All Products
Search
Document Center

VPN Gateway:Getting started for associating a VPN Gateway

Last Updated:Nov 28, 2024

You can create an IPsec-VPN connection that is associated with a VPN gateway to implement encrypted communication between a data center and a virtual private cloud (VPC).

Requirements

Before you create an IPsec-VPN connection between a VPC and a data center, make sure that the following requirements are met:

  • If the IPsec-VPN connection is associated with a VPN gateway, a public IP address must be assigned to the gateway device in the data center.

    For regions that support the dual-tunnel mode, we recommend that you configure two public IP addresses for the gateway device in the data center. Alternatively, you can deploy two gateway devices in the data center and configure a public IP address for each gateway device. This way, you can create high-availability IPsec-VPN connections. For more information about the regions that support the dual-tunnel mode, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

  • The gateway device in the data center must support the IKEv1 or IKEv2 protocol to establish an IPsec-VPN connection with a transit router.

  • The CIDR block of the data center does not overlap with the CIDR block of the VPC.

  • The security group rules that are applied to the Elastic Compute Service (ECS) instances in the VPC allow gateway devices in the data center to access cloud resources. For more information, see View security group rules and Add a security group rule.

Procedure

image

Step

References

Description

1

Create a VPN gateway

When you create a VPN gateway, you must enable IPsec-VPN for the VPN gateway.

2

Create and manage a customer gateway

You must create a customer gateway and add the information about the gateway device in the data center such as the IP address and the Border Gateway Protocol (BGP) autonomous system number (ASN) to the customer gateway on Alibaba Cloud.

3

An IPsec-VPN connection is an encrypted channel between a data center and a VPC.

When you create an IPsec-VPN connection, set the Associate Resource parameter to VPN Gateway.

4

Configure the gateway device in the data center

You must add VPN configurations to the gateway device in the data center so that it can negotiate with the peer to create an IPsec-VPN connection.

5

Configure a route for the VPN gateway

You must configure a route that points to the data center for the VPN gateway and advertise the route to the VPC route table. This way, the data center can be connected to the VPC.

6

Test the network connectivity

Log on to an ECS instance in the VPC and run the ping command to ping the private IP address of a server in the data center.

References