VPN Gateway is a network connection service that securely and reliably connects enterprise data centers, office networks, and Internet clients to virtual private clouds (VPCs) of Alibaba Cloud through encrypted and private tunnels.

Note: Alibaba Cloud VPN Gateway provides services in compliance with state policies and regulations. You can use VPN Gateway to establish only intra-border connections. For more information, see What are inter-border connections and intra-border connections?

Features

VPN Gateway supports IPsec-VPN and SSL-VPN connections. These types of connections are ideal for different scenarios.

IPsec-VPN

IPsec-VPN is a network connection technology based on routes. IPsec-VPN provides flexible traffic routing methods and allows you to configure and maintain VPN policies in an efficient manner. You can use IPsec-VPN to establish connections between VPCs and data centers or office networks.

The method used to establish an IPsec-VPN connection varies based on the resource associated with the IPsec-VPN connection. For more information, see the following figures.

Associate an IPsec-VPN connection with a VPN gateway

[Figure: IPsec-VPN connection associated with a VPN gateway]

Associate an IPsec-VPN connection with a transit router

[Figure: IPsec-VPN connection associated with a transit router]

Comparison

The following comparison describes the differences between IPsec-VPN connections associated with VPN gateways and IPsec-VPN connections associated with transit routers.

Associated resource

  • IPsec-VPN connection associated with a VPN gateway

    To create an IPsec-VPN connection, you must purchase a VPN gateway and associate the VPN gateway with a VPC.

    The data center or office network can communicate with the associated VPC or with other networks through the associated VPC.

  • IPsec-VPN connection associated with a transit router

    To create an IPsec-VPN connection, you do not need to purchase a VPN gateway or associate the VPN gateway with a VPC. You must create a Cloud Enterprise Network (CEN) instance and create a transit router on the CEN instance.

    The data center or office network can communicate with all VPCs connected to the transit router or with other networks through the transit router.

Supported encryption algorithms

  • IPsec-VPN connection associated with a VPN gateway

    Commercial cryptographic algorithms that comply with international standards

  • IPsec-VPN connection associated with a transit router

    Commercial cryptographic algorithms that comply with international standards

Maximum bandwidth supported by each IPsec-VPN connection

  • IPsec-VPN connection associated with a VPN gateway

    1000 Mbit/s

    Note: The maximum bandwidth supported by VPN gateways in some regions is 200 Mbit/s. For more information about the regions, see Limits on VPN gateways.

  • IPsec-VPN connection associated with a transit router

    1 Gbit/s by default. The maximum bandwidth can be modified based on business requirements.

Supported network type

  • IPsec-VPN connection associated with a VPN gateway

    Public: Indicates an encrypted connection over the Internet.

    Private: Indicates an encrypted connection over an Express Connect circuit.

    Note: Private VPN gateways are in invitational preview. To use a private VPN gateway, contact your sales manager or submit a ticket.

  • IPsec-VPN connection associated with a transit router

    Public: Indicates an encrypted connection over the Internet.

    Private: Indicates an encrypted connection over an Express Connect circuit.

Method used to implement high availability

  • IPsec-VPN connection associated with a VPN gateway

    Active/standby connections

  • IPsec-VPN connection associated with a transit router

    Equal-cost multi-path (ECMP) routing

Scenario

IPsec-VPN connection associated with a VPN gateway:

  • Connect a data center to a VPC
  • Connect a VPC to a VPC
  • Connect a data center to a VPC by using high availability active/standby connections
  • Connect multiple office networks
  • Encrypt private connections over Express Connect circuits

For more information, see Associate IPsec-VPN connections with VPN gateways.

IPsec-VPN connection associated with a transit router:

  • Connect a data center to a VPC
  • Connect a data center to a VPC by using high availability ECMP connections
  • Connect multiple office networks
  • Encrypt private connections over Express Connect circuits

For more information, see Associate IPsec-VPN connections with transit routers.

SSL-VPN

SSL-VPN is a network connection technology based on the OpenVPN architecture. SSL-VPN is ideal for establishing network connections between Internet clients and VPCs. After you deploy the required resources, you only need to load an SSL client certificate on an Internet client and initiate a connection to a VPC.

SSL-VPN supports only public VPN gateways that use internationally accepted commercial cryptographic algorithms. For more information, see Common scenarios of SSL-VPN.


Benefits

  • Security

    VPN Gateway uses the Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) protocols to encrypt and secure data transmission.

  • Stability

    VPN Gateway adopts the hot-standby architecture to implement failover within a few seconds, enable session persistence, and ensure zero service downtime.

  • Ease of use

    A VPN gateway is ready to use, and its configurations take effect immediately. You can deploy VPN gateways quickly.

  • Cost savings

    VPN Gateway provides encrypted and Internet-based connections that are more cost-effective than Express Connect circuits.