see Create and manage a VPC.
In the scenario, the VPC has two vSwitches. vSwitch 1 is in Zone H and vSwitch 2 is in Zone I. ECS instances are deployed on vSwitch 2. vSwitch 1 is used only to associate with the VPN gateway.
Note: When you create a VPC, we recommend creating a dedicated vSwitch in the VPC for the VPN gateway. This way, the vSwitch can allocate a private IP address to the VPN gateway.
Check the on-premises gateway device in the data center and ensure that it supports standard IKEv1 and IKEv2 protocols. To check whether the gateway device supports these protocols, contact the gateway vendor.
You are familiar with the security group rules that apply to the ECS instances in the VPC and the access control rules that apply to the client in the data center. Make sure that the rules allow the ECS instances in the VPC to communicate with the client in the data center. For more information, see View security group rules and Add a security group rule.
Procedure
Step 1: Deploy an Express Connect circuit
You must deploy an Express Connect circuit to connect the data center to the VPC.
Create an Express Connect circuit.
You must apply for an Express Connect circuit in the China (Hangzhou) region. For more information, see Classic mode or Connection process for hosted connections over Express Connect circuits.
In this example, a dedicated physical connection is selected.
Create a VBR.
Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where you want to create the VBR.
In this example, the China (Hangzhou) region is selected.
On the Virtual Border Routers (VBRs) page, click Create VBR.
In the Create VBR panel, configure the following parameters and click OK.
The following table describes only the key parameters. For more information, see Create and manage a VBR.
Account: Current Account is selected.
Name: VBR is entered.
Express Connect Circuit: Click Dedicated Physical Connection and choose the Express Connect circuit created in Step 1.
VLAN ID: 201 is entered.
Set VBR Bandwidth Value: Select a maximum bandwidth value for the VBR.
Alibaba Cloud Side IPv4 Address: 10.0.0.2 is entered.
Data Center Side IPv4 Address: 10.0.0.1 is entered.
IPv4 Subnet Mask: 255.255.255.252 is entered.
Add a custom route for the VBR to advertise the CIDR block of the data center to Alibaba Cloud.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
Click the Routes tab, and then click Add Route.
In the Add Route panel, configure the following parameters and click OK.
Next Hop Type: Select Physical Connection Interface.
Destination CIDR Block: Enter the CIDR block of the data center. In this example, 192.168.0.0/16 is entered.
Next Hop: Select the Express Connect circuit created in Step 1.
Configure the on-premises gateway device.
You must add the following route to the on-premises gateway device to route traffic destined for the VPC from the data center to the Express Connect circuit.
The following configurations are for reference only. The commands may vary by the network device vendor. Contact your vendor to get information about commands.
ip route 10.0.0.0 255.255.0.0 10.0.0.2
Step 2: Configure an ECR
You must associate the VPC and VBR with an ECR. Then, the data center and VPC can communicate with each other over private connections by using the ECR.
Create an ECR.
Log on to the Express Connect Console.
In the left-side navigation pane, click Express Connect Router (ECR). On the Express Connect Router (ECR) page, click Create ECR.
In the Create ECR dialog box, configure the parameters that are described in the following table, select I have read and understand the billing rules, and then click OK.
Name: Enter the gateway name. In this example, ECR is entered.
ASN: The ASN of the ECR. In this example, 45104 is entered.
Description: Enter a description for the gateway. In this example, ECR-for-test-private-VPN-Gateway is entered.
Connect to the VPC instance.
Log on to the Express Connect console.
In the left-side navigation pane, click Express Connect Router (ECR), and then on the Express Connect Router (ECR) page, click the ECR created in Step 1.
Click the VPC tab, and then click Associate VPC.
In the Associate VPC dialog box, configure the following parameters and click OK.
Resource Owner: The type of account to which the VPC belongs. In this example, Current Account is selected.
Region: The region in which the VPC resides. In this example, China (Hangzhou) is selected.
VPC ID: The ID of the VPC that you want to associate with the ECR. In this example, the ID of the VPC is selected.
Associate the VBR with the ECR.
Log on to the Express Connect console.
In the left-side navigation pane, click Express Connect Router (ECR), and then on the Express Connect Router (ECR) page, click the ECR created in Step 1.
Click the VBR tab, and then click Associate VBR.
In the Associate VBR dialog box, configure the following parameters and click OK.
Resource Owner: The type of account to which the VBR belongs. In this example, Current Account is selected.
Region: The region in which the VBR resides. In this example, China (Hangzhou) is selected.
Network Instance: Select the target VBR instance. In this example, VBR is selected.
Step 3: Deploy a VPN gateway
After you complete the preceding steps, the data center can communicate with the VPC over private connections. However, data transmission is not encrypted. To encrypt the private connection, you must deploy a VPN gateway in the VPC and create an IPsec-VPN connection to the on-premises gateway device.
Create a VPN gateway.
Log on to the VPN Gateway console.
In the top menu bar, select the region where you want to deploy the VPN gateway.
The VPN gateway must be deployed in the same region as the VPC to which you want to associate the VPN gateway. In this example, China (Hangzhou) is selected.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
Name: Enter a name for the VPN gateway. In this example, VPN Gateway 1 is entered.
Region: Select the region where you want to deploy the VPN gateway. China (Hangzhou) is selected.
Gateway Type: Select the type of the VPN gateway. Standard is selected.
Network Type: Select the network type of the VPN gateway. Private is selected.
Tunnels: The tunnel mode supported by IPsec-VPN connections in the region is displayed.
VPC: The VPC with which you want to associate the VPN gateway. In this example, VPC is selected.
vSwitch: A vSwitch in the VPC.
If you select Single-tunnel, you need to specify only one vSwitch.
If you select Dual-tunnel, you need to specify two vSwitches.
After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) in each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch.
Note: The system selects a vSwitch by default. You can change it or use the default vSwitch.
After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.
vSwitch 2: A vSwitch in the VPC. Ignore this parameter if you select Single-tunnel.
Maximum Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
Traffic: The billing method of the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing overview.
IPsec-VPN: Private VPN gateways support only the IPsec-VPN feature. In this example, the default value Enable is selected for the IPsec-VPN feature.
Duration: The billing cycle of the VPN gateway. Select a subscription duration. Default value: By Hour.
Service-linked Role: Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn.
The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.
If Created is displayed, the service-linked role already exists and you do not need to create it again.
Go back to the VPN Gateways page, view the created VPN gateway, and record the private IP address of the VPN gateway for subsequent IPsec connection configuration.
The status of the newly created VPN gateway is Preparing. After approximately 1 to 5 minutes, the status changes to Normal. This indicates that the VPN gateway is initialized and ready for use.
Create a customer gateway.
In the left-side navigation pane, choose .
On the Customer Gateway page, click Create Customer Gateway.
In the Create Customer Gateway panel, configure the following parameters and click OK.
The following content describes only the key parameters.
Name: Enter a name for the customer gateway.
In this example, Customer-Gateway is entered.
IP Address: Enter the VPN IP address of the on-premises gateway device to be connected to the VPN gateway.
In this example, 192.168.0.251 is entered.
ASN: Enter the ASN of the on-premises gateway device.
In this example, 65530 is entered.
Create an IPsec-VPN connection.
In the left-side navigation pane, choose .
On the IPsec-VPN connection page, click Create IPsec-VPN Connection.
On the Create IPsec Connection page, configure the following parameters and click OK.
The following table describes only the key parameters. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
Name: Enter a name for the IPsec-VPN connection. In this example, IPsec Connection 1 is entered.
VPN Gateway: The VPN gateway that you created. In this example, VPN Gateway 1 is selected.
Customer Gateway: The customer gateway that you created. In this example, Customer-Gateway is selected.
Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.
Effective Immediately: Select whether to apply changes immediately.
Yes: immediately starts negotiations after the configuration is complete.
No: starts negotiations when inbound traffic is detected.
In this example, Yes is selected.
Pre-shared Key: The pre-shared key that is used for authentication. If you do not enter a value, the system generates a random 16-character string as the pre-shared key.
Important: Make sure that the on-premises gateway device and the IPsec-VPN connection use the same pre-shared key.
In this example, fddsFF123**** is entered.
Encryption Configuration: In this example, ikev2 is selected for the Version parameter in the IKE Configurations section. The default values are used for the other parameters.
BGP Configuration: In this example, BGP Configuration is enabled. Configure the following parameters:
Tunnel CIDR Block: the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16, and its mask must be 30 bits in length. In this example, 169.254.10.0/30 is entered.
Local BGP IP Address: the BGP IP address on the VPN gateway side. This IP address must fall within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is entered. The BGP IP address on the data center side is 169.254.10.2.
Local ASN: the ASN on the VPN gateway side. Default value: 45104. In this example, the default value 45104 is used.
Important: If you configure BGP routing for both the VBR and the VPN gateway, make sure that the ASN on the VPN gateway side is the same as that of the VBR. This facilitates route management.
Health Check: In this example, the default settings are used.
After you create an IPsec-VPN connection, click OK in the Created message.
Enable automatic BGP advertising for the VPN gateway.
After automatic BGP advertising is enabled and a peering connection is established between the VPN gateway and the on-premises gateway device, the VPN gateway learns and advertises the CIDR block of the data center to the VPC. The VPN gateway also advertises the routes in the system route table of the VPC to the on-premises gateway device.
In the left-side navigation pane, choose .
On the VPN Gateways page, find VPN Gateway 1 and choose in the Actions column.
In the Enable Automatic BGP Propagation dialog box, click OK.
Download the IPsec connection configurations for the on-premises gateway device.
In the left-side navigation pane, choose .
On the IPsec Connections page, find IPsec Connection 1, and click Download Peer Configuration in the Actions column.
Save the downloaded IPsec configurations on your client.
Add VPN configurations, BGP configurations, and static routes to the on-premises gateway device.
Configure VPN, BGP, and static routes to the on-premises gateway device based on the IPsec configurations that you downloaded.
The following configurations are for reference only. The commands may vary based on the network device vendor. Contact your vendor to obtain information about specific commands.
Log on to the command-line interface of the on-premises gateway device.
Run the following commands to configure the IKEv2 proposal and policy:
crypto ikev2 proposal alicloud
 encryption aes-cbc-128    //Configure the encryption algorithm. In this example, aes-cbc-128 is used.
 integrity sha1    //Configure the authentication algorithm. In this example, sha1 is used.
 group 2    //Configure the DH group. In this example, group 2 is used.
 exit
!
crypto ikev2 policy Pureport_Pol_ikev2
 proposal alicloud
 exit
!
Run the following commands to configure the IKEv2 keyring:
crypto ikev2 keyring alicloud
 peer alicloud
  address 10.0.0.167    //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used.
  pre-shared-key fddsFF123****    //Configure the pre-shared key. In this example, fddsFF123**** is used.
  exit
!
Run the following commands to configure the IKEv2 profile:
crypto ikev2 profile alicloud
 match identity remote address 10.0.0.167 255.255.255.255    //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used.
 identity local address 192.168.0.251    //Configure the VPN IP address of the data center. In this example, 192.168.0.251 is used.
 authentication remote pre-share    //Set the authentication mode of the remote side to PSK (pre-shared key).
 authentication local pre-share    //Set the authentication mode of the local side to PSK.
 keyring local alicloud    //Use the IKEv2 keyring.
 exit
!
Run the following commands to configure the transform set:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode tunnel
 exit
!
Run the following commands to configure the IPsec profile and set the transform set, PFS, and IKEv2 profile:
crypto ipsec profile alicloud
 set transform-set TSET
 set pfs group2
 set ikev2-profile alicloud
 exit
!
Run the following commands to configure the IPsec tunnel:
interface Tunnel100
 ip address 169.254.10.2 255.255.255.252    //Configure the tunnel address for the data center. In this example, 169.254.10.2 is used.
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.167    //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used.
 tunnel protection ipsec profile alicloud
 no shutdown
 exit
!
interface GigabitEthernet1    //Configure the IP address of the interface that is used to connect to the VPN gateway.
 ip address 192.168.0.251 255.255.255.0
 negotiation auto
!
Run the following commands to configure BGP routing:
Important: To ensure that traffic from the VPC to the data center is routed into the encrypted tunnel of the VPN gateway, you must advertise a CIDR block that is smaller than the CIDR block of the data center in the BGP configurations of the on-premises gateway device.
In this example, the CIDR block of the data center is 192.168.0.0/16. The CIDR block advertised in the BGP configurations of the on-premises gateway device must be smaller than this CIDR block, so 192.168.1.0/24 is advertised.
router bgp 65530    //Enable BGP routing and configure the ASN of the data center. In this example, 65530 is used.
 neighbor 169.254.10.1 remote-as 45104    //Configure the ASN of the BGP peer. In this example, the ASN of the VPN gateway, 45104, is used.
 neighbor 169.254.10.1 ebgp-multihop 10    //Set the EBGP hop count to 10.
 !
 address-family ipv4
  network 192.168.1.0 mask 255.255.255.0    //Advertise the CIDR block of the data center. In this example, 192.168.1.0/24 is advertised.
  neighbor 169.254.10.1 activate    //Activate the BGP peer.
 exit-address-family
!
Run the following command to configure a static route:
ip route 10.0.0.167 255.255.255.255 10.0.0.2    //Route traffic from the data center to the VPN gateway through the Express Connect circuit.
Step 4: Configure routes for instances
After you complete the steps above, an encrypted tunnel is established between the on-premises gateway device and the VPN gateway. You must configure routes for the cloud network instances to route traffic to the encrypted tunnel when the data center communicates with Alibaba Cloud.
Add a custom route to the VPC.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top navigation bar, select the region to which the route table belongs.
In this example, China (Hangzhou) is selected.
On the Route Tables page, find the route table that you want to manage and click its ID.
This example shows how to find the system route table of the VPC.
On the Route Entry List tab, click the Custom Route tab and click Add Route Entry.
In the Add Route Entry dialog box, configure the following parameters and click OK.
Name: Enter a name for the custom route.
Destination CIDR Block: Enter the destination CIDR block of the custom route. In this example, IPv4 CIDR Block is selected and the VPN IP address of the on-premises gateway device, 192.168.0.251/32, is entered.
Next Hop Type: Select the type of the next hop. In this example, Direct Connect Gateway is selected.
Leased Line Gateway: Select the next hop of the custom route. In this example, ECR is selected.
Add a custom route to the VBR.
Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where the VBR is deployed.
In this example, China (Hangzhou) is selected.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
Click the Routes tab, and then click Add Route.
In the Add Route panel, configure the following parameters and click OK.
Next Hop Type: Select Physical Connection Interface.
Destination CIDR Block: The VPN IP address of the on-premises gateway device. In this example, 192.168.0.251/32 is entered.
Next Hop: Select the Express Connect circuit created in Step 1.
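The Important note in Step 3 and the custom routes in Step 4 together decide which destinations actually travel inside the IPsec tunnel. The following added Python check (not Alibaba Cloud's code) models the VPC system route table after Steps 1 through 4 with this example's prefixes, applies longest prefix match, lists the part of the data center block that still takes the cleartext circuit, and validates the tunnel CIDR block against the constraints stated above. The route entries, the next-hop labels and the "local" entry are assumptions built from the page's values.

```python
"""Route-selection check for the ECR + private VPN gateway design (added example)."""
import ipaddress

# Assumed VPC system route table as (prefix, next hop, encrypted?).
# 192.168.0.0/16 arrives via the VBR/ECR (cleartext circuit), 192.168.1.0/24 is
# the more specific prefix the on-premises gateway advertises over BGP through
# the VPN gateway (IPsec), and 192.168.0.251/32 is the Step 4 custom route that
# keeps the IPsec endpoint itself reachable over the circuit so the tunnel can form.
VPC_ROUTES = [
    ("10.0.0.0/16", "local", False),
    ("192.168.0.0/16", "ECR", False),
    ("192.168.1.0/24", "VPN Gateway 1", True),
    ("192.168.0.251/32", "ECR", False),
]


def lookup(dst, routes=VPC_ROUTES):
    """Return (next_hop, encrypted) for dst by longest prefix match, or (None, False)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, enc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, enc)
    return (None, False) if best is None else (best[1], best[2])


def unencrypted_hosts(dc_prefix, advertised_prefixes):
    """Subnets of the data center block that no BGP-advertised prefix covers.

    Each advertised prefix must be more specific than the data center block,
    as the Important note requires; whatever it leaves uncovered still follows
    the 192.168.0.0/16 route to the ECR in cleartext.
    """
    dc = ipaddress.ip_network(dc_prefix)
    leftover = [dc]
    for p in advertised_prefixes:
        adv = ipaddress.ip_network(p)
        if not adv.subnet_of(dc):
            raise ValueError(f"{adv} is not more specific than {dc}")
        remaining = []
        for part in leftover:
            if part.subnet_of(adv):
                continue                      # fully covered by the tunnel route
            if adv.subnet_of(part):
                remaining.extend(part.address_exclude(adv))
            else:
                remaining.append(part)
        leftover = remaining
    return [str(n) for n in sorted(leftover)]


def check_tunnel_plan(tunnel_cidr, local_bgp_ip, peer_bgp_ip):
    """Apply the page's constraints on the IPsec tunnel CIDR block; return problems."""
    net = ipaddress.ip_network(tunnel_cidr)
    problems = []
    if not net.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        problems.append("tunnel CIDR must be within 169.254.0.0/16")
    if net.prefixlen != 30:
        problems.append("tunnel CIDR mask must be 30 bits")
    for ip in (local_bgp_ip, peer_bgp_ip):
        if ipaddress.ip_address(ip) not in list(net.hosts()):
            problems.append(f"{ip} is not a usable host address in {net}")
    return problems
```

Running lookup("192.168.2.10") shows the caveat the note is about: a data center host outside the advertised /24 is reached through the ECR and is not encrypted.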
Step 5: Test and verify
After you complete the preceding steps, the data center can communicate with the VPC over private and encrypted connections. The following section describes how to check the connectivity between the data center and VPC, and check whether the private connection is encrypted by the VPN gateway.
Check the network connectivity.
Log on to ECS 1. For more information, see Choose an ECS remote connection method.
Run the ping command to ping a client in the data center to check the network connectivity between the data center and VPC.
ping <IP address of a client in the data center>
If an echo reply packet is returned, the data center is connected to the VPC.
Check whether the private connection is encrypted.
Log on to the VPN Gateway console.
In the top navigation bar, select the region where the VPN gateway is deployed.
In this example, China (Hangzhou) is selected.
In the left-side navigation pane, choose .
On the IPsec Connections page, find the IPsec-VPN connection created in Step 3 and click its ID.
Click the Monitor tab to view traffic monitoring data.