Use IPsec-VPN to connect Alibaba Cloud VPCs to Amazon VPCs - VPN Gateway

This topic describes how to establish IPsec-VPN connections to enable communication between Alibaba Cloud Virtual Private Cloud (VPC) and Amazon VPC.

Examples

The following figure shows an example. An enterprise creates a VPC in the Germany (Frankfurt) region of Alibaba Cloud and also a VPC in the Europe (Frankfurt) region of Amazon Web Services (AWS). The enterprise wants the Alibaba Cloud VPC and the Amazon VPC to communicate with each other.

The enterprise can use a public VPN gateway of Alibaba Cloud and AWS VPN to establish IPsec-VPN connections to enable encrypted communication between the two VPCs.

CIDR block plan

Important

You can plan the CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap each other.

VPC CIDR block plan

Resource	VPC CIDR block	Instance IP address
Alibaba Cloud VPC	Primary CIDR block: 10.0.0.0/16 vSwitch 1: 10.0.0.0/24 in Zone B vSwitch 2: 10.0.10.0/24 in Zone C	Elastic Compute Service (ECS) instance IP address: 10.0.0.223
AWS VPC	Primary CIDR block: 192.168.0.0/16. Subnet CIDR block: 192.168.10.0/24, in the Availability Zone (AZ) eu-central-1a	Amazon Elastic Compute Cloud (Amazon EC2) instance IP address: 192.168.10.113

BGP configurations

In addition to static routing, this topic also describes how to use BGP dynamic routing to enable communication between Alibaba Cloud VPCs and Amazon VPCs over IPsec-VPN connections. If you do not need to use BGP dynamic routing, skip this section. The following table describes the CIDR block plans for BGP dynamic routing

Note

When you configure BGP dynamic routing for an IPsec-VPN connection, make sure that the Local ASN are the same for the two tunnels on Alibaba Cloud. The peer BGP ASNs of the two tunnels can be different. We recommend that you use the same peer BGP ASNs.

Resource	IPsec-VPN connection name	Tunnel	BGP tunnel CIDR block	BGP IP address	BGP local ASN
Alibaba Cloud VPN gateway	IPsec-VPN Connection	Active Tunnel	169.254.116.208/30 Note On a VPN gateway, the CIDR block of each tunnel must be unique.	169.254.116.210	65530
		Standby Tunnel	169.254.214.96/30	169.254.214.98
AWS virtual private gateway	Site-to-Site VPN Connection 1	Tunnel 1	169.254.116.208/30	169.254.116.209	64512
		Tunnel 2	The standby tunnel is not used.
	Site-to-Site VPN Connection 2	Tunnel 1	169.254.214.96/30	169.254.214.97
		Tunnel 2	The standby tunnel is not used.

Prerequisites

A VPC is created in the Germany (Frankfurt) region of Alibaba Cloud. Resources are deployed on an Elastic Compute Service (ECS) instance in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
A VPC is created in the Europe (Frankfurt) region of AWS. Resources are deployed on an Amazon Elastic Compute Cloud (Amazon EC2) instance in the VPC. For more information, see AWS.

Procedure

Step 1: Create a VPN gateway on Alibaba Cloud

You must first create a VPN gateway on Alibaba Cloud. After the VPN gateway is created, the system assigns two IP addresses to the VPN gateway. The IP addresses are used to establish IPsec-VPN connections to AWS.

Log on to the VPN Gateway console.
In the top navigation bar, select the region where you want to create the VPN gateway.
The region of the VPN gateway must be the same as that of the VPC to be associated.
On the VPN Gateway page, click Create VPN Gateway.

On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

The following table describes only the key parameters that you must configure. For other parameters, use the default values or leave them empty. For more information, see Create and manage a VPN gateway.

