VPN Gateway provides a secure and stable private connection for scenarios that require high data transmission security without exposing NAS traffic to the public internet. Use a VPN to mount a NAS file system on an on-premises server or on an ECS instance in a different region.
Use cases
Alibaba Cloud VPN Gateway connects your data center to an Alibaba Cloud VPC and connects VPCs across regions. Mount a file system in the following ways:
Mount a file system on an ECS instance across regions
If a VPN gateway is already deployed on an ECS instance in one VPC, create another VPN gateway in the other VPC. For more information, see Mount a file system across regions when one VPN gateway is deployed.
Without an existing VPN gateway, create VPN gateways in both VPCs. For more information, see Mount a file system across regions when no VPN gateway is deployed.
Mount a file system on an on-premises server
Create a file system and a mount target.
Log on to the NAS console.
Create a file system. For more information, see Create a General-purpose NAS file system using the console.
Create a mount target in the VPC. For more information, see Create a mount target.
Establish a connection between the VPC and your data center. For more information, see Establish a connection between a VPC and a data center.
Verify that servers in the on-premises data center can connect to ECS instances or file system mount targets in the VPC.
Log on to an ECS instance that is in the Alibaba Cloud VPC and does not have a public IP address. Run the ping command to ping the private IP address of a server in your data center to verify the connection.
After verification, mount the VPC file system on the on-premises server. For more information, see Mount a file system.
Mount a file system on an ECS instance across regions
Mount a file system across regions when one VPN gateway is deployed
This section uses two VPCs, VPC1 and VPC2, in different regions as an example.
Create a file system and a mount target.
Log on to the NAS console.
Create a file system. For more information, see Create a General-purpose NAS file system using the console.
Create a mount target in a VPC. For more information, see Create a mount target.
The mount target is added to VPC1.
In VPC2, set up a VPN gateway on an ECS instance to serve as the customer gateway.
Note: The ECS instance requires a public IP address to connect to the VPN gateway in VPC1.
For more information about how to set up a VPN gateway on an ECS server, see Install a strongSwan IPsec-VPN Server on CentOS 7.
Establish a connection between the VPN gateways in VPC1 and VPC2.
Log on to the VPC console.
Create a VPN connection between the VPN gateways in VPC1 and VPC2 (the customer gateways that you created in Step 2). For more information, see Create an IPsec-VPN connection.
Add a route to the route table of VPC2. For more information, see Configure routes for a VPN gateway.
Set Destination CIDR Block to the private CIDR block of VPC1, and set Next Hop to the ECS instance in VPC2 that is acting as the VPN gateway.
Verify connectivity for the ECS instances or file system mount targets in VPC1 and VPC2.
Log on to an ECS instance in VPC1 and run the ping command to ping the IP address of an ECS instance in VPC2 to verify the connection.
After verification, mount the VPC1 file system on the ECS instances in VPC2. For more information, see Mount a file system.
Mount a file system across regions when no VPN gateway is deployed
This section uses two VPCs, VPC1 and VPC2, in different regions as an example.
Create a file system and a mount target.
Log on to the NAS console.
Create a file system. For more information, see Create a General-purpose NAS file system using the console.
Create a mount target in a VPC. For more information, see Create a mount target.
The mount target has been added to VPC1.
Establish a connection between the VPN gateways in VPC1 and VPC2.
Log on to the VPC console.
Create VPN gateways in VPC1 and VPC2. For more information, see Create a VPN gateway.
Create customer gateways in VPC1 and VPC2. For more information, see Create a customer gateway.
IP Address refers to the IP addresses of the VPN gateways in VPC1 and VPC2.
Add routes to the route tables of VPC1 and VPC2. For more information, see Configure routes for a VPN gateway.
When adding a route for the VPN Gateway in VPC1, set Destination CIDR Block to the private CIDR block of VPC2, and set Next Hop to the customer gateway in VPC1.
When adding a route for the VPN Gateway in VPC2, set Destination CIDR Block to the private CIDR block of VPC1, and set Next Hop to the customer gateway in VPC2.
Verify the connectivity between the ECS instances or file system mount targets in VPC1 and those in VPC2.
Log on to an ECS instance in VPC1 and run the ping command to ping the IP address of an ECS instance in VPC2 to verify the connection.
After verification, mount the VPC1 file system on the ECS instances in VPC2. For more information, see Mount a file system.
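The route settings described above (Destination CIDR Block set to the peer VPC's private CIDR block, Next Hop set to the VPN gateway) can be checked before mounting. The following Python check is an added example, not part of the original documentation: it confirms that the two CIDR blocks do not overlap, that the mount target is a private address in the peer VPC, and that the most specific route covering it points at the VPN next hop. The function name, CIDR blocks, addresses and next-hop labels are constructed for illustration.

```python
import ipaddress

def check_vpn_route_plan(local_cidr, remote_cidr, routes, mount_target_ip, vpn_next_hop):
    """Return a list of problems; an empty list means the plan is consistent.

    routes: (destination_cidr, next_hop) entries of the local VPC route table.
    """
    local = ipaddress.ip_network(local_cidr)
    remote = ipaddress.ip_network(remote_cidr)
    target = ipaddress.ip_address(mount_target_ip)
    problems = []

    # Overlapping private CIDR blocks cannot be routed across the tunnel.
    if local.overlaps(remote):
        problems.append(f"CIDR overlap: {local} and {remote}")
    # The mount target must be a private address inside the peer VPC.
    if not target.is_private:
        problems.append(f"{target} is not a private address")
    if target not in remote:
        problems.append(f"{target} is outside remote CIDR {remote}")

    # Longest-prefix match: the most specific covering route decides the next hop,
    # so a narrower route to another next hop would carry NAS traffic off the VPN.
    covering = [(ipaddress.ip_network(d), hop) for d, hop in routes
                if target in ipaddress.ip_network(d)]
    if not covering:
        problems.append(f"no route covers {target}")
    else:
        dest, hop = max(covering, key=lambda r: r[0].prefixlen)
        if hop != vpn_next_hop:
            problems.append(f"{target} matches {dest} via {hop}, not {vpn_next_hop}")
    return problems

# Constructed sample values: VPC2 is the local side, VPC1 holds the mount target.
VPC2_CIDR, VPC1_CIDR = "172.16.0.0/16", "192.168.0.0/16"
MOUNT_TARGET = "192.168.1.10"
VPN_HOP = "vpn-gateway-ecs"  # placeholder label for the VPN next hop
GOOD_ROUTES = [("192.168.0.0/16", VPN_HOP)]
SHADOWED_ROUTES = GOOD_ROUTES + [("192.168.1.0/24", "nat-gateway")]

if __name__ == "__main__":
    for name, table in (("good", GOOD_ROUTES), ("shadowed", SHADOWED_ROUTES)):
        print(name, check_vpn_route_plan(VPC2_CIDR, VPC1_CIDR, table, MOUNT_TARGET, VPN_HOP))
```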