This topic describes how to use IPsec-VPN to establish a secure connection between two virtual private clouds (VPCs). This way, the cloud resources in one VPC can access the cloud resources in the other VPC.

Example

Note
  • VPN gateways do not support inter-border connections. When you create an IPsec-VPN connection between two VPCs, both the VPCs must be in the Chinese mainland or outside the Chinese mainland. For more information about the regions that are in the Chinese mainland or outside the Chinese mainland, see Which regions are in the Chinese mainland and which regions are outside the Chinese mainland? .
  • If you want to create a connection between a VPC in the Chinese mainland and a VPC outside the Chinese mainland, we recommend that you use the Cloud Enterprise Network (CEN) service. For more information, see What is CEN?.
  • If you create an IPsec-VPN connection between two VPCs in different regions, the IPsec-VPN connection quality is determined by the Internet connection quality. In this case, we recommend that you use CEN to connect the VPCs. For more information, see Use Enterprise Edition transit routers to connect VPCs across regions and accounts.

The following scenario is used as an example in this topic: An enterprise created a VPC named VPC 1 in the China (Hangzhou) region and another VPC named VPC 2 in the China (Qingdao) region. Elastic Compute Service (ECS) instances are deployed in the VPCs, and services are deployed on the ECS instances. Due to business development, the services in VPC 1 and VPC 2 need to communicate with each other.

To ensure network security, the enterprise decides to use VPN gateways to establish an IPsec-VPN connection between VPC 1 and VPC 2. This way, data transmission between the VPCs is encrypted and the cloud resources can communicate with each other in a secure manner.

Connect the VPCs

Prerequisites

  • A VPC named VPC 1 is created in the China (Hangzhou) region, and a VPC named VPC 2 is created in the China (Qingdao) region. ECS instances are deployed in the VPCs, and services are deployed on the ECS instances. For more information, see Create a VPC with an IPv4 CIDR block.
    The following table describes the configurations of VPC 1 and VPC 2 in this example.
    Important You can specify the CIDR blocks based on your business requirements. Make sure that the CIDR blocks that need to communicate do not overlap.
    VPC nameRegionVPC CIDR blockVPC IDName of ECS instanceIP address of ECS instance
    VPC1China (Hangzhou)192.168.0.0/16vpc-bp1e0yx3nsosmitth****ECS1192.168.20.161
    VPC2China (Qingdao)10.0.0.0/16vpc-m5e83sapxp88cgp5f****ECS210.0.1.110
  • You are aware of the security group rules that are applied to the ECS instances in the VPCs. Make sure that the security group rules allow the ECS instances to communicate with each other. For more information, see View security group rules and Add a security group rule.

Procedure

Connect VPCs - Procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region where you want to create the VPN gateway.
    In this example, the China (Hangzhou) region is selected.
    Note The VPN gateway must belong to the same region as the VPC that you want to associate with the VPN gateway.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the buy page, set the following parameters, click Buy Now, and then complete the payment.
    ParameterDescription
    NameEnter a name for the VPN gateway. In this example, VPN Gateway 1 is entered.
    RegionSelect the region where you want to deploy the VPN gateway. In this example, the China (Hangzhou) region is selected.
    VPCSelect the VPC with which you want to associate the VPN gateway. In this example, VPC 1 is selected.
    Specify VSwitchSpecify whether to deploy the VPN gateway in a specified vSwitch of the VPC. In this example, No is selected.
    Maximum BandwidthSpecify a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
    TrafficSelect a metering method for the VPN gateway. Default value: Pay-by-data-transfer.

    For more information, see Billing.

    IPsec-VPNSpecify whether to enable IPsec-VPN. In this example, Enable is selected.
    SSL-VPNSpecify whether to enable SSL-VPN. In this example, Disable is selected.
    Duration

    Specify the billing cycle. Default value: By Hour.

    Service-linked RoleClick Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn.

    For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn.

    If Created is displayed, the service-linked role is created and you do not need to create it again.

    For more information, see Create a VPN gateway.
  5. Return to the VPN Gateways page to view the VPN gateway.
    After you create a VPN gateway, it is in the Preparing state. After 1 to 5 minutes, the VPN gateway changes to the Normal state. After the VPN gateway changes to the Normal state, the VPN gateway is ready for use.
  6. Repeat Substep 2 to Substep 4 of Step 1 to create a VPN gateway named VPN Gateway 2 in the China (Qingdao) region. Specify VPC 2 for the VPC parameter. Specify the same values as VPN Gateway 1 for the other parameters.
    The following table describes the information about the VPN gateways that are created in this example.
    RegionVPN gateway nameVPC nameVPN gateway IDVPN gateway IP address
    China (Hangzhou)VPN Gateway 1VPC1vpn-bp1l5zihic47jprwa****120.XX.XX.40
    China (Qingdao)VPN Gateway 2VPC2vpn-m5eqjnr4ii6jajpms****118.XX.XX.20

Step 2: Create a customer gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
  2. In the top navigation bar, select the region where you want to create the customer gateway.
    Note Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
  3. On the User Gateway page, click Create Customer Gateway.
  4. In the Create Customer Gateway panel, set the following parameters and click OK.
    You must create a customer gateway in the China (Hangzhou) region and the China (Qingdao) region. The following table describes the parameters of the customer gateways.
    ParameterDescriptionChina (Hangzhou)China (Qingdao)
    NameEnter a name for the customer gateway. Customer1Customer2
    IP AddressEnter the public IP address of the customer gateway. In this example, the IP address of VPN Gateway 2, 118.XX.XX.XX. 20, is entered
    Note In this example, VPN Gateway 1 is the customer gateway of VPC 2, and VPN Gateway 2 is the customer gateway of VPC 1.
    In this example, the IP address of VPN Gateway 1, 120.XX.XX.40, is entered

    For more information, see Create a customer gateway.

