VPN Gateway:Configure BGP dynamic routing

Last Updated:Mar 14, 2024

VPN gateways support Border Gateway Protocol (BGP) dynamic routing. After you establish an IPsec-VPN connection between a data center and Alibaba Cloud, the data center and the VPN gateway automatically learn routes from each other by using BGP. This reduces network maintenance costs and network configuration errors.

Regions that support BGP dynamic routing

  • Asia Pacific: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai)

  • Europe and Americas: Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)

  • Middle East and India: UAE (Dubai)

Advertising principles of BGP dynamic routing

After BGP dynamic routing is configured for a VPN gateway and a data center, BGP routes are advertised in the following ways:

  • To Alibaba Cloud

    After the data center advertises its routes through its BGP configuration, these routes are automatically advertised to the VPN gateway on Alibaba Cloud over the BGP session. If you enable automatic BGP advertising for the VPN gateway on Alibaba Cloud, the VPN gateway automatically advertises the learned routes to the system route table of the associated virtual private cloud (VPC). No route is advertised to the custom route tables.

  • To the data center

    The VPN gateway on Alibaba Cloud automatically learns the system routes and custom routes in the system route table of the VPC and advertises them to the data center by using BGP. Routes in the custom route tables of the VPC are not learned or advertised.

Limits on BGP dynamic routing

  • By default, the BGP route table of a VPN gateway supports up to 50 routes. If you want to increase the quota limit, submit a ticket.

  • A VPN gateway cannot receive 0.0.0.0/0 routes that are advertised by a BGP peer.

  • Do not use BGP dynamic routing to advertise to a VPN gateway a route whose destination CIDR block is 100.64.0.0/10, a subset of 100.64.0.0/10, or a CIDR block that contains 100.64.0.0/10. If such a route is advertised, the status of the affected IPsec-VPN connection cannot be displayed in the VPN Gateway console, or IPsec-VPN negotiations fail.

  • If BGP dynamic routing is enabled for multiple IPsec-VPN connections in the same VPN gateway, local autonomous system numbers (ASNs) of these connections must be the same.

  • If IPsec-VPN connections are established between the same VPN gateway and different data centers, you cannot advertise routes for different IPsec-VPN connections to each other.

  • If a VPC is associated with multiple VPN gateways, you cannot set the VPN gateways as BGP peers or advertise routes of different VPN gateways to each other.

  • In the scenario where a VPC is associated with multiple VPN gateways and BGP dynamic routing is enabled for these VPN gateways, if these VPN gateways are associated with the same customer gateway, make sure that the IPsec-VPN connections of the VPN gateways use the same local ASN. Otherwise, routing loops may occur.

  • When you connect a data center to a VPC by using an Express Connect circuit and a VPN gateway for connection resilience, make sure that you specify the same data center ASN for the virtual border router (VBR) and VPN gateway. This prevents route flapping in the data center.

  • After you enable BGP dynamic routing for a VPN gateway that is attached to a Cloud Enterprise Network (CEN) instance, you must enable overlapping routing for the CEN instance.

    Note

    By default, overlapping routing is enabled for CEN instances that are created after March 1, 2019 (UTC+8). For more information, see Enable overlapping routing.

  • If multiple VPCs are associated with the same CEN instance, make sure that the VPN gateways associated with the VPCs are not connected to the data center by using BGP. This prevents route flapping in Alibaba Cloud.

  • In the scenario where multiple IPsec-VPN connections in dual-tunnel mode exist on a VPN gateway and BGP dynamic routing is configured for these connections, the destination CIDR blocks of the routes that are learned by the VPN gateway through these connections cannot conflict with each other. Otherwise, the routes do not take effect.

Recommendation on BGP dynamic routing configuration

  • We recommend that you set Routing Mode to Destination Routing Mode for IPsec-VPN connections.

  • If BGP dynamic routing is configured for an IPsec-VPN connection in dual-tunnel mode, the ASN of the tunnels must be the same. In addition, we recommend that you specify the same BGP ASN for the tunnel peers.

Procedure

  1. Specify the ASN of your data center in a customer gateway. For more information, see Create and manage a customer gateway.

    • If you do not specify the ASN of the data center when you create a customer gateway, you must delete the current customer gateway and create another one.

    • After the customer gateway is created, you cannot edit it. If you want to change the ASN, delete the current customer gateway and create another one.

  2. Enable BGP for the IPsec connection and add BGP dynamic routing configuration. For more information, see Create and manage an IPsec-VPN connection in dual-tunnel mode or Create and manage IPsec-VPN connections in single-tunnel mode.

    The following list includes only the configuration items that are strongly correlated to BGP dynamic routing.

    Note
    • When you enable BGP for an IPsec-VPN connection in dual-tunnel mode, the sequence of the configuration items differs from that in the following list. You need to select customer gateways for the primary and secondary tunnels and add BGP configuration. For more information, check the VPN Gateway console.

    • If a message indicating that the current VPN gateway version is not supported is displayed when you configure BGP dynamic routing, upgrade the VPN gateway instance first. For more information, see Upgrade a VPN gateway.

    • Customer Gateway: Select the customer gateway with the ASN of the data center.

    • Enable BGP: Select Enable BGP.

    • Local ASN: Enter the ASN of the tunnel. Default value: 45104. Valid values: 1 to 4294967295.

    • Tunnel CIDR Block: Enter the CIDR block of the tunnel. The CIDR block must fall within 169.254.0.0/16, and its mask must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

      Note: In a VPN gateway, the CIDR block of each tunnel must be unique.

    • Local BGP IP address: Enter the BGP IP address of the tunnel. This IP address must fall within the CIDR block of the IPsec tunnel.
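The following pre-flight checker is an added example, not Alibaba Cloud's own code or API: it encodes the tunnel parameter rules above (Tunnel CIDR Block, Local BGP IP address, Local ASN) and the limits from the "Limits on BGP dynamic routing" section (no 0.0.0.0/0, no overlap with 100.64.0.0/10, one local ASN per VPN gateway) so that a configuration can be validated before it is entered in the console. All function names and sample values are constructed for this example.

```python
# Added example (not Alibaba Cloud code): offline checks for the BGP settings of
# IPsec-VPN connections, based on the rules stated on this page. Standard library only.
import ipaddress

TUNNEL_SPACE = ipaddress.ip_network("169.254.0.0/16")
RESERVED_TUNNEL_BLOCKS = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # must never reach the VPN gateway via BGP
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")  # VPN gateways reject it from a peer

def check_tunnel(tunnel_cidr, local_bgp_ip, used_tunnel_cidrs=()):
    """Return problems with one tunnel's Tunnel CIDR Block and Local BGP IP address."""
    problems = []
    net = ipaddress.ip_network(tunnel_cidr, strict=True)  # raises on host bits set
    if not net.subnet_of(TUNNEL_SPACE):
        problems.append(f"{net} is not within {TUNNEL_SPACE}")
    if net.prefixlen != 30:
        problems.append(f"{net} mask must be 30 bits")
    if net in RESERVED_TUNNEL_BLOCKS:
        problems.append(f"{net} is a reserved tunnel CIDR block")
    if any(net == ipaddress.ip_network(c) for c in used_tunnel_cidrs):
        problems.append(f"{net} is already used by another tunnel on this VPN gateway")
    if ipaddress.ip_address(local_bgp_ip) not in net:
        problems.append(f"local BGP IP {local_bgp_ip} is not inside {net}")
    return problems

def check_advertised_routes(routes):
    """Check routes the data center plans to advertise to the VPN gateway over BGP."""
    problems = []
    for r in routes:
        net = ipaddress.ip_network(r, strict=False)
        if net == DEFAULT_ROUTE:
            problems.append("0.0.0.0/0 cannot be received by a VPN gateway")
        elif net.overlaps(CGNAT):  # equal to, inside, or containing 100.64.0.0/10
            problems.append(f"{net} overlaps 100.64.0.0/10: connection status cannot "
                            "be displayed, or IPsec-VPN negotiations fail")
    return problems

def check_local_asns(asns):
    """All BGP-enabled connections on one VPN gateway must share one valid local ASN."""
    problems = [f"ASN {a} is out of range 1..4294967295" for a in asns
                if not 1 <= a <= 4294967295]
    if len(set(asns)) > 1:
        problems.append(f"local ASNs differ across connections: {sorted(set(asns))}")
    return problems

if __name__ == "__main__":
    # Constructed sample values for a VPN gateway with two BGP-enabled connections.
    print(check_tunnel("169.254.10.0/30", "169.254.10.1"))   # []
    print(check_tunnel("169.254.1.0/30", "169.254.1.1"))     # reserved block
    print(check_advertised_routes(["10.0.0.0/8", "100.0.0.0/8", "0.0.0.0/0"]))
    print(check_local_asns([45104, 65000]))                   # ASNs differ
```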

  3. Enable automatic BGP route advertising for the VPN gateway.

    After this feature is enabled, the learned BGP routes are automatically advertised to the system route table of the VPC.

    1. Log on to the VPN Gateway console.

    2. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

    3. On the VPN Gateway page, find the VPN gateway that you want to manage and click Enable Automatic BGP Propagation in the Actions column.

    4. In the Enable Automatic BGP Propagation message, click OK.

Tutorials on BGP dynamic routing