All Products
Search

This Product

    VPN Gateway:Configure BGP dynamic routing

    Document Center

    VPN Gateway:Configure BGP dynamic routing

    Last Updated:Jan 08, 2025

    VPN gateways support Border Gateway Protocol (BGP) dynamic routing. After you establish an IPsec-VPN connection between a data center and Alibaba Cloud, they can automatically learn routes from each other and communicate through BGP. This reduces network maintenance costs and network configuration errors.

    Support for BGP dynamic routing

    By default, VPN gateways that are created after December 26, 2024 and support dual-tunnel IPsec-VPN connections support BGP dynamic routing. Some existing VPN gateways may not support BGP dynamic routing due to region limits or outdated versions. You can call the DescribeVpnGateway or DescribeVpnGateways API operation to query whether an existing VPN gateway supports BGP dynamic routing. If the VpnEnableBgp parameter in Tag returns true, the VPN gateway supports BGP dynamic routing.

    If the VPN gateway does not support BGP dynamic routing, perform the following steps:

    How BGP dynamic routes are advertised

    After BGP dynamic routing is configured for a VPN gateway and a data center, BGP routes are advertised in the following ways:

    • To Alibaba Cloud

      After the data center advertises its routes in BGP routing configuration, these routes are automatically advertised to the VPN gateway on Alibaba Cloud by using BGP dynamic routing. If you enable automatic BGP advertising for the VPN gateway on Alibaba Cloud, the VPN gateway automatically advertises the learned routes to the system route table of the associated virtual private cloud (VPC). No route is advertised to the custom route tables.

    • To the data center

      The VPN gateway on Alibaba Cloud automatically learns system routes in the system route table of the VPC through BGP and automatically advertises these routes to the data center instead of learning the system routes in the custom route tables of the VPC.

    Limits on BGP dynamic routing

    • The BGP route table of a VPN gateway can receive up to 50 routes from a BGP peer. To increase the quota limit, submit a ticket. The maximum quota limit is 200.

    • A VPN gateway cannot receive routes that point to 0.0.0.0/0 from a BGP peer.

    • Do not propagate routes that point to 100.64.0.0/10 or its subnets to VPN gateways that support only single-tunnel IPsec-VPN connections through BGP dynamic routing. Otherwise, the status of IPsec-VPN connections cannot be displayed in the VPN Gateway console or IPsec-VPN connection negotiation will fail. To avoid this issue, upgrade to dual-tunnel IPsec-VPN connections.

    • If BGP dynamic routing is enabled for multiple IPsec-VPN connections in the same VPN gateway, local autonomous system numbers (ASNs) of these connections must be the same.

    • If IPsec-VPN connections are established between the same VPN gateway and different data centers, you cannot advertise routes for different IPsec-VPN connections to each other.

    • If a VPC is associated with multiple VPN gateways, you cannot set the VPN gateways as BGP peers or advertise routes of different VPN gateways to each other.

    • In the scenario where a VPC is associated with multiple VPN gateways and BGP dynamic routing is enabled for these VPN gateways, if these VPN gateways are associated with the same customer gateway, make sure that the IPsec-VPN connections of the VPN gateways use the same local ASN. Otherwise, routing loops may occur.

    • When you connect a data center to a VPC by using an Express Connect circuit and a VPN gateway for connection resilience, make sure that you specify the same data center ASN for the virtual border router (VBR) and VPN gateway. This prevents route flapping in the data center.

    • After you enable BGP dynamic routing for a VPN gateway that is attached to a Cloud Enterprise Network (CEN) instance, you must enable overlapping routing for the CEN instance.

      Note

      By default, overlapping routing is enabled for CEN instances that are created after March 1, 2019 (UTC+8). For more information, see Enable overlapping routing.

    • If multiple VPCs are associated with the same CEN instance, make sure that the VPN gateways associated with the VPCs are not connected to the data center by using BGP. This prevents route flapping in Alibaba Cloud.

    • In the scenario where multiple IPsec-VPN connections in dual-tunnel mode exist on a VPN gateway and BGP dynamic routing is configured for these connections, the destination CIDR blocks of the routes that are learned by the VPN gateway through these connections cannot conflict with each other. Otherwise, the routes do not take effect.

    Recommendation on BGP dynamic routing configuration

    • We recommend that you set Routing Mode to Destination Routing Mode for IPsec-VPN connections.

    • If BGP dynamic routing is configured for an IPsec-VPN connection in dual-tunnel mode, the ASN of the tunnels must be the same. In addition, we recommend that you specify the same BGP ASN for the tunnel peers.

    Procedure

    1. Specify the ASN of the data center in a customer gateway. For more information, see Create and manage a customer gateway.

      • If you do not specify the ASN of the data center when you create a customer gateway, you must delete the current customer gateway and create another one.

      • After the customer gateway is created, you cannot edit it. If you want to change the ASN, delete the current customer gateway and create another one.

    2. Enable BGP for the IPsec-VPN connection and add BGP dynamic routing configurations. For more information, see Create and manage IPsec-VPN connections in dual-tunnel mode.

      The following table lists only the content that is strongly correlated to BGP dynamic routing.

      Note

      • When you enable BGP for an IPsec-VPN connection in dual-tunnel mode, the sequence of the configuration items varies from that in the following table. You need to select customer gateways for the primary and secondary tunnels and add BGP configuration. For more information, check the VPN Gateway console.

      • If the system prompts that the current VPN gateway version is not supported when you configure BGP dynamic routing, refer to Support for BGP dynamic routing.

      Parameter

      Description

      Customer Gateway

      Select the customer gateway with the ASN of the data center.

      Enable BGP

      Select Enable BGP.

      Local ASN

      Enter the ASN of the tunnel. Default value: 45104. Valid values: 1 to 4294967295.

      Tunnel CIDR Block

      The CIDR block of the tunnel.

      The CIDR block must fall into 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30.

      Note

      In a VPN gateway, the CIDR block of each tunnel must be unique.

      Local BGP IP address

      Enter the BGP IP address of the tunnel.

      This IP address must fall within the CIDR block of the tunnel.

    3. Enable automatic BGP route advertisement for the VPN gateway.

      After this feature is enabled, the learned BGP routes are automatically advertised to the system route table of the VPC.

      1. Log on to the VPN Gateway console.

      2. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

      3. On the VPN Gateway page, find the VPN gateway that you want to manage and enable the automatic route advertisement feature in the Enable Automatic Route Advertisement column. 路由自动传播

    Tutorials on BGP dynamic routing

    Connect a VPC to a data center in dual-tunnel mode and enable BGP dynamic routing