Create multiple private IPsec-VPN connections to implement load balancing

This topic describes how to create multiple private IPsec-VPN connections between a data center and a virtual private cloud (VPC). You can use the connections to encrypt data transmission between the data center and the VPC and implement load balancing based on equal-cost multi-path (ECMP) routing.

Background information

IPsec连接绑定TR最佳实践-私网-场景图

The preceding scenario is used as an example in this topic. An enterprise owns a data center in Shanghai and created a VPC in the China (Hangzhou) region. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The enterprise wants to create private connections between the data center and the VPC. The enterprise also wants to encrypt the private connections and use the connections to implement load balancing based on ECMP routing.

Network design

Network settings

The following network settings are used in this topic:

The data center is connected to Alibaba Cloud through two Express Connect circuits, and communicates with the VPC through a Cloud Enterprise Network (CEN) instance. The two Express Connect circuits ensure network redundancy and forward traffic.
After the data center and the VPC are connected through Express Connect circuits, you can create IPsec-VPN connections over the Express Connect circuits. You can create two IPsec-VPN connections over each Express Connect circuit. The connections encrypt data transmission between the data center and the VPC, and balance the load of traffic based on ECMP routing.
- When you create the IPsec-VPN connections, set Gateway Type to Private.
- Set the Associate Resource parameter of the IPsec-VPN connections to CEN. This way, the IPsec-VPN connections are aggregated for ECMP routing.
  Note
  You can associate IPsec-VPN connections only with Enterprise Edition transit routers on CEN instances.
The data center, the virtual border routers (VBRs), and the IPsec-VPN connections use Border Gateway Protocol (BGP) to automatically learn and advertise routes. This facilitates routing configuration. When one of the IPsec-VPN connections fails, traffic is redirected to another IPsec-VPN connection. This ensures service reliability.

Network planning

Important

When you plan CIDR blocks, make sure that the CIDR blocks of the data center and the VPC do not overlap.

Item	CIDR block and IP address

Item	CIDR block and IP address
VPC	Primary CIDR block: 172.16.0.0/16. vSwitch 1 CIDR block: 172.16.10.0/24, deployed in Zone H. vSwitch 2 CIDR block: 172.16.20.0/24, deployed in Zone I. IP address of the ECS instance attached to vSwitch 1: 172.16.10.1.
IPsec-VPN connections	BGP configurations: IPsec-VPN Connection 1: The CIDR block of the tunnel, the BGP IP address, and the autonomous system number (ASN) on the Alibaba Cloud side are 169.254.10.0/30, 169.254.10.1, and 45104. 45104 is the default value. IPsec-VPN Connection 2: The CIDR block of the tunnel, the BGP IP address, and the ASN on the Alibaba Cloud side are 169.254.11.0/30, 169.254.11.1, and 45104, respectively. 45104 is the default value. IPsec-VPN Connection 3: The CIDR block of the tunnel, the BGP IP address, and the ASN on the Alibaba Cloud side are 169.254.12.0/30, 169.254.12.1, and 45104, respectively. 45104 is the default value. IPsec-VPN Connection 4: The CIDR block of the tunnel, the BGP IP address, and the ASN on the Alibaba Cloud side are 169.254.13.0/30, 169.254.13.1, and 45104, respectively. 45104 is the default value.
VBR	VBR1 configurations: VLAN ID: 201. IPv4 address on the Alibaba Cloud side: 10.0.0.2/30. IPv4 address on the user side: 10.0.0.1/30. In this example, the IPv4 address on the user side is the IPv4 address of On-premises Gateway Device 1. ASN: 45104. The ASN of the VBR is 45104 by default. VBR2 configurations: VLAN ID: 202. IPv4 address on the Alibaba Cloud side: 10.0.1.2/30. IPv4 address on the user side: 10.0.1.1/30. In this example, the IPv4 address on the user side is the IPv4 address of On-premises Gateway Device 2. ASN: 45104. The ASN of the VBR is 45104 by default.
On-premises gateway devices	VPN IP addresses of the on-premises gateway devices: On-premises Gateway 1 VPN IP Address 1: 192.168.0.1. VPN IP Address 2: 192.168.1.1. Gateway Device 2 VPN IP Address 1: 192.168.1.2. VPN IP Address 2: 192.168.2.2.
On-premises gateway devices	BGP configurations of premises gateway devices: On-premises Gateway Device 1: Tunnel CIDR Block 1, the BGP IP address, and the ASN on the data center side are 169.254.10.0/30, 169.254.10.2, and 65530, respectively. Tunnel CIDR Block 2, the BGP IP address, and the ASN on the data center side are 169.254.11.0/30, 169.254.11.2, and 65530, respectively. On-premises Gateway Device 2: Tunnel CIDR Block 1, the BGP IP address, and the ASN on the data center side are 169.254.12.0/30, 169.254.12.2, and 65530, respectively. Tunnel CIDR Block 2, the BGP IP address, and the ASN on the data center side are 169.254.13.0/30, 169.254.13.2, and 65530, respectively.
Data center	CIDR blocks to be connected to the VPC: 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24