Parameter	Description	Example
Name	The name of the VPN gateway.	Enter VPN Gateway.
Region	The region in which you want to create the VPN gateway.	Select Germany (Frankfurt).
Gateway Type	The type of the VPN gateway.	Select Standard.
Network Type	The network type of the VPN gateway.	Select Public.
Tunnels	The tunnel mode of the VPN gateway. The system displays the tunnel modes that are supported in this region. Valid values: Dual-tunnel Single-tunnel For more information about the single-tunnel mode and dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.	Use the default value Dual-tunnel.
VPC	The VPC with which you want to associate the VPN gateway.	Select a VPC in the Germany (Frankfurt) region.
vSwitch 1	The vSwitch with which you want to associate the VPN gateway in the associated VPC. If you select Single-tunnel, you need to specify only one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches. After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) for each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch. Note The system selects a vSwitch by default. You can change or use the default vSwitch. After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.	Select a vSwitch in the associated VPC.
vSwitch 2	The other vSwitch with which you want to associate the VPN gateway in the associated VPC. Specify two vSwitches in different zones in the associated VPC to implement disaster recovery across zones for IPsec-VPN connections. For a region that supports only one zone, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can also select the same vSwitch as the first one. Note If only one vSwitch is deployed in the VPC, create a vSwitch. For more information, see Create and manage a vSwitch.	Select another vSwitch in the associated VPC.
IPsec-VPN	Specifies whether to enable IPsec-VPN for the VPN gateway. Default value: Enable.	Select Enable.
SSL-VPN	Specifies whether to enable SSL-VPN for the VPN gateway. Default value: Disable.	Select Disable.

After you create the VPN gateway, you can view the VPN gateway on the VPN Gateway page.

The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the status changes to Normal, the VPN gateway is ready for use.

The following table describes the two IP addresses allocated by the system to the VPN gateway.

VPN gateway name	VPN gateway ID	IP address
VPN Gateway	vpn-gw8dickm386d2qi2g****	IPsec Address 1: 8.XX.XX.146, which is the IP address of the active tunnel by default.
VPN Gateway	vpn-gw8dickm386d2qi2g****	IPsec Address 2: 8.XX.XX.74, which is the IP address of the standby tunnel by default.

Step 2: Deploy VPN resources on AWS

To establish IPsec-VPN connections between the Amazon VPC and the Alibaba Cloud VPC, you must deploy VPN resources on AWS based on the following information. Consult AWS for specific commands or operations.

Use static routing

Create customer gateways.
You must create two customer gateways on AWS and use the IP addresses of the Alibaba Cloud VPN gateway as the IP addresses of the customer gateways.
Create a virtual private gateway.
You must create a virtual private gateway on AWS and associate the virtual private gateway with the VPC that needs to communicate with Alibaba Cloud.

Create a Site-to-Site VPN connection.

Important

Alibaba Cloud and AWS IPsec-VPN connections support the dual-tunnel mode. By default, the two tunnels of an AWS IPsec-VPN connection are associated with the same gateway, and the two tunnels of an Alibaba Cloud IPsec-VPN connection have different IP addresses. Therefore, the two tunnels of AWS are connected to only one tunnel of Alibaba Cloud. To ensure that the two tunnels of the Alibaba Cloud IPsec-VPN connection are enabled at the same time, you must create two Site-to-Site VPN connections on AWS and associate the Site-to-Site VPN connections with different customer gateways.

The following figure shows the configuration of one of the Site-to-Site VPN connections. We recommend that you use the default values for the tunnel settings. Specify a different customer gateway when you configure the other Site-to-Site VPN connection. Use the same values for the other parameters. 隧道配置-静态-EN

Note

In the preceding figure, the Local IPv4 network CIDR parameter must be set to the CIDR block of Alibaba Cloud VPC. The Remote IPv4 network CIDR parameter must be set to the CIDR block of AWS VPC.

After the Site-to-Site VPN connections are created, you can view the tunnel addresses of the connections, which are used to create IPsec-VPN connections to Alibaba Cloud. 隧道1-静态

The following table describes the external IP addresses of Tunnel 1 of the two Site-to-Site VPN connections and the IP addresses of the associated customer gateways.

Site-to-Site VPN connection	Tunnel	External IP address	Associated customer gateway IP address
Site-to-Site VPN Connection 1	Tunnel 1	3.XX.XX.52	8.XX.XX.146
Site-to-Site VPN Connection 2	Tunnel 1	3.XX.XX.56	8.XX.XX.74

Configure route advertising.
You must enable route advertising for the route table of the VPC associated with the virtual private gateway to ensure that the routes of the Site-to-Site VPN connections are automatically advertised to the route table of the VPC.

