By Lin En Shu, Solutions Architect
A Virtual Private Network (VPN) provides a means for securely communicating among remote hosts and private networks across a public WAN such as the Internet. Two private networks can be securely connected through site-to-site VPN. To secure VPN communication while passing through the WAN, the two sites create an IP Security (IPsec) VPN tunnel.
IPSec VPN tunnel protects IP packets exchanged between remote networks or hosts and VPN gateway located at the edge of private network. IPSec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to use during the session.
This solution guide aims to provide a walkthrough on how to establish an IPSec Tunnel between Microsoft Azure and Alibaba Cloud using VPN Gateway.
In this guide, the IPSec VPN Tunnel setup between Microsoft Azure and Alibaba Cloud using VPN Gateway will be based upon the following solution architecture.
Reference: Azure IPSec/IKE parameters for Site to Site VPN Gateway https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-about-vpn-devices
Go to Products -> Virtual Private Cloud -> VPN Gateway and click the Create VPN Gateway button
Choose the region, peak bandwidth and VPC (which has been created) and press Buy Now.
Go back to VPN Gateway console to find the VPN Gateway IP address.
Customer Gateway is the VPN gateway IP in Microsoft Azure.
Go to Virtual Private Cloud -> Customer Gateway and press Create Customer Gateway button
Enter Azure's VPN Gateway IP into the IP Address field.
Go back to the Customer Gateway console to verify Customer Gateway IP has been registered correctly.
Once the VPN Gateway in Alibaba Cloud and Customer Gateway for Azure has been configured, next is to setup the VPN connection.
Go to Virtual Private Cloud -> VPN Connection and press Create VPN Connection button
Fill in the information for the advanced configuration based on this table. It is a must to use the same values highlighted in Green (Azure's IPSec/IKE configuration) otherwise the IPSec tunnel cannot be established.
In order for the ECS within this Alibaba Cloud VPC to reach the VMs in Azure Virtual Network, a route entry needs to be added to route the traffic to remote private network (Azure) through this VPN Gateway.
Once the VPN connection has been created, select the VPC and go to VRouters to add a route entry.
Enter the CIDR (Address Space) of Azure Virtual Network to destination CIDR Block, choose VPN Gateway as the next hop type and select the VPN Gateway created.
The IPSec VPN Tunnel setup in Alibaba Cloud side is now completed!
The steps here are similar as Azure Virtual Network is Alibaba Cloud's VPC equivalent. The first step is to setup Azure Virtual Network by pressing New -> Networking -> Virtual Network.
Enter the all the required information and most important information here is Address Space, which is the CIDR of Azure's private network.
Go to Virtual Networks to verify that it has been created successfully.
Similarly, Azure Virtual Network Gateway is Alibaba Cloud's VPN Gateway equivalent.
Create Azure Virtual Network Gateway by pressing New -> Networking -> Virtual Network Gateway.
Enter the all the required information and most important information here is to choose the Virtual Network created earlier.
Azure Local Network Gateway is Alibaba Cloud's Customer Gateway equivalent.
Create Azure Local Network Gateway by pressing New -> Networking -> Local Network Gateway.
Enter the all the required information and most important information here are:
Create an Azure VPN Connection by going to Virtual Network Gateway -> Connections -> +Add
Enter the all the required information and most important information here are:
Verify both side's VPN connection status. Alibaba Cloud side's VPN Connection should have the status of "Phase 2 of IKE Tunnel Negotiation Succeeded".
Microsoft Azure side's VPN Connection should have the status of "Connected".
In Alibaba Cloud, setup an ECS server in the same region and same VPC of VPN gateway.
Refer to this guide to setup a Linux ECS server.
In Microsoft Azure, setup a virtual machine in the same region and same virtual network of Virtual Network Gateway.
Refer to this guide to setup an Azure Virtual Machine.
As a summary, here are the server information of test servers provisioned
Site | Server Private IP |
Alibaba Cloud | 172.21.223.245 |
Microsoft Azure | 10.1.0.4 |
Login to Alibaba Cloud server and telnet to Azure server's private IP and SSH port 22. The result should show "Connected to < Azure VM's private IP > ".
Login to Azure server and telnet to Alibaba Cloud server's private IP and SSH port 22. The result should show "Connected to < Alibaba Cloud ECS private IP > ".
This site-to-site IPSec VPN Tunnel solution allows customer who are consuming services in both Alibaba Cloud and Microsoft Azure to be able have a secure connectivity between both sites over internet.
2,599 posts | 762 followers
FollowJames Lee - February 28, 2024
Alibaba Clouder - January 23, 2018
Sabith - July 27, 2018
James Lee - February 27, 2024
Hironobu Ohara - May 18, 2023
JJ Lim - September 15, 2021
2,599 posts | 762 followers
FollowVPN Gateway is an Internet-based service that establishes a connection between a VPC and your on-premise data center.
Learn MoreA dedicated network connection between different cloud environments
Learn MoreA virtual private cloud service that provides an isolated cloud network to operate resources in a secure environment.
Learn MoreMore Posts by Alibaba Clouder
Raja_KT February 20, 2019 at 12:10 am
Nice one for multi-cloud and it serves as reference