All Products
Search

This Product

    VPN Gateway:Connect a VPC to a data center by using an IPsec-VPN connection in single-tunnel mode and enable BGP dynamic routing

    Document Center

    VPN Gateway:Connect a VPC to a data center by using an IPsec-VPN connection in single-tunnel mode and enable BGP dynamic routing

    Last Updated:Oct 21, 2024

    This topic describes how to establish an IPsec-VPN connection in single-tunnel mode between a virtual private cloud (VPC) and a data center by using a public VPN gateway, and how to configure Border Gateway Protocol (BGP) dynamic routing for the VPC and the data center to automatically learn routes. This way, the VPC and the data center can share resources with each other. This reduces network maintenance costs and network configuration errors.

    Prerequisites

    • A public IP address is assigned to the gateway device in the data center before you associate an IPsec-VPN connection with a public VPN gateway.

    • The gateway device in the data center must support the IKEv1 or IKEv2 protocol to establish an IPsec-VPN connection with a transit router.

    • The CIDR block of the data center does not overlap with the CIDR block of the network to be accessed.

    Regions that support BGP dynamic routing

    Area

    Region

    Asia Pacific

    China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Australia (Sydney) Closing Down, Malaysia (Kuala Lumpur), Indonesia (Jakarta)

    Europe and Americas

    Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)

    Middle East

    UAE (Dubai)

    Scenario

    The following figure shows the scenario that is used in this topic. An enterprise has created a VPC in the Germany (Frankfurt) region. The private CIDR block of the VPC is 10.0.0.0/8 and the autonomous system number (ASN) is 65530. The enterprise has a data center in Frankfurt. The public IP address of the data center is 2.XX.XX.2, the private CIDR block is 172.17.0.0/16, and the ASN is 65531. The enterprise wants to establish a connection between the VPC and the data center for business development.

    You can use IPsec-VPN to establish a connection between the VPC and the data center, and configure BGP dynamic routing. After the configuration is complete, the VPC and the data center can automatically learn routes and communicate with each other by using BGP dynamic routing. This reduces network maintenance costs and network configuration errors.

    Note

    An autonomous system (AS) is a small unit that independently determines the routing protocol to be used in the system. This unit is an independent and manageable network unit. It may consist of a simple network or a network group that is controlled by one or more network administrators. Each AS has a globally unique identifier called ASN.

    架构图

    Preparations

    • A VPC is created in the Germany (Frankfurt) region and cloud services are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

    • Before you use VPN Gateway, you must read and understand the security group rules that apply to the ECS instances in VPCs. Make sure that the security group rules allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.

    Procedure

    本地数据中心和VPC(BGP)-配置流程

    Step 1: Create a VPN gateway

    1. Log on to the VPN gateway console.

    2. On the VPN Gateways page, click Create VPN Gateway.

    3. On the buy page, configure the parameters that are described in the following table, click Buy Now, and then complete the payment.

      The following table describes only the parameters that are relevant to this topic. You can use the default values of other parameters or leave them empty. For more information, see Create and manage a VPN gateway.

      Parameter

      Description

      Region and Zone

      The region in which you want to create the VPN gateway.

      Make sure that the VPN gateway and the VPC reside in the same region. In this example, Germany (Frankfurt) is selected.

      Gateway Type

      The gateway type.

      Default value: Standard.

      Network Type

      The network type. In this example, Public is selected.

      Tunnels

      The system displays the tunnel modes that are supported in this region. Valid values:

      • Single-tunnel

      • Dual-tunnel

      For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

      VPC

      The VPC in which you want to create the VPN gateway. In this example, the VPC that is created in the Germany (Frankfurt) region is selected.

      VSwitch

      Select a vSwitch from the selected VPC.

      • If you select Single-tunnel, you need to specify only one vSwitch.

      • If you select Dual-tunnel, you need to specify two vSwitches.

        After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) for each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch.

      Note

      • The system selects a vSwitch by default. You can change or use the default vSwitch.

      • After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.

      vSwitch 2

      Ignore this parameter if you select Single-tunnel for the Tunnels parameter.

      IPsec-VPN

      Specifies whether to enable IPsec-VPN. In this example, Enable is selected.

      SSL-VPN

      Specifies whether to enable SSL-VPN. In this example, Disable is selected.

    The newly created VPN gateway is in the Preparing state and changes to the Normal state after about 1 to 5 minutes. After the state of the VPN gateway changes to Normal, the VPN gateway is ready for use. After the VPN gateway is created, a public IP address is automatically assigned to the gateway for establishing VPN connections.VPN网关公网IP地址

    Note

    If you want to use an existing VPN gateway, make sure that it is updated to the latest version. By default, if the existing VPN gateway i not of the latest version, you cannot use the BGP dynamic routing feature.

    You can check whether your VPN gateway is of the latest version by viewing the Upgrade button on the details page of the VPN gateway. If your VPN gateway is not of the latest version, you can click Upgrade to upgrade the VPN gateway. For more information, see Upgrade a VPN gateway.

    Step 2: Enable BGP dynamic routing

    BGP is used to exchange routing information between different ASs. To use the BGP dynamic routing feature, you must enable the BGP dynamic routing feature for the VPN gateway.

    1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

    2. In the top navigation bar, select the region in which the VPN gateway resides.

    3. On the VPN Gateways page, find the created VPN Gateway and turn on the switch in the Enable Automatic Route Advertisement column.