Preparations

Make sure that the following prerequisites are met before you start:

A VPC is created in the China (Hangzhou) region. Applications are deployed on the ECS instance in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
A CEN instance is created. An Enterprise Edition transit router is created in the China (Hangzhou) and China (Shanghai) regions. For more information, see Create a CEN instance and Create a transit router.
Important
When you create a transit router, you must configure a CIDR block for the transit router. Otherwise, IPsec connections cannot be associated with the transit router.
If you have created a transit router, you can configure a CIDR block for the transit router. For more information, see Transit router CIDR blocks.

Procedure

IPsec连接绑定TR最佳实践-私网-流程图

Step 1: Deploy Express Connect circuits

You must deploy an Express Connect circuit to connect the data center to Alibaba Cloud.

Create dedicated connections over Express Connect circuits.
In this example, two dedicated connections over Express Connect circuits are created in the China (Shanghai) region. The Express Connect circuits are named Express Connect Circuit 1 and Express Connect Circuit 2. For more information, see Create and manage a dedicated connection over an Express Connect circuit.
When you apply for Express Connect Circuit 2, you may need to specify a redundant Express Connect circuit based on the access point.
- If you want to connect the two Express Connect circuits to the same access point, set Redundant Physical Connection ID to the ID of Express Connect Circuit 1. This way, the two Express Connect circuits are connected to different access devices.
- If the two Express Connect circuits are connected to different access points, you do not need to specify a redundant Express Connect circuit. In this case, you do not need to specify Redundant Physical Connection ID.
  In this example, the Express Connect circuits are connected to different access points.

Create VBRs.

Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where you want to create the VBR.
In this example, China (Shanghai) is selected.
On the Virtual Border Routers (VBRs) page, click Create VBR.

In the Create VBR panel, configure the following parameters and click OK.

Create two VBRs based on the following information. Associate the VBRs with different Express Connect circuits. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create and manage a VBR.

Parameter	Description	VBR1	VBR2

Parameter	Description	VBR1	VBR2
Account	Specify whether to create a VBR for the current or another Alibaba Cloud account.	In this example, Current account is selected.
Name	Specify a name for the VBR.	In this example, `VBR1` is used.	In this example, `VBR2` is used.
Express Connect Circuit	Select the Express Connect circuit that you want to associate with the VBR.	In this example, Dedicated Physical Connection is selected, and Express Connect Circuit 1 created in Step 1 is selected.	In this example, Dedicated Physical Connection is selected, and Express Connect Circuit 2 created in Step 1 is selected.
VLAN ID	Specify the VLAN ID of the VBR. Note Make sure that the VLAN ID of the VBR is the same as the VLAN ID of the interface that the on-premises gateway device uses to connect to the Express Connect circuit.	In this example, `201` is used.	In this example, `202` is used.
Set VBR Bandwidth Value	Specify a maximum bandwidth value for the VBR.	Select a maximum bandwidth value based on your business requirements.
Alibaba Cloud Side IPv4 Address	Specify an IPv4 address for the VBR to route network traffic from the VPC to the data center.	In this example, `10.0.0.2` is used.	In this example, `10.0.1.2` is used.
Data Center Side IPv4 Address	Specify an IPv4 address for the gateway device in the data center to route network traffic from the data center to the VPC.	In this example, `10.0.0.1` is used.	In this example, `10.0.1.1` is used.
IPv4 Subnet Mask	Specify the subnet mask of the specified IPv4 addresses.	In this example, `255.255.255.252` is used.	In this example, `255.255.255.252` is used.

Configure a BGP group for the VBR.

On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
On the details page, click the BGP Groups tab.

On the BGP Groups tab, click Create BGP Group, set the following parameters, and then click OK.

