VPN Gateway: What is IPsec-VPN

Last Updated: Nov 12, 2025

IPsec-VPN lets you establish an encrypted tunnel that connects your on-premises network, such as a corporate data center or office, to an Alibaba Cloud virtual private cloud (VPC) for a secure, private connection.

Alibaba Cloud VPN Gateway operates in compliance with applicable laws and regulations in China. It supports only non-cross-border connections. For cross-border connections, use VPN Gateway with a Transit Router.

Use cases

IPsec-VPN is used to create Site-to-Site encrypted connections and is available in two deployment models:

  • Attach to a VPN gateway: Connects your on-premises network to a single VPC.

  • Attach to a transit router (TR): Connects your on-premises network to multiple VPCs.

Components

Attach to a VPN gateway

| Component | Description |
| --- | --- |
| VPN Gateway | When connecting an on-premises network to a single VPC, the VPN gateway acts as the cloud-side gateway. It has a public IP address to communicate with the on-premises gateway device. |
| Customer gateway | A logical object in Alibaba Cloud that stores the public IP address of your on-premises gateway device. This object is required to create an IPsec-VPN connection. |
| IPsec-VPN connection | Defines the encrypted tunnel from the VPN gateway to the on-premises gateway device. In this connection, you configure parameters for both ends, such as the encryption algorithm, authentication algorithm, and Pre-Shared Key (PSK). |
| On-premises gateway device | A physical device (typically a gateway) or software appliance in your on-premises data center. The on-premises gateway device must support VPN functionality to negotiate and establish an IPsec-VPN connection with the cloud-side gateway. |

For simplicity, this topic uses on-premises data center to refer to any network or site that needs to establish an IPsec-VPN connection with Alibaba Cloud, such as a corporate data center or office network.

Attach to a Transit Router

| Component | Description |
| --- | --- |
| Transit Router | When connecting an on-premises network to multiple VPCs, the Transit Router acts as the cloud-side gateway. To use it, you create a VPN connection on the Transit Router and attach an IPsec-VPN connection instance to it. |
| Customer gateway | A logical object in Alibaba Cloud that stores the public IP address of your on-premises gateway device. This object is required to create an IPsec-VPN connection. |
| IPsec-VPN connection | Defines the encrypted tunnel from the Transit Router to the on-premises gateway device. In this connection, you configure parameters for both ends, such as the encryption algorithm, authentication algorithm, and Pre-Shared Key (PSK). |
| On-premises gateway device | A physical device (typically a gateway) or software appliance in your on-premises data center. The on-premises gateway device must support VPN functionality to negotiate and establish an IPsec-VPN connection with the cloud-side gateway. |

For simplicity, this topic uses on-premises data center to refer to any network or site that needs to establish an IPsec-VPN connection with Alibaba Cloud, such as a corporate data center or office network.

Dual-tunnel mode

By default, an IPsec-VPN connection includes two encrypted tunnels. In regions with multiple zones, the two tunnels are deployed in different zones to provide zone-level disaster recovery. In regions with only a single zone, such as China (Wuhan - Local Region), both tunnels are deployed in the same zone. This setup does not offer zone-level disaster recovery but still provides redundancy.

  • In the Attach to a VPN gateway scenario, two encrypted tunnels work in active/standby mode. By default, traffic flows through the active tunnel. If the active tunnel fails, traffic is automatically routed to the standby tunnel. For more information, see Attach to a VPN Gateway.

  • In the Attach to a Transit Router scenario, the two tunnels automatically form an Equal-Cost Multi-Path (ECMP) link. Traffic is transmitted over both tunnels. If one tunnel fails, its traffic is rerouted to the other tunnel. For more information, see Attach to a Transit Router.

Important

When you create an IPsec-VPN connection, you must configure both tunnels to ensure high availability. If you configure or use only one tunnel, you lose the connection's link redundancy and zone-level disaster recovery. In this case, the Service Level Agreement (SLA) for VPN Gateway does not apply.
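The two rules above (both tunnels must be configured, and in a multi-zone region they should sit in different zones) and the two failover models (active/standby for a VPN gateway, ECMP for a transit router) can be checked before a connection goes live. The following is an added example, not Alibaba Cloud code or its API: the `Tunnel`/`Connection` model, the field names, the region ID and the list of single-zone regions are assumptions for illustration, and tunnel order is taken to define which tunnel is active.

```python
"""Dual-tunnel readiness and failover check for an IPsec-VPN connection.

Added example (not Alibaba Cloud code or its API). The data model, field
names and region IDs are assumptions; the rules encoded are the ones the
page states for dual-tunnel mode.
"""
from dataclasses import dataclass, field

# Assumed: regions that have only one zone, so both tunnels must share it.
# The page names China (Wuhan - Local Region); the ID below is constructed.
SINGLE_ZONE_REGIONS = {"cn-wuhan-lr"}


@dataclass
class Tunnel:
    name: str
    zone: str
    configured: bool = True   # remote address, PSK and proposals all set
    up: bool = True           # IKE/IPsec SAs currently established


@dataclass
class Connection:
    region: str
    attach_to: str            # "vpn_gateway" (active/standby) or "transit_router" (ECMP)
    tunnels: list = field(default_factory=list)   # tunnels[0] is the active one (assumed)


def readiness_findings(conn: Connection) -> list:
    """Return the reasons this connection does not meet the dual-tunnel HA bar."""
    findings = []
    configured = [t for t in conn.tunnels if t.configured]
    if len(configured) < 2:
        findings.append("only one tunnel configured: no link redundancy, SLA does not apply")
    zones = {t.zone for t in configured}
    if conn.region not in SINGLE_ZONE_REGIONS and len(configured) == 2 and len(zones) < 2:
        findings.append("both tunnels in one zone of a multi-zone region: no zone-level DR")
    return findings


def carrying_traffic(conn: Connection) -> list:
    """Names of the tunnels carrying traffic now, per the attachment's HA model."""
    live = [t for t in conn.tunnels if t.configured and t.up]
    if conn.attach_to == "transit_router":
        return [t.name for t in live]          # ECMP: every live tunnel carries traffic
    return [live[0].name] if live else []      # active/standby: first live tunnel only
```
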

Feature comparison

| Item | Attach to a VPN Gateway | Attach to a Transit Router |
| --- | --- | --- |
| Use cases | Connect an on-premises network to a single VPC | Connect an on-premises network to multiple VPCs |
| Supported encryption algorithms | Supports international standard commercial cryptographic algorithms | Supports international standard commercial cryptographic algorithms |
| IPsec-VPN connection tunnel mode | Dual-tunnel mode. Some existing VPN gateways only support creating IPsec-VPN connections in single-tunnel mode. We recommend that you upgrade to dual-tunnel mode. | Dual-tunnel mode. Existing IPsec-VPN connections in single-tunnel mode do not provide high availability. We recommend that you delete and recreate the IPsec-VPN connection without disrupting your network connectivity. New IPsec-VPN connections are created in dual-tunnel mode by default. |
| High-availability mechanism | Active/standby tunnels: Traffic flows through the active tunnel by default and automatically fails over to the standby tunnel if the active one fails. | ECMP: The two tunnels provide load balancing and redundancy. |
| Bandwidth per IPsec-VPN connection | Up to 1000 Mbps. The maximum bandwidth of VPN Gateway instances in some regions is 500 Mbps. For more information, see VPN Gateway limits. | For existing single-tunnel connections, the maximum bandwidth is 1,000 Mbps. |
| Packets per second (PPS) | The total PPS rate for a single VPN Gateway instance is 120,000 in both directions (based on a packet size of 256 bytes). If a VPN Gateway instance has multiple IPsec-VPN connections, the total PPS rate for all connections cannot exceed 120,000 (based on a packet size of 256 bytes). | In dual-tunnel mode, the total PPS rate for each tunnel is 120,000 in both directions (based on a packet size of 256 bytes). For existing single-tunnel mode connections, the total PPS rate for one IPsec-VPN connection is 120,000 in both directions (based on a packet size of 256 bytes). |
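The bandwidth and PPS rows are two independent ceilings, and with small packets the PPS limit binds long before the bandwidth limit does. The following is an added example, not Alibaba Cloud code: it assumes the 120,000 PPS figure, which the page quotes for 256-byte packets, applies unchanged at other packet sizes, and it sizes for the degraded state in which only one of the two tunnels is carrying traffic.

```python
"""Throughput ceiling of one tunnel from the page's bandwidth and PPS limits.

Added example, not Alibaba Cloud code. Assumption: the PPS limit is the same
at every packet size (the page quotes it for 256-byte packets only). The
figures are bidirectional totals, as the page states them.
"""
PPS_LIMIT = 120_000          # packets per second, both directions (from the page)
QUOTED_PACKET_BYTES = 256    # packet size the page quotes the PPS figure for


def pps_bound_mbps(packet_bytes: int, pps: int = PPS_LIMIT) -> float:
    """Throughput in Mbps that the PPS ceiling allows at a given packet size."""
    return pps * packet_bytes * 8 / 1_000_000


def throughput_ceiling_mbps(packet_bytes: int, bandwidth_mbps: int) -> dict:
    """Effective ceiling for one tunnel: the tighter of the two limits.

    bandwidth_mbps is 1000 by default on the page, or 500 in the regions whose
    VPN Gateway instances are capped at 500 Mbps.
    """
    by_pps = pps_bound_mbps(packet_bytes)
    binding = "pps" if by_pps < bandwidth_mbps else "bandwidth"
    return {"ceiling_mbps": round(min(by_pps, bandwidth_mbps), 2), "binding": binding}


def degraded_capacity_ok(required_mbps: float, packet_bytes: int, bandwidth_mbps: int) -> bool:
    """True if the required traffic still fits on a single tunnel after one fails.

    Under ECMP both tunnels carry traffic while healthy; sizing to the
    single-tunnel ceiling keeps a tunnel failure from becoming an outage.
    """
    return required_mbps <= throughput_ceiling_mbps(packet_bytes, bandwidth_mbps)["ceiling_mbps"]
```

At the quoted 256-byte packet size the PPS limit caps a tunnel at 245.76 Mbps, so a plan that only compares against 1000 Mbps overestimates capacity fourfold.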

Billing

For more information, see Billing of IPsec-VPN.

Quick start