Use BGP dynamic routing

Create customer gateways.
You must create two customer gateways on AWS, use the two IP addresses of the Alibaba Cloud VPN gateway as the IP addresses of the customer gateways, and then register the BGP ASN of the Alibaba Cloud IPsec-VPN connection with AWS.
Create a virtual private gateway.
You must create a virtual private gateway on AWS and associate the virtual private gateway with the Amazon VPC that needs to communicate with the Alibaba Cloud VPC. When you create the virtual private gateway, you must specify the BGP ASN of AWS.
Create a Site-to-Site VPN connection.
Important
Alibaba Cloud and AWS IPsec-VPN connections support the dual-tunnel mode. By default, the two tunnels of an AWS IPsec-VPN connection are associated with the same gateway, and the two tunnels of an Alibaba Cloud IPsec-VPN connection have different IP addresses. Therefore, the two tunnels of AWS are connected to only one tunnel of Alibaba Cloud. To ensure that the two tunnels of the Alibaba Cloud IPsec-VPN connection are enabled at the same time, you must create two Site-to-Site VPN connections on AWS and associate the Site-to-Site VPN connections with different customer gateways.
The following figure shows the configuration for one of the Site-to-Site VPN connections.Use the default values for other parameters. Associate the other Site-to-Site VPN connection with a different customer gateway. Set the Inside IPv4 CIDR for Tunnel 1 parameter to 169.254.214.96/30. The other configurations are the same as those of the current Site-to-Site connection.
Note
In the preceding figure, the Local IPv4 network CIDR parameter must be set to the CIDR block of Alibaba Cloud VPC. The Remote IPv4 network CIDR parameter must be set to the CIDR block of AWS VPC.
After the Site-to-Site VPN connections are created, you can view the tunnel address information of the Site-to-Site VPN connections.

View the pre-shared keys of the tunnels and the BGP IP addresses to be configured on Alibaba Cloud.

After the Site-to-Site VPN connections are created, you must download the VPN configuration file for the peer device, which is the Alibaba Cloud VPN gateway. In the VPN configuration file, you can view the pre-shared keys and BGP IP addresses to be configured on Alibaba Cloud. For more information about how to download a configuration file, see Step 6: Download the configuration file. In this example, you must set the Vendor parameter to Generic and the IKE version parameter to IKEv2.

Note

If you have specified pre-shared keys when you create the Site-to-Site VPN connections, you do not need to view the pre-shared keys in the VPN configuration file. If you use pre-shared keys that are automatically generated by the system, you can view the pre-shared keys generated by the system in the VPN configuration file. The pre-shared keys for the tunnels on Alibaba Cloud must be the same as those on AWS.

View pre-shared keys

View BGP IP addresses for Alibaba Cloud

The following table describes the external IP addresses of Tunnel 1 of the two Site-to-Site VPN connections, the BGP IP addresses, and the IP addresses of the associated customer gateways.

Site-to-Site VPN connection	Tunnel	External IP address	BGP IP address on AWS	BGP IP address on Alibaba Cloud	Associated customer gateway IP address
Site-to-Site VPN Connection 1	Tunnel 1	3.XX.XX.52	169.254.116.209	169.254.116.210	8.XX.XX.146
Site-to-Site VPN Connection 2	Tunnel 1	3.XX.XX.56	169.254.214.97	169.254.214.98	8.XX.XX.74

Configure route advertising.
You must enable route advertising for the route table of the Amazon VPC that is associated with the virtual private gateway to ensure that the routes of the Site-to-Site VPN connections are automatically advertised to the route table of the Amazon VPC.

Step 3: Deploy the VPN gateway on Alibaba Cloud

After you configure VPN resources on AWS, deploy a VPN gateway on Alibaba Cloud based on the following information to establish an IPsec-VPN connection between the Amazon VPC and the Alibaba Cloud VPC.

Create customer gateways.

Log on to the VPN Gateway console.
In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
In the top navigation bar, select the region in which you want to create the customer gateway.
Make sure that the customer gateway and the VPN gateway to be connected are deployed in the same region.
On the Customer Gateways page, click Create Customer Gateway.

In the Create Customer Gateway panel, configure the following parameters and click OK.

You must create two customer gateways and use the external IP addresses of the tunnels of the AWS Site-to-Site VPN connections as the customer gateway IP addresses. The following table describes only the parameters that are relevant to this topic. You can use the default values of other parameters or leave them empty. For more information, see Create and manage a customer gateway.

