VPN Gateway provides network connection services that securely and reliably connect enterprise data centers, office networks, and Internet clients to an Alibaba Cloud Virtual Private Cloud (VPC) through encrypted and private tunnels.
Alibaba Cloud VPN Gateway provides services in compliance with state policies and regulations. You can use VPN Gateway to establish only intra-border connections. For more information, see What are cross-border connections and non-cross-border connections?
Features
VPN Gateway supports IPsec-VPN and SSL-VPN connections. These types of connections are ideal for different scenarios.
IPsec-VPN
IPsec-VPN is a route-based network connection technology. IPsec-VPN provides flexible traffic routing methods and allows you to configure and maintain VPN policies efficiently. You can use IPsec-VPN to establish connections between VPCs and data centers or office networks.
The method used to establish an IPsec-VPN connection varies based on the resource associated with the IPsec-VPN connection. For more information, see the following figures.
Associate an IPsec-VPN connection with a VPN gateway
In scenarios where IPsec-VPN connections are associated with VPN gateways, the current single-tunnel mode is upgraded to the dual-tunnel mode. The dual-tunnel mode improves the high availability of IPsec-VPN connections. For more information about the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
Associate an IPsec-VPN connection with a transit router
Comparison
The following table describes the differences between IPsec-VPN connections associated with VPN gateways and IPsec-VPN connections associated with transit routers.
Item | Associated with a VPN gateway | Associated with a transit router |
Associated resource | To create an IPsec-VPN connection, you must purchase a VPN gateway and associate the VPN gateway with a VPC. Your data center or office network can communicate with the associated VPC or with other networks through the associated VPC. | You do not need to purchase a VPN gateway or associate the VPN gateway with a VPC to create an IPsec-VPN connection. You must create a Cloud Enterprise Network (CEN) instance and create a transit router on the CEN instance. Your data center or office network can communicate with all VPCs connected to the transit router or with other networks through the transit router. |
Supported encryption algorithm | Commercial cryptographic algorithms that comply with international standards | Commercial cryptographic algorithms that comply with international standards |
Tunnel mode supported by IPsec-VPN connections | | Single-tunnel mode |
Maximum bandwidth supported by each IPsec-VPN connection | 1,000 Mbit/s. Note: The maximum bandwidth supported by VPN gateways in some regions is 200 Mbit/s. For more information about the regions, see Limits on VPN gateways. | 1 Gbit/s by default. You can increase the bandwidth of an IPsec-VPN connection by using other methods. For more information, see the How do I increase the maximum bandwidth of IPsec-VPN connections? section of the "FAQ about VPN gateways" topic. |
Maximum number of packets that can be transmitted through each IPsec-VPN connection per second | 120,000 (256 bytes per packet) | 120,000 (256 bytes per packet) |
Supported network type | | |
Method used to implement high availability | Active/standby connections | Equal-cost multi-path (ECMP) routing |
Typical scenarios | For more information, see Associate IPsec-VPN connections with VPN gateways. | For more information, see Associate IPsec-VPN connections with transit routers. |
SSL-VPN
SSL-VPN is a network connection technology based on the OpenVPN architecture. SSL-VPN is ideal for establishing network connections between Internet clients and VPCs. After you deploy the required resources, you only need to load an SSL client certificate on an Internet client and initiate a connection to a VPC.
SSL-VPN supports only public VPN gateways that use internationally accepted commercial cryptographic algorithms. For more information about SSL-VPN scenarios, see Common scenarios of SSL-VPN.
Benefits
Secure
VPN Gateway uses the Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) protocols to encrypt and secure data transmission.
Stable
VPN Gateway uses a hot-standby architecture to implement failover within a few seconds, enable session persistence, and ensure zero service downtime.
Easy-to-use
A VPN gateway is ready to use, and its configurations take effect immediately. You can deploy VPN gateways quickly.
Cost-effective
VPN Gateway provides encrypted and Internet-based connections that are more cost-effective than Express Connect circuits.