VPN Gateway:Encrypt private connections over Express Connect circuits

Last Updated: Feb 08, 2025

VPN gateways are commonly used to establish IPsec-VPN connections over the Internet. Some enterprises and institutions, for example in the finance and healthcare sectors, have security compliance requirements that call for stronger protection of data in transit when they connect to the cloud: they want to connect over leased lines, encrypt sensitive data before it leaves their network, or prohibit IPsec-VPN connections that terminate on public IP addresses. In this scenario, you can use private IPsec-VPN connections to connect to a VPC on Alibaba Cloud over an Express Connect circuit and a transit router. The private IPsec-VPN connection is established between a customer gateway device and a transit router by using private IP addresses, so private traffic is encrypted before it crosses the Express Connect circuit. An Express Connect circuit isolates traffic from the Internet but does not encrypt it by itself; the private IPsec-VPN connection adds the encryption.

How it works

Private IPsec-VPN connections are built on Express Connect circuits and transit routers. To connect a data center to the cloud, you first deploy an Express Connect circuit and a transit router so that the data center can reach the VPC over a private network. You then assign one or two private IP addresses to the customer gateway device, specify the CIDR block of the transit router, and specify the VPN gateway IP address to use for the IPsec-VPN connection. The private IP addresses of the customer gateway device must be reachable from the transit router over the circuit, and vice versa; the IPsec-VPN connection is negotiated and carried entirely between these private addresses, so no public IP address is involved.

Each private IPsec-VPN connection between the customer gateway device and the transit router consists of two tunnels. In a region that has multiple zones, the two tunnels are deployed in different zones so that the IPsec-VPN connection stays available if one zone fails. After the connection is created, you configure routes to steer private traffic between the data center and the VPC into the private IPsec-VPN connection. Only traffic that the routes send into the tunnels is encrypted; traffic routed directly over the Express Connect circuit is still transmitted in plaintext, so the routes on both the customer gateway device and the transit router determine what is protected and whether the security compliance requirements are met.
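The addressing decisions above (private endpoint addresses only, a transit router CIDR block, a VPN gateway IP, and non-overlapping prefixes on both sides) are easy to get wrong before anything is deployed. The following pre-flight check is an added example and not Alibaba Cloud code: the plan fields, the sample prefixes and the failing case are constructed for illustration, and the rule that the VPN gateway IP must lie inside the transit router CIDR block is an assumption made for this check.

```python
"""Pre-flight checks for a planned private IPsec-VPN connection over an
Express Connect circuit.  Added example, not Alibaba Cloud code: the plan
fields are illustrative, and the rule that the VPN gateway IP must lie in the
transit router CIDR block is an assumption made for this check."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(x: Union[ipaddress.IPv4Address, ipaddress.IPv4Network]) -> bool:
    """True if the address, or the whole network, lies inside an RFC 1918 block."""
    if isinstance(x, ipaddress.IPv4Network):
        return any(x.subnet_of(b) for b in RFC1918)
    return any(x in b for b in RFC1918)


@dataclass
class PrivateVpnPlan:
    datacenter_cidrs: List[str]      # prefixes behind the customer gateway device
    vpc_cidrs: List[str]             # prefixes in the VPC behind the transit router
    customer_gateway_ips: List[str]  # one or two private IPs assigned to the customer gateway device
    transit_router_cidr: str         # CIDR block specified on the transit router
    vpn_gateway_ip: str              # VPN gateway IP address used for the IPsec-VPN connection


def check_plan(plan: PrivateVpnPlan) -> List[str]:
    """Return a list of problems; an empty list means the plan passes every check."""
    problems: List[str] = []
    dc = [ipaddress.ip_network(c) for c in plan.datacenter_cidrs]
    vpc = [ipaddress.ip_network(c) for c in plan.vpc_cidrs]
    tr = ipaddress.ip_network(plan.transit_router_cidr)
    cgw = [ipaddress.ip_address(a) for a in plan.customer_gateway_ips]
    vgw = ipaddress.ip_address(plan.vpn_gateway_ip)

    # The point of the design is that no tunnel endpoint uses a public IP address.
    if not 1 <= len(cgw) <= 2:
        problems.append(f"expected one or two customer gateway IPs, got {len(cgw)}")
    if len(set(cgw)) != len(cgw):
        problems.append("customer gateway IPs must be distinct")
    for a in cgw:
        if not is_rfc1918(a):
            problems.append(f"customer gateway IP {a} is not an RFC 1918 private address")
        if a in tr or any(a in n for n in vpc):
            problems.append(f"customer gateway IP {a} must sit on the data center side, not in a cloud-side CIDR")
    if not is_rfc1918(tr):
        problems.append(f"transit router CIDR {tr} is not an RFC 1918 private block")
    if vgw not in tr:  # assumption: the VPN gateway IP is taken from the transit router CIDR block
        problems.append(f"VPN gateway IP {vgw} is outside the transit router CIDR {tr}")

    # Overlapping prefixes make the routes that steer traffic into the tunnel ambiguous.
    labelled = [("data center", n) for n in dc] + [("VPC", n) for n in vpc] + [("transit router", tr)]
    for i, (la, na) in enumerate(labelled):
        for lb, nb in labelled[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"{la} CIDR {na} overlaps {lb} CIDR {nb}")
    return problems


# Constructed sample plan: a data center on 192.168.0.0/16 reaching a VPC on 10.0.0.0/16.
GOOD_PLAN = PrivateVpnPlan(
    datacenter_cidrs=["192.168.0.0/16"],
    vpc_cidrs=["10.0.0.0/16"],
    customer_gateway_ips=["192.168.254.10", "192.168.254.11"],
    transit_router_cidr="10.255.0.0/24",
    vpn_gateway_ip="10.255.0.1",
)

# Constructed failing case: a public tunnel endpoint and a VPC that overlaps the data center.
BAD_PLAN = PrivateVpnPlan(
    datacenter_cidrs=["192.168.0.0/16"],
    vpc_cidrs=["192.168.10.0/24"],
    customer_gateway_ips=["203.0.113.10"],
    transit_router_cidr="10.255.0.0/24",
    vpn_gateway_ip="10.255.0.1",
)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "OK")
```

Run it as a script to print the verdict for both plans. The RFC 1918 test is deliberately stricter than Python's `is_private`, which also accepts ranges such as loopback and link-local that are never valid tunnel endpoints here.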

image

In the following figure, a client in the data center accesses an ECS instance in the VPC. The figure shows how the private traffic is encrypted, transmitted over the Express Connect circuit, and decrypted on the cloud side.

image

Use scenarios

You can combine private IPsec-VPN connections with the routing control features of transit routers to control which private traffic is encrypted and which connection carries it. The following scenarios are supported:

Encrypt and transmit all private traffic

image

Encrypt and transmit private traffic from different environments

image

Encrypt and transmit partial private traffic

image
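What the three scenarios above have in common is that encryption is selected by routes at both ends: the customer gateway device decides, by VPC destination, whether a packet enters the tunnel, and the transit router decides, by data center destination, whether the reply does. The following model is an added example and not Alibaba Cloud code; the next-hop names, prefixes and flows are constructed for illustration. It reproduces the three scenarios with a longest-prefix-match route table and also shows the failure mode a practitioner should check for: a more-specific route present on one side but missing on the other, which encrypts only one direction of a flow.

```python
"""Which private traffic is encrypted is decided by routes on both ends:
the customer gateway device (data center side) and the transit router.
Added example, not Alibaba Cloud code; next-hop names, prefixes and flows
are constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPSEC = "private-ipsec-vpn"   # next hop: private IPsec-VPN connection (encrypted)
DIRECT = "express-connect"    # next hop: Express Connect circuit/VBR directly (plaintext)

Net = ipaddress.IPv4Network


class RouteTable:
    """Minimal longest-prefix-match route table."""

    def __init__(self) -> None:
        self.routes: List[Tuple[Net, str]] = []

    def add(self, prefix: str, next_hop: str) -> "RouteTable":
        self.routes.append((ipaddress.ip_network(prefix), next_hop))
        return self

    def lookup(self, addr: str) -> Optional[str]:
        ip = ipaddress.ip_address(addr)
        hits = [(n, h) for n, h in self.routes if ip in n]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


# Data center side: (source prefix, route table of the router serving that prefix).
Sites = List[Tuple[str, RouteTable]]


def site_table(sites: Sites, src: str) -> Optional[RouteTable]:
    """Pick the most specific site prefix that contains the source host."""
    ip = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), t) for p, t in sites if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda s: s[0].prefixlen)[1] if hits else None


def audit_flows(sites: Sites, tr: RouteTable,
                flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Classify each (data center host -> VPC host) flow.

    Forward direction: the site router routes on the VPC destination.
    Return direction: the transit router routes on the data center host.
    Only when both directions pick the IPsec next hop is the flow "encrypted";
    "asymmetric" means one direction crosses the circuit in plaintext.
    """
    verdicts: Dict[Tuple[str, str], str] = {}
    for src, dst in flows:
        table = site_table(sites, src)
        fwd = table.lookup(dst) if table else None
        rev = tr.lookup(src)
        if fwd is None or rev is None:
            verdicts[(src, dst)] = "unrouted"
        elif fwd == rev == IPSEC:
            verdicts[(src, dst)] = "encrypted"
        elif fwd == rev == DIRECT:
            verdicts[(src, dst)] = "plaintext"
        else:
            verdicts[(src, dst)] = "asymmetric"
    return verdicts


# Constructed flows: a prod site host, a prod host in a sensitive sub-range, a test site host.
FLOWS = [("192.168.1.10", "10.0.1.20"), ("192.168.1.200", "10.0.1.20"), ("192.168.2.10", "10.0.1.20")]


def scenario_all() -> Dict[Tuple[str, str], str]:
    """Encrypt all private traffic: the data center and the transit router use IPsec only."""
    site = RouteTable().add("10.0.0.0/16", IPSEC)
    tr = RouteTable().add("192.168.0.0/16", IPSEC)
    return audit_flows([("192.168.0.0/16", site)], tr, FLOWS)


def scenario_environments() -> Dict[Tuple[str, str], str]:
    """Encrypt one environment (the prod site) and send the test site in plaintext."""
    prod = RouteTable().add("10.0.0.0/16", IPSEC)
    test = RouteTable().add("10.0.0.0/16", DIRECT)
    tr = RouteTable().add("192.168.1.0/24", IPSEC).add("192.168.2.0/24", DIRECT)
    return audit_flows([("192.168.1.0/24", prod), ("192.168.2.0/24", test)], tr, FLOWS)


def scenario_partial(with_return_route: bool) -> Dict[Tuple[str, str], str]:
    """Encrypt only the sensitive sub-range 192.168.1.128/25 of the prod site.

    The transit router must carry the matching more-specific route; without it
    the forward packets are encrypted but the replies cross the circuit in plaintext.
    """
    clear = RouteTable().add("10.0.0.0/16", DIRECT)
    sens = RouteTable().add("10.0.0.0/16", IPSEC)
    tr = RouteTable().add("192.168.0.0/16", DIRECT)
    if with_return_route:
        tr.add("192.168.1.128/25", IPSEC)
    sites = [("192.168.0.0/16", clear), ("192.168.1.128/25", sens)]
    return audit_flows(sites, tr, FLOWS)
```

Call `scenario_partial(False)` to see the asymmetric verdict for the sensitive host; the same audit applied to real route tables is a cheap way to prove, rather than assume, that a compliance-relevant flow is encrypted in both directions.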

References

If your customer gateway device supports BGP dynamic routing, we recommend that you use BGP dynamic routing, rather than static routes, to advertise the routes that steer traffic into the private IPsec-VPN connection over the Express Connect circuit.