Important

Use only the external IP address of Tunnel 1 of each Site-to-Site VPN connection as the customer gateway IP address. By default, the external IP address of Tunnel 2 of each Site-to-Site VPN connection is not used. After the IPsec-VPN connections are created, Tunnel 2 of each Site-to-Site VPN connection is unavailable.

Parameter	Description	Customer gateway 1	Customer gateway 2
Name	The name of the customer gateway.	Enter Customer Gateway 1.	Enter Customer Gateway 2.
IP Address	Enter the external IP address of the AWS tunnel.	Enter 3.XX.XX.52.	Enter 3.XX.XX.56.
ASN	The BGP ASN of the AWS virtual private gateway. Note If you use the BGP dynamic routing mode, you must configure this parameter.	Enter 64512.	Enter 64512.

Create an IPsec-VPN connection.

In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.
Make sure that the IPsec-VPN connection and the VPN gateway are in the same region.
On the IPsec Connections page, click Create IPsec-VPN Connection.

On the Create IPsec-VPN Connection page, configure the IPsec-VPN connection based on the following information and click OK.

Parameter	Description	Example
Name	The name of the IPsec-VPN connection.	Enter IPsec Connection.
Associate Resource	Select the type of network resource to be associated with the IPsec-VPN connection.	In this example, VPN Gateway is selected.
VPN Gateway	The VPN gateway that you want to associate with the IPsec-VPN connection.	Select VPN Gateway.
Routing Mode	Select a routing mode. Destination Routing Mode: Traffic is forwarded based on the destination IP address. Protected Data Flows: Traffic is forwarded based on the source and destination IP addresses.	If you use the static routing mode, we recommend that you select Protected Data Flows. Local Network: Enter 10.0.0.0/16. Remote Network: Enter 192.168.0.0/16. If you use the BGP dynamic routing mode, we recommend that you select Destination Routing Mode.
Effective Immediately	Specify whether to immediately start negotiations for the connection. Valid value: Yes: starts negotiations after the configuration is complete. No: starts negotiations when inbound traffic is detected.	In this example, Yes is selected.
Enable BGP	Specify whether to enable Border Gateway Protocol (BGP). If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.	In this example, turn off Enable BGP to use the static routing mode by default. If you want to use BGP dynamic routing after the IPsec-VPN connection is created, you can separately add BGP configurations.
Tunnel 1	Configure VPN parameters for the active tunnel. By default, Tunnel 1 serves as the active tunnel and Tunnel 2 serves as the standby tunnel. You cannot modify this configuration.
Customer Gateway	The customer gateway that you want to associate with the active tunnel.	Select Customer Gateway 1.
Pre-Shared Key	The pre-shared key of the active tunnel that is used to verify identities. The pre-shared key must be 1 to 100 characters in length, and can contain digits, letters, and the following characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ \| ; : ' , . < > / ? If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. Important The tunnel and the peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection.	The pre-shared key of the current tunnel must be the same as the key of the AWS tunnel to be connected.
Encryption Configuration	Configure the parameters for the IKE, IPsec, dead peer detection (DPD), and NAT traversal features.	The value of SA Life Cycle (seconds) in IKE Configurations must be the same as the value specified on AWS. In this example, the value is set to 28800. The value of SA Life Cycle (seconds) in IPsec Configurations must be the same as the value specified on AWS. In this example, the value is set to 3600. Use the default values for the other parameters. For more information, see Create and manage IPsec-VPN connections in dual-tunnel mode.
Tunnel 2	Configure VPN parameters for the standby tunnel.
Customer Gateway	The customer gateway that you want to associate with the standby tunnel.	Select Customer Gateway 2.
Pre-Shared Key	The pre-shared key of the standby tunnel that is used to verify identities.	The pre-shared key of the current tunnel must be the same as the key of the AWS tunnel to be connected.
Encryption Configuration	Configure the parameters for the IKE, IPsec, dead peer detection (DPD), and NAT traversal features.	The value of SA Life Cycle (seconds) in IKE Configurations must be the same as the value specified on AWS. In this example, the value is set to 28800. The value of SA Life Cycle (seconds) in IPsec Configurations must be the same as the value specified on AWS. In this example, the value is set to 3600. Use the default values for the other parameters. For more information, see Create and manage IPsec-VPN connections in dual-tunnel mode.

