
VPN Gateway: Configure routes of a VPN gateway

Last Updated:Nov 28, 2024

After you create an IPsec-VPN connection, you must configure routes to the data center on the VPN gateway that is associated with the connection. When traffic from the associated virtual private cloud (VPC) that is destined for the data center reaches the VPN gateway, the gateway looks up its routing information and forwards the traffic to the data center over the connection.

Background information

When you connect your data center to a VPC by using an IPsec-VPN connection, you must add routes for the VPC, VPN gateway, and data center to enable data transmission between the data center and the VPC.

When you configure routes, you can configure static routes or enable automatic route learning by using Border Gateway Protocol (BGP) dynamic routing. The following table lists the routing configurations in different scenarios.

Routing method: Static routing

  Traffic destined for the data center
    VPC: You need to add routes destined for the data center. You can add them manually or let the VPN gateway advertise them to the VPC automatically.
    VPN gateway: You need to add routes destined for the data center. The following management methods are supported:
      • Management of destination-based routes
      • Management of policy-based routes
    Data center: No configuration is required.

  Traffic destined for the VPC
    VPC: No configuration is required.
    VPN gateway: No configuration is required. The VPN gateway automatically learns the routes destined for the associated VPC.
    Data center: You need to add routes destined for the VPC whose next hop points to the IPsec-VPN connection.

Routing method: BGP dynamic routing

  Traffic destined for the data center
    VPC: No configuration is required. After you enable automatic route advertising for the VPN gateway, the VPN gateway automatically advertises the routes it learns from the data center to the VPC.
    VPN gateway: You must configure BGP dynamic routing. After BGP dynamic routing is configured, the VPN gateway automatically learns the routes destined for the data center and the VPC, and automatically advertises the routes of the VPC to the data center.
    Data center: You must configure BGP dynamic routing. After BGP dynamic routing is configured, the data center advertises its routes to the VPN gateway and automatically learns the routes destined for the VPC.

  Traffic destined for the VPC
    VPC: No configuration is required.
    VPN gateway: Covered by the BGP configuration above; no additional configuration is required.
    Data center: Covered by the BGP configuration above; no additional configuration is required.

Configure VPN gateway routing

Important

This topic focuses on the routing configuration for VPN gateways and does not describe the routing configuration for VPCs or data centers.

Static routing

  • Destination-based routes

    When you configure a destination-based route, you must specify the destination CIDR block and the next hop. The VPN gateway identifies the destination-based route that matches the destination IP address of the traffic, and then forwards the traffic based on the next hop of the matched destination-based route. For more information, see Configure destination-based routes.

  • Policy-based routes

    When you configure a policy-based route, you must specify the source CIDR block, destination CIDR block, and next hop. The VPN gateway identifies the policy-based route that matches the source IP address and destination IP address of the traffic, and then forwards the traffic based on the next hop of the matched policy-based route. For more information, see Manage policy-based routes.

BGP dynamic routing

BGP is a dynamic routing protocol that runs over Transmission Control Protocol (TCP). BGP is used to exchange routing and network reachability information between autonomous systems (ASs). You need to add BGP configuration to both the VPN gateway and the data center so that they become BGP peers. After that, each side learns the routes configured on the other, which reduces network maintenance costs and the risk of configuration errors. Because each peer installs whatever the other advertises, limit the prefixes advertised on each side to those that are meant to traverse the IPsec-VPN connection. For more information, see Configure BGP dynamic routing.

Select a routing method

  1. Check whether the region where the VPN gateway resides supports BGP dynamic routing. If not, you must select static routing. The following regions support BGP dynamic routing:

    Asia Pacific: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta)

    Europe and Americas: Germany (Frankfurt), UK (London), US (Virginia), US (Silicon Valley)

    Middle East: UAE (Dubai)

  2. Check whether the gateway devices in the data center support BGP dynamic routing. If they do, you can select BGP dynamic routing. If not, you must select static routing.

  3. If both static routing and BGP dynamic routing are supported in your scenario, you can select a routing method based on the information in the following table.

    Static routing
      Scenario: The number of routes in the data center is small, and route changes are infrequent.
      Configuration difficulty: Easy
      Route maintenance cost: Medium. You must complete the routing configuration for the VPC, the data center, and the VPN gateway. If routes in the data center change, you must manually update the routing configuration of the VPN gateway.
      High availability mode: If multiple IPsec-VPN connections are established between the data center and Alibaba Cloud through one VPN gateway, these connections can work in active/standby mode through static routing. This ensures high availability.

    BGP dynamic routing
      Scenario: The number of routes in the data center is large, and route changes are frequent.
      Configuration difficulty: Easy
      Route maintenance cost: Low. You must add the BGP configuration to the VPN gateway and the data center. If routes in the data center change, no operation is required on the VPN gateway: routes are advertised and learned automatically according to BGP's advertisement rules.
      High availability mode: If multiple IPsec-VPN connections are established between the data center and Alibaba Cloud through one VPN gateway, you can configure equal-cost multi-path (ECMP) routing over these connections through BGP dynamic routing. If one of the IPsec-VPN connections fails, BGP automatically switches traffic to the remaining connections. This ensures high availability.
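The following added example (not Alibaba Cloud code, and not from the original page) models the BGP high-availability behaviour described above: the VPN gateway keeps, for every prefix learned from the data center, the set of IPsec-VPN connections over which a BGP peer advertises it, uses all of them as ECMP next hops, and withdraws a connection's routes when its session fails. It also surfaces the check a practitioner wants before relying on failover: any prefix advertised over only one connection has no backup path. Connection names, CIDRs and the advertised prefixes are constructed for the demo.

```python
from typing import Dict, List, Set


class VpnGatewayRib:
    """Toy model of the VPN gateway's dynamic (BGP-learned) route table.
    This is a constructed example, not the VPN gateway's implementation."""

    def __init__(self, vpc_cidr: str):
        self.vpc_cidr = vpc_cidr
        # prefix -> IPsec-VPN connections whose BGP peer currently advertises it
        self.learned: Dict[str, Set[str]] = {}
        self.sessions_up: Set[str] = set()

    def session_up(self, conn: str, advertised: List[str]) -> List[str]:
        """The data-center peer on `conn` announces its prefixes.
        Returns what the gateway advertises back: the VPC CIDR block."""
        self.sessions_up.add(conn)
        for prefix in advertised:
            self.learned.setdefault(prefix, set()).add(conn)
        return [self.vpc_cidr]

    def session_down(self, conn: str) -> None:
        """Tunnel or BGP session failure: every prefix learned over `conn`
        is withdrawn, which is the 'automatic route switching' of the table."""
        self.sessions_up.discard(conn)
        for prefix in list(self.learned):
            self.learned[prefix].discard(conn)
            if not self.learned[prefix]:
                del self.learned[prefix]

    def next_hops(self, prefix: str) -> List[str]:
        """ECMP: all live connections advertising the prefix (sorted for
        deterministic output). Empty list means the prefix is unreachable."""
        return sorted(self.learned.get(prefix, ()))

    def unprotected_prefixes(self) -> List[str]:
        """Prefixes reachable over a single connection only. A failure on that
        connection leaves them without a path, so they get no benefit from HA."""
        return sorted(p for p, conns in self.learned.items() if len(conns) < 2)


def failover_demo() -> Dict[str, List[str]]:
    """Two IPsec-VPN connections on one VPN gateway; constructed scenario."""
    rib = VpnGatewayRib("192.168.0.0/16")
    rib.session_up("ipsec-conn-1", ["10.0.0.0/8", "172.16.0.0/12"])
    rib.session_up("ipsec-conn-2", ["10.0.0.0/8"])  # 172.16/12 only on conn-1
    result = {
        "ecmp_before": rib.next_hops("10.0.0.0/8"),      # both connections
        "unprotected": rib.unprotected_prefixes(),      # ['172.16.0.0/12']
    }
    rib.session_down("ipsec-conn-1")                    # conn-1 fails
    result["after_failure"] = rib.next_hops("10.0.0.0/8")  # conn-2 only
    result["lost"] = rib.next_hops("172.16.0.0/12")        # no path left
    return result


if __name__ == "__main__":
    for key, value in failover_demo().items():
        print(f"{key}: {value}")
```

Advertising the same set of prefixes over every connection (the output's `unprotected` list should be empty) is what turns "multiple connections" into actual redundancy.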

Recommendations on routing configuration

If multiple IPsec-VPN connections are created on one VPN gateway, we recommend that you use the same routing method for all of them. Mixing destination-based routing, policy-based routing, and BGP dynamic routing on the same gateway is not recommended, because conflicting routes are then resolved by the priority rules below rather than by your intent.

Route priority

The following table lists the priority applied when conflicting routes (routes to the same destination CIDR block from different route types) exist in the VPN gateway route table or the VPC route table.

Note

The route priority in descending order is as follows: P0 > P1 > P2 > P3.

Route type       Route priority on the VPN gateway   Route priority within the VPC
Specific route   P0                                  P0
System route     P1                                  P1
Static route     P2                                  P2
Dynamic route    P3                                  P3

Note

On the VPN gateway, a policy-based route takes precedence over a destination-based route.
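The following added example (written for this page, not Alibaba Cloud code) turns the static routing section (destination-based versus policy-based matching) and the priority table above into a small route-selection model, so you can predict which next hop the gateway picks before you mix route types. Route kinds and P-values come from the table; the connection IDs and CIDR blocks are constructed. One assumption the page does not spell out: when candidate routes have different destination prefix lengths, the model applies ordinary longest-prefix matching and treats only routes to the same destination CIDR block as a "conflict" to be resolved by priority.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Priority classes from the route priority table: lower value wins on a conflict.
PRIORITY: Dict[str, int] = {
    "specific": 0,            # P0
    "system": 1,              # P1 (for example the associated VPC's own CIDR block)
    "static_policy": 2,       # P2, beats static_destination on a conflict
    "static_destination": 2,  # P2
    "dynamic": 3,             # P3 (learned through BGP)
}


@dataclass(frozen=True)
class Route:
    kind: str                     # one of the PRIORITY keys
    destination: str              # destination CIDR block
    next_hop: str                 # IPsec-VPN connection ID (hypothetical names below)
    source: Optional[str] = None  # source CIDR block, policy-based routes only

    def matches(self, src: str, dst: str) -> bool:
        """Destination-based routes match on the destination address only;
        policy-based routes must also match the source address."""
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        if self.source is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        return True

    def rank(self) -> Tuple[int, int, int]:
        """Sort key: longest prefix first (assumption), then priority class,
        then policy-based before destination-based among P2 static routes."""
        prefixlen = ipaddress.ip_network(self.destination).prefixlen
        return (-prefixlen, PRIORITY[self.kind], 0 if self.source is not None else 1)


def lookup(routes: List[Route], src: str, dst: str) -> Optional[Route]:
    """Return the route the gateway would use for a packet src -> dst, or None."""
    candidates = [r for r in routes if r.matches(src, dst)]
    if not candidates:
        return None
    return min(candidates, key=Route.rank)


def conflicts(routes: List[Route]) -> List[Tuple[str, str, str]]:
    """Report destination CIDR blocks carried by more than one route kind and
    which kind wins: the check to run before mixing static and BGP routes."""
    by_dest: Dict[str, List[Route]] = {}
    for r in routes:
        by_dest.setdefault(str(ipaddress.ip_network(r.destination)), []).append(r)
    report = []
    for dest, group in sorted(by_dest.items()):
        kinds = {r.kind for r in group}
        if len(kinds) > 1:
            winner = min(group, key=Route.rank)
            report.append((dest, ",".join(sorted(kinds)), winner.kind))
    return report


# Constructed sample route table; all IDs and CIDR blocks are made up.
VPC_CIDR = "192.168.0.0/16"
ROUTES = [
    Route("system", VPC_CIDR, "vpc"),                                    # learned automatically
    Route("static_destination", "10.0.0.0/8", "ipsec-conn-a"),
    Route("static_policy", "10.0.0.0/8", "ipsec-conn-b", source="192.168.1.0/24"),
    Route("dynamic", "10.0.0.0/8", "ipsec-conn-c"),                      # BGP, conflicts with static
    Route("dynamic", "10.1.0.0/16", "ipsec-conn-c"),                     # BGP, more specific
]


def next_hop(src: str, dst: str, routes: List[Route] = ROUTES) -> Optional[str]:
    r = lookup(routes, src, dst)
    return r.next_hop if r else None


if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "10.5.5.5"), ("192.168.2.10", "10.5.5.5"),
                     ("192.168.2.10", "10.1.2.3"), ("10.1.2.3", "192.168.3.4"),
                     ("192.168.2.10", "172.16.0.1")]:
        print(f"{src} -> {dst}: {next_hop(src, dst)}")
    for dest, kinds, winner in conflicts(ROUTES):
        print(f"conflict on {dest}: {kinds} -> {winner} wins")
```

In the sample table, traffic from 192.168.1.0/24 to 10.0.0.0/8 follows the policy-based route, all other VPC traffic to 10.0.0.0/8 follows the static destination-based route rather than the conflicting BGP route, and 10.1.0.0/16 is reached through the more specific BGP route. The `conflicts()` report shows why the recommendation above is to avoid mixing route types.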