IPsec-VPN creates an encrypted tunnel between your on-premises network, such as a data center or office, and an Alibaba Cloud Virtual Private Cloud (VPC). This allows both networks to securely communicate as if they were on the same private network.
The Alibaba Cloud VPN Gateway service complies with relevant Chinese national policies and regulations and supports only non-cross-border connections. For cross-border connectivity, use the TransitRouter instead.
Two association modes
IPsec-VPN provides two connection methods. You can choose a method based on the number of VPCs that you need to connect:
Attach to a VPN gateway (connect to a single VPC)
You can attach an IPsec-VPN connection to a VPN Gateway instance. This method is suitable for connecting an on-premises data center to a single VPC.
How it works: On-premises gateway device ↔ IPsec-VPN tunnel ↔ VPN Gateway ↔ VPC
Use cases:
Connect to a single VPC
Use SSL-VPN for remote access at the same time (supported only by classic VPN gateways)
Attach to a transit router (connect to multiple VPCs)
You can attach an IPsec-VPN connection directly to a transit router in Cloud Enterprise Network (CEN). This method is suitable for connecting an on-premises data center to multiple VPCs.
How it works: On-premises gateway device ↔ IPsec-VPN tunnel ↔ Transit Router ↔ Multiple VPCs
Use cases:
Connect to multiple VPCs in the same or different regions
Use equal-cost multi-path (ECMP) load balancing for high availability
Establish a single connection with a bandwidth of more than 1 Gbps (up to 2 Gbps is supported)
Core components
| Component | Description |
| --- | --- |
| VPN gateway | A gateway device deployed on Alibaba Cloud. It serves as the cloud-side endpoint of the encrypted tunnel. VPN gateways are available in two types: enhanced and classic. |
| Transit router | A core component of Cloud Enterprise Network (CEN) that forwards traffic across VPCs and regions. In multi-VPC scenarios, it replaces a VPN gateway as the cloud-side endpoint. |
| Customer gateway | A logical object in Alibaba Cloud that records the public IP address of an on-premises gateway device. This object is required to create an IPsec-VPN connection. |
| IPsec-VPN connection | Defines the parameters for the encrypted tunnel from the cloud to the on-premises gateway device. These parameters include the encryption algorithm, authentication algorithm, and pre-shared key (PSK). |
| On-premises gateway device | A physical device or software in the on-premises data center that supports IPsec VPN. Examples include strongSwan, Cisco, and H3C. This device negotiates with the cloud-side endpoint to establish a tunnel. |
For simplicity, this document uses on-premises data center to refer to any on-premises network that needs to establish an IPsec-VPN connection with Alibaba Cloud, such as a corporate data center or office network.
Dual-tunnel mode
By default, each IPsec-VPN connection includes two encrypted tunnels. In regions that support multiple zones, the two tunnels are deployed in different zones to provide zone-level disaster recovery. In regions that support only a single zone, such as China (Wuhan - Local Region), both tunnels are deployed in the same zone. This deployment does not provide zone-level disaster recovery but still provides link redundancy.
Attach to a VPN gateway: Active-passive mode
The two tunnels work as active/standby links:
Under normal conditions, traffic is transmitted only through the active tunnel.
If the active tunnel fails, traffic automatically switches to the standby tunnel.
When the active tunnel recovers, traffic automatically switches back.
For more information, see Attach to a VPN gateway.
Attach to a transit router: ECMP mode
The two tunnels form an ECMP link:
Both tunnels transmit traffic at the same time for load balancing.
If either tunnel fails, traffic automatically converges to the other tunnel.
When the failed tunnel recovers, it automatically resumes sharing traffic.
For more information, see Attach to a transit router.
When you create an IPsec-VPN connection, make sure that both tunnels are configured and active. If you configure or use only one tunnel, you cannot benefit from link redundancy and zone-level disaster recovery, and the SLA for VPN Gateway does not apply.
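Added example (not from the Alibaba Cloud documentation): a monitoring check for this requirement, run on the on-premises gateway. It assumes strongSwan and the `swanctl --list-sas` output format shown in the constructed sample; the connection names `ali-tunnel1`/`ali-tunnel2` and all addresses are placeholders.

```python
"""Added example (not from the Alibaba Cloud documentation): a redundancy check
for the dual-tunnel requirement. It parses the output of strongSwan's
`swanctl --list-sas` (format assumed; the sample below is constructed) and
reports whether both tunnels are established, so an alert can be raised as soon
as the connection degrades to a single tunnel."""
import re

# Constructed sample: tunnel 1 is up, tunnel 2 is still connecting.
SAMPLE_SAS = """\
ali-tunnel1: #3, ESTABLISHED, IKEv2, 2dcd90fc5b6e8e08_i* 1b84bcde6c8fbd3c_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.1' @ 198.51.100.1[4500]
  vpc-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    local  0.0.0.0/0
    remote 0.0.0.0/0
ali-tunnel2: #4, CONNECTING, IKEv2, 77aa10c2e4f9d301_i* 0000000000000000_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.2' @ 198.51.100.2[500]
"""

IKE_SA_RE = re.compile(r"^(?P<name>\S+): #\d+, (?P<state>[A-Z]+), IKEv\d")
CHILD_SA_RE = re.compile(r"^\s+(?P<name>\S+): #\d+, reqid \d+, (?P<state>[A-Z]+), TUNNEL")

def parse_sas(text):
    """Map each IKE SA name to {'ike': state, 'children': {child name: state}}."""
    sas, current = {}, None
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            current = m.group("name")
            sas[current] = {"ike": m.group("state"), "children": {}}
            continue
        m = CHILD_SA_RE.match(line)
        if m and current:
            sas[current]["children"][m.group("name")] = m.group("state")
    return sas

def tunnel_up(sas, name):
    """A tunnel carries traffic only when its IKE SA is ESTABLISHED and a child SA is INSTALLED."""
    sa = sas.get(name)
    return bool(sa) and sa["ike"] == "ESTABLISHED" and "INSTALLED" in sa["children"].values()

def redundancy_status(text, tunnels=("ali-tunnel1", "ali-tunnel2")):
    """Return (tunnels up, message); fewer than two means no link redundancy."""
    sas = parse_sas(text)
    up = [t for t in tunnels if tunnel_up(sas, t)]
    if len(up) == len(tunnels):
        return len(up), "OK: both tunnels established"
    down = ", ".join(t for t in tunnels if t not in up)
    return len(up), "DEGRADED: no link redundancy, tunnel(s) down: " + down
```

In production, feed the live command output to `redundancy_status` from a cron job or monitoring agent and alert whenever the count drops below 2.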
Scenarios
Scenarios for attaching to a VPN gateway
VPC to data center: The most common scenario. You can use IPsec-VPN to connect an on-premises data center to an Alibaba Cloud VPC to build a hybrid cloud.
VPC to VPC: You can use IPsec-VPN to quickly connect two VPCs for resource sharing across VPCs.
Multicloud connection: You can use IPsec-VPN to connect an Alibaba Cloud VPC to a VPC on another cloud platform, such as AWS or Azure.
Multi-site connection: You can connect multiple office networks to a VPN gateway at the same time and use the hub-and-spoke feature to enable private network peering among the sites.
Scenarios for attaching to a transit router
VPC to data center: You can connect an on-premises data center to any VPC through an IPsec-VPN connection and a transit router. This is suitable for scenarios where you need to connect to multiple VPCs.
High-availability ECMP connection: You can attach multiple IPsec-VPN connections to the same transit router to form an ECMP link. Multiple links carry traffic at the same time.
Express Connect circuit encryption: You can encrypt traffic over an Express Connect circuit that is already established for a private connection and use a transit router to connect to multiple VPCs.
Global multi-site full-mesh connection: You can connect multiple on-premises sites to the nearest transit routers using IPsec-VPN and use CEN to achieve a full-mesh topology.
Recommendations for choosing a scenario
For recommendations on how to choose an association mode and for a detailed comparison of the two modes, such as encryption algorithms and performance specifications, see Choose an association mode.
Billing
For more information, see Billing of IPsec-VPN.