You can create IPsec-VPN connections between multiple sites and locations. With the VPN-Hub function, the connected sites can communicate with the connected VPC, and also communicate with each of the other sites. VPN-Hub meets the needs of large enterprises to establish intranet communications between different sites.
VPN-Hub overview
The VPN-Hub function is enabled by default. To achieve multi-site connections, you must create corresponding IPsec-VPN connections. A VPN Gateway can have up to ten IPsec-VPN connections. Therefore, you can connect up to ten office sites with one VPN Gateway.
The following scenario is used to illustrate connecting office sites in the cities of Shanghai, Hangzhou, and Ningbo. Before you begin, make sure that you have obtained the public IP address of the gateway device for each office site.


Step 1: Create a VPN Gateway
Step 2: Create an IPsec-VPN connection to the Shanghai office
- Create a customer gateway and register the public IP address of the local gateway
device to Alibaba Cloud to establish an IPsec-VPN connection.
The IP address of the customer gateway is the public IP address of the gateway device of the Shanghai office. For more information, see Create a customer gateway.
- Create an IPsec-VPN connection.
Create an IPsec connection to connect the VPN Gateway and the customer gateway. For more information, see Create an IPsec-VPN connection.
- Load VPN configurations to the gateway device of the local office site.
Load VPN configurations according to the requirements on the gateway device of the local office site. For more information, see Configure local gateways.
Step 3: Create additional IPsec-VPN connections for the other two sites
Follow the same procedures in the Step 2 to create two IPsec connections for the Hangzhou office and the Ningbo office.
Step 4: Configure the VPN Gateway route
To configure the VPN Gateway route, follow these steps:
- Log on to the VPC console.
- In the left-side navigation pane, choose .
- On the VPN Gateways page, select the region of the VPN Gateway.
- Find the target VPN Gateway, and click the instance ID in the Instance ID/Name column.
- On the Destination-based Routing page, click Add Route Entry.
- Configure three route entries according to the following information and then click
OK.
- Destination CIDR Block: Enter the private CIDR block to be accessed.
- Next Hop: Select the target IPsec-VPN connection instance.
- Publish to VPC: Select whether to publish the new route to the VPC route table.
- Weight: Select a weight.
The following are the destination-based routes configured in this example:
Destination CIDR Block Next Hop Publish to VPC Weight 10.10.10.0/24 IPsec-VPN connection instance 1 Yes 100 10.10.20.0/24 IPsec-VPN connection instance 2 Yes 100 10.10.30.0/24 IPsec-VPN connection instance 3 Yes 100
The IPsec-VPN connections to the three office sites have now been established. Each office site can now communicate with the VPC and can communicate with the other office sites over their intranet.