VPN Gateway: Create multiple IPsec-VPN connections over the Internet for load balancing

Last Updated:Nov 13, 2023

This topic describes how to create multiple IPsec-VPN connections over the Internet between a data center and a virtual private cloud (VPC), attach them to the same transit router, and use equal-cost multipath (ECMP) routing to load-balance traffic across the connections.

Scenarios

(Figure: scenario topology. Three on-premises gateway devices in the Hangzhou data center each terminate one Internet-based IPsec-VPN connection on the transit router in the China (Hangzhou) region, which is connected through an inter-region connection to the transit router and the VPC in the China (Shanghai) region.)

The preceding scenario is used as an example in this topic. An enterprise owns a data center in Hangzhou and has created a VPC in the China (Shanghai) region. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The enterprise wants to use VPN Gateway to connect the data center and the VPC over encrypted connections, and wants several encrypted connections between them so that traffic is load-balanced by ECMP routing.

To do this, the enterprise creates multiple IPsec-VPN connections between the data center and Alibaba Cloud, and attaches the IPsec-VPN connections and the VPC to the same Cloud Enterprise Network (CEN) instance. The data center and VPC then communicate over the encrypted connections, and the transit router load-balances traffic across the connections by ECMP routing.

Network design

Network settings

The following network settings are used in this topic:

  • Set the Gateway Type parameter of the IPsec-VPN connections to Public. This way, the IPsec-VPN connections between the data center and Alibaba Cloud are established over the Internet.

  • Set Associate Resource to CEN so that all IPsec-VPN connections are attached to the same transit router. Only IPsec-VPN connections attached to the same transit router can form ECMP paths.

  • Use BGP dynamic routing over the IPsec-VPN connections. Each on-premises gateway device advertises the same data center CIDR blocks, so the transit router learns three equal-cost routes to each data center CIDR block, one per connection.

CIDR blocks

Note

When you plan CIDR blocks, make sure that the CIDR blocks of the data center and VPC do not overlap.

Resource: CIDR blocks and IP addresses

VPC

  • Primary CIDR block: 10.0.0.0/16

  • vSwitch 1: 10.0.0.0/24, in Zone F

  • vSwitch 2: 10.0.1.0/24, in Zone G

  • IP address of the ECS instance attached to vSwitch 1: 10.0.0.1

IPsec-VPN connections (Alibaba Cloud side)

BGP configurations, given as tunnel CIDR block, BGP IP address, and autonomous system number (ASN):

  • IPsec-VPN Connection 1: 169.254.10.0/30, 169.254.10.1, 65531

  • IPsec-VPN Connection 2: 169.254.11.0/30, 169.254.11.1, 65531

  • IPsec-VPN Connection 3: 169.254.12.0/30, 169.254.12.1, 65531

On-premises gateway devices (data center side)

Public IP addresses of the on-premises gateway devices:

  • On-premises Gateway Device 1: 11.XX.XX.1

  • On-premises Gateway Device 2: 11.XX.XX.2

  • On-premises Gateway Device 3: 11.XX.XX.3

BGP configurations on the on-premises gateway devices, given as tunnel CIDR block, BGP IP address, and ASN:

  • On-premises Gateway Device 1: 169.254.10.0/30, 169.254.10.2, 65530

  • On-premises Gateway Device 2: 169.254.11.0/30, 169.254.11.2, 65530

  • On-premises Gateway Device 3: 169.254.12.0/30, 169.254.12.2, 65530

Data center

CIDR blocks to be connected to the VPC:

  • 192.168.0.0/24

  • 192.168.1.0/24

  • 192.168.2.0/24
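The following Python script is an added example (not part of the original topic) that checks the address plan above before anything is created: the data center and VPC CIDR blocks must not overlap, each tunnel CIDR block must be a /30 inside 169.254.0.0/16 whose two usable addresses are the Alibaba Cloud and data center BGP IP addresses, and no two connections may reuse a tunnel CIDR block. The plan values are copied from the lists in this section; the function and variable names are the script's own.

```python
"""Consistency checks for the address plan in the Network design section.

Added example: the values mirror the plan above; the checks are not part of the
original topic. Requires only the Python standard library.
"""
import ipaddress

VPC_CIDRS = ["10.0.0.0/16"]
DATACENTER_CIDRS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # tunnel CIDR blocks must fall in here

# One entry per IPsec-VPN connection, as in the BGP configurations above.
TUNNELS = [
    {"name": "IPsec-VPN Connection 1", "cidr": "169.254.10.0/30",
     "cloud_bgp_ip": "169.254.10.1", "onprem_bgp_ip": "169.254.10.2"},
    {"name": "IPsec-VPN Connection 2", "cidr": "169.254.11.0/30",
     "cloud_bgp_ip": "169.254.11.1", "onprem_bgp_ip": "169.254.11.2"},
    {"name": "IPsec-VPN Connection 3", "cidr": "169.254.12.0/30",
     "cloud_bgp_ip": "169.254.12.1", "onprem_bgp_ip": "169.254.12.2"},
]


def validate_plan(vpc_cidrs, dc_cidrs, tunnels):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    vpc_nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    dc_nets = [ipaddress.ip_network(c) for c in dc_cidrs]

    # Note in the CIDR blocks section: data center and VPC prefixes must not overlap,
    # otherwise the transit router cannot route unambiguously between them.
    for v in vpc_nets:
        for d in dc_nets:
            if v.overlaps(d):
                problems.append(f"overlap: VPC {v} and data center {d}")

    seen = []
    for t in tunnels:
        net = ipaddress.ip_network(t["cidr"])
        ends = {ipaddress.ip_address(t["cloud_bgp_ip"]),
                ipaddress.ip_address(t["onprem_bgp_ip"])}
        # Tunnel CIDR Block rule from Step 2: a /30 within 169.254.0.0/16.
        if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
            problems.append(f"{t['name']}: tunnel CIDR {net} must be a /30 within {LINK_LOCAL}")
        # Both BGP IP addresses must be the two usable hosts of that /30.
        elif ends != set(net.hosts()):
            problems.append(f"{t['name']}: BGP IPs {sorted(map(str, ends))} are not the hosts of {net}")
        # A tunnel CIDR block must not be reused by another connection on the same transit router.
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{t['name']}: tunnel CIDR {net} overlaps {other}")
        seen.append(net)
    return problems


if __name__ == "__main__":
    for line in validate_plan(VPC_CIDRS, DATACENTER_CIDRS, TUNNELS) or ["plan OK"]:
        print(line)
```

Run the script after editing the constants to your own plan; it prints "plan OK" or one line per problem. The same checks are worth running again whenever a fourth connection is added, because a reused tunnel /30 is the most common mistake when copying an existing connection.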

Preparations

Perform the following operations before you start:

  • A VPC is created in the China (Shanghai) region. Applications are deployed on the ECS instance in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

  • A CEN instance is created. An Enterprise Edition transit router is created in the China (Hangzhou) and China (Shanghai) regions. For more information, see Create a CEN instance and Create a transit router.

    Important

    When you create a transit router, you must configure a CIDR block for the transit router. Otherwise, IPsec-VPN connections cannot be associated with the transit router.

    If you have already created a transit router, you can configure a CIDR block for the transit router. For more information, see Transit router CIDR blocks.

  • Check the security group rules of the ECS instance in the VPC and make sure that they allow inbound traffic from the data center CIDR blocks (192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24 in this example) on the ports that the applications use, and ICMP if you plan to test connectivity with ping. For more information, see View security group rules and Add a security group rule.

Procedure

(Figure: overview of the procedure, from creating the customer gateways and IPsec-VPN connections in the China (Hangzhou) region to attaching the VPC in the China (Shanghai) region and connecting the two transit routers.)

Step 1: Create customer gateways

Before you create IPsec-VPN connections, you need to create customer gateways to provide information about the on-premises gateway devices to Alibaba Cloud.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  3. In the top navigation bar, select the region where you want to create the customer gateways.

    VPN gateways do not support cross-border IPsec-VPN connections. Therefore, follow the nearby access principle and select the region that is closest to your data center as the region in which the customer gateways are deployed. China (Hangzhou) is selected in this example.

    For more information about cross-border connections, see What are inter-border connections and intra-border connections?

  4. On the Customer Gateway page, click Create Customer Gateway.

  5. In the Create Customer Gateway panel, set the following parameters and click OK.

    Create three customer gateways that use the following configurations in the China (Hangzhou) region. Use the default values for the other parameters. For more information, see Create a customer gateway.

    Name

      Enter a name for each customer gateway.

      • Customer Gateway 1: Customer-Gateway1

      • Customer Gateway 2: Customer-Gateway2

      • Customer Gateway 3: Customer-Gateway3

    IP Address

      Enter the public IP address of the on-premises gateway device to be connected to Alibaba Cloud.

      • Customer Gateway 1: 11.XX.XX.1 (On-premises Gateway Device 1)

      • Customer Gateway 2: 11.XX.XX.2 (On-premises Gateway Device 2)

      • Customer Gateway 3: 11.XX.XX.3 (On-premises Gateway Device 3)

    ASN

      Enter the BGP ASN of the on-premises gateway devices. This is the ASN that the BGP process on each device uses in Step 3. In this example, 65530 is entered for all three customer gateways.

Step 2: Create IPsec-VPN connections

After you create customer gateways, you need to create IPsec-VPN connections from Alibaba Cloud to the on-premises gateway devices.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region in which you want to create IPsec-VPN connections.

    The IPsec-VPN connections and customer gateways must be created in the same region. China (Hangzhou) is selected in this example.

  4. On the IPsec Connections page, click Create IPsec-VPN Connection.

  5. On the Create IPsec-VPN Connection page, configure the IPsec-VPN connection based on the following information and click OK.

    Create three IPsec-VPN connections that use the following configurations in the China (Hangzhou) region. You are charged for using IPsec-VPN connections. For more information, see Billing rules.

    Name

      Enter a name for each IPsec-VPN connection. In this example: IPsec-VPN Connection 1, IPsec-VPN Connection 2, and IPsec-VPN Connection 3.

    Associate Resource

      Select the type of network resource to be associated with the IPsec-VPN connections. In this example, CEN is selected for all three connections.

    Gateway Type

      Select the network type of the IPsec-VPN connection. In this example, Public is selected, so the connections are established over the Internet.

    CEN Instance ID

      Select a CEN instance. In this example, the CEN instance created in the Preparations section is selected.

    Transit Router

      The transit router to be associated with the IPsec-VPN connections. The system automatically selects the transit router in the region in which the IPsec-VPN connections are created, China (Hangzhou) in this example.

    Zone

      Select the zone in which the IPsec-VPN connection is created. Make sure that the zone supports transit routers. In this example, Hangzhou Zone H is selected.

    Customer Gateway

      Select the customer gateway to be associated with each IPsec-VPN connection.

      • IPsec-VPN Connection 1: Customer-Gateway1

      • IPsec-VPN Connection 2: Customer-Gateway2

      • IPsec-VPN Connection 3: Customer-Gateway3

    Routing Mode

      Select a routing mode. In this example, Destination Routing Mode is selected.

    Effective Immediately

      Specify whether to start IPsec negotiations as soon as the configuration takes effect. Valid values:

      • Yes: starts negotiations when the configuration is complete.

      • No: starts negotiations only when traffic is received.

      In this example, Yes is selected.

    Pre-Shared Key

      Enter the pre-shared key that is used to authenticate the on-premises gateway device.

      • The pre-shared key must be 1 to 100 characters in length, and can contain digits, letters, and the following characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/?.

      • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After you create the IPsec-VPN connection, you can click Edit to view the key that the system generated. For more information, see Modify an IPsec-VPN connection.

      Important

      The IPsec-VPN connection and the peer gateway device must use the same pre-shared key. Otherwise, IKE authentication fails and the IPsec-VPN connection cannot be established. Use a different, randomly generated key for each connection, as in this example, so that a key leaked from one device does not expose the other connections.

      • IPsec-VPN Connection 1: fddsFF123****

      • IPsec-VPN Connection 2: fddsFF456****

      • IPsec-VPN Connection 3: fddsFF789****

    Encryption Configuration

      Set the encryption configurations, including the IKE configurations and IPsec configurations. In this example, ikev2 is selected for the Version parameter in the IKE Configurations section, and the default values are used for the other parameters. The algorithms that you select here must match the algorithms configured on the on-premises gateway devices; Step 3 mirrors the defaults of this example as aes-cbc-128, sha1, and DH group 2. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

    BGP Configuration

      Specify whether to enable BGP. By default, BGP is disabled. In this example, BGP is enabled.

    Tunnel CIDR Block

      Specify the CIDR block that is used for IPsec tunneling. The CIDR block must fall within 169.254.0.0/16 and must use a 30-bit subnet mask (/30). In this example, a different /30 is used for each connection.

      • IPsec-VPN Connection 1: 169.254.10.0/30

      • IPsec-VPN Connection 2: 169.254.11.0/30

      • IPsec-VPN Connection 3: 169.254.12.0/30

    Local BGP IP address

      Enter the BGP IP address of the Alibaba Cloud side of the IPsec-VPN connection. The IP address must fall within the tunnel CIDR block; the other usable address of the /30 is configured on the on-premises gateway device.

      • IPsec-VPN Connection 1: 169.254.10.1

      • IPsec-VPN Connection 2: 169.254.11.1

      • IPsec-VPN Connection 3: 169.254.12.1

    Local ASN

      Enter the ASN of the Alibaba Cloud side of the IPsec-VPN connections. It must differ from the ASN of the customer gateways (65530) because the BGP sessions over the tunnels are eBGP sessions. In this example, 65531 is entered for all three connections.

    Health Check

      Specify whether to enable the health check feature. The health check feature is disabled by default. In this example, the health check feature is disabled.

    After the IPsec-VPN connections are created, the system assigns a gateway IP address to each IPsec-VPN connection. The gateway IP address is the public endpoint on the Alibaba Cloud side of the IPsec-VPN connection; the on-premises gateway devices use it as the IKE peer address and tunnel destination in Step 3. You can view the gateway IP address on the details page of the IPsec-VPN connection. (Figure: View public IP addresses)

    The following gateway IP addresses are assigned to the three IPsec-VPN connections in this example:

    • IPsec-VPN Connection 1: 120.XX.XX.191

    • IPsec-VPN Connection 2: 47.XX.XX.213

    • IPsec-VPN Connection 3: 47.XX.XX.161

    Note

    The system assigns gateway IP addresses to IPsec-VPN connections only after you associate the IPsec-VPN connections with transit routers. When you create an IPsec-VPN connection, if you set Associate Resource to Do Not Associate or VPN Gateway, the system does not assign a gateway IP address to the IPsec-VPN connection.

  6. Go to the IPsec Connections page, find the IPsec-VPN connection that you created and click Generate Peer Configuration in the Actions column.

    Download the configurations of the three IPsec-VPN connections to your on-premises machine so that you can use the configurations when you add VPN configurations to the on-premises gateway devices.

Step 3: Configure on-premises gateway devices

After the IPsec-VPN connections are created, perform the following steps to add the VPN and BGP configurations in the IPsec-VPN connection configurations that you downloaded to the on-premises gateway devices. This way, the data center can communicate with Alibaba Cloud over the IPsec-VPN connections.

The following configurations are used for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

  1. Open the CLI of the on-premises gateway device.

  2. Run the following commands to configure the IKEv2 proposal and policy:

    //Add the following configuration to the three on-premises gateway devices:
    crypto ikev2 proposal alicloud  
    encryption aes-cbc-128          //Configure the encryption algorithm. In this example, aes-cbc-128 is used. 
    integrity sha1                  //Configure the authentication algorithm. In this example, sha1 is used. 
    group 2                         //Configure the DH group. In this example, group 2 is used. 
    exit
    !
    crypto ikev2 policy Pureport_Pol_ikev2
    proposal alicloud
    exit
    !
  3. Run the following commands to set the IKEv2 keyring:

    //Add the following configuration to On-premises Gateway Device 1:
    crypto ikev2 keyring alicloud
    peer alicloud
    address 120.XX.XX.191              //Specify the public IP address of the gateway on the Alibaba Cloud side of IPsec-VPN Connection 1. In this example, 120.XX.XX.191 is specified. 
    pre-shared-key fddsFF123****     //Configure the pre-shared key. In this example, fddsFF123**** is used. 
    exit
    !
    //Add the following configuration to On-premises Gateway Device 2:
    crypto ikev2 keyring alicloud
    peer alicloud
    address 47.XX.XX.213               //Specify the public IP address of the gateway on the Alibaba Cloud side of IPsec-VPN Connection 2. In this example, 47.XX.XX.213 is specified. 
    pre-shared-key fddsFF456****     //Configure the pre-shared key. In this example, fddsFF456**** is used. 
    exit
    !
    //Add the following configuration to On-premises Gateway Device 3:
    crypto ikev2 keyring alicloud
    peer alicloud
    address 47.XX.XX.161              //Specify the public IP address of the gateway on the Alibaba Cloud side of IPsec-VPN Connection 3. In this example, 47.XX.XX.161 is specified. 
    pre-shared-key fddsFF789****     //Configure the pre-shared key. In this example, fddsFF789**** is used. 
    exit
    !
  4. Run the following commands to set the IKEv2 profile:

    //Add the following configuration to On-premises Gateway Device 1:
    crypto ikev2 profile alicloud
    match identity remote address 120.XX.XX.191 255.255.255.255    //Match the public IP address of the gateway on the Alibaba Cloud side of IPsec-VPN Connection 1. In this example, 120.XX.XX.191 is matched. 
    identity local address 11.XX.XX.1    //Specify the public IP address of On-premises Gateway Device 1. In this example, 11.XX.XX.1 is used. 
    authentication remote pre-share   //Set the authentication mode of the remote side to PSK. 
    authentication local pre-share    //Set the authentication mode of the local side to PSK. 
    keyring local alicloud            //Use the IKEv2 keyring. 
    exit
    !
    //Add the following configuration to On-premises Gateway Device 2:
    crypto ikev2 profile alicloud
    match identity remote address 47.XX.XX.213 255.255.255.255    //Match the public IP address of the gateway on the Alibaba Cloud side of IPsec-VPN Connection 2. In this example, 47.XX.XX.213 is matched. 
    identity local address 11.XX.XX.2    //Specify the public IP address of On-premises Gateway Device 2. In this example, 11.XX.XX.2 is used. 
    authentication remote pre-share   //Set the authentication mode of the remote side to PSK. 
    authentication local pre-share    //Set the authentication mode of the local side to PSK. 
    keyring local alicloud            //Use the IKEv2 keyring. 
    exit
    !
    //Add the following configuration to On-premises Gateway Device 3:
    crypto ikev2 profile alicloud
    match identity remote address 47.XX.XX.161 255.255.255.255    //Match the public IP address of the gateway on the Alibaba Cloud side of IPsec-VPN Connection 3. In this example, 47.XX.XX.161 is matched. 
    identity local address 11.XX.XX.3    //Specify the public IP address of On-premises Gateway Device 3. In this example, 11.XX.XX.3 is used. 
    authentication remote pre-share   //Set the authentication mode of the remote side to PSK. 
    authentication local pre-share    //Set the authentication mode of the local side to PSK. 
    keyring local alicloud            //Use the IKEv2 keyring. 
    exit
    !
  5. Run the following commands to configure transform:

    //Add the following configuration to the three on-premises gateway devices:
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    mode tunnel
    exit
    !
  6. Run the following commands to configure the IPsec profile and set the transform, PFS, and IKEv2 profile:

    //Add the following configuration to the three on-premises gateway devices:
    crypto ipsec profile alicloud
    set transform-set TSET
    set pfs group2
    set ikev2-profile alicloud
    exit
    !
  7. Run the following commands to configure IPsec tunneling:

    //Add the following configuration to On-premises Gateway Device 1:
    interface Tunnel100
    ip address 169.254.10.2 255.255.255.252    //Specify the IP address of the tunnel on the On-premises Gateway Device 1 side. In this example, 169.254.10.2 is used. 
    tunnel source GigabitEthernet1
    tunnel mode ipsec ipv4
    tunnel destination 120.XX.XX.191            //Specify the IP address of the tunnel on the Alibaba Cloud side. In this example, 120.XX.XX.191 is used. 
    tunnel protection ipsec profile alicloud
    no shutdown
    exit
    !
    interface GigabitEthernet1                 //Configure the IP address of the interface that is used to connect to the VPN gateway. 
    ip address 11.XX.XX.1 255.255.255.0
    negotiation auto
    !
    //Add the following configuration to On-premises Gateway Device 2:
    interface Tunnel100
    ip address 169.254.11.2 255.255.255.252    //Specify the IP address of the tunnel on the On-premises Gateway Device 2 side. In this example, 169.254.11.2 is used. 
    tunnel source GigabitEthernet1
    tunnel mode ipsec ipv4
    tunnel destination 47.XX.XX.213            //Specify the IP address of the tunnel on the Alibaba Cloud side. In this example, 47.XX.XX.213 is used. 
    tunnel protection ipsec profile alicloud
    no shutdown
    exit
    !
    interface GigabitEthernet1                 //Configure the IP address of the interface that is used to connect to the VPN gateway. 
    ip address 11.XX.XX.2 255.255.255.0
    negotiation auto
    !
    //Add the following configuration to On-premises Gateway Device 3:
    interface Tunnel100
    ip address 169.254.12.2 255.255.255.252    //Specify the IP address of the tunnel on the On-premises Gateway Device 3 side. In this example, 169.254.12.2 is used. 
    tunnel source GigabitEthernet1
    tunnel mode ipsec ipv4
    tunnel destination 47.XX.XX.161           //Specify the IP address of the tunnel on the Alibaba Cloud side. In this example, 47.XX.XX.161 is used. 
    tunnel protection ipsec profile alicloud
    no shutdown
    exit
    !
    interface GigabitEthernet1                 //Configure the IP address of the interface that is used to connect to the VPN gateway. 
    ip address 11.XX.XX.3 255.255.255.0
    negotiation auto
    !
  8. Run the following commands to configure BGP. The local BGP process uses the ASN of the data center (65530, the ASN that you entered for the customer gateways in Step 1), and remote-as uses the Local ASN of the IPsec-VPN connection (65531, from Step 2). If the two values are swapped, the IPsec tunnel is established but the BGP session is not, because each side rejects the ASN announced by the other, and no routes are exchanged. The network statements take effect only if routes for those prefixes exist in the routing table of the device.

    //Add the following configuration to On-premises Gateway Device 1:
    router bgp 65530                         //Enable BGP and configure the BGP ASN of the data center. In this example, 65530 is used. 
    bgp router-id 169.254.10.2               //Specify the ID of the BGP router. In this example, 169.254.10.2 is used. 
    bgp log-neighbor-changes
    neighbor 169.254.10.1 remote-as 65531    //Configure the ASN of the BGP peer. In this example, the Local ASN of IPsec-VPN Connection 1 is used, which is 65531. 
    neighbor 169.254.10.1 ebgp-multihop 10   //Set the eBGP hop-count to 10.   
    !
    address-family ipv4
    network 192.168.0.0 mask 255.255.255.0   //Advertise the CIDR blocks of the data center. In this example, the CIDR blocks 192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24 are advertised. 
    network 192.168.1.0 mask 255.255.255.0   
    network 192.168.2.0 mask 255.255.255.0   
    neighbor 169.254.10.1 activate           //Activate the BGP peer. 
    exit-address-family
    !
    //Add the following configuration to On-premises Gateway Device 2:
    router bgp 65530                         //Enable BGP and configure the BGP ASN of the data center. In this example, 65530 is used. 
    bgp router-id 169.254.11.2               //Specify the ID of the BGP router. In this example, 169.254.11.2 is used. 
    bgp log-neighbor-changes
    neighbor 169.254.11.1 remote-as 65531    //Configure the ASN of the BGP peer. In this example, the Local ASN of IPsec-VPN Connection 2 is used, which is 65531. 
    neighbor 169.254.11.1 ebgp-multihop 10   //Set the eBGP hop-count to 10.   
    !
    address-family ipv4
    network 192.168.0.0 mask 255.255.255.0   //Advertise the CIDR blocks of the data center. In this example, the CIDR blocks 192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24 are advertised. 
    network 192.168.1.0 mask 255.255.255.0   
    network 192.168.2.0 mask 255.255.255.0   
    neighbor 169.254.11.1 activate           //Activate the BGP peer. 
    exit-address-family
    !
    //Add the following configuration to On-premises Gateway Device 3:
    router bgp 65530                         //Enable BGP and configure the BGP ASN of the data center. In this example, 65530 is used. 
    bgp router-id 169.254.12.2               //Specify the ID of the BGP router. In this example, 169.254.12.2 is used. 
    bgp log-neighbor-changes
    neighbor 169.254.12.1 remote-as 65531    //Configure the ASN of the BGP peer. In this example, the Local ASN of IPsec-VPN Connection 3 is used, which is 65531. 
    neighbor 169.254.12.1 ebgp-multihop 10   //Set the eBGP hop-count to 10.   
    !
    address-family ipv4
    network 192.168.0.0 mask 255.255.255.0   //Advertise the CIDR blocks of the data center. In this example, the CIDR blocks 192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24 are advertised. 
    network 192.168.1.0 mask 255.255.255.0   
    network 192.168.2.0 mask 255.255.255.0   
    neighbor 169.254.12.1 activate           //Activate the BGP peer. 
    exit-address-family
    !
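The following Python script is an added example (not the page's or any vendor's tooling) that renders the Step 3 configuration of each on-premises gateway device from the plan values in this topic, so that the two ASNs cannot be swapped by hand: the router bgp process takes the data center ASN (65530) and remote-as takes the Local ASN of the IPsec-VPN connection (65531). It also generates pre-shared keys from the character set that Step 2 allows and rejects keys that violate it. The masked addresses (11.XX.XX.n, 120.XX.XX.191, 47.XX.XX.n) are copied from the page as placeholders; the tuple layout, function names and the algorithm parameters are the script's own.

```python
"""Render the Step 3 configuration of each on-premises gateway device from the plan.

Added example (not the page's or a vendor's tool). The masked addresses are those
printed on the page; replace them with the real ones shown in the console.
"""
import ipaddress
import secrets
import string

CLOUD_ASN = 65531       # Local ASN of the IPsec-VPN connections (Step 2)
DATACENTER_ASN = 65530  # ASN of the customer gateways (Step 1)
DATACENTER_CIDRS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
PSK_ALLOWED = string.ascii_letters + string.digits + "~`!@#$%^&*()_-+={}[]\\|;:',.<>/?"

# name, on-premises public IP, Alibaba Cloud gateway IP, on-premises tunnel IP, cloud BGP IP
DEVICES = [
    ("On-premises Gateway Device 1", "11.XX.XX.1", "120.XX.XX.191", "169.254.10.2", "169.254.10.1"),
    ("On-premises Gateway Device 2", "11.XX.XX.2", "47.XX.XX.213", "169.254.11.2", "169.254.11.1"),
    ("On-premises Gateway Device 3", "11.XX.XX.3", "47.XX.XX.161", "169.254.12.2", "169.254.12.1"),
]


def psk_is_valid(psk):
    """Pre-shared key rule from Step 2: 1 to 100 characters from the allowed set."""
    return 1 <= len(psk) <= 100 and all(ch in PSK_ALLOWED for ch in psk)


def generate_psk(length=32):
    """Random key from the allowed set; generate a distinct one per connection."""
    return "".join(secrets.choice(PSK_ALLOWED) for _ in range(length))


def render_device(device, psk, local_asn=DATACENTER_ASN, peer_asn=CLOUD_ASN,
                  encryption="aes-cbc-128", integrity="sha1", dh_group=2):
    """Return IOS-style commands for one device. The algorithm defaults match Step 3 (the
    console defaults); stronger ones such as aes-cbc-256 / sha256 / group 14 require the
    same choice under Encryption Configuration on the IPsec-VPN connection."""
    name, public_ip, cloud_gw, tunnel_ip, peer_bgp_ip = device
    if local_asn == peer_asn:
        raise ValueError("eBGP needs distinct ASNs on the data center and Alibaba Cloud sides")
    if not psk_is_valid(psk):
        raise ValueError("pre-shared key violates the allowed character set or length")
    tunnel = ipaddress.ip_network(f"{tunnel_ip}/30", strict=False)
    if ipaddress.ip_address(peer_bgp_ip) not in tunnel:
        raise ValueError(f"{name}: BGP peer {peer_bgp_ip} is outside tunnel block {tunnel}")
    cfg = [
        "crypto ikev2 proposal alicloud",
        f" encryption {encryption}",
        f" integrity {integrity}",
        f" group {dh_group}",
        "!",
        "crypto ikev2 policy Pureport_Pol_ikev2",
        " proposal alicloud",
        "!",
        "crypto ikev2 keyring alicloud",
        " peer alicloud",
        f"  address {cloud_gw}",                 # gateway IP assigned in Step 2
        f"  pre-shared-key {psk}",
        "!",
        "crypto ikev2 profile alicloud",
        f" match identity remote address {cloud_gw} 255.255.255.255",
        f" identity local address {public_ip}",
        " authentication remote pre-share",
        " authentication local pre-share",
        " keyring local alicloud",
        "!",
        "crypto ipsec transform-set TSET esp-aes esp-sha-hmac",
        " mode tunnel",
        "!",
        "crypto ipsec profile alicloud",
        " set transform-set TSET",
        f" set pfs group{dh_group}",
        " set ikev2-profile alicloud",
        "!",
        "interface Tunnel100",
        f" ip address {tunnel_ip} {tunnel.netmask}",
        " tunnel source GigabitEthernet1",
        " tunnel mode ipsec ipv4",
        f" tunnel destination {cloud_gw}",
        " tunnel protection ipsec profile alicloud",
        " no shutdown",
        "!",
        f"router bgp {local_asn}",               # data center ASN, never the cloud ASN
        f" bgp router-id {tunnel_ip}",
        " bgp log-neighbor-changes",
        f" neighbor {peer_bgp_ip} remote-as {peer_asn}",
        f" neighbor {peer_bgp_ip} ebgp-multihop 10",
        " address-family ipv4",
    ]
    for cidr in DATACENTER_CIDRS:
        net = ipaddress.ip_network(cidr)
        cfg.append(f"  network {net.network_address} mask {net.netmask}")
    cfg += [f"  neighbor {peer_bgp_ip} activate", " exit-address-family", "!"]
    return "\n".join(cfg)
```

Call render_device(device, generate_psk()) once per entry of DEVICES and paste the output into the respective device; the key that was generated for each device must then be entered as the Pre-Shared Key of the matching IPsec-VPN connection in Step 2. The rendered text is the IOS-style syntax of Step 3 without the explanatory // annotations, which IOS would reject.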

Step 4: Create a VPC connection

After you associate the IPsec-VPN connections with a transit router, you need to log on to the CEN console, create a VPC connection, and associate the VPC with a transit router. This way, the data center can communicate with the VPC.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, find the transit router in the China (Shanghai) region and click Create Connection in the Actions column.

  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.

    Parameter

    Description

    VPC connection

    Network Type

    Specify the type of network instance.

    In this example, VPC is selected.

    Region

    Select the region of the network instance.

    In this example, China (Shanghai) is selected.

    Transit Router

    The system automatically displays the transit router in the current region.

    Resource Owner ID

    Specify whether the network instance belongs to the current Alibaba Cloud account.

    In this example, Your Account is selected.

    Billing Method

    Select a billing method for the VPC connection. Default value: Pay-As-You-Go. For more information about the billing rules for transit routers, see Billing rules.

    Attachment Name

    Enter a name for the VPC connection.

    In this example, VPC-test is used.

    Networks

    Select a network instance.

    In this example, the VPC created in the Preparations section is selected.

    vSwitch

    Select the vSwitches that are deployed in the zones of the transit router.

    • If the transit router supports only one zone in the current region, select a vSwitch in the zone.

    • If the transit router supports multiple zones in the current region, you need to select at least two vSwitches that reside in different zones. When the VPC and transit router communicate, the vSwitches are used to implement zone-disaster recovery.

      We recommend that you select a vSwitch in each zone to reduce the network latency and improve network performance because data can be transmitted over a shorter distance.

    Make sure that each selected vSwitch has at least one idle IP address. If the VPC does not have a vSwitch in the zone supported by the transit router or the vSwitch does not have an idle IP address, create a new vSwitch in the zone. For more information, see Create and manage a vSwitch.

    For more information, see Connect VPCs.

    In this example, vSwitch 1 is selected in Zone F and vSwitch 2 is selected in Zone G.

    Advanced Settings

    Specify whether to enable the advanced features. By default, all advanced features are enabled.

    In this example, the default setting is used.

Step 5: Create an inter-region connection

The transit router associated with the IPsec-VPN connections and the transit router associated with the VPC are deployed in different regions. By default, the data center cannot communicate with the VPC in this scenario. To allow the data center to communicate with the VPC across regions, you need to create an inter-region connection between the transit router in the China (Hangzhou) region and the transit router in the China (Shanghai) region.

You can allocate bandwidth to an inter-region connection from a bandwidth plan or pay for the bandwidth usage of the inter-region connection on a pay-by-data-transfer basis. In this example, a bandwidth plan is used.

  1. Log on to the CEN console.

  2. Purchase a bandwidth plan.

    Purchase a bandwidth plan to allocate bandwidth for inter-region communication before you create an inter-region connection.

    1. On the Instances page, find the CEN instance that you want to manage and click its ID.

    2. On the details page of the CEN instance, choose Basic Settings > Bandwidth Plans and click Purchase Bandwidth Plan(Subscription).

    3. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

      Parameter

      Description

      CEN ID

      Select the CEN instance for which you want to purchase the bandwidth plan.

      After you complete the payment, the bandwidth plan is automatically associated with the CEN instance.

      In this example, the CEN instance created in the Preparations section is selected.

      Area A

      Select one of the areas where you want to enable inter-region communication.

      Mainland China is selected in this example.

      Note
      • After you purchase a bandwidth plan, you cannot change the areas that you selected for the bandwidth plan.

      • For more information about the regions and areas that support bandwidth plans, see Work with a bandwidth plan.

      Area B

      Select the other area where you want to enable inter-region communication.

      Mainland China is selected in this example.

      Billing method

      Displays the billing method of the bandwidth plan. The default billing method is Pay by Bandwidth.

      For more information about bandwidth plan billing, see Billing rules.

      Bandwidth

      Select a bandwidth value based on your business requirements. Unit: Mbit/s.

      Bandwidth_package_name

      Enter a name for the bandwidth plan.

      Order time

      Select a subscription duration for the bandwidth plan.

      You can select Auto-renewal to allow the system to automatically renew the bandwidth plan.

  3. Create an inter-region connection.

    1. On the Instances page, find the CEN instance that you want to manage and click its ID.

    2. Navigate to the Basic Settings > Bandwidth Plans tab and click Set Region Connection.

    3. On the Connection with Peer Network Instance page, set the following parameters and click OK.

      Parameter

      Description

      Network type

      Inter-region Connection is selected in this example.

      Region

      Select the region that you want to connect.

      China (Hangzhou) is selected in this example.

      Transit Router

      The system automatically displays the ID of the transit router in the selected region.

      Attachment Name

      Enter a name for the inter-region connection.

      In this example, Cross-Region-test is used.

      Peer Region

      Select the other region to be connected.

      In this example, China (Shanghai) is selected.

      Transit Router

      The system automatically displays the ID of the transit router in the selected region.

      Bandwidth Allocation Mode

      The following modes are supported:

      • Allocate from Bandwidth Plan: Bandwidth resources are allocated from a purchased bandwidth plan.

      • Pay-By-Data-Transfer: You are charged for data transfer over the inter-region connection.

      In this example, Allocate from Bandwidth Plan is selected.

      Bandwidth Plan

      Select the bandwidth plan that is associated with the CEN instance.

      Bandwidth

      Specify a bandwidth value for the inter-region connection. Unit: Mbit/s.

      Advanced Settings

      By default, all advanced features are enabled. In this example, the default setting is used.

Step 6: Test the connectivity

After you create the inter-region connection, the data center can communicate with the VPC. Traffic that the transit router in the China (Hangzhou) region forwards toward the data center is distributed across the three IPsec-VPN connections by ECMP routing, because all three connections advertise the same data center CIDR blocks over BGP with equal cost. Traffic in the opposite direction is distributed according to how the data center routes to its three gateway devices. This section describes how to test the network connectivity and how to check that all three IPsec-VPN connections carry traffic.

  1. Test the network connectivity.

    1. Log on to the ECS instance in the VPC. For more information, see Guidelines on ECS instance connection.

    2. Run the ping command on the ECS instance to access a client in the data center.

      ping <IP address of the client in the data center>

      If the ECS instance receives echo reply messages, the data center can communicate with the VPC.

  2. Check whether traffic is load-balanced.

    ECMP selects a path per flow, so a single TCP connection always uses the same IPsec-VPN connection. Use multiple clients in the data center to continuously send requests to the ECS instance in the VPC, or open many connections from one client, and then view the traffic monitoring data on the details pages of the three IPsec-VPN connections. If all three details pages show traffic, the three IPsec-VPN connections are used to load-balance the traffic. If only one connection shows traffic, check that all three BGP sessions are established and that each on-premises gateway device advertises the same data center CIDR blocks.

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.

    3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    4. On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.

      Go to the details page of the IPsec-VPN connection to view the monitoring data of data transfer on the Monitor tab.
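The two checks of Step 6 can be scripted from a client in the data center. The following Python script is an added example and is not part of the original topic or of any Alibaba Cloud tool. It parses the summary line of ping(8) to decide whether the VPC is reachable, and then opens many parallel TCP connections to the ECS instance so that the replies, which the transit router hashes per flow, are spread over the three IPsec-VPN connections. The target address 10.0.0.10 and port 80 are placeholders for the private IP address of the ECS instance and a service listening on it, and the sample ping output used to check the parser is constructed.

```python
"""Automate the two checks of Step 6 from a client in the data center.

Added example, not from the original topic. The target address and port are
placeholders to replace with the ECS instance's private IP and a listening
service; the sample ping output in the tests is constructed for the parser.
"""
import re
import socket
import subprocess
from concurrent.futures import ThreadPoolExecutor

# Matches the summary line of ping(8), e.g. "5 packets transmitted, 5 received,
# 0% packet loss, time 4006ms" (Linux) or "..., 0.0% packet loss" (BSD/macOS).
_LOSS_RE = re.compile(r"(\d+(?:\.\d+)?)% packet loss")


def parse_ping_loss(output):
    """Return the packet-loss percentage reported by ping, or None if the
    summary line is missing (for example, when the host name did not resolve)."""
    match = _LOSS_RE.search(output)
    return float(match.group(1)) if match else None


def connectivity_ok(target, count=5):
    """Connectivity test of Step 6: True if at least one echo reply came back."""
    result = subprocess.run(["ping", "-c", str(count), target],
                            capture_output=True, text=True, check=False)
    loss = parse_ping_loss(result.stdout)
    return loss is not None and loss < 100.0


def generate_flows(target, port, flows=30, timeout=3.0):
    """Load-balancing test. ECMP hashes per flow, so one client must open many
    parallel TCP connections: each gets a distinct source port, and the replies
    from the ECS instance may be hashed onto a different IPsec-VPN connection.
    How the data center spreads the outbound flows over its three gateway
    devices depends on its own routing. Returns the number of flows that
    connected; afterwards check the Monitor tab of all three tunnels."""
    def one_flow(_):
        try:
            with socket.create_connection((target, port), timeout=timeout):
                return 1
        except OSError:
            return 0

    with ThreadPoolExecutor(max_workers=flows) as pool:
        return sum(pool.map(one_flow, range(flows)))


if __name__ == "__main__":
    ECS_IP = "10.0.0.10"   # placeholder: private IP of the ECS instance in the VPC
    print("reachable:", connectivity_ok(ECS_IP))
    print("flows connected:", generate_flows(ECS_IP, 80))
```

Run the script from at least two clients in the data center, then open the details pages of the three IPsec-VPN connections: the monitoring data should rise on all three, not on one.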

Routing configuration

In this topic, the default routing configuration is used to create the IPsec-VPN connections, VPC connection, and inter-region connection. When the default routing configuration is used, CEN automatically learns and distributes routes to enable the data center to communicate with the VPC. The following sections describe the default routing configuration.

IPsec-VPN connections

If you associate an IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, the system automatically applies the following routing configuration to the IPsec-VPN connection:

  • The IPsec-VPN connection is associated with the default route table of the transit router. The transit router forwards traffic from the IPsec-VPN connection based on the default route table.

  • The destination-based routes that you configure for the IPsec-VPN connection and the routes learned from the data center through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the default route table of the transit router.

  • The transit router automatically propagates the routes in the default route table to the BGP route table associated with the IPsec-VPN connection.

  • The routes in the BGP route table of the IPsec-VPN connection, including the VPC routes received from the transit router, are automatically advertised to the data center by using BGP.

VPCs

If you use the default routing configuration (with all advanced features enabled) when you connect a VPC to the transit router, that is, when you create the VPC connection, the system automatically applies the following routing configuration to the VPC:

  • Associate with Default Route Table of Transit Router

    After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.

  • Propagate System Routes to Default Route Table of Transit Router

    After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.

  • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

    After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the VPC connection, that is, to the transit router. Together, these three routes cover the entire RFC 1918 private address space. Traffic to the vSwitch CIDR blocks of the VPC still stays inside the VPC because the more specific system routes win by longest prefix match, but any other private destination is forwarded to the transit router.

Inter-region connections

If you use the default routing configuration (with all advanced features enabled) when you create an inter-region connection, the system automatically applies the following routing configuration to the inter-region connection:

  • Associate with Default Route Table of Transit Router

    After this feature is enabled, the inter-region connection is automatically associated with the default route table of the transit router. The transit router uses the default route table to forward network traffic across regions.

  • Propagate System Routes to Default Route Table of Transit Router

    After this feature is enabled, the inter-region connection advertises system routes to the default route table of the transit router.

  • Automatically Advertise Routes to Peer Region

    After this feature is enabled, the routes of the transit router deployed in the current region are automatically advertised to the route table of the peer transit router. The routes are used for cross-region communication between network instances.

Route entries

This section describes the route entries used by the transit routers, IPsec-VPN connections, VPC, and on-premises gateway devices. You can check the route entries in the Alibaba Cloud Management Console.

  • For more information about how to view the route entries of transit routers, see View routes of an Enterprise Edition transit router.

  • For more information about how to view the route entries of VPCs, see Create and manage a route table.

  • To view the route entries of an IPsec-VPN connection, go to the details page of the IPsec-VPN connection:

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.

    3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    4. On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.

      Go to the details page of the IPsec-VPN connection and view the route information on the BGP Route Table tab.

Table 1. Default route entries of the transit router in China (Hangzhou)

| Destination CIDR block | Next hop                | Route type                  |
|------------------------|-------------------------|-----------------------------|
| 10.0.0.0/24            | Inter-region connection | Automatically learned route |
| 10.0.1.0/24            | Inter-region connection | Automatically learned route |
| 192.168.0.0/24         | IPsec-VPN Connection 1  | Automatically learned route |
| 192.168.0.0/24         | IPsec-VPN Connection 2  | Automatically learned route |
| 192.168.0.0/24         | IPsec-VPN Connection 3  | Automatically learned route |
| 192.168.1.0/24         | IPsec-VPN Connection 1  | Automatically learned route |
| 192.168.1.0/24         | IPsec-VPN Connection 2  | Automatically learned route |
| 192.168.1.0/24         | IPsec-VPN Connection 3  | Automatically learned route |
| 192.168.2.0/24         | IPsec-VPN Connection 1  | Automatically learned route |
| 192.168.2.0/24         | IPsec-VPN Connection 2  | Automatically learned route |
| 192.168.2.0/24         | IPsec-VPN Connection 3  | Automatically learned route |

Each data center CIDR block has three equal-cost routes, one per IPsec-VPN connection. These are the ECMP routes over which the transit router load-balances traffic from the VPC to the data center.

Table 2. Default route entries of the transit router in China (Shanghai)

| Destination CIDR block | Next hop                | Route type                  |
|------------------------|-------------------------|-----------------------------|
| 10.0.0.0/24            | VPC connection          | Automatically learned route |
| 10.0.1.0/24            | VPC connection          | Automatically learned route |
| 192.168.0.0/24         | Inter-region connection | Automatically learned route |
| 192.168.0.0/24         | Inter-region connection | Automatically learned route |
| 192.168.0.0/24         | Inter-region connection | Automatically learned route |
| 192.168.1.0/24         | Inter-region connection | Automatically learned route |
| 192.168.1.0/24         | Inter-region connection | Automatically learned route |
| 192.168.1.0/24         | Inter-region connection | Automatically learned route |
| 192.168.2.0/24         | Inter-region connection | Automatically learned route |
| 192.168.2.0/24         | Inter-region connection | Automatically learned route |
| 192.168.2.0/24         | Inter-region connection | Automatically learned route |

Table 3. Route entries in the system route table of the VPC

| Destination CIDR block | Next hop        | Route type   |
|------------------------|-----------------|--------------|
| 10.0.0.0/24            | vSwitch (local) | System route |
| 10.0.1.0/24            | vSwitch (local) | System route |
| 10.0.0.0/8             | VPC connection  | Custom route |
| 172.16.0.0/12          | VPC connection  | Custom route |
| 192.168.0.0/16         | VPC connection  | Custom route |

The two system routes are the vSwitch CIDR blocks of the VPC and keep that traffic inside the VPC. The three custom routes are the ones added automatically when the VPC connection was created; they hand every other RFC 1918 destination, including the data center CIDR blocks, to the transit router.

Table 4. Route entries in the BGP route tables of the IPsec-VPN connections

| IPsec-VPN connection   | Destination CIDR block | Source                       |
|------------------------|------------------------|------------------------------|
| IPsec-VPN Connection 1 | 10.0.0.0/24            | Learned from Alibaba Cloud   |
| IPsec-VPN Connection 1 | 10.0.1.0/24            | Learned from Alibaba Cloud   |
| IPsec-VPN Connection 1 | 192.168.0.0/24         | Learned from the data center |
| IPsec-VPN Connection 1 | 192.168.1.0/24         | Learned from the data center |
| IPsec-VPN Connection 1 | 192.168.2.0/24         | Learned from the data center |
| IPsec-VPN Connection 2 | 10.0.0.0/24            | Learned from Alibaba Cloud   |
| IPsec-VPN Connection 2 | 10.0.1.0/24            | Learned from Alibaba Cloud   |
| IPsec-VPN Connection 2 | 192.168.0.0/24         | Learned from the data center |
| IPsec-VPN Connection 2 | 192.168.1.0/24         | Learned from the data center |
| IPsec-VPN Connection 2 | 192.168.2.0/24         | Learned from the data center |
| IPsec-VPN Connection 3 | 10.0.0.0/24            | Learned from Alibaba Cloud   |
| IPsec-VPN Connection 3 | 10.0.1.0/24            | Learned from Alibaba Cloud   |
| IPsec-VPN Connection 3 | 192.168.0.0/24         | Learned from the data center |
| IPsec-VPN Connection 3 | 192.168.1.0/24         | Learned from the data center |
| IPsec-VPN Connection 3 | 192.168.2.0/24         | Learned from the data center |

Table 5. Route entries learned by the on-premises gateway devices from Alibaba Cloud

| On-premises gateway device   | Destination CIDR block | Next hop               |
|------------------------------|------------------------|------------------------|
| On-premises Gateway Device 1 | 10.0.0.0/24            | IPsec-VPN Connection 1 |
| On-premises Gateway Device 1 | 10.0.1.0/24            | IPsec-VPN Connection 1 |
| On-premises Gateway Device 2 | 10.0.0.0/24            | IPsec-VPN Connection 2 |
| On-premises Gateway Device 2 | 10.0.1.0/24            | IPsec-VPN Connection 2 |
| On-premises Gateway Device 3 | 10.0.0.0/24            | IPsec-VPN Connection 3 |
| On-premises Gateway Device 3 | 10.0.1.0/24            | IPsec-VPN Connection 3 |
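The propagation rules described under Routing configuration and the route entries in Tables 1 to 3 can be checked mechanically. The following Python script is an added example, not Alibaba Cloud code or console output: it rebuilds the route tables of the two transit routers and of the VPC from the CIDR blocks used in this topic, then verifies the three properties a practitioner wants to confirm before trusting the design: the VPC and data center CIDR blocks do not overlap (the planning rule in the Note at the start of this topic), every data center prefix has three equal-cost next hops on the transit router in China (Hangzhou) (the ECMP group), and longest-prefix matching keeps traffic to the vSwitch CIDR blocks inside the VPC while every other RFC 1918 destination goes to the transit router. The connection names are taken from the tables above; the "vSwitch" next-hop label and all function names are constructed for the model.

```python
"""Model of the default CEN routing configuration described in this topic.

Added example (not Alibaba Cloud code): rebuilds Tables 1 to 3 from the
CIDR blocks of this topic and checks the properties behind ECMP load
balancing over the three IPsec-VPN connections.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Network settings from this topic. "vSwitch" as the next hop of a VPC system
# route and the connection names are labels assumed for the model.
VPC_CIDR = "10.0.0.0/16"
VSWITCH_CIDRS = ["10.0.0.0/24", "10.0.1.0/24"]
DC_CIDRS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
IPSEC_CONNS = ["IPsec-VPN Connection 1", "IPsec-VPN Connection 2",
               "IPsec-VPN Connection 3"]
# Routes that "Automatically Creates Route That Points to Transit Router and
# Adds to All Route Tables of Current VPC" installs in every VPC route table.
RFC1918_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def overlapping_cidrs(vpc_cidr, dc_cidrs):
    """Planning rule from this topic: VPC and data center blocks must not
    overlap. Returns the offending data center blocks (empty list = valid)."""
    vpc = ip_network(vpc_cidr)
    return [c for c in dc_cidrs if ip_network(c).overlaps(vpc)]


def hangzhou_transit_routes():
    """Table 1: VPC prefixes learned from Shanghai over the inter-region
    connection, plus the data center prefixes learned over each tunnel by BGP."""
    routes = [(v, "Inter-region connection") for v in VSWITCH_CIDRS]
    routes += [(d, conn) for conn in IPSEC_CONNS for d in DC_CIDRS]
    return routes


def shanghai_transit_routes():
    """Table 2: VPC system routes propagated by the VPC connection, plus the
    data center prefixes advertised by Hangzhou (one copy per tunnel)."""
    routes = [(v, "VPC connection") for v in VSWITCH_CIDRS]
    routes += [(d, "Inter-region connection") for _ in IPSEC_CONNS for d in DC_CIDRS]
    return routes


def vpc_routes():
    """Table 3: system routes for the vSwitches plus the three custom routes
    that point to the VPC connection (the transit router)."""
    return ([(v, "vSwitch") for v in VSWITCH_CIDRS]
            + [(p, "VPC connection") for p in RFC1918_ROUTES])


def ecmp_paths(routes):
    """Group next hops by prefix. A prefix with several next hops is an ECMP
    group; the transit router hashes each flow onto one of them."""
    groups = defaultdict(list)
    for prefix, next_hop in routes:
        groups[prefix].append(next_hop)
    return dict(groups)


def lookup(routes, dst):
    """Longest-prefix match as a router performs it. Returns the next hop of
    the most specific matching route, or None if nothing matches."""
    addr = ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


if __name__ == "__main__":
    print("overlapping blocks:", overlapping_cidrs(VPC_CIDR, DC_CIDRS))
    for prefix, hops in ecmp_paths(hangzhou_transit_routes()).items():
        print(f"Hangzhou {prefix:16} -> {len(hops)} next hop(s): {hops}")
    vpc = vpc_routes()
    for dst in ("10.0.1.10", "10.0.5.1", "192.168.2.10", "172.16.5.1", "8.8.8.8"):
        print(f"VPC lookup {dst:14} -> {lookup(vpc, dst)}")
```

The lookups show the caveat of the default routing configuration: 10.0.1.10 stays local because the /24 system route is more specific than 10.0.0.0/8, but 10.0.5.1, an address inside the VPC's 10.0.0.0/16 that belongs to no vSwitch, is not dropped locally and is handed to the transit router, as is every other private destination such as 172.16.5.1. Review the default route table of the transit router whenever a new network instance is attached, so that no prefix becomes reachable over the tunnels unintentionally.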