VPN Gateway: Upgrade a VPN gateway to enable the dual-tunnel mode

Last Updated: Nov 22, 2024

An IPsec-VPN connection in dual-tunnel mode has an active tunnel and a standby tunnel. If the active tunnel is down, the standby tunnel takes over to ensure service availability. This topic describes how to upgrade a VPN gateway to enable the dual-tunnel mode.

Background information

Before you upgrade a VPN gateway to enable the dual-tunnel mode, we recommend that you familiarize yourself with the dual-tunnel mode, including its network topology and data transfer path. For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

Supported regions and zones

The following list shows, for each region, the zones in which you can upgrade IPsec-VPN connections to enable the dual-tunnel mode.

  • China (Hangzhou): Zone K, Zone J, Zone I, Zone H, and Zone G
  • China (Shanghai): Zone K, Zone L, Zone M, Zone N, Zone B, Zone D, Zone E, Zone F, and Zone G
  • China (Nanjing - Local Region): Zone A
  • China (Shenzhen): Zone A, Zone E, Zone D, and Zone F
  • China (Heyuan): Zone A and Zone B
  • China (Guangzhou): Zone A and Zone B
  • China (Qingdao): Zone B and Zone C
  • China (Beijing): Zone F, Zone E, Zone H, Zone G, Zone A, Zone C, Zone J, Zone I, Zone L, and Zone K
  • China (Zhangjiakou): Zone A, Zone B, and Zone C
  • China (Hohhot): Zone A and Zone B
  • China (Ulanqab): Zone A, Zone B, and Zone C
  • China (Chengdu): Zone A and Zone B
  • China (Hong Kong): Zone B, Zone C, and Zone D
  • Singapore: Zone A, Zone B, and Zone C
  • Thailand (Bangkok): Zone A
  • Japan (Tokyo): Zone A, Zone B, and Zone C
  • South Korea (Seoul): Zone A
  • Philippines (Manila): Zone A
  • Indonesia (Jakarta): Zone A, Zone B, and Zone C
  • Malaysia (Kuala Lumpur): Zone A and Zone B
  • UK (London): Zone A and Zone B
  • Germany (Frankfurt): Zone A, Zone B, and Zone C
  • US (Silicon Valley): Zone A and Zone B
  • US (Virginia): Zone A and Zone B
  • SAU (Riyadh - Partner Region): Zone A and Zone B
  • UAE (Dubai): Zone A

Prerequisites

Before you upgrade a VPN gateway, make sure that the following requirements are met:

  • The AliyunServiceRoleForVpn service-linked role is created within your Alibaba Cloud account.

    During the upgrade process, the system assumes the AliyunServiceRoleForVpn role to deploy the VPN Gateway resources. You can go to the VPN Gateway buy page to check whether the AliyunServiceRoleForVpn service-linked role is created within the current Alibaba Cloud account.

    • If Created is displayed on the buy page, the AliyunServiceRoleForVpn service-linked role is created within your Alibaba Cloud account.

    • If Create Service-linked Role is displayed on the buy page, click Create Service-linked Role. Then, the system automatically creates the AliyunServiceRoleForVpn service-linked role. For more information, see AliyunServiceRoleForVpn.


  • IPsec-VPN and SSL-VPN are not enabled at the same time.

    If both IPsec-VPN and SSL-VPN are enabled, you can downgrade the VPN gateway to disable IPsec-VPN or SSL-VPN. For more information, see the Downgrade section of the "Upgrade or downgrade a VPN gateway" topic.

    Before you disable IPsec-VPN or SSL-VPN, make sure that no IPsec-VPN connection or SSL server exists on the VPN gateway. For more information, see the Delete an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic or Delete an SSL server.

  • No two routes in the policy-based route table have the same source CIDR block and destination CIDR block but point to different IPsec-VPN connections, and no two routes in the destination-based route table have the same destination CIDR block but point to different IPsec-VPN connections.

    The following scenarios show routes that block the upgrade and how to resolve them.

    • Policy-based route table

      • Route 1: source CIDR block 10.10.10.0/24, destination CIDR block 172.16.10.0/24, next hop IPsec-VPN Connection 1

      • Route 2: source CIDR block 10.10.10.0/24, destination CIDR block 172.16.10.0/24, next hop IPsec-VPN Connection 2

      Supports upgrade: No. The two routes have the same source CIDR block and destination CIDR block but point to different IPsec-VPN connections.

      Solution: Delete one of the routes, or modify the source CIDR block or destination CIDR block of one of the routes. For more information, see Configure policy-based routes.

    • Destination-based route table

      • Route 1: destination CIDR block 192.168.10.0/24, next hop IPsec-VPN Connection 3

      • Route 2: destination CIDR block 192.168.10.0/24, next hop IPsec-VPN Connection 4

      Supports upgrade: No. The two routes have the same destination CIDR block but point to different IPsec-VPN connections.

      Solution: Delete one of the routes, or modify the destination CIDR block of one of the routes. For more information, see Manage destination-based routes.

  • Route tables of the virtual private cloud (VPC) that is associated with the VPN gateway do not contain a route whose destination CIDR block is a subnet of the Client CIDR Block of an SSL server or IPsec server and whose next hop is the VPN gateway.

    For example, if the Client CIDR Block of an SSL server is 192.168.10.0/24, the route tables of the VPC cannot contain a route whose destination CIDR block is a subnet of 192.168.10.0/24, such as 192.168.10.0/25 or 192.168.10.0/26, and whose next hop is the VPN gateway.

    You can manage custom routes in VPC route tables. For more information, see Create and manage a route table.

  • The Border Gateway Protocol (BGP) tunnel CIDR block of each IPsec-VPN connection is unique if multiple IPsec-VPN connections exist on the VPN gateway and all IPsec-VPN connections use BGP.

    You can modify the CIDR block of a BGP tunnel. For more information, see the Modify an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic.

  • Two vSwitches in the VPC that is associated with the VPN gateway are available for the upgrade, and each vSwitch has sufficient idle IP addresses.

    • Make sure that the zones in which the vSwitches are deployed support the dual-tunnel mode. For more information, see the Supported regions and zones section of this topic.

    • If multiple zones in the current region support the dual-tunnel mode, the two vSwitches that you specify must belong to different zones to implement disaster recovery across zones for IPsec-VPN connections. Each vSwitch must have at least two idle IP addresses.

    • If only one zone in the current region supports the dual-tunnel mode, both vSwitches must be in that zone:

      • If you specify the same vSwitch, make sure that the vSwitch has at least four idle IP addresses.

      • If you specify two different vSwitches, make sure that each vSwitch has at least two idle IP addresses.
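The prerequisites above are easiest to verify before you open the upgrade dialog. The following script, an added example that is not Alibaba Cloud code, encodes each rule as a function over a plain-Python inventory. The inventory shapes, the IDs (vpn-example, vco-1, vsw-a, and so on) and the sample data are constructed for illustration; collecting the real routes, client CIDR blocks, BGP tunnel CIDR blocks and vSwitch idle-address counts from the VPN Gateway and VPC APIs is left to the reader.

```python
"""Offline pre-flight check for the dual-tunnel upgrade prerequisites.
Added example, not Alibaba Cloud code: each function encodes one rule from
the Prerequisites list over a plain-Python inventory. The inventory shapes,
IDs and sample data are constructed; filling them from the VPN Gateway and
VPC APIs is left to the reader."""
import ipaddress
from collections import Counter

def route_conflicts(route_tables):
    """Within one table, entries with the same (source, destination) must not
    point to different connections. Destination-based entries use source=None."""
    problems = []
    for table, entries in route_tables.items():
        hops = {}
        for e in entries:
            key = (e.get("source"), e["destination"])
            hops.setdefault(key, set()).add(e["next_hop"])
        for (src, dst), nh in hops.items():
            if len(nh) > 1:
                problems.append(f"{table}: {src or 'any'} -> {dst} points to {sorted(nh)}")
    return problems

def client_cidr_routes(vpc_routes, client_cidrs, vpn_gateway_id):
    """No VPC route inside an SSL/IPsec server Client CIDR Block may use the VPN
    gateway as next hop. An equal block is flagged too (conservative reading)."""
    clients = [ipaddress.ip_network(c) for c in client_cidrs]
    problems = []
    for r in vpc_routes:
        if r["next_hop"] != vpn_gateway_id:
            continue
        dst = ipaddress.ip_network(r["destination"])
        for c in clients:
            if dst.version == c.version and dst.subnet_of(c):
                problems.append(f"VPC route {dst} -> {vpn_gateway_id} lies inside client CIDR {c}")
    return problems

def duplicate_bgp_tunnel_cidrs(connections):
    """If several connections exist and all use BGP, tunnel CIDRs must be unique."""
    if len(connections) < 2 or not all(c["bgp"] for c in connections):
        return []
    counts = Counter(c["tunnel_cidr"] for c in connections)
    return [f"BGP tunnel CIDR {cidr} is used by {n} connections"
            for cidr, n in counts.items() if n > 1]

def vswitch_problems(vswitches, supported_zones):
    """Two vSwitches in supported zones, in different zones when the region has
    several, with 4 idle IPs if the same vSwitch is used twice, else 2 each."""
    if len(vswitches) != 2:
        return ["exactly two vSwitches must be specified"]
    a, b = vswitches
    problems = [f"{v['id']} is in {v['zone']}, which does not support dual-tunnel mode"
                for v in (a, b) if v["zone"] not in supported_zones]
    if len(supported_zones) > 1 and a["zone"] == b["zone"]:
        problems.append("the two vSwitches must be in different zones for zone disaster recovery")
    if a["id"] == b["id"]:
        if a["idle_ips"] < 4:
            problems.append(f"{a['id']} needs at least 4 idle IP addresses, has {a['idle_ips']}")
    else:
        problems += [f"{v['id']} needs at least 2 idle IP addresses, has {v['idle_ips']}"
                     for v in (a, b) if v["idle_ips"] < 2]
    return problems

def preflight(inv):
    """Run every rule; an empty list means the gateway is ready to upgrade."""
    return (route_conflicts(inv["route_tables"])
            + client_cidr_routes(inv["vpc_routes"], inv["client_cidrs"], inv["vpn_gateway_id"])
            + duplicate_bgp_tunnel_cidrs(inv["connections"])
            + vswitch_problems(inv["vswitches"], inv["supported_zones"]))

# Constructed inventory that violates every rule once (all IDs are made up).
SAMPLE = {
    "vpn_gateway_id": "vpn-example",
    "supported_zones": ["Zone G", "Zone H"],
    "route_tables": {
        "policy-based": [
            {"source": "10.10.10.0/24", "destination": "172.16.10.0/24", "next_hop": "vco-1"},
            {"source": "10.10.10.0/24", "destination": "172.16.10.0/24", "next_hop": "vco-2"},
        ],
        "destination-based": [
            {"source": None, "destination": "192.168.10.0/24", "next_hop": "vco-3"},
            {"source": None, "destination": "192.168.10.0/24", "next_hop": "vco-4"},
        ],
    },
    "client_cidrs": ["192.168.10.0/24"],  # SSL server Client CIDR Block
    "vpc_routes": [
        {"destination": "192.168.10.0/25", "next_hop": "vpn-example"},  # blocked
        {"destination": "10.20.0.0/16", "next_hop": "vpn-example"},     # fine
    ],
    "connections": [
        {"id": "vco-1", "bgp": True, "tunnel_cidr": "169.254.10.0/30"},
        {"id": "vco-2", "bgp": True, "tunnel_cidr": "169.254.10.0/30"},
    ],
    "vswitches": [
        {"id": "vsw-a", "zone": "Zone G", "idle_ips": 8},
        {"id": "vsw-b", "zone": "Zone G", "idle_ips": 3},  # same zone: no zone DR
    ],
}

if __name__ == "__main__": print("\n".join(preflight(SAMPLE)))
```

Run against the constructed SAMPLE the script reports five blockers, one per rule (two route conflicts, one client-CIDR route, one duplicate BGP tunnel CIDR, and two vSwitches in the same zone). The subnet test uses ipaddress.subnet_of, which also matches a destination equal to the client block; that is a deliberately conservative reading of "subnet of" and is an assumption of this example, not a statement from the page.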

Usage notes on the upgrade process

Warning

A VPN gateway is unavailable during the upgrade, and its existing connections are interrupted. Upgrade the VPN gateway during a network maintenance window to limit the impact of the interruption.

  • The upgrade takes about 10 minutes. During this period, the VPN gateway cannot forward traffic.

  • You cannot manage the VPN gateway during the upgrade process.

Procedure

  1. Log on to the VPN gateway console.
  2. In the top navigation bar, select the region in which the VPN gateway resides.

  3. On the VPN Gateways page, click the ID of the VPN gateway that you want to manage.

  4. In the upper-right corner of the details page, click Enable Zone Redundancy.

  5. In the Enable Zone Redundancy dialog box, specify the vSwitch and enable environment verification. After all checks pass, click Enable.

    • If the environment verification fails, refer to the Prerequisites section of this topic for troubleshooting.

    • After you click Enable, the system starts the upgrade.

What to do next

  • If the VPC that is associated with the VPN gateway is attached to Cloud Enterprise Network (CEN) and a custom route in the VPC route table that points to the VPN gateway was advertised to CEN, that route is no longer advertised after the upgrade is complete. Advertise the route to CEN again. For more information, see Advertise routes to a transit router.

  • If the IPsec-VPN feature remains enabled, the standby tunnel of each IPsec-VPN connection is unavailable by default after the upgrade is complete. You must configure the peer gateway device for the standby tunnel before it can carry traffic. For more information, see Connect a VPC to a data center in dual-tunnel mode and Connect a VPC to a data center in dual-tunnel and BGP routing mode.

    • After the upgrade is complete, the VPN gateway has two IP addresses: the IP address that it owned before the upgrade and a second IP address allocated by the system. The two IP addresses are used to establish the encrypted tunnels.

    • After the upgrade is complete, each IPsec-VPN connection has an active tunnel and a standby tunnel. By default, both tunnels are associated with the same customer gateway, the tunnel that existed before the upgrade serves as the active tunnel with its configuration unchanged, and the standby tunnel is unavailable.

  • If the SSL-VPN feature remains enabled, the SSL-VPN configurations remain unchanged after the upgrade is complete. You can then enable the IPsec-VPN feature and create IPsec-VPN connections in dual-tunnel mode. For more information, see the Procedure section of the "Enable IPsec-VPN" topic and Create and manage IPsec-VPN connections in dual-tunnel mode.

    After the upgrade is complete, the IP address of the VPN gateway is used only by the SSL-VPN feature. When you enable the IPsec-VPN feature, the system allocates two IP addresses to the VPN gateway, which are used to establish IPsec-VPN connections in dual-tunnel mode.

Important

When you use a dual-tunnel IPsec-VPN connection, make sure that both the active tunnel and the standby tunnel are available. If you configure or use only one of the tunnels, the connection provides neither active/standby tunnel redundancy nor zone disaster recovery.