VPN Gateway: [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode

Last Updated: Apr 09, 2024

Valued Alibaba Cloud users, IPsec-VPN connections of VPN gateways now support the dual-tunnel mode. In dual-tunnel mode, each IPsec-VPN connection has an active tunnel and a standby tunnel deployed in different zones. If the active tunnel is down, the standby tunnel takes over. This implements disaster recovery across zones and ensures high availability.

Limits

  • The dual-tunnel mode is supported in the following regions and zones.

    Region: Zones
    China (Hangzhou): Zone K, Zone J, Zone I, Zone H, and Zone G
    China (Shanghai): Zone K, Zone L, Zone M, Zone N, Zone B, Zone D, Zone E, Zone F, and Zone G
    China (Nanjing - Local Region): Zone A
    China (Shenzhen): Zone A, Zone E, Zone D, and Zone F
    China (Heyuan): Zone A and Zone B
    China (Guangzhou): Zone A and Zone B
    China (Qingdao): Zone B and Zone C
    China (Beijing): Zone F, Zone E, Zone H, Zone G, Zone A, Zone C, Zone J, Zone I, Zone L, and Zone K
    China (Zhangjiakou): Zone A, Zone B, and Zone C
    China (Hohhot): Zone A and Zone B
    China (Ulanqab): Zone A, Zone B, and Zone C
    China (Chengdu): Zone A and Zone B
    China (Hong Kong): Zone B, Zone C, and Zone D
    Singapore: Zone A, Zone B, and Zone C
    Thailand (Bangkok): Zone A
    Japan (Tokyo): Zone A, Zone B, and Zone C
    South Korea (Seoul): Zone A
    Philippines (Manila): Zone A
    Indonesia (Jakarta): Zone A, Zone B, and Zone C
    Malaysia (Kuala Lumpur): Zone A and Zone B
    India (Mumbai): Zone A and Zone B
    UK (London): Zone A and Zone B
    Germany (Frankfurt): Zone A, Zone B, and Zone C
    US (Silicon Valley): Zone A and Zone B
    US (Virginia): Zone A and Zone B
    Australia (Sydney): Zone B
    UAE (Dubai): Zone A

  • If you purchase new VPN gateways in regions that support the dual-tunnel mode, IPsec-VPN connections of the new VPN gateways support only the dual-tunnel mode and do not support the single-tunnel mode.

  • IPsec-VPN connections of existing VPN gateways in the supported regions support only the single-tunnel mode until the gateway is upgraded. You can upgrade a VPN gateway to support the dual-tunnel mode. After a VPN gateway is upgraded, you can no longer create IPsec-VPN connections in single-tunnel mode on that VPN gateway. For more information, see Upgrade a VPN gateway to enable the dual-tunnel mode.

  • IPsec-VPN connections in the regions that do not support the dual-tunnel mode support only the single-tunnel mode.

  • In scenarios where an IPsec-VPN connection is associated with a transit router, the dual-tunnel mode is not supported.

Networking in dual-tunnel mode

Figure: Dual-tunnel mode upgrade notice

Compared with the current single-tunnel mode, the dual-tunnel mode supports two encrypted tunnels for each IPsec-VPN connection. By default, data is transferred through the active tunnel specified by the system. If the active tunnel is down, the standby tunnel takes over.

  • If you create a VPN gateway in dual-tunnel mode, you need to specify two vSwitches in different zones from the virtual private cloud (VPC) to which the VPN gateway belongs. The two vSwitches are used to create the dual-tunnel IPsec-VPN connections, which implements disaster recovery across zones.

    Note

    For a region that supports only one zone, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in that zone to implement high availability. You can specify the same vSwitch twice.

  • After you create a VPN gateway, the system assigns two IP addresses to create two tunnels.

    After you enable SSL-VPN for a public VPN gateway, the system allocates an additional IP address that is used to establish an SSL-VPN connection between a client and the VPN gateway. An SSL-VPN connection and an IPsec-VPN connection use different IP addresses.

  • When you create a dual-tunnel IPsec-VPN connection in the VPN console, you need to separately configure two tunnels and associate each tunnel with a customer gateway. You can associate the two tunnels with the same customer gateway.

    After you configure the two tunnels, you need to add VPN configurations to the on-premises gateway device to establish a dual-tunnel IPsec-VPN connection.

Data transfer in dual-tunnel mode

Figure: Traffic transfer direction

  • From the VPN gateway to the data center (displayed in yellow in the figure)

    • If you configure only one tunnel when you create an IPsec-VPN connection, data is transferred from the VPN gateway to the data center through this tunnel. If the tunnel is down, data transfer is interrupted.

    • If you configure two tunnels, data is transferred from the VPN gateway to the data center through the active tunnel by default. If the active tunnel is down, the standby tunnel takes over. When the active tunnel recovers, traffic switches back to the active tunnel.

  • From the data center to the VPN gateway (displayed in gray in the figure)

    The traffic path from the data center to the VPN gateway depends on the route configuration of the on-premises gateway device.

    For example, in scenarios where a data center is connected to a VPC through an IPsec-VPN connection, you can add route configurations to the on-premises gateway device so that data can be transferred between the data center and the VPC through the active tunnel. You can also specify the active tunnel to transfer data from the VPC to the data center and specify a standby tunnel to transfer data from the data center to the VPC.

    Important

    If both tunnels are enabled, we recommend that you use the active tunnel to transfer data from the data center to the VPC. By default, the active tunnel is used to transfer data from the VPC to the data center. If you use the standby tunnel to transfer data from the data center to the VPC, communication may fail. For more information, see What do I do if a data center cannot access a CLB instance through an IPsec-VPN connection in dual-tunnel mode?

Guides on route configurations for the dual-tunnel mode

We recommend that you configure routes for dual-tunnel IPsec-VPN connections based on the following suggestions:

  • We recommend that you configure the same routing protocol (static or BGP) for the two tunnels of an IPsec-VPN connection.

  • If an IPsec-VPN connection uses BGP dynamic routing, the Local ASN of the two tunnels must be the same. The peer ASNs of the two tunnels can be different, but we recommend that you use the same peer ASN.

  • In scenarios where multiple IPsec-VPN connections are established on a VPN gateway:

    • If you configure static routes for the IPsec-VPN connections, the destination CIDR blocks of the policy-based or destination-based routes for different connections cannot overlap with each other. Otherwise, the routes may not take effect.

    • If you configure BGP dynamic routing for the IPsec-VPN connections, the destination CIDR blocks of the routes advertised to the VPN gateway through the IPsec-VPN connections cannot overlap with each other. Otherwise, the routes may not take effect.
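The following preflight validator is an added example written for this notice; it is not code from Alibaba Cloud or the VPN Gateway product. It encodes the rules stated above in a form that can be run before changing a gateway: the two vSwitches named at gateway creation must sit in different zones (the same zone is allowed only in a single-zone region, as in the Networking section), both tunnels of a connection must use the same routing protocol, BGP local ASNs must match (differing peer ASNs are only a warning), and destination CIDR blocks of different connections on one gateway must not overlap. The zone table is a subset of the list in this notice, copied here as data; the region and zone names, the `Tunnel` and `VpnConnection` types, and the sample connections are all constructed for the example.

```python
"""Preflight checks for a dual-tunnel IPsec-VPN deployment (added example, not product code)."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Subset of the supported zone table in this notice, copied as data.
# The console is authoritative for the current list.
DUAL_TUNNEL_ZONES: Dict[str, set] = {
    "China (Hangzhou)": {"G", "H", "I", "J", "K"},
    "China (Shenzhen)": {"A", "D", "E", "F"},
    "Singapore": {"A", "B", "C"},
    "Thailand (Bangkok)": {"A"},  # single-zone region
}


def check_vswitch_zones(region: str, zone_a: str, zone_b: str) -> Tuple[bool, str]:
    """Validate the zone placement of the two vSwitches given at gateway creation."""
    zones = DUAL_TUNNEL_ZONES.get(region)
    if zones is None:
        return False, f"{region}: dual-tunnel mode is not supported in this region"
    for zone in (zone_a, zone_b):
        if zone not in zones:
            return False, f"{region}: Zone {zone} is not a supported zone {sorted(zones)}"
    if zone_a != zone_b:
        return True, "ok: vSwitches in different zones, cross-zone disaster recovery"
    if len(zones) == 1:
        return True, "ok: single-zone region, same zone allowed (no cross-zone disaster recovery)"
    return False, f"{region}: both vSwitches are in Zone {zone_a}; use two different zones"


@dataclass
class Tunnel:
    role: str                        # "active" or "standby"
    protocol: str                    # "static" or "bgp"
    local_asn: Optional[int] = None  # BGP only
    peer_asn: Optional[int] = None   # BGP only


@dataclass
class VpnConnection:
    """A connection plus the destination CIDR blocks it contributes to the gateway:
    static route destinations, or the prefixes the peer advertises over BGP."""
    name: str
    tunnels: List[Tunnel]
    destination_cidrs: List[str] = field(default_factory=list)


def check_connection(conn: VpnConnection) -> Tuple[List[str], List[str]]:
    """Rules that apply within one connection. Returns (errors, warnings)."""
    errors, warnings = [], []
    protocols = {t.protocol for t in conn.tunnels}
    if len(protocols) > 1:
        errors.append(f"{conn.name}: tunnels use different routing protocols {sorted(protocols)}")
    bgp = [t for t in conn.tunnels if t.protocol == "bgp"]
    if len({t.local_asn for t in bgp}) > 1:
        errors.append(f"{conn.name}: local ASN must be the same on both tunnels")
    if len({t.peer_asn for t in bgp}) > 1:
        warnings.append(f"{conn.name}: peer ASNs differ; the same peer ASN is recommended")
    return errors, warnings


def check_overlaps(conns: List[VpnConnection]) -> List[str]:
    """Destination CIDR blocks of different connections on one gateway must not overlap."""
    owned = [(c.name, ip_network(cidr, strict=False)) for c in conns for cidr in c.destination_cidrs]
    return [f"{na} {a} overlaps {nb} {b}"
            for (na, a), (nb, b) in combinations(owned, 2)
            if na != nb and a.overlaps(b)]


def check_gateway(conns: List[VpnConnection]) -> Dict[str, List[str]]:
    """Run the per-connection and cross-connection checks for one VPN gateway."""
    errors, warnings = [], []
    for conn in conns:
        e, w = check_connection(conn)
        errors += e
        warnings += w
    errors += check_overlaps(conns)
    return {"errors": errors, "warnings": warnings}


# Constructed sample: two static connections whose destinations overlap, and one
# BGP connection whose two tunnels point at different peer ASNs.
SAMPLE_CONNECTIONS = [
    VpnConnection("to-dc-east", [Tunnel("active", "static"), Tunnel("standby", "static")],
                  ["10.1.0.0/16"]),
    VpnConnection("to-dc-west", [Tunnel("active", "static"), Tunnel("standby", "static")],
                  ["10.1.2.0/24", "10.2.0.0/16"]),  # 10.1.2.0/24 lies inside 10.1.0.0/16
    VpnConnection("to-branch", [Tunnel("active", "bgp", 65010, 65020), Tunnel("standby", "bgp", 65010, 65021)],
                  ["192.168.10.0/24"]),
]

if __name__ == "__main__":
    print(check_vswitch_zones("China (Hangzhou)", "H", "K"))
    print(check_vswitch_zones("Thailand (Bangkok)", "A", "A"))
    for level, messages in check_gateway(SAMPLE_CONNECTIONS).items():
        for msg in messages:
            print(level, msg)
```

Run against the sample, the validator reports one error (the 10.1.2.0/24 destination of to-dc-west falls inside the 10.1.0.0/16 destination of to-dc-east) and one warning (to-branch uses two different peer ASNs). Overlap is checked with `ipaddress.overlaps`, so a /24 inside a /16 is caught as well as partial overlaps; the single-zone rule from the Note in the Networking section is modelled by allowing identical zones only when the region has exactly one supported zone.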

Comparison between the single-tunnel mode and the dual-tunnel mode

Note

After a single-tunnel IPsec-VPN connection is upgraded to a dual-tunnel IPsec-VPN connection, the billing method does not change and no additional fees are charged.

Number of tunnels for each IPsec-VPN connection
  • Single-tunnel mode: 1
  • Dual-tunnel mode: 2

Number of vSwitches required
  • Single-tunnel mode: You need to specify only one vSwitch when you create a VPN gateway.
  • Dual-tunnel mode: You need to specify two vSwitches in different zones when you create a VPN gateway.

High availability
  • Single-tunnel mode: You need to create multiple IPsec-VPN connections on a VPN gateway or create multiple VPN gateways to implement high availability.
  • Dual-tunnel mode: Two tunnels of one IPsec-VPN connection can implement high availability.

Route weights
  • Single-tunnel mode: Supported
  • Dual-tunnel mode: Unsupported

Health check
  • Single-tunnel mode: Supported
  • Dual-tunnel mode: Unsupported

Number of IP addresses assigned to the VPN gateway
  • Single-tunnel mode: After a VPN gateway is created, it is assigned only one IP address. The IP address is used to create an IPsec-VPN or SSL-VPN connection.
  • Dual-tunnel mode: If a VPN gateway that supports both IPsec-VPN and SSL-VPN is created, the VPN gateway is assigned three different IP addresses. An IPsec-VPN connection uses two IP addresses to create two tunnels. An SSL-VPN connection uses one IP address to connect to the client. The three IP addresses are unique.

References

Enable communication between two VPCs by using an IPsec-VPN connection in dual-tunnel mode