VPN Gateway supports dynamic routing with Border Gateway Protocol (BGP). After you connect a data center to Alibaba Cloud through a VPN gateway, you can enable BGP dynamic routing so that the VPN gateway learns routes automatically. This reduces network maintenance costs and the risk of configuration errors.
BGP dynamic routing is available only if your VPN gateway runs the latest version. Earlier versions do not support it.
You can tell whether your VPN gateway runs the latest version from the status of the Upgrade button. If it does not, click Upgrade to update the VPN gateway. For more information, see Upgrade a VPN gateway.
Regions that support BGP dynamic routing
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai)
Europe & Americas
Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)
Middle East & India
BGP is a dynamic routing protocol that runs over Transmission Control Protocol (TCP). It is used to exchange routing and reachability information between autonomous systems (ASs).
BGP dynamic routing is an optional feature of IPsec-VPN connections. It is integrated with the route learning and route advertisement features of Cloud Enterprise Network (CEN). With BGP dynamic routing, you can establish IPsec-VPN connections between Alibaba Cloud and your data center in a more efficient, flexible, and reliable manner.
BGP dynamic routing provides the following features:
Automatically advertises dynamic routes in the cloud and in data centers, and handles route conflicts.
Supports static routing and dynamic routing. These routing methods allow you to route network traffic to specified egresses.
Allows you to establish multiple tunnel connections between a VPN gateway and a data center, and supports equal-cost multi-path routing (ECMP) so that traffic fails over to the remaining tunnels if one tunnel fails.
Before you use BGP dynamic routing to establish an IPsec-VPN connection, take note of the following items:
If the data center is connected to a virtual private cloud (VPC) both over an Express Connect circuit (through a virtual border router (VBR)) and over a VPN gateway for redundancy, specify the same autonomous system number (ASN) for the data center on the VBR and on the VPN gateway. Otherwise, routes may flap in the data center.
If multiple VPCs are attached to the same CEN instance, make sure that the VPN gateways associated with these VPCs are not connected to the data center over BGP. Otherwise, routes may flap in the cloud.
If you use one VPN gateway to establish IPsec-VPN connections with more than one data center, do not advertise the routes learned over one IPsec-VPN connection to another.
If multiple VPN gateways are created in a VPC, do not advertise the routes of one VPN gateway to another.
How BGP dynamic routes are advertised
After an IPsec-VPN connection is established on a VPN gateway, BGP dynamic routes are advertised in the following ways:
To Alibaba Cloud
The customer gateway device uses BGP to advertise the routes destined for the CIDR block of the data center to the VPN gateway on Alibaba Cloud. If automatic BGP advertisement is enabled on the VPN gateway, the VPN gateway advertises the learned routes to the system route table of the VPC. No route is advertised to custom route tables.
To the data center
The VPN gateway on Alibaba Cloud uses BGP to learn the system routes and custom routes in the system route table of the VPC and advertises them to the customer gateway device. Routes in the custom route tables of the VPC are not learned.
Relationship between BGP dynamic routing and static routing
When you use a VPN gateway, you can use BGP dynamic routing or static routing (destination-based routing or policy-based routing) to establish IPsec-VPN connections between a data center and Alibaba Cloud.
You can choose a routing method based on whether the on-premises gateway device supports BGP. If the on-premises gateway device supports BGP, you can use BGP dynamic routing. If the on-premises gateway does not support BGP, you must use static routing.
If you use BGP dynamic routing, you do not need to add static routes to your VPN gateway. Routes are automatically learned and advertised based on the BGP route advertising rules. To enable communication between the data center and Alibaba Cloud, you only need to configure routes on the on-premises gateway device and for cloud resources.
In scenarios where multiple IPsec-VPN connections are established between the data center and Alibaba Cloud by using one VPN gateway, BGP supports ECMP. If one of the IPsec-VPN connections fails, BGP automatically switches routes to ensure high availability.
If you select static routing, you must configure routes for the on-premises gateway device, cloud resources, and the VPN gateway.
If multiple IPsec-VPN connections are established between the data center and Alibaba Cloud by using one VPN gateway, you can use the health check feature to ensure high availability.
The following table shows how routes of different types are applied when routes in the route table of a VPN gateway or a VPC conflict with each other.
Different types of routes are applied in the following order: P0 > P1 > P2 > P3.
Route priority on a VPN gateway
Route priority within a VPC
By default, the BGP route table of a VPN gateway supports up to 50 routes. If you want to increase the quota limit, submit a ticket.
After you enable BGP dynamic routing, the tunnel CIDR block must fall within 169.254.0.0/16 and the subnet mask must be 30. The tunnel CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.
After an IPsec-VPN connection is associated with the VPN gateway, the VPN gateway cannot receive 0.0.0.0/0 routes that are advertised by a BGP peer. After an IPsec-VPN connection is associated with a transit router, the on-premises gateway device and the transit router can advertise 0.0.0.0/0 routes by using BGP.
Do not use BGP to advertise a route whose destination CIDR block is 100.64.0.0/10, a subnet of 100.64.0.0/10, or a supernet that contains 100.64.0.0/10 to a VPN gateway. If such a route is advertised to a VPN gateway, the status of the IPsec-VPN connection cannot be displayed in the VPN Gateway console, or IPsec negotiation fails.
After you enable BGP dynamic routing for multiple IPsec-VPN connections of the same VPN gateway, the IPsec-VPN connections must use the same local ASN.
After you enable BGP dynamic routing for a VPN gateway that is attached to a CEN instance, you must enable overlapping routing for the CEN instance.
Note: By default, overlapping routing is enabled for CEN instances created after March 1, 2019 (UTC+8). For more information about how to enable overlapping routing, see Enable overlapping routing.
If a VPC is associated with multiple VPN gateways, you cannot set the VPN gateways as BGP peers.
In the scenario in which a VPC is associated with multiple VPN gateways and BGP dynamic routing is enabled for the VPN gateways, if the VPN gateways are associated with the same customer gateway, make sure that the IPsec-VPN connections of the VPN gateways use the same local ASN. Otherwise, routing loops may occur.
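The limits above (tunnel CIDR block, the default route, 100.64.0.0/10, and a shared local ASN) are easy to get wrong on the on-premises side. The following Python script is an added example, not Alibaba Cloud code: it encodes those limits as a pre-flight check over a constructed gateway configuration so that a bad prefix or tunnel block is caught before it is pushed to the on-premises device. It covers the case in which the BGP peer is a VPN gateway, not an IPsec-VPN connection attached to a transit router (which accepts 0.0.0.0/0). The dataclass, function names, ASNs and sample prefixes are assumptions for illustration.

```python
"""Pre-flight checks for BGP dynamic routing on a VPN gateway.

Added example, not Alibaba Cloud code. It encodes the limits stated on this
page for the VPN gateway BGP peer case (not a transit router attachment):
  - tunnel CIDR block: a /30 inside 169.254.0.0/16, excluding reserved /30s
  - 0.0.0.0/0 must not be advertised to the VPN gateway
  - nothing equal to, inside, or containing 100.64.0.0/10 may be advertised
  - all IPsec-VPN connections on one gateway must share a local ASN
The dataclass, function names and sample values are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

TUNNEL_SUPERNET = ipaddress.ip_network("169.254.0.0/16")
RESERVED_TUNNEL_BLOCKS = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class IpsecConnection:
    name: str
    tunnel_cidr: str          # BGP tunnel CIDR block, e.g. "169.254.10.0/30"
    local_asn: int            # ASN used on the VPN gateway side
    peer_prefixes: List[str]  # prefixes the on-premises device advertises


def check_tunnel_cidr(cidr: str) -> List[str]:
    """Return the problems with a BGP tunnel CIDR block (empty if valid)."""
    try:
        # strict=True rejects host addresses such as 169.254.10.1/30
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr}: not a valid network address ({exc})"]
    problems = []
    if net.version != 4 or not net.subnet_of(TUNNEL_SUPERNET):
        problems.append(f"{cidr}: must fall within {TUNNEL_SUPERNET}")
    if net.prefixlen != 30:
        problems.append(f"{cidr}: subnet mask must be 30")
    if net in RESERVED_TUNNEL_BLOCKS:
        problems.append(f"{cidr}: reserved tunnel CIDR block")
    return problems


def check_peer_prefix(prefix: str) -> List[str]:
    """Return the problems with a prefix the on-premises device advertises."""
    net = ipaddress.ip_network(prefix, strict=False)
    problems = []
    if net == DEFAULT_ROUTE:
        problems.append(f"{prefix}: a VPN gateway does not accept 0.0.0.0/0 from a BGP peer")
    if net.version == 4 and (net.subnet_of(SHARED_ADDRESS_SPACE)
                             or net.supernet_of(SHARED_ADDRESS_SPACE)):
        # covers 100.64.0.0/10 itself, any subnet of it, and any supernet
        # such as 100.0.0.0/8 (or 0.0.0.0/0) that contains it
        problems.append(f"{prefix}: overlaps {SHARED_ADDRESS_SPACE}; "
                        "breaks connection status display or IPsec negotiation")
    return problems


def check_gateway(connections: List[IpsecConnection]) -> List[str]:
    """Run all checks for the IPsec-VPN connections of one VPN gateway."""
    problems = []
    for conn in connections:
        problems += [f"{conn.name}: {p}" for p in check_tunnel_cidr(conn.tunnel_cidr)]
        for prefix in conn.peer_prefixes:
            problems += [f"{conn.name}: {p}" for p in check_peer_prefix(prefix)]
    asns = {conn.local_asn for conn in connections}
    if len(asns) > 1:
        problems.append(f"local ASN must be identical on all connections, found {sorted(asns)}")
    return problems


# Constructed sample configurations (not real deployments).
GOOD_GATEWAY = [
    IpsecConnection("dc-tunnel-1", "169.254.10.0/30", 65530, ["192.168.0.0/16"]),
    IpsecConnection("dc-tunnel-2", "169.254.10.4/30", 65530, ["192.168.0.0/16"]),
]
BAD_GATEWAY = [
    IpsecConnection("dc-tunnel-1", "169.254.1.0/30", 65530, ["0.0.0.0/0"]),
    IpsecConnection("dc-tunnel-2", "169.254.20.0/29", 65531,
                    ["100.0.0.0/8", "100.100.0.0/16"]),
]

if __name__ == "__main__":
    for label, gateway in (("good", GOOD_GATEWAY), ("bad", BAD_GATEWAY)):
        problems = check_gateway(gateway)
        print(f"{label}: {len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

The supernet check matters because a prefix-list that only denies 100.64.0.0/10 and its subnets still lets a covering aggregate such as 100.0.0.0/8 through; `supernet_of` catches that case, and 0.0.0.0/0 is reported both as a rejected default route and as a covering prefix.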
Before you use BGP dynamic routing, take note of the following information.
We recommend that you set Routing Mode to Destination Routing Mode for IPsec-VPN connections.
After you create a customer gateway, you cannot change its IP address or ASN. Plan these values in advance.