If an on-premises gateway device in your data center has multiple public IP addresses, you can use two of them to create active/standby IPsec-VPN connections to a virtual private cloud (VPC). The two IPsec-VPN connections ensure network connectivity between the data center and the VPC.
Example
The following scenario is used as an example in this topic. An enterprise owns a data center in Hangzhou and has a VPC deployed in the China (Hangzhou) region. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. The enterprise wants to enable the data center to access the VPC over multiple encrypted connections to ensure data security and network redundancy.
An on-premises gateway device in the data center has multiple public IP addresses. The enterprise can use two of them to create two IPsec-VPN connections between the data center and the VPC. The connections encrypt traffic between the data center and the VPC, and the second connection provides network redundancy if the first one fails.

Networking
Networking requirements
Networking requirements in this scenario:
- A public VPN gateway is created.
- The two IPsec-VPN connections are attached to the same VPN gateway.
- The VPN gateway uses static routing. You can set route priorities to specify active and standby connections.
- Both IPsec-VPN connections have health checks enabled. Health checks test the availability of the connections.
If the active IPsec-VPN connection fails health checks multiple times in a row, the standby IPsec-VPN connection automatically takes over.
CIDR blocks
Resource | CIDR block and IP address
---|---
VPC | Primary CIDR block: 172.16.0.0/16
On-premises gateway device | Public IP address of the on-premises gateway device:
Data center | CIDR block used to communicate with the VPC: 192.168.0.0/24
Prerequisites
The following prerequisites must be met before you start:
- A VPC is deployed in the China (Hangzhou) region and applications are deployed on the ECS instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
- The gateway device in the data center supports the IKEv1 and IKEv2 protocols. Gateway devices that support these protocols can connect to VPN gateways.
- You have read and understood the security group rules that apply to the ECS instances in the VPC, and the security group rules allow the gateway device in the data center to access the cloud resources. For more information, see Query security group rules and Add a security group rule.
Procedure

Step 1: Create a VPN gateway
You must create a VPN gateway and enable IPsec-VPN for the VPN gateway before you can create IPsec-VPN connections.
Step 2: Create customer gateways
You must create customer gateways and register the gateway information on Alibaba Cloud before you can create IPsec-VPN connections.
Step 3: Create IPsec-VPN connections
After you create customer gateways, you must create IPsec-VPN connections to connect the on-premises gateway device to the VPN gateway.
Step 4: Add routes to the VPN gateway
You must configure routes on the VPN gateway so that VPC traffic destined for the data center is routed to the IPsec-VPN connections. Give the route that points to the active connection a higher priority than the route that points to the standby connection.
Step 5: Configure the on-premises gateway device
After you complete the preceding steps in the console, you must add the VPN settings, route settings, and health check settings to the on-premises gateway device. Otherwise, the IPsec-VPN connections cannot be established between the on-premises gateway device and VPN gateway. After you add these settings to the on-premises gateway device, traffic destined for the VPC is transmitted over the active IPsec-VPN connection. The standby IPsec-VPN connection automatically takes over if the active IPsec-VPN connection fails.
The configurations are for reference only. The commands vary based on the network device vendor. Contact the vendor to obtain the information about the specific commands.
Step 6: Test the network connectivity
After you complete the preceding steps, the data center can communicate with the VPC over two IPsec-VPN connections. This section describes how to test the network connectivity and check whether the IPsec-VPN connections can work as active and standby connections.
- Test the network connectivity.
- Check whether the IPsec-VPN connections can work as active and standby connections.
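The following script is an added example, not part of the Alibaba Cloud documentation, that models the active/standby behavior described under Networking requirements and tested in Step 6: two static routes to the data center CIDR with different priorities, a health check on each connection, and failover to the standby connection when the active one fails a number of consecutive probes. It assumes (these details are not on the page) that route priority is expressed as a weight of 100 for the active route and 0 for the standby route, that a connection is declared down after `retry` consecutive failed probes and up again after the next successful probe, and that traffic returns to the active connection once it recovers. The public IP addresses 203.0.113.10/11, the probe addresses 172.16.1.1 and 192.168.0.1 and the destination 192.168.0.10 are constructed sample values; the CIDR blocks 172.16.0.0/16 and 192.168.0.0/24 are the ones from this topic.

```python
"""Model of active/standby IPsec-VPN route selection with health checks.

Added example; not Alibaba Cloud code. Weight semantics (100 = active,
0 = standby), the retry rule and failback to the active connection are
assumptions made for this illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class HealthCheck:
    sip: str               # probe source address on the VPC side (constructed)
    dip: str               # probe destination address in the data center (constructed)
    interval: int = 3      # seconds between probes (assumed default)
    retry: int = 3         # consecutive failures before the tunnel is marked down
    failures: int = 0      # consecutive failures observed so far
    healthy: bool = True

    def observe(self, probe_ok: bool) -> bool:
        """Feed one probe result and return the resulting health state."""
        if probe_ok:
            self.failures = 0
            self.healthy = True          # assumed: one success restores the tunnel
        else:
            self.failures += 1
            if self.failures >= self.retry:
                self.healthy = False
        return self.healthy


@dataclass
class VpnConnection:
    name: str
    customer_gateway_ip: str   # public IP of the on-premises gateway for this tunnel
    health: HealthCheck


@dataclass
class RouteEntry:
    destination: IPv4Network
    connection: VpnConnection
    weight: int                # assumed: 100 = active route, 0 = standby route


class VpnGateway:
    """Static routing table of the VPN gateway with priority-based selection."""

    def __init__(self) -> None:
        self.routes: List[RouteEntry] = []

    def add_route(self, destination: str, conn: VpnConnection, weight: int) -> None:
        if weight not in (100, 0):
            raise ValueError("weight must be 100 (active) or 0 (standby)")
        self.routes.append(RouteEntry(ip_network(destination), conn, weight))

    def next_hop(self, dst_ip: str) -> Optional[VpnConnection]:
        """Return the healthy connection with the highest weight for dst_ip."""
        ip = ip_address(dst_ip)
        candidates = [r for r in self.routes
                      if ip in r.destination and r.connection.health.healthy]
        if not candidates:
            return None                  # both tunnels down: traffic is dropped
        return max(candidates, key=lambda r: r.weight).connection


def simulate(probe_rounds: List[Tuple[bool, bool]]) -> List[str]:
    """Run rounds of (active_probe_ok, standby_probe_ok) and report which
    connection carries traffic to 192.168.0.10 after each round."""
    check_args = dict(sip="172.16.1.1", dip="192.168.0.1")
    active = VpnConnection("ipsec-active", "203.0.113.10", HealthCheck(**check_args))
    standby = VpnConnection("ipsec-standby", "203.0.113.11", HealthCheck(**check_args))

    gw = VpnGateway()
    gw.add_route("192.168.0.0/24", active, weight=100)   # preferred path
    gw.add_route("192.168.0.0/24", standby, weight=0)    # used only on failover

    chosen = []
    for active_ok, standby_ok in probe_rounds:
        active.health.observe(active_ok)
        standby.health.observe(standby_ok)
        hop = gw.next_hop("192.168.0.10")
        chosen.append(hop.name if hop else "none")
    return chosen


if __name__ == "__main__":
    # Active tunnel fails three probes in a row, then recovers.
    print(simulate([(True, True), (False, True), (False, True),
                    (False, True), (True, True)]))
```

Note that the first two failed probes do not cause a switch; only the third consecutive failure (the assumed `retry` threshold) withdraws the active route. When testing the real setup in Step 6, block the active tunnel on the on-premises device for longer than `interval * retry` seconds before expecting traffic on the standby connection.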