Configure the BGP groups based on the following information. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create a BGP group.

Parameter	Description	VBR1	VBR2

Parameter	Description	VBR1	VBR2
Name	Specify a name for the BGP group.	In this example, `VBR1-BGP` is used.	In this example, `VBR2-BGP` is used.
Peer ASN	Specify the ASN of the on-premises gateway device.	In this example, `65530` is used. This is the ASN of On-premises Gateway Device 1.	In this example, `65530` is used. This is the ASN of On-premises Gateway Device 2.
Local ASN	Specify the ASN of the VBR.	In this example, `45104` is used. This is the ASN of VBR1.	In this example, `45104` is used. This is the ASN of VBR2.

Configure a BGP peer for each VBR.

On the VBR details page, click the BGP Peers tab.
On the BGP Peers tab, click Create BGP Peer.

In the Create BGP Peer panel, set the following parameters and click OK.

Configure the BGP peers based on the following information. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create a BGP peer.

Parameter	Description	VBR1	VBR2

Parameter	Description	VBR1	VBR2
BGP Group	The BGP group to which you want to add the BGP peer.	In this example, `VBR1-BGP` is selected.	In this example, `VBR2-BGP` is selected.
BGP Peer IP Address	The IP address of the BGP peer.	In this example, the IP address `10.0.0.1` is used. This is the IP address of the interface that On-premises Gateway Device 1 uses to connect to Express Connect Circuit 1.	In this example, the IP address `10.0.1.1` is used. This is the IP address of the interface that On-premises Gateway Device 2 uses to connect to Express Connect Circuit 2.

Configure BGP routing for the on-premises gateway devices.

After you configure BGP routing for the on-premises gateway devices, the on-premises gateway devices and the VBRs establish peering connections, and automatically learn and advertise routes.

Note

In this example, the software Adaptive Security Appliance (ASA) 9.19.1 is used to describe how to configure a Cisco firewall. The commands may vary with software versions. Consult the documentation or your vendor based on your actual environment during operations. For more information, see Configure local gateways.

The following content contains third-party product information, which is only for reference. Alibaba Cloud does not make guarantees or other forms of commitments for the performance and reliability of third-party products, or the potential impacts of operations performed by using these products.

# Configure On-premises Gateway Device 1
interface GigabitEthernet0/3                
 nameif VBR1                             # The name of the interface that is connected to VBR1. 
 security-level 0
 ip address 10.0.0.1 255.255.255.0       # The private IP address of the GigabitEthernet 0/3 interface. 
 no shutdown                             # Enable the interface. 
!

router bgp 65530                         # Enable BGP and configure the ASN of the data center. In this example, 65530 is used. 
bgp router-id 10.0.0.1                   # Enter the ID of the BGP router. In this example, 10.0.0.1 is used. 

address-family ipv4 unicast
neighbor 10.0.0.2 remote-as 45104        # Establish a peering connection to VBR1. 
neighbor 10.0.0.2 activate               # Activate the BGP peer. 
network 192.168.0.0 mask 255.255.255.0   # Advertise the CIDR block of the data center. 
network 192.168.1.0 mask 255.255.255.0
network 192.168.2.0 mask 255.255.255.0 
exit-address-family
!
# Configure On-premises Gateway Device 2.
interface GigabitEthernet0/3                
 nameif VBR2                             # The name of the interface that is connected to VBR2. 
 security-level 0
 ip address 10.0.1.1 255.255.255.0       # The private IP address of the GigabitEthernet 0/3 interface. 
 no shutdown                             # Enable the interface. 
!

router bgp 65530                         // Enable BGP and configure the ASN of the data center. In this example, 65530 is used. 
bgp router-id 10.0.1.1                   // Enter the ID of the BGP router. In this example, 10.0.1.1 is used. 

address-family ipv4  unicast
neighbor 10.0.1.2 remote-as 45104        // Establish a peering connection to VBR2. 
neighbor 10.0.1.2 activate               // Activate the BGP peer. 
network 192.168.0.0 mask 255.255.255.0   // Advertise the CIDR block of the data center. 
network 192.168.1.0 mask 255.255.255.0
network 192.168.2.0 mask 255.255.255.0 
exit-address-family
!

Step 2: Configure a CEN instance

After you deploy the Express Connect circuits, the data center is connected to Alibaba Cloud through the Express Connect circuits. However, the data center and the VPC cannot communicate with each other. To enable communication between the data center and the VPC, you must connect the virtual border routers (VBRs) and the VPC to a CEN instance.

