
VPN Gateway:Active-standby over Express Connect via VPN gateway

Last Updated: Mar 06, 2026

This topic describes how to use an IPsec-VPN connection and an Express Connect circuit to establish an active/standby connection from an on-premises data center (IDC) to Alibaba Cloud. This setup allows the on-premises IDC to communicate with a virtual private cloud (VPC).

Scenario description

This topic uses the scenario shown in the following figure to describe how to use an IPsec-VPN connection and an Express Connect circuit to establish an active/standby connection to Alibaba Cloud. An enterprise has an on-premises IDC in Hangzhou and has deployed services in VPC1 in the China (Hangzhou) region. VPC1 contains application and data analytics services that are deployed on cloud products, such as Elastic Compute Service (ECS) instances, for business interaction and data analytics. The enterprise needs to deploy active/standby links to connect the on-premises IDC to VPC1. The links are described as follows:

  • An Express Connect circuit is used as the primary link. The on-premises IDC connects to VPC1 through the Express Connect circuit and a transit router.

  • A VPN Gateway is used as the standby link. The VPN Gateway is associated with a separate VPC (VPC2). No services are deployed in VPC2. VPC2 serves only as a transit VPC to establish an IPsec-VPN connection between the on-premises IDC and the cloud. The on-premises IDC connects to VPC1 through the IPsec-VPN connection and the transit router.

    • If both the Express Connect circuit and the IPsec-VPN connection work as expected, the transit router learns the CIDR block of the on-premises IDC from both connections. By default, the route learned from the Express Connect circuit has a higher priority than the route learned from the IPsec-VPN connection. Therefore, traffic from instances in VPC1 to the on-premises IDC is routed through the Express Connect circuit by default.

    • If the Express Connect circuit becomes abnormal, the route learned from the Express Connect circuit is automatically revoked. The route learned from the IPsec-VPN connection takes effect, and traffic from instances in VPC1 to the on-premises IDC is routed through the IPsec-VPN connection. After the Express Connect circuit recovers, traffic from instances in VPC1 to the on-premises IDC is routed through the Express Connect circuit again, and the IPsec-VPN connection reverts to being the standby link.

(Figure: scenario topology)

Preparations

  • Plan the routable protocols for your on-premises IDC and network instances. This topic uses the following protocol plan:

    • Static routing is configured between the on-premises gateway device in the IDC and the VPN Gateway.

    • The Border Gateway Protocol (BGP) dynamic routing protocol is used between the on-premises gateway device in the IDC and the virtual border router (VBR).

      Note

      In a scenario where a VPN Gateway serves as a standby connection for an Express Connect circuit, the VBR must use the BGP dynamic routing protocol. The VPN Gateway can use either static routing or the BGP dynamic routing protocol.

  • Plan the CIDR blocks for your on-premises IDC and network instances. Make sure that the CIDR blocks do not overlap. This topic uses the following CIDR block plan (parameter, CIDR block, and IP addresses):

    • VPC1: 192.168.0.0/16. ECS instance address: 192.168.20.161.

    • VPC2: 10.0.0.0/16. IP address: not applicable.

    • VBR: 10.1.0.0/30.

      • VLAN ID: 0

      • Alibaba Cloud-side peer IPv4: 10.1.0.1/30

      • Customer-side peer IPv4: 10.1.0.2/30

        In this topic, the customer side refers to the on-premises gateway device in the IDC.

    • On-premises IDC: 172.16.0.0/16. Client address: 172.16.1.188.

    • On-premises gateway device in the IDC: 10.1.0.0/30.

      • Public IP address: 211.XX.XX.68

      • IP address of the port connected to the Express Connect circuit: 10.1.0.2/30

      • BGP AS number: 65530

  • You have created VPC1 and VPC2 in the China (Hangzhou) region. Application and data analytics services are deployed in VPC1. No services are deployed in VPC2. VPC2 is associated with a VPN Gateway and serves as a transit VPC to establish a VPN connection between the on-premises IDC and the cloud. For more information, see Create and manage a VPC.

  • Check your on-premises gateway device to make sure that it supports the standard IKEv1 and IKEv2 protocols. This is required for the device to connect to an Alibaba Cloud VPN Gateway. Contact the gateway device vendor to confirm whether the device supports the standard IKEv1 and IKEv2 protocols.

  • You have configured a static public IP address for your on-premises gateway device.

  • You are familiar with the security group rules that are applied to the ECS instance in VPC1. Make sure that the rules allow the on-premises IDC to access the ECS instance. For more information, see Query security group rules and Add a security group rule.
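A check of the CIDR block plan above (no overlapping blocks, a valid /30 peer pair on the VBR link, and the ECS instance and client addresses inside their blocks), added here as an example; it is not Alibaba Cloud code. The plan values are those of this topic; the function names and the finding messages are assumptions.

```python
import ipaddress

# Constructed from the CIDR block plan in this topic. The VBR /30 is the
# point-to-point link to the on-premises gateway device, so it is listed once.
PLAN = {
    "VPC1": "192.168.0.0/16",
    "VPC2": "10.0.0.0/16",
    "VBR": "10.1.0.0/30",
    "On-premises IDC": "172.16.0.0/16",
}

# Peer addresses on the VBR link (Alibaba Cloud side and customer side).
VBR_PEERS = {"cloud": "10.1.0.1/30", "customer": "10.1.0.2/30"}

# Hosts used by the connectivity test in this topic, mapped to the block
# they must belong to.
HOSTS = {
    "ECS instance": ("VPC1", "192.168.20.161"),
    "client": ("On-premises IDC", "172.16.1.188"),
}


def overlapping_blocks(plan):
    """Return every pair of plan entries whose CIDR blocks overlap.

    Overlapping blocks leave the transit router with ambiguous routes and can
    silently send traffic down the wrong attachment.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def valid_point_to_point(link_cidr, peers):
    """Check that both peer IPs are distinct usable host addresses of the /30 link."""
    link = ipaddress.ip_network(link_cidr)
    usable = set(link.hosts())
    ifaces = [ipaddress.ip_interface(p) for p in peers.values()]
    same_link = all(i.network == link for i in ifaces)
    usable_hosts = all(i.ip in usable for i in ifaces)
    distinct = len({i.ip for i in ifaces}) == len(ifaces)
    return link.prefixlen == 30 and same_link and usable_hosts and distinct


def hosts_in_expected_blocks(plan, hosts):
    """Map each host name to whether it lies inside the block the plan assigns it to."""
    return {name: ipaddress.ip_address(addr) in ipaddress.ip_network(plan[block])
            for name, (block, addr) in hosts.items()}


def check_plan(plan=PLAN, peers=VBR_PEERS, hosts=HOSTS):
    """Run all checks and return (ok, findings) for the plan."""
    findings = [f"{a} overlaps {b}" for a, b in overlapping_blocks(plan)]
    if not valid_point_to_point(plan["VBR"], peers):
        findings.append("VBR peer addresses are not a valid /30 pair")
    findings += [f"{name} is outside its block" for name, ok in
                 hosts_in_expected_blocks(plan, hosts).items() if not ok]
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_plan()
    print("plan OK" if ok else "\n".join(findings))
```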

Step 1: Deploy an Express Connect circuit

  1. Create an Express Connect circuit.

    Apply for an Express Connect circuit in the China (Hangzhou) region. For more information, see Apply for a dedicated connection or Procedure for connecting to a shared Express Connect circuit.

  2. Create a VBR.

    1. Log on to the Express Connect console.

    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).

    3. In the top navigation bar, select the region where you want to create the VBR.

      This example uses the China (Hangzhou) region.

    4. On the Virtual Border Routers (VBRs) page, click Create VBR.

    5. In the Create VBR panel, configure the parameters and click OK.

      • Account: Select Current Account.

      • Name: Enter VBR.

      • Physical Connection Interface: Select the Express Connect circuit that you applied for.

      • VLAN ID: Enter 0.

      • VBR Bandwidth: Select a bandwidth cap for the VBR instance.

      • Alibaba Cloud-Side IPv4: Enter 10.1.0.1.

      • Customer-Side IPv4: Enter 10.1.0.2.

      • IPv4 Subnet Mask: Enter 255.255.255.252.

  3. Configure a BGP group.

    1. On the Virtual Border Routers (VBRs) page, click the ID of the VBR.

    2. On the details page, click the BGP Groups tab.

    3. Click Create BGP Group, configure the BGP group, and then click OK.

      • Name: Enter a name for the BGP group. In this example, enter test.

      • Peer AS Number: The autonomous system (AS) number of the gateway device in the on-premises IDC. In this example, enter 65530.

      • BGP Key: The key of the BGP group. This parameter is not configured in this example.

      • Description: Enter a description for the BGP group. In this example, enter test.

  4. Configure a BGP peer.

    1. On the VBR details page, click the BGP Peers tab.

      On the BGP Peers tab, click Create BGP Peer.

    2. In the Create BGP Peer panel, configure the BGP peer and click OK.

      • BGP Group: Select the BGP group to which you want to add the BGP peer. In this example, select the BGP group that you created.

      • BGP Peer IP: The IP address of the BGP peer. In this example, enter 10.1.0.2. This is the IP address of the port on the on-premises gateway device.

Step 2: Deploy a VPN Gateway

  1. Create a VPN Gateway.

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the China (Hangzhou) region.

    3. On the VPN Gateways page, click Create VPN Gateway.

    4. On the purchase page, configure the VPN Gateway, click Buy Now, and then complete the payment.

      • Instance Name: Enter a name for the VPN Gateway instance.

      • Region: Select the region of the VPN Gateway.

        In this example, the VPN Gateway is associated with VPC2. Make sure that VPC2 and the VPN Gateway are in the same region. This example uses China (Hangzhou).

      • Gateway Type: Select the type of VPN gateway that you want to create. This example uses Standard.

      • Network Type: Select the network type of the VPN Gateway instance. This example uses Public.

      • Tunnel: The system displays the tunnel mode of the IPsec-VPN connection that is supported in the current region.

      • VPC: Select the VPC to which you want to connect. This example uses VPC2.

      • VSwitch 1: Select a vSwitch from the VPC instance.

        • If the tunnel mode of the IPsec-VPN connection is single-tunnel, you need to specify only one vSwitch.

        • If the tunnel mode of the IPsec-VPN connection is dual-tunnel, you need to specify two vSwitches.

          After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) in each of the two vSwitches. The ENIs are used as interfaces for traffic between the IPsec-VPN connection and the VPC. Each ENI occupies an IP address in its vSwitch.

        Note

        By default, the system selects the first vSwitch for you. You can manually change the vSwitch or use the default one.

        After you create a VPN Gateway instance, you cannot change its associated vSwitches. You can view information about the associated vSwitches, the zones where they reside, and the ENIs in the vSwitches on the details page of the VPN Gateway instance.

      • vSwitch 2: Select a second vSwitch from the VPC instance.

        If the tunnel mode of the IPsec-VPN connection is single-tunnel, you do not need to configure this parameter.

      • Peak Bandwidth: Select the bandwidth of the VPN Gateway. This is the public bandwidth of the VPN Gateway.

      • Traffic: By default, a VPN Gateway uses the pay-by-traffic billing method. For more information, see Billing.

      • IPsec-VPN: Select whether to enable the IPsec-VPN feature. The IPsec-VPN feature can be used to establish a connection between an on-premises IDC and a VPC, or between different VPCs. This example uses Enable.

      • SSL-VPN: Select whether to enable the SSL-VPN feature. The SSL-VPN feature lets you connect to a VPC from a single computer at any location. This example uses Disable.

      • Subscription Duration: By default, a VPN Gateway is billed on an hourly basis.

      • Service-linked Role: Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn.

        For more information, see AliyunServiceRoleForVpn. If this configuration item is displayed as Created, the role has been created for your account and you do not need to create it again.

    5. Return to the VPN Gateways page. View the VPN Gateway that you created and record its public IP address. You will use this IP address later to configure routes in the on-premises IDC.

      A newly created VPN Gateway is in the Preparing state. After about 1 to 5 minutes, it enters the Normal state. The Normal state indicates that the VPN Gateway is initialized and ready for use.

  2. Create a customer gateway.

    1. In the navigation pane on the left, choose Interconnections > VPN > Customer Gateways.

    2. On the Customer Gateway page, click Create Customer Gateway.

    3. In the Create Customer Gateway panel, configure the customer gateway and click OK.

      • Name: Enter a name for the customer gateway.

      • IP Address: Enter the public IP address of the gateway device in the on-premises IDC to which VPC2 will connect. In this example, enter 211.XX.XX.68.

      • ASN: The autonomous system number of the on-premises gateway device. You do not need to configure this parameter in this example.

      • Description: Enter a description for the customer gateway.

  3. Create an IPsec-VPN connection.

    1. In the navigation pane on the left, go to Interconnections > VPN > IPsec Connections.

    2. On the IPsec Connections page, click Bind VPN Gateway.

    3. On the Create IPsec-VPN Connection page, configure the IPsec-VPN connection and click OK.

      • IPsec Connection Name: Enter a name for the IPsec-VPN connection.

      • Region: Select the region of the VPN Gateway instance to which you want to attach the IPsec-VPN connection.

      • Attach VPN Gateway: Select the VPN Gateway that you created.

      • Routing Mode: Select a routing mode. This example uses Destination-based Routing Mode.

      • Effective Immediately: Select whether to immediately negotiate the connection. This example uses No.

        • Yes: Negotiation starts immediately after the configuration is complete.

        • No: Negotiation starts when traffic is detected.

      • Customer Gateway: Select the customer gateway that you created.

      • Pre-Shared Key: Enter a shared key. The pre-shared key of the on-premises gateway device must be the same as this value. This example uses the default, randomly generated value.

      • Encryption Configurations: This example uses IKEv1. The other options use the default configurations.

      For more information, see Create an IPsec-VPN connection in single-tunnel mode.

  4. Configure routes for the VPN Gateway.

    You need to advertise the route from the VPN Gateway to VPC2 for the on-premises IDC.

    1. After the IPsec-VPN connection is created, click OK in the Created dialog box to advertise routes from the VPN Gateway instance.

    2. In the navigation pane on the left, choose Interconnections > VPN > VPN Gateways.

    3. On the VPN Gateways page, find the destination VPN Gateway and click its ID.

    4. On the Destination-based Route Table tab, click Add Route Entry.

    5. In the Add Route Entry panel, configure the destination-based route and click OK.

      • Destination CIDR Block: Enter the CIDR block of the on-premises IDC. In this example, enter 172.16.0.0/16.

      • Next Hop Type: Select IPsec-VPN connection.

      • Next Hop: Select the IPsec-VPN connection instance that you created.

      • Advertise to VPC: Select whether to advertise the new route to the route table of VPC2. This example uses Yes.

      • Weight: Select a weight for the route. This example uses the default value 100, which indicates a high priority.

        Note

        If the VPN Gateway has destination-based routes with the same destination CIDR block, you cannot set the weight of both routes to 100.

  5. Load the VPN configurations onto the on-premises gateway device.

    1. In the navigation pane on the left, go to Interconnections > VPN > IPsec Connections.

    2. On the IPsec Connections page, find the destination IPsec-VPN connection and click Generate Peer Configuration in the Actions column.

    3. Add the downloaded configurations to your on-premises gateway device based on its configuration requirements. For more information, see Examples of on-premises gateway device configurations.

Step 3: Configure CEN

After you configure the VBR and the VPN Gateway, you must connect VPC1, VPC2, and the VBR to a transit router. The transit router enables communication between the on-premises IDC and VPC1.

  1. Create a CEN instance. Select Create CEN Instance Only.

  2. Create a transit router instance.

    1. On the Instances page, find the destination CEN instance and click its ID.

    2. On the Basic Settings > Transit Router tab, click Create Transit Router.

    3. In the Create Transit Router dialog box, configure the transit router instance and click OK.

      Create a transit router instance in China (Hangzhou) with the following configuration items.

      • Region: Select the region where the transit router instance resides. This example uses the China (Hangzhou) region.

      • Edition: The edition of the transit router instance. The system automatically determines and displays the edition that is available in the current region.

      • Enable Multicast: Select whether to enable the multicast feature for the transit router instance. This example uses the default value, which does not enable the multicast feature.

      • Name: Enter a custom name for the transit router instance.

      • Description: Enter a custom description for the transit router instance.

      • Transit Router CIDR: Enter a CIDR block for the transit router. For more information, see Transit router CIDR blocks. This example does not specify a CIDR block for the transit router.

  3. Connect VPC1 and VPC2 to the transit router.

    1. On the Instances page, find the destination CEN instance and click its ID.

    2. On the Basic Settings > Transit Router tab, find the transit router instance in the China (Hangzhou) region and click Create Connection in the Actions column.

    3. On the Connection with Peer Network Instance page, configure the parameters and click OK.

      The following list describes the configuration items and the values to use for VPC1 and VPC2. Use these values to connect VPC1 and VPC2 to the transit router instance.

      Note

      When you connect a VPC instance for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router instance to create an ENI on a vSwitch in the VPC. For more information, see AliyunServiceRoleForCEN.

      • Network Type: Select the type of network instance to connect. VPC1: VPC. VPC2: VPC.

      • Region: Select the region where the network instance to connect is located. VPC1: China (Hangzhou). VPC2: China (Hangzhou).

      • Transit Router: The system automatically displays the ID of the transit router instance created in the region.

      • Resource Owner ID: Select the account type to which the network instance to connect belongs. VPC1: Your Account. VPC2: Your Account.

      • Billing Method: The default value is Pay-As-You-Go. For information about billing rules, see Billing.

      • Attachment Name: Enter a name for the network instance connection. VPC1: VPC1-test. VPC2: VPC2-test.

      • Networks: Select the network instance to connect. VPC1: Select VPC1. VPC2: Select VPC2.

      • VSwitch: Select a vSwitch in a zone supported by the transit router.

        • If the transit router supports only one zone in the current region, you must select a vSwitch in that zone.

        • If the transit router supports multiple zones in the current region, you must select vSwitches in at least two different zones. This provides disaster recovery across zones for traffic between the VPC and the transit router. Select a vSwitch in each zone to reduce traffic detours and transmission delays, and to improve performance.

        Make sure that each selected vSwitch has an idle IP address. If the VPC does not have a vSwitch in the zones supported by the transit router, or if the vSwitches do not have idle IP addresses, you must create a vSwitch. For more information, see Create and manage vSwitches.

        For more information, see Create a VPC connection.

        VPC1 and VPC2: Select one vSwitch in Zone H and one in Zone I of the China (Hangzhou) region.

      • Advanced Settings: For both VPC1 and VPC2, keep the default configurations. This means that all advanced configuration items are selected.

  4. Connect the VBR instance to the transit router.

    1. On the Instances page, find the destination CEN instance and click its ID.

    2. On the Basic Settings > Transit Router tab, find the transit router instance in the China (Hangzhou) region and click Create Connection in the Actions column.

    3. On the Connection with Peer Network Instance page, configure the parameters and click OK.

      • Network Type: Select Virtual Border Router (VBR).

      • Region: Select the region where the network instance to be connected is located. This example uses China (Hangzhou).

      • Transit Router: The system automatically displays the ID of the transit router instance that is created in the current region.

      • Resource Owner ID: Select the account type to which the network instance to be connected belongs. This example uses the default value Your Account.

      • Attachment Name: Enter a name for the network instance connection. In this example, enter VBR.

      • Networks: Select the ID of the network instance to be connected. This example uses the VBR instance.

      • Advanced Settings: Keep the default configurations. This means that all advanced configuration items are selected.

  5. Advertise the route from VPC2 to CEN for the on-premises IDC.

    After you advertise the route from the VPN Gateway to VPC2 for the on-premises IDC, the route's status in VPC2 is Not Advertised by default. You must manually advertise the route from VPC2 to CEN so that the transit router can also learn the route to the on-premises IDC from VPC2.

    1. Log on to the Cloud Enterprise Network console.

    2. On the Instances page, find the destination CEN instance and click its ID.

    3. On the CEN instance details page, find the transit router instance in the China (Hangzhou) region and click its ID.

    4. On the transit router instance details page, click the Network Instance Route Table tab.

    5. On the Network Instance Route Table tab, select the VPC2 network instance to view its route entries. Find the route to the on-premises IDC and click Advertise in the Advertise Status column.

    6. In the PublishRoute dialog box, click OK.

Step 4: Configure the on-premises gateway device

The following sample configurations are for reference only. The commands may vary based on the device vendor. For more information, contact your device vendor.


#Configure BGP, establish a BGP peer connection with the VBR, and advertise the private CIDR block of the on-premises IDC to the cloud.
interface GigabitEthernet 0/12          #This is the port that connects the on-premises gateway device to the Express Connect circuit.
no switchport
ip address 10.1.0.2 255.255.255.252     #The IP address of the port. This IP address must be the same as the customer-side peer IPv4 address of the VBR.

router bgp 65530                        #The AS number of the on-premises gateway device. It must match the Peer AS Number of the BGP group on the VBR.
bgp router-id 10.1.0.2
network 172.16.0.0 mask 255.255.0.0     #Advertise the private CIDR block of the on-premises IDC.
neighbor 10.1.0.1 remote-as 45104       #Establish a BGP peer connection with the VBR. 45104 is the AS number of Alibaba Cloud.
exit

#Configure a static route to VPC1 through the VPN Gateway and set its priority lower than the BGP route.
#The keyword for the route priority is vendor-specific. On Cisco IOS, the administrative distance is the trailing number and a route with distance 255 is never installed, so use a value greater than the eBGP distance of 20 and less than 255 on that platform.
ip route 192.168.0.0 255.255.0.0 <Public IP address of the VPN Gateway> preference 255
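The route priority behaviour described in the scenario (the Express Connect route is preferred, the IPsec-VPN route takes over when the BGP route is revoked and yields again when it returns) and the lower-priority static route in Step 4 above, modelled as one route-selection simulation for both the transit router and the on-premises gateway device. This is an added example, not code from the Alibaba Cloud documentation or product; the numeric preferences (10 and 20 on the transit router, 20 for the eBGP route and 255 for the static route on the gateway) and the attachment names are assumptions made for the simulation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str       # Where the route was learned from; used to revoke and restore it.
    preference: int   # Lower wins. Models the transit router's route priority and the
                      # gateway device's administrative distance / preference (assumed values).
    active: bool = True


class RouteTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, source, preference):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, source, preference))

    def set_source_state(self, source, active):
        """Revoke (active=False) or restore every route learned from a source."""
        for route in self.routes:
            if route.source == source:
                route.active = active

    def lookup(self, destination):
        """Return the next hop for a destination, or None if no active route matches."""
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if r.active and addr in r.prefix]
        if not matches:
            return None
        # Longest prefix first; on a tie the lower preference value wins.
        best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.preference))
        return best.next_hop


def transit_router_failover():
    """Next hop for the IDC client from VPC1: steady state, circuit down, circuit recovered."""
    table = RouteTable()
    table.add("192.168.0.0/16", "VPC1-test", "vpc1", 10)
    table.add("172.16.0.0/16", "VBR", "express-connect", 10)   # learned over BGP from the VBR
    table.add("172.16.0.0/16", "VPC2-test", "ipsec-vpn", 20)   # advertised from VPC2 (Step 3, item 5)
    client = "172.16.1.188"
    path = [table.lookup(client)]
    table.set_source_state("express-connect", False)   # circuit abnormal: BGP route revoked
    path.append(table.lookup(client))
    table.set_source_state("express-connect", True)    # circuit recovers: BGP route returns
    path.append(table.lookup(client))
    return path


def gateway_failover():
    """Same three states on the on-premises gateway device for traffic to the ECS instance."""
    table = RouteTable()
    table.add("192.168.0.0/16", "10.1.0.1", "bgp", 20)   # eBGP route from the VBR
    table.add("192.168.0.0/16", "<Public IP address of the VPN Gateway>", "static", 255)  # Step 4
    ecs = "192.168.20.161"
    path = [table.lookup(ecs)]
    table.set_source_state("bgp", False)   # port to the Express Connect circuit shut down (Step 5)
    path.append(table.lookup(ecs))
    table.set_source_state("bgp", True)
    path.append(table.lookup(ecs))
    return path
```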
            

Step 5: Test the connection

  1. In the on-premises IDC, open the command-line window on a client.

  2. Run the ping command to access the IP address of the ECS instance in the 192.168.0.0/16 CIDR block of VPC1. If you receive a reply message, the on-premises IDC is connected to VPC1.

  3. On the on-premises gateway device, shut down the port that is connected to the Express Connect circuit to disconnect the circuit. On the client, run the ping command again to test the connectivity between the on-premises IDC and VPC1. If you receive a reply message, the standby VPN link is active.