
VPN Gateway: Encrypt private connections over Express Connect circuits

Last Updated: Dec 18, 2024

After you establish a private connection between a data center and a virtual private cloud (VPC) through an Express Connect circuit and Cloud Enterprise Network (CEN), traffic on that private connection is transmitted in plaintext, which exposes it to interception and tampering along the path. To improve network security, you can use a private VPN gateway to encrypt the private connection over the Express Connect circuit (hereafter referred to as the private connection). This topic describes how an encrypted private connection works and the available configuration methods.

Important

If you want to establish encrypted tunnels over private networks, we recommend that you associate private IPsec-VPN connections with a transit router (TR). For more information, see Create multiple private IPsec-VPN connections to implement load balancing.

How it works

After you establish a private connection between a data center and a VPC through an Express Connect circuit and CEN, you can establish an encrypted tunnel between a private VPN gateway and an on-premises gateway device. You can configure routes to route network traffic between the data center and the VPC to the encrypted tunnel. This way, network traffic transmitted through the tunnel is encrypted.

Overview of the private connection solution

The following example describes how a private connection is encrypted. In this example, the private connection is used to access an Elastic Compute Service (ECS) instance in a VPC by a client in a data center.

Traffic transmission description

The numbered nodes below correspond to the order in which the request and response packets are forwarded.

1. Client
  1. The client initiates a request.
  2. The client queries its route table and forwards the request packet to the on-premises gateway device.

2. On-premises gateway device
  1. The on-premises gateway device matches the destination IP address of the request packet against its IPsec configuration, then encrypts and encapsulates the packet.
    After encapsulation, the destination IP address of the outer packet is the private IP address of the VPN gateway; the original request packet is carried inside as ciphertext.
  2. The on-premises gateway device queries its route table for the new destination IP address and forwards the packet to the virtual border router (VBR).

3. VBR
  The VBR queries its route table and forwards the encrypted packet to the CEN instance.

4. CEN instance
  The CEN instance queries its route table and forwards the encrypted packet to the VPC.

5. VPC
  The VPC queries its route table and forwards the encrypted packet to the VPN gateway.

6. VPN gateway
  1. The VPN gateway decrypts and decapsulates the packet, recovering the original request packet.
  2. The VPN gateway queries its route table and forwards the request packet to the ECS instance based on the original destination IP address.

7. ECS instance
  1. The ECS instance receives the request packet and generates a response packet addressed to the client.
  2. The ECS instance queries the route table and forwards the response packet to the VPN gateway based on its destination IP address.

8. VPN gateway
  1. The VPN gateway encrypts and encapsulates the response packet.
    After encapsulation, the destination IP address of the outer packet is the IP address of the on-premises gateway device that terminates the tunnel; the original response packet is carried inside as ciphertext.
  2. The VPN gateway queries its route table for the new destination IP address and forwards the packet to the VPC.

9. VPC
  The VPC queries its route table and forwards the encrypted packet to the CEN instance.

10. CEN instance
  The CEN instance queries its route table and forwards the encrypted packet to the VBR.

11. VBR
  The VBR queries its route table and forwards the encrypted packet to the on-premises gateway device.

12. On-premises gateway device
  1. The on-premises gateway device decrypts and decapsulates the packet, recovering the original response packet.
  2. The on-premises gateway device queries its route table and forwards the response packet to the client based on its destination IP address.

Configuration methods

To encrypt a private connection by using a private VPN gateway, you can configure routing on the VPN gateway and on the VBR that is connected to it in different ways. The following list describes the differences between the configuration methods, links to the tutorials, and states what happens to communication after the VPN connection is interrupted.

Method 1: static routing on both the VBR and the VPN gateway
  Tutorial: Encrypt private connections by using static routes
  Impact after the VPN connection is interrupted:
  • The private connection is no longer encrypted.
  • The private connection between the data center and the VPC is interrupted (the static routes continue to point to the tunnel until you withdraw them).
    You can manually withdraw the routes that are advertised by the VPN gateway. After you withdraw the routes, the VPC communicates with the data center through the Express Connect circuit and CEN.

Method 2: static routing on the VBR, BGP dynamic routing on the VPN gateway
  Note: You cannot configure BGP dynamic routing for the VBR if static routing is configured for the VPN gateway.
  Tutorial: Encrypt private connections by using static routing and BGP routing
  Impact after the VPN connection is interrupted:
  • The private connection is no longer encrypted.
  • The system automatically withdraws the BGP dynamic routes that are advertised by the VPN gateway.
  • The VPC communicates with the data center through the Express Connect circuit and CEN.

Method 3: BGP dynamic routing on both the VBR and the VPN gateway
  Tutorial: Encrypt private connections by using BGP routing
  Impact after the VPN connection is interrupted:
  • The private connection is no longer encrypted.
  • The system automatically withdraws the BGP dynamic routes that are advertised by the VPN gateway.
  • The VPC communicates with the data center through the Express Connect circuit and CEN.

In all three methods the fallback path after the tunnel fails is the unencrypted Express Connect circuit: Methods 2 and 3 fail over to it automatically, and Method 1 does so as soon as you withdraw the routes by hand. If plaintext fallback is not acceptable for your traffic, monitor the state of the IPsec-VPN connection and treat a withdrawn tunnel route as an alert condition rather than a silent recovery.
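The forwarding walk-through in the traffic transmission description and the tunnel-down behaviour in the configuration-method list, as an added example that is not part of this page and not Alibaba Cloud product code: a Python model with one route table per node (client, on-premises gateway, VBR, CEN, VPC, private VPN gateway, ECS instance) and an IPsec-style tunnel between the two gateways. All addresses, CIDRs, route metrics, the key and the toy cipher are constructed assumptions; the real VPN gateway speaks IPsec ESP, and the real route tables come from the linked tutorials. The model shows the two things a practitioner has to get right: each gateway needs a more specific (/32) route that sends the encrypted envelope to its peer over the circuit while the broad CIDR route sends plaintext into the tunnel, and transit nodes only ever see the outer header addressed to the VPN gateway. `trace(..., tunnel_up=False)` without `withdraw_tunnel_routes()` reproduces the Method 1 outage; calling `withdraw_tunnel_routes()` first reproduces the automatic BGP fallback of Methods 2 and 3 (or the manual withdrawal under Method 1), after which traffic still flows but in the clear.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed addressing (not from the page): data center 192.168.0.0/16, VPC 10.0.0.0/16.
CLIENT_IP, ECS_IP = "192.168.1.10", "10.0.1.20"
ONPREM_VPN_IP = "192.168.200.1"   # tunnel endpoint on the on-premises gateway device
VPN_GW_IP = "10.0.255.10"         # private IP address of the VPN gateway inside the VPC
DC_CIDR, VPC_CIDR = "192.168.0.0/16", "10.0.0.0/16"
KEY = hashlib.sha256(b"constructed demo key, not a real IPsec SA").digest()

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    encrypted: bool = False   # True while the packet is an ESP-style envelope

def seal(data: bytes) -> bytes:
    """Toy stand-in for ESP's AEAD: SHA-256 keystream XOR plus an HMAC-SHA256 tag."""
    stream = b"".join(hashlib.sha256(KEY + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return ct + hmac.new(KEY, ct, "sha256").digest()

def encapsulate(pkt: Packet, local: str, peer: str) -> Packet:
    """Tunnel mode: the whole inner packet becomes ciphertext; the outer header names only the endpoints."""
    return Packet(local, peer, seal(f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload), True)

def decapsulate(env: Packet) -> Packet:
    ct, tag = env.payload[:-32], env.payload[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    src, dst, payload = seal(ct)[:-32].split(b"|", 2)   # the XOR keystream is its own inverse
    return Packet(src.decode(), dst.decode(), payload)

@dataclass
class Node:
    name: str
    addrs: set
    routes: list              # (prefix, next hop, metric); next hop "tunnel" means encrypt
    tunnel_local: str = ""
    tunnel_peer: str = ""

    def lookup(self, dst: str):   # longest prefix first, then lowest metric; None if no route
        ip = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if ip in ipaddress.ip_network(r[0])]
        return max(hits, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]), default=None)

def build_nodes() -> dict:
    return {n.name: n for n in [
        Node("client", {CLIENT_IP}, [("0.0.0.0/0", "onprem_gw", 10)]),
        Node("onprem_gw", {"192.168.1.1", ONPREM_VPN_IP},
             [(VPC_CIDR, "tunnel", 10),          # VPC traffic: encrypt first
              (VPC_CIDR, "vbr", 100),            # fallback over the bare circuit
              (VPN_GW_IP + "/32", "vbr", 10),    # envelopes to the VPN gateway go over the circuit
              ("192.168.1.0/24", "client", 10)], ONPREM_VPN_IP, VPN_GW_IP),
        Node("vbr", set(), [(VPC_CIDR, "cen", 10), (DC_CIDR, "onprem_gw", 10)]),
        Node("cen", set(), [(VPC_CIDR, "vpc", 10), (DC_CIDR, "vbr", 10)]),
        Node("vpc", set(), [(VPN_GW_IP + "/32", "vpn_gw", 10), (ONPREM_VPN_IP + "/32", "cen", 10),
                            (DC_CIDR, "cen", 100), ("10.0.1.0/24", "ecs", 10)]),
        Node("vpn_gw", {VPN_GW_IP}, [(DC_CIDR, "tunnel", 10), (ONPREM_VPN_IP + "/32", "vpc", 10),
                                     ("10.0.1.0/24", "ecs", 10)], VPN_GW_IP, ONPREM_VPN_IP),
        Node("ecs", {ECS_IP}, [(DC_CIDR, "vpn_gw", 10), (DC_CIDR, "vpc", 100)]),
    ]}

def withdraw_tunnel_routes(nodes: dict) -> None:
    """BGP does this automatically (Methods 2 and 3); under Method 1 the operator does it by hand."""
    for n in nodes.values():
        n.routes = [r for r in n.routes
                    if r[1] != "tunnel" and not (r[0] == DC_CIDR and r[1] == "vpn_gw")]

def trace(nodes: dict, pkt: Packet, start: str, tunnel_up: bool = True):
    """Forward pkt hop by hop; returns ([(node, dst on arrival, encrypted on arrival)], (outcome, packet))."""
    hops, cur = [], start
    for _ in range(32):
        node = nodes[cur]
        hops.append((cur, pkt.dst, pkt.encrypted))
        if pkt.dst in node.addrs:
            if pkt.encrypted and pkt.dst == node.tunnel_local:
                pkt = decapsulate(pkt)            # tunnel endpoint: recover the inner packet
            else:
                return hops, ("delivered", pkt)
        route = node.lookup(pkt.dst)
        if route is not None and route[1] == "tunnel":
            if not tunnel_up:                     # a static route still points into the dead tunnel
                return hops, ("dropped", pkt)
            pkt = encapsulate(pkt, node.tunnel_local, node.tunnel_peer)
            route = node.lookup(pkt.dst)          # second lookup, now on the outer destination
        if route is None or route[1] == "tunnel":
            return hops, ("dropped", pkt)
        cur = route[1]
    return hops, ("loop", pkt)

if __name__ == "__main__":
    hops, (outcome, _) = trace(build_nodes(), Packet(CLIENT_IP, ECS_IP, b"GET /"), "client")
    print(outcome, [(n, d, "ESP" if e else "clear") for n, d, e in hops])
```

The metric stands in for the route priority that lets the tunnel route win over the circuit route for the same CIDR; the /32 routes for the two tunnel endpoints are what keep the encrypted envelopes from being routed back into the tunnel. Running the module prints the request path from the table (client, on-premises gateway, VBR, CEN, VPC, VPN gateway, ECS) and shows that the three transit nodes only see an ESP envelope addressed to the VPN gateway's private IP.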