Create a VPC connection.

Log on to the CEN console.
On the Instances page, find the CEN instance that you created and click its ID.
On the Basic Information > Transit Router tab, find the transit router that you want to manage in the China (Hangzhou) region and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, configure the following parameters and click OK.

The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create a VPC connection.

Parameter	Description	VPC connection

Parameter	Description	VPC connection
Instance Type	Select the type of network instance.	In this example, Virtual Private Cloud (VPC) is selected.
Region	Select the region of the network instance.	In this example, China (Hangzhou) is selected.
Transit Router	The system automatically displays the transit router in the current region.
Resource Owner ID	Specify whether the network instance belongs to the current Alibaba Cloud account.	In this example, Your Account is selected.
Billing Method	Select a billing method for the VPC connection. Default value: Pay-As-You-Go. For more information about the billing rules for transit routers, see Billing rules.
Attachment Name	Enter a name for the VPC connection.	In this example, `VPC-Attachment` is used.
Network Instance	Select a network instance.	In this example, the VPC created in the Preparations section is selected.
vSwitch	Select the vSwitches that are deployed in the zones of the transit router. If the transit router (TR) supports only one zone in the current region, you need to select a vSwitch in the zone. If the TR supports multiple zones in the current region, you need to select at least two vSwitches that reside in different zones. When the VPC and TR communicate, the vSwitches are used to implement zone-disaster recovery. We recommend that you select a vSwitch in each zone to reduce the network latency and improve network performance because data can be transmitted over a shorter distance. Make sure that each selected vSwitch has at least one idle IP address. If the VPC does not have a vSwitch in the zone supported by the TR or the vSwitch does not have an idle IP address, create a new vSwitch in the zone. For more information, see Create and manage a vSwitch.	In this example, vSwitch 1 is selected in Zone H and vSwitch 2 is selected in Zone I.
Advanced configurations	Specify whether to enable the advanced features. By default, all advanced features are enabled.	In this example, the default settings are used.

Attach the VBR to the CEN instance.

On the Basic Information > Transit Router tab, find the transit router in the China (Shanghai) region and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, configure the following parameters and click OK.

Create a VBR connection for VBR1 and VBR2 based on the following information. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Connect a VBR to an Enterprise Edition transit router.

Parameter	Description	VBR1	VBR2

Parameter	Description	VBR1	VBR2
Instance Type	Select the type of network instance.	In this example, Virtual Border Router (VBR) is selected.
Region	Select the region of the network instance.	In this example, China (Shanghai) is selected.
Transit Router	The system automatically displays the transit router in the selected region.
Resource Owner ID	Specify whether the network instance belongs to the current Alibaba Cloud account.	In this example, Your Account is selected.
Attachment Name	Specify a name for the network connection.	In this example, `VBR1-Attachment` is used.	In this example, `VBR2-Attachment` is used.
Network Instance	Select a network instance.	In this example, VBR1 is selected.	In this example, VBR2 is selected.
Advanced Settings	Specify whether to enable the advanced features. By default, all advanced features are enabled.	In this example, the default settings are used.

Create an inter-region connection.

The transit router associated with the VBRs and the transit router associated with the VPC are deployed in different regions. By default, the VBRs cannot communicate with the VPC in this scenario. To allow the VBRs to communicate with the VPC across regions, you need to create an inter-region connection between the transit router in the China (Hangzhou) region and the transit router in the China (Shanghai) region.

On the Instances page, find the CEN instance that you want to manage and click its ID.
Navigate to the Basic Settings > Bandwidth Plans tab and click Set Region Connection.

On the Connection with Peer Network Instance page, set the following parameters and click OK.

Create an inter-region connection based on the following table. Use the default values for the other parameters. For more information, see Create an inter-region connection.

Parameter	Description

Parameter	Description
Instance Type	In this example, Inter-region Connection is selected.
Region	Select one of the regions to be connected. In this example, China (Hangzhou) is selected.
Transit Router	The ID of the transit router in the selected region is automatically displayed.
Attachment Name	Enter a name for the inter-region connection. In this example, `Cross-Region-test` is used.
Peer Region	Select the other region to be connected. In this example, China (Shanghai) is selected.
Transit Router	The ID of the transit router in the selected region is automatically displayed.
Bandwidth Allocation Mode	The following modes are supported: Allocate from Bandwidth Plan: Bandwidth is allocated from a bandwidth plan. Pay-By-Data-Transfer: You are charged for data transfer over the inter-region connection. In this example, Pay-By-Data-Transfer is selected.
Bandwidth	Specify a maximum bandwidth value for the inter-region connection. Unit: Mbit/s.
Default Line Type	Select a line type for the inter-region connection.
Advanced Settings	Use the default settings. All advanced features are enabled.