In the Created message, click OK.

Advertise the route of the VPN gateway.

Use static routing

After you create the IPsec-VPN connection, you must advertise the route of the VPN gateway. If you select Protected Data Flows as Routing Mode, the system creates a policy-based route for the VPN gateway after the IPsec-VPN connection is created. The route is in the Unpublished state. You must advertise the policy-based route of the VPN gateway to the VPC.

In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
In the top navigation bar, select the region in which the VPN gateway resides.
On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.
On the details page of the VPN gateway, click the Policy-based Route Table tab, find the route that you want to manage, and then click Advertise in the Actions column.
In the Advertise Route message, click OK.

Use BGP dynamic routing

Configure BGP dynamic routing for the IPsec-VPN connection.

In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

In the IPsec Connections section, click Edit next to Enable BGP. In the BGP Configuration dialog box, configure the following parameters and click OK.

Parameter	Description	IPsec-VPN connection configuration
Local ASN	The ASN of the IPsec-VPN connection.	Enter `65530`.
Tunnel 1	The BGP configuration added for the active tunnel.	Add the BGP configuration for the active tunnel of the IPsec-VPN connection.
Tunnel CIDR Block	The CIDR block that is used for IPsec tunneling.	Enter `169.254.116.208/30`.
Local BGP IP address	The BGP IP address for the IPsec-VPN connection. This IP address must fall within the CIDR block for IPsec tunneling.	Enter `169.254.116.210`.
Tunnel 2	The BGP configuration added for the standby tunnel.	Add the BGP configuration for the standby tunnel of the IPsec-VPN connection.
Tunnel CIDR Block	The CIDR block that is used for IPsec tunneling.	Enter `169.254.214.96/30`.
Local BGP IP address	The BGP IP address for the IPsec-VPN connection. This IP address must fall within the CIDR block for IPsec tunneling.	Enter `169.254.214.98`.

To enable automatic BGP route propagation for the VPN gateway, perform the following steps:
1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
2. On the VPN Gateways page, find the VPN gateway, move the pointer over the icon, and then click Enable Automatic BGP Propagation in the Actions column.
3. In the Enable Automatic BGP Propagation message, click OK.

Step 4: Test network connectivity

After the configuration is complete, an IPsec-VPN connection is established between the Alibaba Cloud VPC and the Amazon VPC. The following example uses an ECS instance to access an AWS EC2 instance to test the connectivity between the VPCs.

Note

Before you test the connectivity, check the access control policies applied to resources in the VPCs, such as network access control lists (ACLs) and security group rules. Make sure that the access control policies allow resources in the VPCs to access each other.

Log on to an ECS instance in the Alibaba Cloud VPC. For more information about how to log on to an ECS instance, see Connection method overview.
Run the ping command on the ECS instance to access the Amazon EC2 instance and check the connectivity.
If the ECS instance receives a response from the Amazon EC2 instance, the VPCs can communicate with each other.
```
ping <Private IP address of the Amazon EC2 instance>
```
Test the high availability of the IPsec-VPN connection.
An IPsec-VPN connection in dual-tunnel mode provides high service availability. If the active tunnel is down, the standby tunnel automatically takes over to ensure the data transfer. The following section describes how to verify the high availability of an IPsec-VPN connection in dual-tunnel mode.
1. Log on to the ECS instance in the Alibaba Cloud VPC.
2. Run the following command on the ECS instance to access the Amazon EC2 instance:
```
ping <Private IP address of the Amazon EC2 instance> -c 10000
```
3. Interrupt the active tunnel of the IPsec-VPN connection.
  In this example, the pre-shared key of the active tunnel on the Alibaba Cloud side is modified to terminate the active tunnel. If the pre-shared keys of the two sides of an active tunnel are inconsistent, the active tunnel is interrupted.
4. Check the traffic of the ECS instance. In this example, the traffic of the ECS instance is temporarily terminated and then restored, which indicates that the standby tunnel takes over when the active tunnel is terminated.
  You can view the monitoring data of the tunnels on the Monitor tab of the IPsec-VPN connection. For more information, see Monitor an IPsec-VPN connection.