This topic describes how to use IPsec-VPN to establish a secure connection between two virtual private clouds (VPCs). This way, the cloud resources in one VPC can access the cloud resources in the other VPC.
Scenarios
If you want to create connections between two VPCs when one of them is in the Chinese mainland and the other is outside the Chinese mainland, we recommend that you use the Cloud Enterprise Network (CEN) service. For more information, see What is CEN?
The following scenario is used as an example in this topic: An enterprise created a VPC named VPC 1 in the China (Hangzhou) region and another VPC named VPC 2 in the China (Qingdao) region. Elastic Compute Service (ECS) instances are deployed in the VPCs, and services are deployed on the ECS instances. Due to business development, the services in VPC 1 and VPC 2 need to communicate with each other.
To ensure network security, the enterprise decides to use VPN gateways to establish an IPsec-VPN connection between VPC 1 and VPC 2. This way, data transmission between the VPCs is encrypted and the cloud resources can communicate with each other in a secure manner.

Prerequisites
- A VPC named VPC 1 is created in the China (Hangzhou) region, and a VPC named VPC 2 is created in the China (Qingdao) region. ECS instances are deployed in the VPCs, and services are deployed on the ECS instances. For more information, see Create a VPC with an IPv4 CIDR block.

  The following table describes the configurations of VPC 1 and VPC 2 in this example.

  Note: You can specify the CIDR blocks based on your business requirements. Make sure that the CIDR blocks that need to communicate do not overlap.

  | VPC name | Region | VPC CIDR block | VPC ID | Name of ECS instance | IP address of ECS instance |
  | --- | --- | --- | --- | --- | --- |
  | VPC1 | China (Hangzhou) | 192.168.0.0/16 | vpc-bp1e0yx3nsosmitth**** | ECS1 | 192.168.20.161 |
  | VPC2 | China (Qingdao) | 10.0.0.0/16 | vpc-m5e83sapxp88cgp5f**** | ECS2 | 10.0.1.110 |

- You are aware of the security group rules that are applied to the ECS instances in the VPCs. Make sure that the security group rules allow the ECS instances to communicate with each other. For more information, see Query security group rules and Add a security group rule.
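The prerequisites above can be checked before any gateway is created. The following Python code is an added example, not part of the original documentation: it uses the CIDR blocks and ECS addresses from the table, and the function names `preflight` and `required_ingress` are hypothetical. It assumes that each side's security group should admit the peer VPC CIDR block as a source range.

```python
import ipaddress
from itertools import combinations

# Values taken from the table in this topic.
VPCS = {
    "VPC1": {"cidr": "192.168.0.0/16", "ecs_ip": "192.168.20.161"},
    "VPC2": {"cidr": "10.0.0.0/16", "ecs_ip": "10.0.1.110"},
}


def preflight(vpcs):
    """Return a list of problems that would break routing over the tunnel."""
    problems = []
    nets = {}
    for name, cfg in vpcs.items():
        try:
            # strict=True rejects a CIDR with host bits set, e.g. 10.0.1.0/16.
            net = ipaddress.ip_network(cfg["cidr"], strict=True)
            ip = ipaddress.ip_address(cfg["ecs_ip"])
        except ValueError as exc:
            problems.append(f"{name}: invalid address or CIDR block: {exc}")
            continue
        nets[name] = net
        # An instance outside its VPC CIDR block never matches the tunnel routes.
        if ip not in net:
            problems.append(f"{name}: ECS address {ip} is outside {net}")
    # Overlapping blocks make the destination ambiguous, so test every pair.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    return problems


def required_ingress(vpcs):
    """Map each VPC to the peer CIDR blocks its security group must admit.

    Assumption: rules are scoped to the whole peer VPC CIDR block; a narrower
    source such as the peer ECS address is also valid and more restrictive.
    """
    return {
        name: sorted(c["cidr"] for n, c in vpcs.items() if n != name)
        for name in vpcs
    }


if __name__ == "__main__":
    for line in preflight(VPCS) or ["no conflicts found"]:
        print(line)
    for vpc, sources in required_ingress(VPCS).items():
        print(f"{vpc}: allow inbound from {', '.join(sources)}")
```

Compare the output of `required_ingress` with the result of Query security group rules on each side; a missing source range there is a common reason an established IPsec-VPN connection still carries no traffic between the ECS instances.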
Procedure

Step 1: Create a VPN gateway
Step 2: Create a customer gateway
Step 3: Create an IPsec-VPN connection
After you create the VPN gateways and customer gateways, you can create IPsec-VPN connections to connect the VPN gateways to the customer gateways.