Step 3: Create IPsec-VPN connections

After you complete the preceding steps, the data center can communicate with the VPC over private connections. However, data transmission between the data center and the VPC is not encrypted. To encrypt data transmission, you must create IPsec-VPN connections between the data center and Alibaba Cloud.

Log on to the VPN Gateway console.

Create a customer gateway.

Before you create an IPsec-VPN connection, you need to create a customer gateway to provide information about the on-premises gateway device to Alibaba Cloud.

In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
In the top navigation bar, select the region of the customer gateway.
VPN gateways do not support cross-border IPsec-VPN connections. Therefore, you need to follow the nearby access principle and select a region that is closest to your data center when you choose the region in which your customer gateway is deployed. In this example, China (Shanghai) is selected.
For more information about cross-border connections, see What is VPN Gateway?.
On the Customer Gateway page, click Create Customer Gateway.

In the Create Customer Gateway panel, configure the following parameters and click OK.

Create four customer gateways in the China (Shanghai) region based on the following information. The following table describes only the key parameters. The default values are used for other parameters. For more information, see Create a customer gateway.

Parameter	Description	Customer Gateway 1	Customer Gateway 2	Customer Gateway 3	Customer Gateway 4

Parameter	Description	Customer Gateway 1	Customer Gateway 2	Customer Gateway 3	Customer Gateway 4
Name	Specify a name for the customer gateway.	In this example, `Customer-Gateway1` is used.	In this example, `Customer-Gateway2` is used.	In this example, `Customer-Gateway3` is used.	In this example, `Customer-Gateway4` is used.
IP Address	Specify the public IP address of the on-premises gateway device to be connected to Alibaba Cloud.	In this example, `192.168.0.1` is used. This is the first VPN IP address of On-premises Gateway Device 1.	In this example, `192.168.1.1` is used. This is the second VPN IP address of On-premises Gateway Device 1.	In this example, `192.168.1.2` is used. This is the first VPN IP address of On-premises Gateway Device 2.	In this example, `192.168.2.2` is used. This is the second VPN IP address of On-premises Gateway Device 2.
ASN	Specify the BGP ASN of the on-premises gateway device.	In this example, `65530` is used.

Create an IPsec-VPN connection.

After you create customer gateways, you need to create IPsec-VPN connections between Alibaba Cloud and the data center.

In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region where you want to create the IPsec-VPN connection.
The IPsec-VPN connections and the customer gateways must be created in the same region. In this example, China (Shanghai) is selected.
On the IPsec-VPN connection page, click Create IPsec-VPN Connection.

On the Create IPsec-VPN Connection page, set the parameters for the IPsec-VPN connection and click OK.

Create four IPsec-VPN connections in the China (Shanghai) region based on the following information. You are charged for using IPsec-VPN connections. For more information, see Billing.

Parameter	Description	IPsec-VPN Connection 1	IPsec-VPN Connection 2	IPsec-VPN Connection 3	IPsec-VPN Connection 4

