This topic describes how to establish an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway, and how to configure Border Gateway Protocol (BGP) dynamic routing for the VPC and the data center to automatically learn routes. This way, the VPC and the data center can share resources with each other. This reduces network maintenance costs and network configuration errors.
Prerequisites
A public IP address is assigned to the gateway device in the data center before you associate an IPsec-VPN connection with a public VPN gateway.
The gateway device in the data center must support the IKEv1 or IKEv2 protocol to establish an IPsec-VPN connection with a transit router.
The CIDR block of the data center does not overlap with the CIDR block of the network to be accessed.
The gateway device in the data center supports BGP dynamic routing.
Regions that support BGP dynamic routing
Area | Region
Asia-Pacific | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta)
Europe and Americas | Germany (Frankfurt), UK (London), US (Virginia), US (Silicon Valley)
Middle East | UAE (Dubai)
Scenarios
The following scenario is used as an example. An enterprise has created a VPC in the Germany (Frankfurt) region. The private CIDR block of the VPC is 10.0.0.0/8 and the autonomous system number (ASN) is 65530. The enterprise has a data center in Frankfurt. The public IP address of the data center is 2.XX.XX.2, the private CIDR block is 172.17.0.0/16, and the ASN is 65531. The enterprise wants to establish a connection between the VPC and the data center for business development.
You can use IPsec-VPN to establish a connection between the VPC and the data center, and configure BGP dynamic routing. After the configuration is complete, the VPC and the data center can automatically learn routes and communicate with each other by using BGP dynamic routing. This reduces network maintenance costs and network configuration errors.
An autonomous system (AS) is an independently managed network unit that determines the routing protocol used within it. It may consist of a single network or a group of networks controlled by one or more network administrators. Each AS has a globally unique identifier called an ASN.

Preparations
A VPC is created in the Germany (Frankfurt) region and cloud services are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
Make sure that the security group rules for the ECS instances in the VPC allow the on-premises gateway device to access cloud resources. For more information, see Query security group rules and Add a security group rule.
Procedure

Step 1: Create a VPN gateway
Log on to the VPN gateway console.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, configure the parameters described in the following table, click Buy Now, and then complete the payment.
Parameter
Description
Instance Name
The name of the VPN gateway.
Resource Group
The resource group to which the VPN gateway belongs.
If you leave this parameter empty, the VPN gateway belongs to the default resource group. You can manage the resource group to which the VPN gateway belongs and resource groups to which other cloud resources belong in the Resource Management console. For more information, see What is Resource Management?
Region
The region in which you want to create the VPN gateway.
Make sure that the VPN gateway and the VPC with which you want to associate the VPN gateway reside in the same region.
Gateway Type
The type of VPN gateway that you want to create. Default value: Standard.
Network Type
The network type of the VPN gateway. Valid values:
Public: The VPN gateway can be used to establish VPN connections over the Internet.
Private: The VPN gateway can be used to establish VPN connections over private networks.
Note: If you want to establish a VPN connection over a private network, we recommend that you associate a router with the private IPsec-VPN connection. For more information, see Create multiple private IPsec-VPN connections to implement load balancing.
Tunnels
The tunnel mode of the VPN gateway. The system displays the tunnel modes that are supported in this region. Valid values:
Single-tunnel
Dual-tunnel
For more information about the tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
VPC
The VPC with which you want to associate the VPN gateway.
vSwitch
The vSwitch with which you want to associate the VPN gateway. Select a vSwitch from the selected VPC.
If you select Single-tunnel, you need to specify only one vSwitch.
If you select Dual-tunnel, you need to specify two vSwitches.
After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) for each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch.
Note: The system selects a vSwitch by default. You can change or use the default vSwitch.
After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.
vSwitch 2
The other vSwitch with which you want to associate the VPN gateway in the associated VPC if you select Dual-tunnel.
Specify two vSwitches in different zones in the associated VPC to implement disaster recovery across zones for IPsec-VPN connections.
For a region that supports only one zone, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can also select the same vSwitch as the first one.
Peak Bandwidth
The maximum bandwidth of the VPN gateway. Unit: Mbit/s.
Traffic
The metering method of the VPN gateway. Default value: Pay-by-data-transfer.
IPsec-VPN
Specifies whether to enable the IPsec-VPN feature for the VPN gateway. Default value: Enable.
You must enable this feature if you want to establish an IPsec-VPN connection.
SSL-VPN
Specifies whether to enable the SSL-VPN feature for the VPN gateway. Default value: Disable.
You do not need to enable this feature for the VPN gateway to establish an IPsec-VPN connection.
Billing Cycle
The billing cycle of the VPN gateway. Default value: By Hour.
Service-linked Role
Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn.
VPN Gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.
If Created is displayed, the service-linked role is created and you do not need to create it again.
After the VPN gateway is created, the system assigns an IP address to the VPN gateway to establish an IPsec-VPN connection with the on-premises data center.
What to do next
After the VPN gateway is created, you must also create a customer gateway before you can establish an IPsec-VPN connection. The customer gateway is used to register the information about the gateway device of your data center with Alibaba Cloud. The information includes the public IP address of the gateway device and its Border Gateway Protocol (BGP) autonomous system number (ASN). For more information, see Create and manage a customer gateway.
The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the state of the VPN gateway changes to Normal, the VPN gateway is ready for use. After the VPN gateway is created, a public IP address is automatically assigned to the gateway for establishing VPN connections.
If you want to use an existing VPN gateway, make sure that it is updated to the latest version. By default, if the existing VPN gateway is not of the latest version, you cannot use the BGP dynamic routing feature.
If the Upgrade button is displayed for your VPN gateway, you can click the Upgrade button to upgrade the gateway to the latest version. For more information, see Upgrade a VPN gateway.
Step 2: Enable BGP dynamic routing
BGP is used to exchange routing information between different ASs. To use the BGP dynamic routing feature, you must enable the BGP dynamic routing feature for the VPN gateway.
In the left navigation pane, choose .
In the top navigation bar, select the region where the VPN gateway instance resides.
On the VPN Gateways page, find the created VPN Gateway and turn on the switch in the Enable Automatic Route Advertisement column.
After the BGP dynamic routing feature is enabled, the VPN Gateway automatically advertises BGP routes to the VPC.
Step 3: Create a customer gateway
You can create a customer gateway to register the public IP address and BGP ASN of the data center with Alibaba Cloud.
In the navigation pane on the left, choose .
In the top navigation bar, select the region in which you want to create the customer gateway.
Note: The customer gateway and the VPN gateway to be connected must be deployed in the same region.
On the Customer Gateway page, click Create Customer Gateway.
In the Create Customer Gateway panel, configure the parameters that are described in the following table and click OK.
The following table describes only the parameters that are relevant to this topic. You can use the default values of other parameters or leave them empty. For more information, see Customer gateway.
Parameter
Description
IP Address
The public IP address of the gateway device in the data center. In this example, 2.XX.XX.2 is used.
ASN
The ASN of the gateway device in the data center. In this example, 65531 is used.
Step 4: Create an IPsec-VPN connection
In the left navigation pane, choose .
On the IPsec Connections page, click Bind VPN Gateway.
Configure the parameters that are described in the following table and click OK.
The following table describes only the parameters that are relevant to this topic. You can use the default values of other parameters or leave them empty. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.
Parameter
Description
Name
The name of the IPsec-VPN connection.
Region
Select the region where the VPN gateway to be associated with the IPsec-VPN connection is deployed.
The IPsec-VPN connection is created in the same region as the VPN gateway.
Bind VPN Gateway
The VPN gateway to be associated with the IPsec-VPN connection.
In this example, the VPN gateway that is created in Step 1 is selected.
Routing Mode
Select a routing mode.
Valid values: Destination Routing Mode or Protected Data Flows. If the IPsec-VPN connection uses BGP dynamic routing, we recommend that you select Destination Routing Mode. In this example, Destination Routing Mode is selected.
Effective Immediately
Specify whether to immediately start negotiations for the connection.
Yes: immediately starts negotiations after the configuration is complete.
No: starts negotiations when inbound traffic is detected.
In this example, Yes is selected.
Customer Gateway
The customer gateway to be associated with the IPsec-VPN connection.
In this example, the customer gateway that is created in Step 3 is selected.
Pre-shared Key
The pre-shared key that is used for authentication.
The pre-shared keys must be the same on both the VPN gateway associated with the IPsec-VPN connection and the gateway device in the data center. In this example, 123456**** is used.
Enable BGP
Specify whether to enable Border Gateway Protocol (BGP). If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.
In this example, Enable BGP is turned on.
Local ASN
The local ASN of the tunnel. Default value: 45104.
In this example, 65530 is used.
Encryption Configuration
Use the default values of parameters except for the following parameters.
Set the DH Group parameter in the IKE Configurations section to group14.
Set the DH Group parameter in the IPsec Configurations section to group14.
Note: You must configure parameters in the Encryption Configuration section based on the gateway device in the data center to ensure that the encryption configurations of the IPsec-VPN connection are consistent with those of the gateway device in the data center.
BGP Configuration
Tunnel CIDR Block
The CIDR block of the IPsec tunnel. In this example, 169.254.10.0/30 is used.
Local BGP IP address
The BGP IP address on the VPC side. The IP address must fall within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is used.
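The prerequisites require that the CIDR block of the data center does not overlap the CIDR block of the VPC, and the BGP configuration requires that the local BGP IP address falls within the tunnel CIDR block. The following Python script is added here as an example; it is not part of the original topic and not an Alibaba Cloud tool. It checks an addressing plan against those two rules before you enter the values in the console, using the values from this topic (10.0.0.0/8, 172.17.0.0/16, 169.254.10.0/30, 169.254.10.1). The additional check that the tunnel CIDR block does not overlap either private range, and the derivation of the data center's BGP address as the other usable host of the /30, are assumptions of this example rather than requirements stated in the topic.

```python
# Added example: sanity checks for the IPsec-VPN + BGP addressing plan.
# Not part of the original topic. Values are the ones used in the topic;
# the tunnel-overlap check and the peer-address derivation are assumptions.
import ipaddress
from typing import List


def check_address_plan(vpc_cidr: str, dc_cidr: str, tunnel_cidr: str,
                       local_bgp_ip: str) -> List[str]:
    """Return a list of problems found. An empty list means the plan is consistent."""
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    dc = ipaddress.ip_network(dc_cidr, strict=True)
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
    bgp_ip = ipaddress.ip_address(local_bgp_ip)

    # Prerequisite from the topic: the data center CIDR block must not
    # overlap the CIDR block of the network to be accessed (the VPC).
    if vpc.overlaps(dc):
        problems.append(f"data center CIDR {dc} overlaps VPC CIDR {vpc}")

    # Requirement from Step 4: the local BGP IP must fall within the tunnel CIDR.
    if bgp_ip not in tunnel:
        problems.append(f"local BGP IP {bgp_ip} is outside tunnel CIDR {tunnel}")
    elif bgp_ip in (tunnel.network_address, tunnel.broadcast_address):
        # Assumption: network and broadcast addresses are not usable host addresses.
        problems.append(f"local BGP IP {bgp_ip} is not a usable host address in {tunnel}")

    # Assumption (not stated in the topic): the tunnel CIDR should not collide
    # with either side's private address space, or the BGP session traffic
    # could be routed into the wrong network.
    for name, net in (("VPC", vpc), ("data center", dc)):
        if tunnel.overlaps(net):
            problems.append(f"tunnel CIDR {tunnel} overlaps {name} CIDR {net}")

    return problems


def peer_bgp_ip(tunnel_cidr: str, local_bgp_ip: str) -> str:
    """Assumption: the data center side uses the other usable host address of the /30."""
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
    hosts = list(tunnel.hosts())
    if len(hosts) != 2:
        raise ValueError(f"expected a point-to-point tunnel block with two hosts, got {tunnel}")
    local = ipaddress.ip_address(local_bgp_ip)
    if local not in hosts:
        raise ValueError(f"{local} is not a usable host address in {tunnel}")
    return str(hosts[0] if hosts[1] == local else hosts[1])


if __name__ == "__main__":
    # Values from this topic.
    plan = {
        "vpc_cidr": "10.0.0.0/8",
        "dc_cidr": "172.17.0.0/16",
        "tunnel_cidr": "169.254.10.0/30",
        "local_bgp_ip": "169.254.10.1",
    }
    found = check_address_plan(**plan)
    if found:
        for p in found:
            print("PROBLEM:", p)
    else:
        print("addressing plan is consistent")
        print("data center BGP peer address (assumed):",
              peer_bgp_ip(plan["tunnel_cidr"], plan["local_bgp_ip"]))
```

Run the script before creating the IPsec-VPN connection; if it reports a problem, fix the plan rather than the console input, since overlapping CIDR blocks cannot be corrected after routes are being exchanged.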
In the Created message, click OK.
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage, and click Download Configuration in the Actions column.
In the IPsec-VPN Connection Configuration dialog box, copy the configuration and save it to a local path. You can use the configuration to configure your on-premises gateway device.
Step 5: Add VPN configurations to the gateway device in the data center
After you create an IPsec-VPN connection, you need to add the VPN configurations to the gateway device in the data center to establish a VPN connection between the VPC and the data center.
Add the VPN configuration to the customer gateway device. For more information, see Single tunnel configuration example in Configure a Cisco firewall.
Download the VPN configurations to be added to the gateway device in the data center. For more information, see the "Download the configurations of an IPsec-VPN connection" section of the Create and manage IPsec-VPN connections in single tunnel mode topic.
Add the VPN configurations to the gateway device in the data center. For more information, see the Configure an IPsec-VPN configuration in single-tunnel mode section of the Load the IPsec-VPN configuration to a Cisco firewall device topic.
After the IPsec-VPN connection is created, routes are automatically advertised based on BGP dynamic routing.
After you advertise the CIDR block of the data center by using BGP dynamic routing on the gateway device in the data center, the VPN gateway on Alibaba Cloud automatically advertises the routes that are learned from the data center to the system route table of the VPC. You can view route information about the system route table on the Dynamic Route tab.
The VPN Gateway on Alibaba Cloud automatically learns the system routes from the system route table of the VPC and automatically advertises the routes to the gateway device in the data center.
Step 6: Test the connectivity
Log on to an Elastic Compute Service (ECS) instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.
Run the ping command to access a client in the data center and check the connectivity. The result shows that the ECS instance in the VPC can access the client in the data center.
Log on to the client in the data center.
Run the ping command to access the ECS instance in the VPC and check the connectivity. The result shows that the client in the data center can access the ECS instance in the VPC.