Upgrade a VPN gateway to enable the dual-tunnel mode

0.0.201

important

This topic contains important information on necessary precautions. We recommend that you read this topic carefully before proceeding.

An IPsec-VPN connection in dual-tunnel mode has an active tunnel and a standby tunnel. If the active tunnel is down, the standby tunnel takes over to ensure service availability. This topic describes how to upgrade a VPN gateway to enable the dual-tunnel mode.

Background information

Before you upgrade a VPN gateway to enable the dual-tunnel mode, we recommend that you know more about the dual-tunnel mode such as the network topology and data transfer path. For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

Supported regions and zones

The following table describes the regions and zones in which you can upgrade IPsec-VPN connections to enable the dual-tunnel mode.

Note

You can call the DescribeVpnGatewayAvailableZones operation to query zones that support dual-tunnel IPsec-VPN connections in the specified region. If the zones listed in the table differ from the information returned by the DescribeVpnGatewayAvailableZones operation, the zones returned by the DescribeVpnGatewayAvailableZones operation shall prevail.

Region	Zone

Region	Zone
China (Hangzhou)	Zone K, Zone J, Zone I, Zone H, and Zone G
China (Shanghai)	Zone L, Zone M, Zone N, Zone A, Zone B, Zone E, Zone F, and Zone G
China (Nanjing - Local Region)	A
China (Shenzhen)	Zone A (discontinued), Zone C, Zone E, Zone D, and Zone F
China (Heyuan)	Zone A and Zone B
China (Guangzhou)	Zone A and Zone B
China (Qingdao)	Zone B and Zone C
China (Beijing)	Zone F, Zone E, Zone H, Zone G, Zone A, Zone C, Zone J, Zone I, Zone L, and Zone K
China (Zhangjiakou)	Zone A, Zone B, and Zone C
China (Hohhot)	Zone A and Zone B
China (Ulanqab)	Zone A, Zone B, and Zone C
China (Chengdu)	Zone A and Zone B
China (Hong Kong)	Zone B, Zone C, and Zone D
Singapore	Zone A, Zone B, and Zone C
Thailand (Bangkok)	A
Japan (Tokyo)	Zone A, Zone B, and Zone C
South Korea (Seoul)	A
Philippines (Manila)	A
Indonesia (Jakarta)	Zone A, Zone B, and Zone C
Malaysia (Kuala Lumpur)	Zone A and Zone B
UK (London)	Zone A and Zone B
Germany (Frankfurt)	Zone A, Zone B, and Zone C
US (Silicon Valley)	Zone A and Zone B
US (Virginia)	Zone A and Zone B
SAU (Riyadh - Partner Region)	Zone A and Zone B
UAE (Dubai)	A

Prerequisites

Before you upgrade a VPN gateway, make sure that the following requirements are met:

The AliyunServiceRoleForVpn service-linked role is created within your Alibaba Cloud account.
During the upgrade process, the system assumes the AliyunServiceRoleForVpn role to deploy the VPN Gateway resources. You can go to the VPN Gateway buy page to check whether the AliyunServiceRoleForVpn service-linked role is created within the current Alibaba Cloud account.
- If Created is displayed on the buy page, the AliyunServiceRoleForVpn service-linked role is created within your Alibaba Cloud account.
- If Create Service-linked Role is displayed on the buy page, click Create Service-linked Role. Then, the system automatically creates the AliyunServiceRoleForVpn service-linked role. For more information, see AliyunServiceRoleForVpn.
IPsec-VPN and SSL-VPN are not enabled at the same time.

If both IPsec-VPN and SSL-VPN are enabled, you can downgrade the VPN gateway to disable IPsec-VPN or SSL-VPN. For more information, see the Downgrade section of the "Upgrade or downgrade a VPN gateway" topic.
Before you disable IPsec-VPN or SSL-VPN, make sure that no IPsec-VPN connection or SSL server exists on the VPN gateway. For more information, see the Delete an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic or Delete an SSL server.

Routes with the same source CIDR block and destination CIDR block in policy-based or destination-based route tables do not point to different IPsec-VPN connections.

The following table provides some sample scenarios and solutions.

Route table	Source CIDR block	Destination CIDR block	Next hop	Support upgrade	Solution
Policy-based route table	10.10.10.0/24	172.16.10.0/24	IPsec-VPN Connection 1	No. You cannot upgrade the VPN gateway because the routes in the policy-based route table have the same source CIDR block and destination CIDR block but point to different IPsec-VPN connections.	Delete one of the routes, or modify the source CIDR block or destination CIDR block for one of the routes. For more information, see Configure policy-based routes.
Policy-based route table	10.10.10.0/24	172.16.10.0/24	IPsec-VPN Connection 2
Destination-based route table	N/A	192.168.10.0/24	IPsec-VPN Connection 3	No. You cannot upgrade the VPN gateway because the routes in the destination-based route table have the same destination CIDR block but point to different IPsec-VPN connections.	Delete one of the routes, or modify the destination CIDR block for one of the routes. For more information, see Manage destination-based routes.
Destination-based route table	N/A	192.168.10.0/24	IPsec-VPN Connection 4

Route tables in the virtual private cloud (VPC) that is associated with the VPN gateway do not contain such routes: The destination CIDR block is a subnet of the Client CIDR Block of an SSL server, or a subnet of the Client CIDR Block of an IPsec server, and the next hop is the VPN gateway.