    The following table describes the information about the VPN gateway, customer gateway, and VPC in each region.
    RegionVPC nameVPN gateway nameCustomer gateway nameCustomer gateway IDCustomer gateway IP address
    China (Hangzhou)VPC1VPN Gateway 1Customer1cgw-bp1er5cw26c2b35vm****118.XX.XX.20
    China (Qingdao)VPC2VPN Gateway 2Customer2cgw-m5e6qdvuxquse3fvm****120.XX.XX.40

Step 3: Create an IPsec-VPN connection

After you create the VPN gateways and customer gateways, you can create IPsec-VPN connections to connect the VPN gateways to the customer gateways.

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  2. In the top navigation bar, select the region of the IPsec-VPN connection.
  3. On the IPsec Connections page, click Create IPsec Connection.
  4. On the Create IPsec Connection page, set the following parameters for the IPsec-VPN connection, and click OK.
    You must create an IPsec-VPN connection in the China (Hangzhou) region and another IPsec-VPN connection in the China (Qingdao) region. The following table describes the parameters of the IPsec-VPN connections.
    ParameterDescriptionChina (Hangzhou)China (Qingdao)
    NameEnter a name for the IPsec-VPN connection. IPsec-VPN Connection 1IPsec-VPN Connection 2
    VPN GatewaySelect the VPN gateway that you created. VPN gateway 1VPN gateway 2
    Customer GatewaySelect the customer gateway that you created. Customer1Customer2
    Routing ModeSelect a routing mode. Select Destination Routing Mode. Select Destination Routing Mode.
    Effective ImmediatelySpecify whether to immediately start negotiations.
    • Yes: starts negotiations when the configuration is complete.
    • No: starts connection negotiations when traffic is received.
    Note If you use a VPN gateway to create IPsec-VPN connections between two VPCs, we recommend that you set Effective Immediately to Yes for one IPsec-VPN connection. This way, IPsec negotiations can be immediately started.
    No is selected in this example. Yes is selected in this example.
    Pre-Shared KeyEnter a pre-shared key.
    • The pre-shared key must be 1 to 100 characters in length, and can contain digits, letters, and the following characters: ~`!@#$%^&*()_-+={}[]\|;:',.<>/?.
    • If you do not specify a pre-shared key, the system generates a random 16-bit string as the pre-shared key. After you create an IPsec-VPN connection, you can click Edit to view the pre-shared key that is generated by the system. For more information, see Modify an IPsec-VPN connection.
    Important The pre-shared key configured for the IPsec-VPN connection and the peer gateway device must be the same. Otherwise, the system cannot establish an IPsec-VPN connection.
    fddsFF123****

    Use the default settings for the other parameters. For more information, see the Create and manage IPsec-VPN connections.

  5. In the Established dialog box, click OK.

Step 4: Configure routes

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.
  4. On the Destination-based Routing tab, click Add Route Entry.
  5. In the Add Route Entry panel, set the following parameters and click OK.
    You must add a route to VPN Gateway 1 and VPN Gateway 2. The following table describes the parameters of routes.
    ParameterDescriptionVPN Gateway 1VPN Gateway 2
    Destination CIDR BlockEnter the destination CIDR block to be connected. Enter 10.0.0.0/16, which is the private CIDR block of VPC 2. Enter 192.168.0.0/16, which is the private CIDR block of VPC 1.
    Next Hop TypeSelect the next hop type. In this example, IPsec Connection is selected. In this example, IPsec Connection is selected.
    Next HopSelect the next hop. Select IPsec-VPN Connection 1. Select IPsec-VPN Connection 2.
    Publish to VPCSpecify whether to advertise the route to the VPC that is associated with the VPN gateway. Yes is selected in this example. Yes is selected in this example.
    WeightSpecify a weight for the route.
    • 100: specifies a high priority for the route.
    • 0: specifies a low priority for the route.
    The default value 100 is used in this example. The default value 100 is used in this example.
    For more information, see Create a destination-based route.

Step 5: Test network connectivity

  1. Log on to ECS 1 in VPC 1.
    For more information about how to log on to an ECS instance, see Methods used to connect to ECS instances.
  2. Run the ping command to ping the IP address of ECS 2 to test network connectivity.
    ping <IP address of ECS 2>

    If you can receive echo reply packets as shown in the following figure, the connection is established.

    Test network connectivity between the VPCs