VPN Gateway supports the dynamic routing feature of Border Gateway Protocol (BGP). You can use a VPN gateway to connect a data center to Alibaba Cloud. Then, you can enable BGP dynamic routing to allow the VPN gateway to automatically learn routes. This reduces network maintenance costs and prevents network configuration errors.
You can check whether your VPN gateway runs the latest version by looking at the status of the Upgrade button. If it does not, click Upgrade to update the VPN gateway. For more information, see Upgrade a VPN gateway.
Regions that support BGP dynamic routing
Area | Region |
---|---|
Asia Pacific | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai) |
Europe & Americas | Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley) |
Middle East & India | UAE (Dubai) |
Overview of BGP dynamic routing
BGP is a dynamic routing protocol that runs over Transmission Control Protocol (TCP). BGP is used to exchange routing and network reachability information between autonomous systems (ASs).
BGP dynamic routing is an additional feature added to IPsec-VPN connections. BGP dynamic routing is integrated with the route learning and route advertisement features of Cloud Enterprise Network (CEN). You can establish IPsec-VPN connections between Alibaba Cloud and your data center in a more efficient, flexible, and reliable manner with BGP dynamic routing.
- Automatically advertises dynamic routes in the cloud and in data centers, and handles route conflicts.
- Supports static routing and dynamic routing. These routing methods allow you to route network traffic to specified egresses.
- Allows you to establish multiple tunnel connections between a VPN gateway and a data center, and supports equal-cost multi-path routing (ECMP) to enable disaster recovery.
- If the data center is connected to a virtual private cloud (VPC) through both an Express Connect circuit and a VPN gateway (for connection resilience), configure the same autonomous system number (ASN) for the data center on the virtual border router (VBR) and on the VPN gateway. Otherwise, routes may flap in the data center.
- If multiple VPCs are attached to the same CEN instance, do not connect the VPN gateways of more than one of those VPCs to the same data center over BGP. Otherwise, routes may flap in the cloud.
- If you use the same VPN gateway to establish IPsec-VPN connections with more than one data center, you must not advertise routes of different IPsec-VPN connections to each other.
- If multiple VPN gateways are created in a VPC, you must not advertise routes of different VPN gateways to each other.
How BGP dynamic routes are advertised
- To Alibaba Cloud
The customer VPN gateway automatically uses BGP to learn routes that are destined for the CIDR block of the data center and advertises the routes to the VPN gateway in the cloud. If you enable automatic BGP advertisement for the VPN gateway on Alibaba Cloud, the VPN gateway automatically advertises the learned routes to the system route table of the VPC. No route is advertised to the custom route tables.
- To the data center
The VPN gateway on Alibaba Cloud automatically uses BGP to learn routes from the system route table of the VPC, and then advertises the routes to the customer VPN gateway. No route is learned from the custom route tables of the VPC.
Relationship between BGP dynamic routing and static routing
When you use a VPN gateway, you can use BGP dynamic routing or static routing (destination-based routing or policy-based routing) to establish IPsec-VPN connections between a data center and Alibaba Cloud.
- If you use BGP dynamic routing, you do not need to configure static routes for the VPN gateway. The VPN gateway uses BGP to automatically learn and advertise routes as described in How BGP dynamic routes are advertised. To enable communication between the data center and Alibaba Cloud, you only need to configure routes for the on-premises gateway device and for the cloud resources.
In scenarios where multiple IPsec-VPN connections are established between the data center and Alibaba Cloud by using one VPN gateway, BGP supports ECMP. If one of the IPsec-VPN connections fails, BGP automatically switches routes to ensure high availability.
- If you use static routing, you must configure routes for the on-premises gateway device, the cloud resources, and the VPN gateway.
If multiple IPsec-VPN connections are established between the data center and Alibaba Cloud by using one VPN gateway, you can use the health check feature to ensure high availability.
Route priorities
Route type | Route priority on a VPN gateway | Route priority within a VPC |
---|---|---|
Specific route | P0 | P0 |
System route | P1 | P1 |
Static route | P2 | P2 |
Dynamic route | P3 | P3 |
Limits
- By default, the BGP route table of a VPN gateway supports up to 50 routes. To increase the quota, submit a ticket.
- After you enable BGP dynamic routing, the tunnel CIDR block must fall within 169.254.0.0/16 and use a /30 subnet mask. The following blocks are reserved and cannot be used: 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, and 169.254.169.252/30.
- If an IPsec-VPN connection is associated with a VPN gateway, the VPN gateway does not accept a 0.0.0.0/0 route advertised by a BGP peer. If the IPsec-VPN connection is associated with a transit router, the on-premises gateway device and the transit router can advertise 0.0.0.0/0 to each other over BGP.
- After you enable BGP dynamic routing for multiple IPsec-VPN connections of the same VPN gateway, the IPsec-VPN connections must use the same local ASN.
- After you enable BGP dynamic routing for a VPN gateway that is attached to a CEN instance, you must enable overlapping routing for the CEN instance.
Note By default, overlapping routing is enabled for CEN instances that are created after March 1, 2019 (UTC+8). For more information about how to enable overlapping routing, see Enable overlapping routing.
- If a VPC is associated with multiple VPN gateways, you cannot set the VPN gateways as BGP peers.
- If a VPC is associated with multiple VPN gateways that have BGP dynamic routing enabled and those VPN gateways connect to the same customer gateway, the IPsec-VPN connections of all of those VPN gateways must use the same local ASN. Otherwise, routing loops may occur.
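The limits above are easy to violate when several connections are defined by hand, so it helps to check a planned configuration before creating it. The following is an added example (not code from the original page or from Alibaba Cloud) that encodes the tunnel CIDR rule, the reserved blocks, the one-local-ASN-per-gateway rule, the 0.0.0.0/0 rule, and the default 50-route quota as pre-flight checks. The `IpsecConnection` data class, its field names, the sample connections, and the way the quota is counted (distinct prefixes across all connections) are assumptions made for this example, not the product API.

```python
"""Pre-flight checks for BGP-enabled IPsec-VPN connections on one VPN gateway.

Added example. The connection shape and the sample data are assumptions;
the rules themselves are the limits documented above.
"""
import ipaddress
from dataclasses import dataclass, field

TUNNEL_SUPERNET = ipaddress.ip_network("169.254.0.0/16")
TUNNEL_PREFIXLEN = 30
RESERVED_TUNNEL_BLOCKS = {
    ipaddress.ip_network(c) for c in (
        "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
        "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
    )
}
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
BGP_ROUTE_QUOTA = 50  # default quota of the BGP route table; raised by ticket


@dataclass
class IpsecConnection:
    """One IPsec-VPN connection with BGP enabled (hypothetical shape, not the API)."""
    name: str
    tunnel_cidr: str
    local_asn: int
    # Prefixes the on-premises BGP peer is expected to advertise to the cloud.
    peer_routes: list[str] = field(default_factory=list)


def check_tunnel_cidr(cidr: str) -> list[str]:
    """Return the reasons a tunnel CIDR block is not allowed (empty list if it is fine)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set, e.g. 169.254.10.1/30
    except ValueError as exc:
        return [f"{cidr}: not a valid network address ({exc})"]
    if net.version != 4 or not net.subnet_of(TUNNEL_SUPERNET):
        return [f"{cidr}: must be inside {TUNNEL_SUPERNET}"]
    errors = []
    if net.prefixlen != TUNNEL_PREFIXLEN:
        errors.append(f"{cidr}: subnet mask must be /{TUNNEL_PREFIXLEN}")
    if net in RESERVED_TUNNEL_BLOCKS:
        errors.append(f"{cidr}: block is reserved and cannot be used")
    return errors


def usable_addresses(cidr: str) -> tuple[str, str]:
    """The two usable addresses of a valid /30 tunnel block, one for each end of the tunnel."""
    if check_tunnel_cidr(cidr):
        raise ValueError(f"invalid tunnel CIDR block: {cidr}")
    first, second = ipaddress.ip_network(cidr).hosts()
    return str(first), str(second)


def check_gateway(connections: list[IpsecConnection], on_transit_router: bool = False) -> list[str]:
    """Check per-connection and cross-connection rules for all BGP connections on one gateway."""
    errors: list[str] = []
    for conn in connections:
        errors.extend(f"{conn.name}: {e}" for e in check_tunnel_cidr(conn.tunnel_cidr))

    # Every BGP-enabled connection on the same VPN gateway must use the same local ASN.
    asns = sorted({c.local_asn for c in connections})
    if len(asns) > 1:
        errors.append(f"connections use different local ASNs {asns}; one gateway must use one local ASN")

    # A VPN gateway drops 0.0.0.0/0 from a BGP peer; only a transit router accepts it.
    learned: set[ipaddress.IPv4Network] = set()
    for conn in connections:
        for prefix in conn.peer_routes:
            net = ipaddress.ip_network(prefix, strict=False)
            if net == DEFAULT_ROUTE and not on_transit_router:
                errors.append(f"{conn.name}: 0.0.0.0/0 from a BGP peer is not accepted on a VPN gateway")
            learned.add(net)

    # Quota counted as distinct prefixes across connections (an assumption of this example).
    if len(learned) > BGP_ROUTE_QUOTA:
        errors.append(f"{len(learned)} BGP routes exceed the default quota of {BGP_ROUTE_QUOTA}; submit a ticket")
    return errors


# Constructed sample: two valid tunnels to one data center plus a deliberately broken third.
SAMPLE = [
    IpsecConnection("dc1-tunnel-a", "169.254.10.0/30", 65010, ["10.10.0.0/16", "10.20.0.0/16"]),
    IpsecConnection("dc1-tunnel-b", "169.254.10.4/30", 65010, ["10.10.0.0/16", "10.20.0.0/16"]),
    IpsecConnection("dc1-tunnel-c", "169.254.169.252/30", 65011, ["0.0.0.0/0"]),
]

if __name__ == "__main__":
    for problem in check_gateway(SAMPLE) or ["no problems found"]:
        print(problem)
```

Run as a script, the sample reports three problems, all on the third connection or caused by it: the reserved tunnel block, the mismatched local ASN, and the default route from the peer. Passing `on_transit_router=True` keeps the first two and drops the third, which matches the transit-router exception described above.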
Suggestions
Before you use BGP dynamic routing, take note of the following information.
- We recommend that you set Routing Mode to Destination Routing Mode for IPsec-VPN connections.
- After you create a customer gateway, you cannot modify its IP address or ASN. We recommend that you prepare in advance.