For example, if the Client CIDR Block of an SSL server is 192.168.10.0/24, route tables in the VPC that is associated with the VPN gateway cannot contain such routes: The destination CIDR block is a subnet of 192.168.10.0/24, such as 192.168.10.0/25 or 192.168.10.0/26, and the next hop is the VPN gateway.
You can manage custom routes in VPC route tables. For more information, see Create and manage a route table.
The Border Gateway Protocol (BGP) tunnel CIDR block of each IPsec-VPN connection is unique if multiple IPsec-VPN connections exist on the VPN gateway and all IPsec-VPN connections use BGP.

You can modify the CIDR block of a BGP tunnel. For more information, see the Modify an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic.
Two vSwitches are specified in the VPC that is associated with the VPN gateway, and the vSwitches have sufficient idle IP addresses.
- Make sure that the zones in which the vSwitches are deployed support the dual-tunnel mode. For more information, see the Supported regions and zones section of this topic.
- If multiple zones in the current region support the dual-tunnel mode, the two vSwitches that you specify must belong to different zones to implement disaster recovery across zones for IPsec-VPN connections. Each vSwitch must have at least two idle IP addresses.
- If only one zone in the current region supports the dual-tunnel mode, you need to specify two vSwitches in this zone:
  - If you specify the same vSwitch, make sure that the vSwitch has at least four idle IP addresses.
  - If you specify two different vSwitches, make sure that each vSwitch has at least two idle IP addresses.

Usage notes on the upgrade process

Warning

A VPN gateway is unavailable during the upgrade process. The existing connections are interrupted. We recommend that you upgrade a VPN gateway during a network maintenance window to prevent service interruptions.

The upgrade takes about 10 minutes. During this period, the VPN gateway cannot forward traffic.
You cannot manage the VPN gateway during the upgrade process.

Procedure

Log on to the VPN gateway console.
In the top navigation bar, select the region in which the VPN gateway resides.
On the VPN Gateways page, click the ID of the VPN gateway that you want to manage.
In the upper-right corner of the details page, click Enable Zone Redundancy.
In the Enable Zone Redundancy dialog box, specify a vSwitch and enable environment verification. Make sure that the requirements are met and click Enable.
- If the environment verification failed, refer to the Prerequisites section of this topic for troubleshooting.
- After you click Enable, the system starts the upgrade.

What to do next

In scenarios where the VPC that is associated with the VPN gateway is connected to Cloud Enterprise Network (CEN), if a custom route that points to the VPN gateway exists in the route table of the VPC and has been advertised to CEN, this route becomes unadvertised after the upgrade is complete. In this case, you need to advertise this route to CEN again. For more information, see Advertise routes to a transit router.
If the IPsec-VPN feature remains enabled, the standby tunnel of an IPsec-VPN connection is unavailable by default after the upgrade is complete. You need to configure the peer gateway device to enable the standby tunnel. For more information, see Connect a VPC to a data center in dual-tunnel mode and Connect a VPC to a data center in dual-tunnel and BGP routing mode.
- After the upgrade is complete, the VPN gateway has two IP addresses, one of which is the IP address owned by the VPN gateway before the upgrade. The other is allocated by the system. The two IP addresses are used to establish encrypted tunnels.
- After the upgrade is complete, each IPsec-VPN connection has an active tunnel and a standby tunnel. By default, the tunnels are associated with the same customer gateway. By default, the tunnel that already exists before the upgrade serves as the active tunnel and its configurations remain unchanged. By default, the standby tunnel is unavailable.
If the SSL-VPN feature remains enabled, the SSL-VPN configurations remain unchanged after the upgrade is complete. You can enable the IPsec-VPN feature and create an IPsec-VPN connection in dual-tunnel mode. For more information, see the Procedure section of the "Enable IPsec-VPN" topic and Create and manage IPsec-VPN connections in dual-tunnel mode.

After the upgrade is complete, the IP address of the VPN gateway is used only by the SSL-VPN feature. After you enable the IPsec-VPN feature, the system reallocates two IP addresses to the VPN gateway and allows you to establish an IPsec-VPN connection in dual-tunnel mode.

Important

When you use a dual-tunnel IPsec-VPN connection, make sure that the active tunnel and standby tunnel are available. If you configure or use only one of the tunnels, IPsec-VPN connection redundancy based on active/standby tunnels and zone-disaster recovery are not supported.

Feedback

Previous: Configure BGP dynamic routingNext: Use an IPsec-VPN connection that is associated with a transit router

On this page （1, T）

Background information

Supported regions and zones

Prerequisites

Usage notes on the upgrade process

Procedure

What to do next

Chat now with Alibaba Cloud Customer Service to assist you in finding the right products and services to meet your needs.

Background information

Supported regions and zones

Prerequisites

Usage notes on the upgrade process

Procedure

What to do next

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Lingma

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)