IPsec-VPN establishes an encrypted tunnel to enable secure communication between on-premises networks, such as enterprise data centers or office networks, and VPCs in the cloud.
Alibaba Cloud VPN Gateway complies with the relevant Chinese national policies and regulations and therefore supports only connections that do not cross the Chinese border. If you require cross-border connections, use TransitRouter.
Scenarios
Alibaba Cloud IPsec-VPN establishes site-to-site encrypted connections. It can be deployed in two ways:
Attached to a VPN gateway: connects your on-premises network to a single VPC.
Attached to a transit router (TR): connects your on-premises network to multiple VPCs.
Components
Attached to a VPN Gateway
Component Name | Description |
VPN gateway | When connecting on-premises networks to a single VPC in the cloud, the VPN Gateway instance serves as the cloud-side entry and exit point for communication. VPN Gateway offers two types: enhanced instance families and traditional instance families. For more information on the differences between them, see Select VPN Gateway Type. |
Customer gateway | A logical object on the Alibaba Cloud side that records the public IP address of the on-premises gateway device. Reference it when creating an IPsec-VPN connection. |
IPsec-VPN connection | Defines an encrypted tunnel from the VPN Gateway to the on-premises gateway device. The encryption algorithm, authentication algorithm, pre-shared key (PSK), and other parameters configured here must match on both ends of the tunnel. |
On-premises gateway device | A physical device (usually a gateway device) or application in your data center. The on-premises gateway device must support IPsec VPN so that it can negotiate and establish an IPsec-VPN connection with the cloud-side gateway. For simplicity, this document uses "data center" to refer to enterprise data centers, enterprise office networks, and any other network or site that requires an IPsec-VPN connection with Alibaba Cloud. |
Attached to a TransitRouter
Component Name | Description |
Transit router | When connecting on-premises networks to multiple VPCs in the cloud, TransitRouter serves as the cloud-side entry and exit point for communication. To use it, create a VPN connection on the TransitRouter and attach an IPsec-VPN connection instance to it. |
Customer gateway | A logical object on the Alibaba Cloud side that records the public IP address of the on-premises gateway device. Reference it when creating an IPsec-VPN connection. |
IPsec-VPN connection | Defines an encrypted tunnel from the TransitRouter to the on-premises gateway device. The encryption algorithm, authentication algorithm, pre-shared key (PSK), and other parameters configured here must match on both ends of the tunnel. |
On-premises gateway device | A physical device (usually a gateway device) or application in your data center. The on-premises gateway device must support IPsec VPN so that it can negotiate and establish an IPsec-VPN connection with the cloud-side gateway. For simplicity, this document uses "data center" to refer to enterprise data centers, enterprise office networks, and any other network or site that requires an IPsec-VPN connection with Alibaba Cloud. |
Dual-Tunnel Mode
An IPsec-VPN connection includes two encrypted tunnels by default. In regions that support multiple zones, the two tunnels are deployed in different zones to provide zone-level disaster recovery. In regions that support only one zone, such as China (Wuhan - Local Region), both tunnels are deployed in the same zone. This configuration does not provide zone-level disaster recovery but still offers link redundancy.
Attached to a VPN Gateway: The two encrypted tunnels act as active/standby links. By default, traffic is transmitted only through the active tunnel. If the active tunnel fails, traffic is transmitted through the standby tunnel. For more information, see Attached to a VPN Gateway.
Attached to a TransitRouter: The two tunnels automatically form equal-cost multi-path (ECMP) links. Both tunnels transmit traffic. If one tunnel fails, traffic from that tunnel switches to the other tunnel. For more information, see Attached to a TransitRouter.
When you create an IPsec-VPN connection, configure both tunnels on the cloud side and on the on-premises gateway device so that both can be negotiated and brought up. If you configure or use only one tunnel, you lose the link redundancy and zone-level disaster recovery that the dual-tunnel IPsec-VPN connection provides, and the VPN Gateway is then not covered by the SLA.
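The IPsec-VPN connection rows above list the parameters that must agree on both ends (encryption algorithm, authentication algorithm, PSK), and the dual-tunnel section lists what a connection needs to be redundant. The following pre-flight checker ties the two together. It is an added example and not Alibaba Cloud code: the dictionary layout, the field names (`attach_to`, `ha_mode`, `tunnels`, `zone`, `psk`, `ike`, `ipsec`), and the generic algorithm labels are assumptions made for illustration, not VPN Gateway API parameters. It rejects legacy ciphers, hashes and DH groups, enforces a minimum PSK length, checks that two tunnels exist and that the HA mode matches the attachment target, and warns (rather than fails) when both tunnels sit in one zone, because single-zone regions such as China (Wuhan - Local Region) cannot do better.

```python
"""Pre-flight check for a dual-tunnel IPsec-VPN connection definition.

Added example, not Alibaba Cloud code: the dictionary layout, field names and
algorithm labels are assumptions made for illustration, not VPN Gateway API
parameters.
"""
import secrets
import string

# Generic IKE/IPsec labels (assumed names, not vendor identifiers).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {"group1", "group2", "group5"}  # 768-, 1024-, 1536-bit MODP
MIN_PSK_LENGTH = 32

# HA mechanism for each attachment target, as described in the text.
EXPECTED_HA_MODE = {"vpn_gateway": "active_standby", "transit_router": "ecmp"}


def generate_psk(length: int = MIN_PSK_LENGTH) -> str:
    """Return a CSPRNG-generated pre-shared key; generate one per tunnel."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_proposal(label: str, proposal: dict) -> list:
    """Flag weak encryption, integrity or DH settings in one IKE or IPsec proposal."""
    findings = []
    if proposal["encryption"].lower() in WEAK_ENCRYPTION:
        findings.append(f"{label}: weak encryption {proposal['encryption']}")
    if proposal["integrity"].lower() in WEAK_INTEGRITY:
        findings.append(f"{label}: weak integrity {proposal['integrity']}")
    if proposal["dh_group"].lower() in WEAK_DH_GROUPS:
        findings.append(f"{label}: weak DH group {proposal['dh_group']}")
    return findings


def check_tunnel(tunnel: dict) -> list:
    """Check both negotiation phases of one tunnel plus the length of its PSK."""
    findings = check_proposal("ike", tunnel["ike"]) + check_proposal("ipsec", tunnel["ipsec"])
    if len(tunnel["psk"]) < MIN_PSK_LENGTH:
        findings.append(f"psk shorter than {MIN_PSK_LENGTH} characters")
    return findings


def check_connection(conn: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for a whole connection.

    Errors: wrong tunnel count, an HA mode that does not match the attachment
    target, or weak per-tunnel settings. Warnings: conditions that reduce
    redundancy but can be unavoidable (single-zone regions) or are a policy
    choice (one PSK reused across both tunnels).
    """
    errors, warnings = [], []
    tunnels = conn["tunnels"]
    if len(tunnels) != 2:
        errors.append(f"{len(tunnels)} tunnel(s) configured; dual-tunnel mode needs both")
    expected = EXPECTED_HA_MODE.get(conn["attach_to"])
    if expected is None or conn["ha_mode"] != expected:
        errors.append(f"ha_mode {conn['ha_mode']!r} not valid for {conn['attach_to']!r}")
    if len(tunnels) == 2:
        if len({t["zone"] for t in tunnels}) < 2:
            warnings.append("both tunnels in one zone: link redundancy only, "
                            "no zone-level disaster recovery")
        if tunnels[0]["psk"] == tunnels[1]["psk"]:
            warnings.append("tunnels share one PSK; compromise of one exposes both")
    for index, tunnel in enumerate(tunnels, start=1):
        errors.extend(f"tunnel {index}: {f}" for f in check_tunnel(tunnel))
    return {"errors": errors, "warnings": warnings}


# Constructed sample: tunnel 1 uses a hardened proposal, tunnel 2 a legacy one,
# and both were placed in the same zone.
SAMPLE_CONNECTION = {
    "attach_to": "vpn_gateway",
    "ha_mode": "active_standby",
    "tunnels": [
        {"zone": "zone-a", "psk": generate_psk(),
         "ike": {"encryption": "aes256", "integrity": "sha256", "dh_group": "group14"},
         "ipsec": {"encryption": "aes256", "integrity": "sha256", "dh_group": "group14"}},
        {"zone": "zone-a", "psk": "changeme123",
         "ike": {"encryption": "3des", "integrity": "sha1", "dh_group": "group2"},
         "ipsec": {"encryption": "aes128", "integrity": "md5", "dh_group": "group14"}},
    ],
}

if __name__ == "__main__":
    result = check_connection(SAMPLE_CONNECTION)
    for line in result["errors"]:
        print("ERROR  ", line)
    for line in result["warnings"]:
        print("WARNING", line)
```

Run it as a script to see the report for the constructed sample: tunnel 2 produces five errors (3DES, SHA-1 and DH group 2 in IKE, MD5 in IPsec, and a short PSK) while tunnel 1 is clean, and the shared zone produces one warning. Apply the same check to the cloud-side and on-premises definitions separately; a mismatch between the two is what typically shows up as a failed negotiation rather than a weak one.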
Feature Comparison
Comparison Item | Attached to a VPN Gateway | Attached to a TransitRouter |
Scenarios | Connects on-premises networks to a single VPC in the cloud. | Connects on-premises networks to multiple VPCs in the cloud. |
Supported encryption algorithms | International standard commercial cryptographic algorithms | International standard commercial cryptographic algorithms |
IPsec-VPN connection tunnel mode | Dual-tunnel mode. Some existing VPN Gateway instances support only single-tunnel IPsec-VPN connections; upgrade them to dual-tunnel mode. | Dual-tunnel mode. Existing single-tunnel IPsec-VPN connections do not provide high availability; to migrate, delete and recreate the IPsec-VPN connection in a way that does not affect network connectivity. Newly created IPsec-VPN connections default to dual-tunnel mode. |
High-availability mechanism | Active/standby tunnels: traffic uses the active tunnel by default and switches automatically to the standby tunnel if the active tunnel fails. | ECMP (equal-cost multi-path): both tunnels carry traffic and provide redundancy for each other. |
Bandwidth supported by a single IPsec-VPN connection | | For existing single-tunnel mode, an IPsec-VPN connection supports a maximum bandwidth of 1000 Mbps. |
Packets per second (PPS) supported | A VPN Gateway instance supports a total of 120,000 PPS (256 bytes per packet) in both directions. If a VPN Gateway instance has multiple IPsec-VPN connections, the combined bidirectional PPS of all connections cannot exceed 120,000 PPS (256 bytes per packet). | In dual-tunnel mode, each tunnel supports a total of 120,000 PPS (256 bytes per packet) in both directions. For existing single-tunnel mode, an IPsec-VPN connection supports a total of 120,000 PPS (256 bytes per packet) in both directions. |
Billing
For more information, see IPsec-VPN billing documentation.