      After the BGP dynamic routing feature is enabled, the VPN Gateway automatically advertises BGP routes to the VPC.路由自动传播

    Step 3: Create a customer gateway

    You can create a customer gateway to register the public IP address and BGP AS of the data center to Alibaba Cloud.

    1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

    2. In the top navigation bar, select the region in which you want to create the customer gateway.

      Note

      The customer gateway and the VPN gateway to be connected must be deployed in the same region.

    3. On the Customer Gateway page, click Create Customer Gateway.

    4. In the Create Customer Gateway panel, configure the parameters that are described in the following table and click OK.

      The following table describes only the parameters that are relevant to this topic. You can use the default values of other parameters or leave them empty. For more information, see Create and manage a customer gateway.

      Parameter

      Description

      IP Address

      The public IP address of the gateway device in the data center. In this example, 2.XX.XX.2 is used.

      ASN

      The ASN of the gateway device in the data center. In this example, 65531 is used.

    Step 4: Create an IPsec-VPN connection

    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. In the top navigation bar, select the region in which you want to create the IPsec-VPN connection.

      Note

      The IPsec-VPN connections must be created in the same region as the VPN gateway created in Step 1.

    3. On the IPsec Connections page, click Create IPsec-VPN Connection.

    4. On the Create IPsec-VPN Connection page, configure the parameters that are described in the following table and click OK.

      The following table describes only the parameters that are relevant to this topic. You can use the default values of other parameters or leave them empty. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

      Parameter

      Description

      Associate Resource

      Select the type of network resource to be associated with the IPsec-VPN connection.

      In this example, VPN Gateway is selected.

      VPN Gateway

      The VPN gateway to be associated with the IPsec-VPN connection.

      In this example, the VPN gateway that is created in Step 1 is selected.

      Routing Mode

      The routing mode.

      Valid values: Destination Routing Mode or Protected Data Flows. If the IPsec-VPN connection uses BGP dynamic routing, we recommend that you select Destination Routing Mode. In this example, Destination Routing Mode is selected.

      Effective Immediately

      Specifies whether to immediately start negotiations for the connection. Valid values:

      • Yes: immediately starts IPsec-VPN negotiations after the IPsec-VPN connection is created.

      • No: starts IPsec-VPN negotiations when inbound traffic is detected.

      In this example, Yes is selected.

      Customer Gateway

      The customer gateway to be associated with the IPsec-VPN connection.

      In this example, the customer gateway that is created in Step 3 is selected.

      Pre-Shared Key

      The pre-shared key that is used for authentication.

      The pre-shared keys must be the same on both the VPN gateway associated with the IPsec-VPN connection and the gateway device in the data center. In this example, 123456**** is used.

      Enable BGP

      Specify whether to enable Border Gateway Protocol (BGP). If you want to use BGP routing for the IPsec-VPN connection, turn on Enable BGP. By default, Enable BGP is turned off.

      In this example, Enable BGP is turned on.

      Local ASN

      The local ASN of the tunnel. Default value: 45104.

      In this example, 65530 is used.

      Encryption Configuration

      Use the default values of parameters except for the following parameters.

      • Set the DH Group parameter in the IKE Configurations section to group14.

      • Set the DH Group parameter in the IPsec Configurations section to group14.

        Note

        You must configure parameters in the Encryption Configuration section based on the gateway device in the data center to ensure that the encryption configurations of the IPsec-VPN connection are consistent with those of the gateway device in the data center.

      BGP Configuration

      • Tunnel CIDR Block

        The CIDR block of the IPsec tunnel. In this example, 169.254.10.0/30 is used.

      • Local BGP IP address

        The BGP IP address on the VPC side. The IP address must fall within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is used.

    5. In the Created message, click OK.

    Step 5: Add VPN configurations to the gateway device in the data center

    After you create an IPsec-VPN connection, you need to add the VPN configurations to the gateway device in the data center to establish a VPN connection between the VPC and the data center.

    1. Download the VPN configurations to be added to the gateway device in the data center. For more information, see the "Download the configurations of an IPsec-VPN connection" section of the Create and manage IPsec-VPN connections in single tunnel mode topic.

    2. Add the VPN configurations to the gateway device in the data center. For more information, see the Configure an IPsec-VPN configuration in single-tunnel mode section

      of the Load the IPsec-VPN configuration to a Cisco firewall device topic.

      After the IPsec-VPN connection is created, routes are automatically advertised based on BGP dynamic routing.

      • After you advertise the CIDR block of the data center by using BGP dynamic routing on the gateway device in the data center, the VPN gateway on Alibaba Cloud automatically advertises the routes that are learned from the data center to the system route table of the VPC. You can view route information about the system route table on the Dynamic Route tab.

      • The VPN Gateway on Alibaba Cloud automatically learns the system routes from the system route table of the VPC and automatically advertises the routes to the gateway device in the data center.本地网关路由表

    Step 6: Test the connectivity

    1. Log on to an Elastic Compute Service (ECS) instance in the VPC. For more information about how to log on to an ECS instance, see Connection method overview.

    2. Run the ping command to access a client in the data center and check the connectivity.

      The result shows that the ECS instance in the VPC can access the client in the data center.VPC 访问本地IDC

    3. Log on to the client in the data center.

    4. Run the ping command to access the ECS instance in the VPC and check the connectivity.

      The result shows that the client in the data center can access the ECS instance in the VPC.本地IDC访问VPC