Set up an active/standby hybrid connection between an on-premises data center (IDC) and Alibaba Cloud using an Express Connect circuit as the primary link and an IPsec-VPN connection as the standby link. When the Express Connect circuit fails, traffic automatically fails over to the IPsec-VPN connection and reverts when the circuit recovers.
A passive standby link that carries no traffic is easy to neglect. Regularly test the failover path — for example, every quarter during a maintenance window — to make sure the IPsec-VPN connection is healthy before you need it. A link that is never exercised can fail silently.
This setup adds latency compared to a dual-Express Connect design. If your workloads are latency-sensitive or bandwidth-intensive, consider a multi-circuit Express Connect design instead.
How it works
The setup uses two virtual private clouds (VPCs) and a transit router in the China (Hangzhou) region:
VPC1 hosts your application workloads on Elastic Compute Service (ECS) instances.
VPC2 is a transit VPC with no workloads. A VPN Gateway attached to VPC2 terminates the IPsec-VPN connection from the on-premises IDC.
A transit router connects VPC1, VPC2, and the virtual border router (VBR) of the Express Connect circuit.
Route priority — cloud to on-premises: The transit router learns the on-premises IDC route from both connections. By default, the route learned from the Express Connect circuit has higher priority. Traffic from VPC1 to the on-premises IDC flows through the Express Connect circuit unless the circuit fails, at which point the VPN route takes over automatically.
Route priority — on-premises to cloud: Configure a higher-priority static route toward VPC1 via the Express Connect circuit on the on-premises gateway device, and a lower-priority static route via the VPN Gateway. This prevents asymmetric routing where traffic leaves over one link but returns over the other, which can cause connection resets and packet loss.
Prerequisites
Before you begin, ensure that you have:
Planned CIDR blocks for all network instances with no overlaps. This guide uses the following address plan:
Resource | CIDR block | Notable addresses
VPC1 | 192.168.0.0/16 | ECS instance: 192.168.20.161
VPC2 | 10.0.0.0/16 | (none)
VBR | 10.1.0.0/30 | Alibaba Cloud side: 10.1.0.1/30; customer side: 10.1.0.2/30; VLAN ID: 0
On-premises IDC | 172.16.0.0/16 | Client: 172.16.1.188
On-premises gateway | 10.1.0.0/30 | Public IP: 211.XX.XX.68; port IP: 10.1.0.2/30; BGP autonomous system (AS) number: 65530
Created VPC1 and VPC2 in the China (Hangzhou) region. Services run in VPC1; VPC2 is left empty and serves only as a transit VPC. For details, see Create and manage a VPC.
Confirmed that the on-premises gateway device supports IKEv1 or IKEv2. Contact the vendor if unsure.
Assigned a static public IP address to the on-premises gateway device.
Reviewed the security group rules on VPC1 ECS instances to allow inbound traffic from the on-premises IDC CIDR block (172.16.0.0/16). See Query security group rules and Add a security group rule.
In this setup, the VBR must use BGP (Border Gateway Protocol) dynamic routing. The VPN Gateway can use either static routing or BGP. This guide uses static routing for the VPN Gateway.
Step 1: Deploy an Express Connect circuit
Create an Express Connect circuit
Apply for an Express Connect circuit in the China (Hangzhou) region. See Apply for a dedicated connection or Procedure for connecting to a shared Express Connect circuit.
Create a VBR
Log on to the Express Connect console.
In the left navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select China (Hangzhou).
Click Create VBR and configure the following parameters, then click OK.
Parameter | Value
Account | Current Account
Name | VBR (or any name)
Physical Connection Interface | Select the Express Connect circuit you applied for
VLAN ID | 0
VBR Bandwidth | Select a bandwidth cap
Alibaba Cloud-Side IPv4 | 10.1.0.1
Customer-Side IPv4 | 10.1.0.2
IPv4 Subnet Mask | 255.255.255.252
Configure a BGP group
On the Virtual Border Routers (VBRs) page, click the VBR ID.
On the details page, click the BGP Groups tab, then click Create BGP Group.
Configure the following parameters and click OK.
Parameter | Value
Name | test (or any name)
Peer AS Number | 65530
BGP Key | (leave blank in this example)
Description | test (or any description)
The BGP key is left blank here only to keep the example short. In production, set a key so that the BGP session is authenticated, and configure the same key on the on-premises gateway device; an unauthenticated session accepts route updates from anything that can reach the peer address.
Configure a BGP peer
On the VBR details page, click the BGP Peers tab, then click Create BGP Peer.
Configure the following parameters and click OK.
Parameter | Value
BGP Group | Select the BGP group you created
BGP Peer IP | 10.1.0.2 (the IP address of the port on the on-premises gateway device)
Step 2: Deploy a VPN Gateway
Create a VPN Gateway
Log on to the VPN Gateway console.
In the top navigation bar, select China (Hangzhou).
On the VPN Gateways page, click Create VPN Gateway.
On the purchase page, configure the following parameters, click Buy Now, and complete the payment.
When IPsec-VPN is enabled, the system creates an elastic network interface (ENI) in each selected vSwitch. Each ENI occupies one IP address. After creating the VPN Gateway, you cannot change its associated vSwitches.
Parameter | Value
Instance Name | Enter a name
Region | China (Hangzhou); must match the region of VPC2
Gateway Type | Standard
Network Type | Public
VPC | VPC2
Tunnel | The system displays the tunnel mode supported in the current region
vSwitch 1 | Select a vSwitch in VPC2 (the system selects the first vSwitch by default)
vSwitch 2 | Required only for dual-tunnel mode
Peak Bandwidth | Select a bandwidth
Traffic | Pay-by-traffic (default). VPN gateways are billed based on data transfer by default; for more information, see Billing.
Subscription Duration | By default, a VPN Gateway is billed on an hourly basis
IPsec-VPN | Enable
SSL-VPN | Disable
Service-linked Role | Click Create Service-linked Role to create the AliyunServiceRoleForVpn role
Return to the VPN Gateways page. Wait 1–5 minutes for the gateway status to change from Preparing to Normal, then record the public IP address of the VPN Gateway. You will need it when configuring the on-premises gateway device.
Create a customer gateway
In the left navigation pane, choose Interconnections > VPN > Customer Gateways.
Click Create Customer Gateway and configure the following parameters, then click OK.
Parameter | Value
Name | Enter a name
IP Address | 211.XX.XX.68 (the public IP address of the on-premises gateway device)
ASN | (leave blank in this example)
Description | (optional)
Create an IPsec-VPN connection
In the left navigation pane, choose Interconnections > VPN > IPsec Connections.
Click Bind VPN Gateway.
Configure the following parameters and click OK. For more information, see Create an IPsec-VPN connection in single-tunnel mode.
Parameter | Value
IPsec Connection Name | Enter a name
Region | China (Hangzhou)
Attach VPN Gateway | Select the VPN Gateway you created
Routing Mode | Destination-based Routing Mode
Effective Immediately | No (negotiation starts when traffic is detected)
Customer Gateway | Select the customer gateway you created
Pre-Shared Key | Use the default randomly generated value, or enter a custom key
Encryption Configurations | IKEv1; other settings use defaults
The pre-shared key is the only credential that authenticates the two IPsec peers to each other, so if you enter a custom key, make it long and random, and configure the identical key on the on-premises gateway device. IKEv1 is used in this example for compatibility; prefer IKEv2 when the on-premises device supports it.
Configure VPN Gateway routes
After creating the IPsec-VPN connection, advertise the on-premises IDC route to VPC2 so that the transit router can learn it.
Click OK in the Created dialog box.
In the left navigation pane, choose Interconnections > VPN > VPN Gateways, then click the VPN Gateway ID.
On the Destination-based Route Table tab, click Add Route Entry.
Configure the following parameters and click OK.
Two destination-based routes with the same destination CIDR block cannot both have a weight of 100.
Parameter | Value
Destination CIDR Block | 172.16.0.0/16 (the on-premises IDC CIDR block)
Next Hop Type | IPsec-VPN connection
Next Hop | Select the IPsec-VPN connection you created
Advertise to VPC | Yes
Weight | 100 (high priority)
Load the VPN configuration onto the on-premises gateway device
In the left navigation pane, choose Interconnections > VPN > IPsec Connections.
Find the IPsec-VPN connection and click Generate Peer Configuration in the Actions column.
Apply the downloaded configuration to the on-premises gateway device. For device-specific examples, see Examples of on-premises gateway device configurations.
Step 3: Configure CEN
Connect VPC1, VPC2, and the VBR to a transit router so the on-premises IDC can reach VPC1 over either link.
Create a CEN instance
Create a CEN instance and select Create CEN Instance Only.
Create a transit router
On the Instances page, click the CEN instance ID.
On the Basic Settings > Transit Router tab, click Create Transit Router.
Configure the following parameters and click OK.
Parameter | Value
Region | China (Hangzhou)
Edition | Automatically determined by the system
Enable Multicast | Disabled (default)
Name | Enter a name
Transit Router CIDR | (not configured in this example)
Connect VPC1 and VPC2 to the transit router
On the Basic Settings > Transit Router tab, find the transit router in China (Hangzhou) and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the parameters and click OK. Repeat for each VPC. Select vSwitches in at least two zones to enable cross-zone disaster recovery between the VPC and the transit router. Make sure each selected vSwitch has at least one free IP address.
The first time you connect a VPC, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an ENI in the VPC's vSwitch. See AliyunServiceRoleForCEN.
Parameter | VPC1 | VPC2
Network Type | VPC | VPC
Region | China (Hangzhou) | China (Hangzhou)
Resource Owner ID | Your Account | Your Account
Billing Method | Pay-As-You-Go | Pay-As-You-Go
Attachment Name | VPC1-test | VPC2-test
Networks | VPC1 | VPC2
vSwitch | One vSwitch in Zone H and one in Zone I | One vSwitch in Zone H and one in Zone I
Advanced Settings | Keep defaults (all items selected) | Keep defaults (all items selected)
Connect the VBR to the transit router
On the Basic Settings > Transit Router tab, click Create Connection again.
Configure the following parameters and click OK.
Parameter | Value
Network Type | Virtual Border Router (VBR)
Region | China (Hangzhou)
Resource Owner ID | Your Account
Attachment Name | VBR
Networks | Select the VBR instance
Advanced Settings | Keep defaults
Advertise the VPN route from VPC2 to CEN
After advertising the VPN Gateway route to VPC2, the route's advertise status in VPC2 is Not Advertised by default. Manually advertise it so that the transit router learns the route to the on-premises IDC from VPC2.
Log on to the Cloud Enterprise Network console and click the CEN instance ID.
Find the transit router in China (Hangzhou) and click its ID.
On the Network Instance Route Table tab, select the VPC2 network instance.
Find the route to 172.16.0.0/16 and click Advertise in the Advertise Status column.
In the PublishRoute dialog box, click OK.
Step 4: Configure the on-premises gateway device
The following configuration is for reference. Commands vary by device vendor — contact your vendor for device-specific syntax.
# Configure the port that connects to the Express Connect circuit.
interface GigabitEthernet 0/12
no switchport
ip address 10.1.0.2 255.255.255.252 # Must match the VBR customer-side peer IPv4 address.
# Establish a BGP session with the VBR and advertise the on-premises IDC CIDR block.
router bgp 65530
bgp router-id 10.1.0.2
network 172.16.0.0 mask 255.255.0.0 # Advertise the on-premises IDC CIDR block.
neighbor 10.1.0.1 remote-as 45104 # BGP peer with the VBR (Alibaba Cloud AS: 45104).
exit
# Add a low-priority static route to VPC1 via the VPN Gateway.
# preference 255 ensures this route is used only when the BGP route from Express Connect is unavailable.
ip route 192.168.0.0 255.255.0.0 <Public IP address of the VPN Gateway> preference 255
This configuration controls route priority in both directions:
Cloud to on-premises: The transit router prefers the Express Connect route (BGP-learned) over the VPN route by default.
On-premises to cloud: The BGP route via the VBR has a lower preference value (higher priority) than the static route via the VPN Gateway (preference 255), so the on-premises gateway sends traffic over the Express Connect circuit first. Check how your device interprets the value before relying on it: on Cisco IOS, for example, an administrative distance of 255 marks a route as untrusted and it is never installed, so the standby route would not exist at all. On such a device, use a value that is below 255 but still higher than the BGP route's distance (eBGP defaults to 20 on IOS).
Both directions must be configured. If only the cloud side is configured, on-premises traffic may return over the VPN link while cloud traffic goes over the Express Connect circuit, causing asymmetric routing and potential connection issues.
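To make the preference reasoning above concrete, here is a small route-selection model. It is an added example, not part of the original page or of Alibaba Cloud's tooling. It assumes placeholder preference values for the transit router (10 for the Express Connect route, 100 for the VPN route; only the ordering is what the page states) and the Cisco IOS default eBGP administrative distance of 20 for the on-premises BGP route, which may differ on your device. It computes the active route at each end for both link states, checks that the forward and return paths use the same link, and shows what goes wrong when the static route keeps its default preference or when the platform treats 255 as "never install".

```python
"""Added example (not from the original page): route selection on both ends of
the active/standby hybrid link. Preference numbers marked 'assumption' are
placeholders that reproduce only the ordering the page describes."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

IDC = "172.16.0.0/16"      # on-premises IDC CIDR block (from the address plan)
VPC1 = "192.168.0.0/16"    # VPC1 CIDR block (from the address plan)


@dataclass(frozen=True)
class Route:
    prefix: str
    via: str          # link the route uses: "express-connect" or "vpn"
    preference: int   # lower wins (Huawei "preference" / Cisco administrative distance)
    source: str       # "bgp" routes are withdrawn with their link; "static" routes persist


def select_route(rib: Iterable[Route], prefix: str, links_up: Dict[str, bool],
                 max_installable: int = 255) -> Optional[Route]:
    """Return the active route for prefix, or None if nothing usable remains.

    A route is usable only if its link is up (the BGP route disappears when the
    Express Connect session drops; a static route over a down link forwards
    nothing either) and its preference is within the range the platform will
    install. Cisco IOS treats administrative distance 255 as 'do not install';
    pass max_installable=254 to model that platform.
    """
    usable = [r for r in rib
              if r.prefix == prefix
              and links_up.get(r.via, False)
              and r.preference <= max_installable]
    return min(usable, key=lambda r: r.preference, default=None)


def path_symmetric(cloud_rib, onprem_rib, links_up, onprem_max=255) -> bool:
    """True when cloud->IDC and IDC->cloud traffic use the same link."""
    out = select_route(cloud_rib, IDC, links_up)
    back = select_route(onprem_rib, VPC1, links_up, onprem_max)
    return out is not None and back is not None and out.via == back.via


# Transit router: IDC route learned from both attachments.
CLOUD_RIB = [
    Route(IDC, "express-connect", 10, "bgp"),   # assumption: any value below the VPN route
    Route(IDC, "vpn", 100, "static"),           # route advertised from VPC2 with weight 100
]

# On-premises gateway as configured in Step 4: BGP route plus static with preference 255.
ONPREM_RIB = [
    Route(VPC1, "express-connect", 20, "bgp"),  # assumption: Cisco IOS eBGP default distance
    Route(VPC1, "vpn", 255, "static"),          # 'ip route ... preference 255'
]

# On-premises gateway with the static preference left at its default (1 on Cisco IOS):
# the VPN route now beats BGP, so return traffic bypasses Express Connect.
ONPREM_RIB_MISCONFIGURED = [
    Route(VPC1, "express-connect", 20, "bgp"),
    Route(VPC1, "vpn", 1, "static"),
]

BOTH_UP = {"express-connect": True, "vpn": True}
EC_DOWN = {"express-connect": False, "vpn": True}


if __name__ == "__main__":
    for name, state in (("both links up", BOTH_UP), ("Express Connect down", EC_DOWN)):
        print(f"{name}:")
        print("  cloud -> IDC via", select_route(CLOUD_RIB, IDC, state).via)
        print("  IDC -> cloud via", select_route(ONPREM_RIB, VPC1, state).via)
        print("  symmetric:", path_symmetric(CLOUD_RIB, ONPREM_RIB, state))
        print("  symmetric with default static preference:",
              path_symmetric(CLOUD_RIB, ONPREM_RIB_MISCONFIGURED, state))
        print("  standby usable if 255 means 'never install':",
              select_route(ONPREM_RIB, VPC1, state, max_installable=254) is not None)
```

With both links up the model picks Express Connect on both ends; with Express Connect down both ends fall back to the VPN. The misconfigured on-premises table shows the asymmetric case the text warns about (cloud sends over Express Connect, the IDC replies over the VPN), and the max_installable=254 run shows that on a platform where 255 means "never install" there is no standby route at all once the BGP route is withdrawn.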
Step 5: Verify the connection
Verify normal operation
From a client in the on-premises IDC, run ping against an ECS instance in VPC1 (192.168.0.0/16). A successful reply confirms basic connectivity.
Run traceroute to confirm that traffic flows over the Express Connect circuit. The output should include a hop in the VBR link range (10.1.0.0/30). If you see 10.1.0.1 in the path, traffic is going over the Express Connect circuit as expected.
traceroute 192.168.20.161
...
2 <1 ms 10.1.0.1    # VBR Alibaba Cloud-side IP: traffic is on the Express Connect circuit.
...
Verify failover
On the on-premises gateway device, shut down the port connected to the Express Connect circuit.
From the client, run ping against the same ECS instance. A successful reply confirms that the standby IPsec-VPN link is active. Because the IPsec-VPN connection was created with Effective Immediately set to No, the first packets trigger IKE negotiation, so the first few replies may be lost while the tunnel comes up. Also allow for the BGP hold time: the transit router and the on-premises gateway may switch to the VPN route only after the BGP session to the VBR has timed out and the Express Connect route has been withdrawn.
Run traceroute again. The VBR hop (10.1.0.1) should no longer appear. Instead, you should see the VPN Gateway public IP in the path, confirming that failover is working.
Restore the Express Connect circuit port and verify that traffic reverts to the Express Connect path (10.1.0.1 reappears in the traceroute output).
Run this failover test periodically — for example, every quarter during a maintenance window — not just after initial setup. A passive standby link that is never exercised can develop configuration drift or expire silently, leaving you without a working backup when you need it most.
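A script for running that check from the on-premises client, as an added example that is not part of the original page: it runs traceroute with numeric output, parses the hops, and reports whether the active path crosses the VBR link (10.1.0.0/30) or the standby link, exiting non-zero when the observed path differs from the expected one so it can be scheduled from cron. The embedded traceroute outputs are constructed for the offline demonstration, not captured from a real network; the command-line arguments and the use of Linux traceroute -n are assumptions about how you would run it.

```python
"""Added example (not from the original page): classify which link carries
traffic from an on-premises client to VPC1 by parsing traceroute output.
Usage on the client:  python3 check_path.py 192.168.20.161 express-connect
Exit status is non-zero when the observed path differs from the expected one."""
import ipaddress
import re
import subprocess
import sys

# VBR point-to-point link from the address plan; any hop in it means Express Connect.
VBR_LINK = ipaddress.ip_network("10.1.0.0/30")
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(output):
    """Return [(hop_number, [responding IPs])] from traceroute text.
    Header lines have no leading hop number and are skipped; '* * *' hops
    yield an empty list. RTT values such as '2.310' never match IPV4."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ips = []
        for ip in IPV4.findall(m.group(2)):
            if ip not in ips:
                ips.append(ip)
        hops.append((int(m.group(1)), ips))
    return hops


def classify_path(hops, destination):
    """'express-connect' if a hop sits on the VBR link, 'standby' if the
    destination answered without crossing it, 'unreachable' otherwise."""
    seen = [ip for _, ips in hops for ip in ips]
    if destination not in seen:
        return "unreachable"
    if any(ipaddress.ip_address(ip) in VBR_LINK for ip in seen):
        return "express-connect"
    return "standby"


def run_traceroute(destination):
    """Run the system traceroute with numeric output (no reverse DNS)."""
    proc = subprocess.run(["traceroute", "-n", destination],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def check(output, destination, expected):
    """Return (observed_path, matches_expected) for the periodic check."""
    observed = classify_path(parse_hops(output), destination)
    return observed, observed == expected


# Constructed sample outputs (not captured from a real network) for offline use.
SAMPLE_EXPRESS_CONNECT = """\
traceroute to 192.168.20.161 (192.168.20.161), 30 hops max, 60 byte packets
 1  172.16.1.1  0.412 ms  0.389 ms  0.370 ms
 2  10.1.0.1  1.102 ms  1.080 ms  1.065 ms
 3  * * *
 4  192.168.20.161  2.310 ms  2.290 ms  2.275 ms
"""
SAMPLE_STANDBY = """\
traceroute to 192.168.20.161 (192.168.20.161), 30 hops max, 60 byte packets
 1  172.16.1.1  0.401 ms  0.377 ms  0.360 ms
 2  * * *
 3  * * *
 4  192.168.20.161  18.904 ms  18.871 ms  18.850 ms
"""
SAMPLE_DOWN = """\
traceroute to 192.168.20.161 (192.168.20.161), 30 hops max, 60 byte packets
 1  172.16.1.1  0.398 ms  0.371 ms  0.355 ms
 2  * * *
 3  * * *
"""


if __name__ == "__main__":
    dest = sys.argv[1] if len(sys.argv) > 1 else "192.168.20.161"
    expected = sys.argv[2] if len(sys.argv) > 2 else "express-connect"
    observed, ok = check(run_traceroute(dest), dest, expected)
    print(f"path to {dest}: {observed} (expected {expected})")
    sys.exit(0 if ok else 1)
```

Run it with expected path express-connect during normal operation and with standby during the failover window; the classifier deliberately does not depend on which intermediate hops answer, only on whether a 10.1.0.0/30 address appears and whether the ECS instance itself replied.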