
VPN Gateway: Establish IPsec-VPN connections between two VPCs

Last Updated: Jul 23, 2024

This topic describes how to use IPsec-VPN to establish a secure connection between two virtual private clouds (VPCs). This way, the cloud resources in one VPC can access the cloud resources in the other VPC.

Scenarios

Note
  • VPN gateways do not support cross-border connections. When you create an IPsec-VPN connection between two VPCs, both the VPCs must be in the Chinese mainland or outside the Chinese mainland. For more information about the regions that are in the Chinese mainland or outside the Chinese mainland, see Intra-border connections.

  • If you want to create a connection between a VPC in the Chinese mainland and a VPC outside the Chinese mainland, we recommend that you use the Cloud Enterprise Network (CEN) service. For more information, see What is CEN?

  • If you create an IPsec-VPN connection between two VPCs that are in different regions, the IPsec-VPN connection quality is determined by the Internet connection quality. In this case, we recommend that you use CEN to connect the VPCs. For more information, see Use Enterprise Edition transit routers to connect VPCs across regions and accounts.

The following scenario is used as an example in this topic: An enterprise created a VPC named VPC 1 in the China (Hangzhou) region and another VPC named VPC 2 in the China (Qingdao) region. Elastic Compute Service (ECS) instances are deployed in the VPCs, and services are deployed on the ECS instances. Due to business development, the services in VPC 1 and VPC 2 need to communicate with each other.

To ensure network security, the enterprise decides to use VPN gateways to establish an IPsec-VPN connection between VPC 1 and VPC 2. This way, data transmission between the VPCs is encrypted and the cloud resources can communicate with each other over secure connections.

Figure: VPC-to-VPC interconnection

Prerequisites

  • VPC 1 is created in the China (Hangzhou) region and VPC 2 is created in the China (Qingdao) region. Elastic Compute Service (ECS) instances are deployed in the VPCs, and services are deployed on the ECS instances. For more information, see Create an IPv4 VPC.

    The following table describes the configurations of VPC 1 and VPC 2 in this example.

    Important

    You can specify the CIDR blocks based on your business requirements. Make sure that the CIDR blocks that need to communicate do not overlap.

    | VPC name | Region | VPC CIDR block | VPC ID | ECS instance name | ECS instance IP address |
    |---|---|---|---|---|---|
    | VPC1 | China (Hangzhou) | 192.168.0.0/16 | vpc-bp1e0yx3nsosmitth**** | ECS1 | 192.168.20.161 |
    | VPC2 | China (Qingdao) | 10.0.0.0/16 | vpc-m5e83sapxp88cgp5f**** | ECS2 | 10.0.1.110 |

  • You understand the security group rules that apply to the ECS instances in the VPCs. Make sure that the security group rules allow the ECS instances to communicate with each other. For more information, see View security group rules and Add a security group rule.

Procedure

Figure: VPC-to-VPC interconnection - configuration procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region where you want to create the VPN gateway.

    In this example, the China (Hangzhou) region is selected.

    Note

    The VPN gateway must belong to the same region as the VPC that you want to associate with the VPN gateway.

  3. On the VPN Gateways page, click Create VPN Gateway.

  4. On the buy page, set the following parameters, click Buy Now, and then complete the payment.

    | Parameter | Description |
    |---|---|
    | Name | Enter a name for the VPN gateway. In this example, VPN Gateway 1 is entered. |
    | Region | Select the region where you want to deploy the VPN gateway. In this example, the China (Hangzhou) region is selected. |
    | Gateway Type | Select a VPN gateway type. In this example, Standard is selected. |
    | Network Type | Select the network type of the VPN gateway. In this example, Public is selected. |
    | Tunnels | The supported tunnel modes are automatically displayed. |
    | VPC | Select the VPC with which you want to associate the VPN gateway. In this example, VPC 1 is selected. |
    | VSwitch | Select a vSwitch from the selected VPC. If you select Single-tunnel, you need to specify only one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches. See the note below the table. |
    | vSwitch 2 | Select another vSwitch from the selected VPC. Ignore this parameter if you select Single-tunnel. |
    | Maximum Bandwidth | Specify a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. |
    | Traffic | Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing. |
    | IPsec-VPN | Specify whether to enable IPsec-VPN. In this example, Enable is selected. |
    | SSL-VPN | Specify whether to enable SSL-VPN. In this example, Disable is selected. |
    | Duration | Select a billing cycle. Default value: By Hour. |
    | Service-linked Role | Click Create Service-linked Role. The system then automatically creates the service-linked role AliyunServiceRoleForVpn, which the VPN gateway assumes to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again. |

    Note on the VSwitch parameter

    • In dual-tunnel mode, after the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) in each of the two vSwitches as an interface to communicate with the VPC over the IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch.

    • By default, the system selects a vSwitch. You can keep the default vSwitch or select another one.

    • After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.

    For more information, see Create a VPN gateway.

  5. Return to the VPN Gateways page to view the VPN gateway.

    After you create a VPN gateway, it is in the Preparing state. After 1 to 5 minutes, the VPN gateway changes to the Normal state. After the VPN gateway changes to the Normal state, the VPN gateway is ready for use.

  6. Repeat Substeps 2 to 4 of Step 1 to create a VPN gateway named VPN Gateway 2 in the China (Qingdao) region. Specify VPC 2 for the VPC parameter. Specify the same values as for VPN Gateway 1 for the other parameters.

    The following table describes the information about the VPN gateways that are created in this example.

    | Region | VPN gateway name | VPC name | VPN gateway ID | VPN gateway IP address |
    |---|---|---|---|---|
    | China (Hangzhou) | VPN Gateway 1 | VPC1 | vpn-bp1l5zihic47jprwa**** | 120.XX.XX.40 |
    | China (Qingdao) | VPN Gateway 2 | VPC2 | vpn-m5eqjnr4ii6jajpms**** | 118.XX.XX.20 |

Step 2: Create a customer gateway

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  2. In the top navigation bar, select the region of the customer gateway.

    Note

    Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.

  3. On the Customer Gateway page, click Create Customer Gateway.

  4. In the Create Customer Gateway panel, set the following parameters and click OK.

    You must create a customer gateway in the China (Hangzhou) region and the China (Qingdao) region. The following table describes the parameters of the customer gateways.

    | Parameter | Description | China (Hangzhou) | China (Qingdao) |
    |---|---|---|---|
    | Name | Enter a name for the customer gateway. | Customer1 | Customer2 |
    | IP Address | Enter the public IP address of the customer gateway. | 118.XX.XX.20, the IP address of VPN Gateway 2 | 120.XX.XX.40, the IP address of VPN Gateway 1 |

    Note

    In this example, VPN Gateway 1 is the customer gateway of VPC 2, and VPN Gateway 2 is the customer gateway of VPC 1.

    For more information, see Create a customer gateway.

    The following table describes the information about the VPN gateway, customer gateway, and VPC in each region.

    | Region | VPC name | VPN gateway name | Customer gateway name | Customer gateway ID | Customer gateway IP address |
    |---|---|---|---|---|---|
    | China (Hangzhou) | VPC1 | VPN Gateway 1 | Customer1 | cgw-bp1er5cw26c2b35vm**** | 118.XX.XX.20 |
    | China (Qingdao) | VPC2 | VPN Gateway 2 | Customer2 | cgw-m5e6qdvuxquse3fvm**** | 120.XX.XX.40 |

Step 3: Create an IPsec-VPN connection

After you create the VPN gateways and customer gateways, you can create IPsec-VPN connections to connect the VPN gateways to the customer gateways.

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. In the top navigation bar, select the region in which the IPsec-VPN connection resides.

  3. On the IPsec Connections page, click Create IPsec-VPN Connection.

  4. On the Create IPsec-VPN Connection page, set the parameters for the IPsec-VPN connection, and click OK.

    You must create an IPsec-VPN connection in the China (Hangzhou) region and another IPsec-VPN connection in the China (Qingdao) region. The following table describes the parameters of the IPsec-VPN connections.

    | Parameter | Description | China (Hangzhou) | China (Qingdao) |
    |---|---|---|---|
    | Name | Enter a name for the IPsec-VPN connection. | IPsec-VPN Connection 1 | IPsec-VPN Connection 2 |
    | VPN Gateway | Select the VPN gateway that you created. | VPN Gateway 1 | VPN Gateway 2 |
    | Customer Gateway | Select the customer gateway that you created. | Customer1 | Customer2 |
    | Routing Mode | Select a routing mode. | Destination Routing Mode | Destination Routing Mode |
    | Effective Immediately | Specify whether to immediately start negotiations. See the note below the table. | No | Yes |
    | Pre-Shared Key | Enter a pre-shared key. See the note below the table. | fddsFF123**** | Same key as in China (Hangzhou): fddsFF123**** |

    Effective Immediately

    • If you set the Effective Immediately parameter to Yes when you create an IPsec-VPN connection, the negotiations immediately start after the configuration is complete.

    • If you set the Effective Immediately parameter to No when you create an IPsec-VPN connection, the negotiations start when inbound traffic is detected.

    Note

    If you use a VPN gateway to create IPsec-VPN connections between two VPCs, we recommend that you set Effective Immediately to Yes for one IPsec-VPN connection. This way, IPsec negotiations can be immediately started.

    Pre-Shared Key

    • The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?

    • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. After an IPsec-VPN connection is created, you can click Edit in the Actions column to view the pre-shared key that is generated for the IPsec-VPN connection. For more information, see the Modify an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic.

    Important

    The pre-shared key configured for the IPsec-VPN connection and the peer gateway device must be the same. Otherwise, the system cannot establish an IPsec-VPN connection.

    Use the default settings for the other parameters. For more information, see Create and manage an IPsec-VPN connection in single-tunnel mode.

  5. In the Created dialog box, click OK.

Step 4: Configure routes

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. In the top navigation bar, select the region in which the VPN gateway resides.

  3. On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.

  4. On the Destination-based Route Table tab, click Add Route Entry.

  5. In the Add Route Entry panel, set the following parameters and click OK.

    You must add a route on both VPN Gateway 1 and VPN Gateway 2. The following table describes the route parameters.

    | Parameter | Description | VPN Gateway 1 | VPN Gateway 2 |
    |---|---|---|---|
    | Destination CIDR Block | Enter the destination CIDR block. | 10.0.0.0/16, which is the private CIDR block of VPC 2 | 192.168.0.0/16, which is the private CIDR block of VPC 1 |
    | Next Hop Type | Select the next hop type. | IPsec Connection | IPsec Connection |
    | Next Hop | Select a next hop. | IPsec-VPN Connection 1 | IPsec-VPN Connection 2 |
    | Publish to VPC | Specify whether to advertise the route to the VPC that is associated with the VPN gateway. | Yes | Yes |
    | Weight | Select a weight for the route. 100 specifies a high priority for the route; 0 specifies a low priority. | 100 (default) | 100 (default) |

    For more information, see Add a destination-based route.
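As an added example that is not part of this topic or the VPN Gateway product, the following Python script checks that the two sides of the configuration built in Steps 2 to 4 agree with each other: the VPC CIDR blocks do not overlap, each customer gateway IP address is the peer VPN gateway's public IP address, each destination route points at the peer VPC, the pre-shared keys are identical and satisfy the length and character rules, and at least one connection has Effective Immediately set to Yes. The sample data mirrors this topic's example; the public IP addresses are constructed stand-ins for the masked 120.XX.XX.40 and 118.XX.XX.20, and the pre-shared key is a constructed placeholder.

```python
import ipaddress
import re

# Allowed pre-shared key characters as listed in Step 3: digits, letters and
# ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?  (1 to 100 chars)
_PSK_RE = re.compile(r"[0-9A-Za-z~`!@#$%^&*()_\-+={}\[\]\\|;:',.<>/?]{1,100}")


def check_psk(psk):
    """Return True if the key satisfies the length and character rules."""
    return _PSK_RE.fullmatch(psk) is not None


def validate_pair(a, b):
    """Return a list of mismatches between the two sides (empty if consistent).

    Each side is a dict with: vpc_cidr, vpn_gw_ip (its own public IP),
    cgw_ip (the customer gateway IP entered on this side), route_dest
    (the destination CIDR block of its route), psk, effective_immediately.
    """
    problems = []
    if ipaddress.ip_network(a["vpc_cidr"]).overlaps(ipaddress.ip_network(b["vpc_cidr"])):
        problems.append("VPC CIDR blocks overlap")
    for side, peer, name in ((a, b, "A"), (b, a, "B")):
        # Each customer gateway must carry the peer VPN gateway's public IP.
        if side["cgw_ip"] != peer["vpn_gw_ip"]:
            problems.append(f"side {name}: customer gateway IP is not the peer VPN gateway IP")
        # Each destination route must cover the peer VPC's private CIDR block.
        if ipaddress.ip_network(side["route_dest"]) != ipaddress.ip_network(peer["vpc_cidr"]):
            problems.append(f"side {name}: destination route does not match the peer VPC CIDR")
        if not check_psk(side["psk"]):
            problems.append(f"side {name}: pre-shared key violates the length/character rules")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if not (a["effective_immediately"] or b["effective_immediately"]):
        problems.append("neither connection has Effective Immediately set to Yes")
    return problems


# Constructed sample mirroring this topic: TEST-NET addresses stand in for the
# masked gateway IPs, and the pre-shared key is a placeholder, not a real key.
HANGZHOU = {"vpc_cidr": "192.168.0.0/16", "vpn_gw_ip": "192.0.2.40",
            "cgw_ip": "198.51.100.20", "route_dest": "10.0.0.0/16",
            "psk": "ExamplePSK123", "effective_immediately": False}
QINGDAO = {"vpc_cidr": "10.0.0.0/16", "vpn_gw_ip": "198.51.100.20",
           "cgw_ip": "192.0.2.40", "route_dest": "192.168.0.0/16",
           "psk": "ExamplePSK123", "effective_immediately": True}

if __name__ == "__main__":
    print(validate_pair(HANGZHOU, QINGDAO) or "configuration is consistent")
```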

Step 5: Test the network connectivity

  1. Log on to ECS1 in VPC1.

    For more information about how to log on to an ECS instance, see Guidelines on instance connection.

  2. Run the ping command to ping the IP address of ECS 2 to test network connectivity.

    ping <IP address of ECS 2>

    If you can receive echo reply packets as shown in the following figure, the VPCs can communicate with each other.

    Figure: VPC-to-VPC interconnection - connectivity test