Parameter	Description	IPsec-VPN Connection 1	IPsec-VPN Connection 2	IPsec-VPN Connection 3	IPsec-VPN Connection 4
Name	Specify a name for the IPsec-VPN connection.	In this example, `IPsec-VPN Connection 1` is used.	In this example, `IPsec-VPN Connection 2` is used.	In this example, `IPsec-VPN Connection 3` is used.	In this example, `IPsec-VPN Connection 4` is used.
Associate Resource	Select the type of network resource to be associated with the IPsec-VPN connection.	In this example, CEN is selected.
Gateway Type	Select the network type of the IPsec-VPN connection.	In this example, Private is selected.
CEN Instance ID	Select a CEN instance.	In this example, the CEN instance created in the Preparations section is selected.
Transit Router	The transit router to be associated with the IPsec-VPN connection.	The system automatically selects the transit router in the region in which the IPsec-VPN connection is created.
Zone	Select the zone in which the IPsec-VPN connection is created. Make sure that the IPsec-VPN connection is created in a zone that supports transit routers.	In this example, Shanghai Zone F is selected. Note In this scenario, we recommend that you deploy IPsec-VPN connections in different zones to implement disaster recovery.		In this example, Shanghai Zone G is selected.
Routing Mode	The routing mode.	In this example, Destination Routing Mode is selected.
Effective Immediately	Select whether to immediately apply the settings of the IPsec-VPN connection. Valid values: If you set the Effective Immediately parameter to Yes when you create an IPsec-VPN connection, the negotiations immediately start after the configuration is complete. If you set the Effective Immediately parameter to No when you create an IPsec-VPN connection, the negotiations start when inbound traffic is detected.	In this example, Yes is selected.
Customer Gateway	Select the customer gateway that you want to associate with the IPsec-VPN connection.	In this example, Customer-Gateway1 is selected.	In this example, Customer-Gateway2 is selected.	In this example, Customer-Gateway3 is selected.	In this example, Customer-Gateway4 is selected.
Pre-Shared Key	Specify a pre-shared key that is used to authenticate the on-premises gateway device. The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ \| ; : ' , . < > / ?. The key cannot contain spaces. If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After an IPsec-VPN connection is created, you can click Edit in the Actions column of the IPsec-VPN connection to view the pre-shared key that is generated for the IPsec-VPN connection. For more information, see the Modify an IPsec-VPN connection section of this topic. Important The IPsec-VPN connection and peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection.	In this example, `fddsFF123****` is used.	In this example, `fddsFF456****` is used.	In this example, `fddsFF789****` is used.	In this example, `fddsFF901****` is used.
Enable BGP	Specify whether to enable BGP. By default, BGP is disabled.	In this example, BGP is enabled.
Local ASN	Specify the ASN of the IPsec-VPN connection.	In this example, `45104` is used.	In this example, `45104` is used.	In this example, `45104` is used.	In this example, `45104` is used.
Encryption Configuration	Set encryption configurations, including IKE configurations and IPsec configurations.	Use the default settings except for the following parameters. For more information, see Create and manage IPsec-VPN connections associated with transit routers. Set the DH Group parameter in the IKE Configurations section to group14. Set the DH Group parameter in the IPsec Configurations section to group14. Note You need to select encryption parameters based on the on-premises gateway device to ensure that the encryption configurations for the IPsec connection are the same as those for the on-premises gateway device.
BGP Configuration
Tunnel CIDR Block	Specify the CIDR block that is used for IPsec tunneling. The CIDR block must fall into 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.	In this example, `169.254.10.0/30` is used.	In this example, `169.254.11.0/30` is used.	In this example, `169.254.12.0/30` is used.	In this example, `169.254.13.0/30` is used.
Local BGP IP address	Specify a BGP IP address for the IPsec-VPN connection. The IP address must fall within the CIDR block of the IPsec tunnel.	In this example, `169.254.10.1` is used.	In this example, `169.254.11.1` is used.	In this example, `169.254.12.1` is used.	In this example, `169.254.13.1` is used.
Advanced Configuration	Specify whether to enable the advanced features to enable the IPsec-VPN connection to automatically advertise and learn routes. By default, the advanced features are enabled.	In this example, the advanced features are enabled.

After the IPsec-VPN connections are created, the system assigns a private gateway IP address to each IPsec-VPN connection. The gateway IP address is an endpoint on the Alibaba Cloud side of the IPsec-VPN connection. You can view the gateway IP address of the IPsec-VPN connection on the details page, as shown in the following figure. 查看私网IP地址

The following table describes the gateway IP addresses that are assigned to IPsec-VPN Connection 1, IPsec-VPN Connection 2, IPsec-VPN Connection 3, and IPsec-VPN Connection 4.

IPsec-VPN connection	Gateway IP address

IPsec-VPN connection	Gateway IP address
IPsec-VPN Connection 1	192.168.168.1
IPsec-VPN Connection 2	192.168.168.2
IPsec-VPN Connection 3	192.168.168.3
IPsec-VPN Connection 4	192.168.168.4

Note

The system assigns gateway IP addresses to IPsec-VPN connections only after you associate the IPsec-VPN connections with transit routers. When you create an IPsec-VPN connection, if you set Associate Resource to Do Not Associate or VPN Gateway, the system does not assign a gateway IP address to the IPsec-VPN connection.
After a private IPsec-VPN connection is associated with a transit router, the system automatically advertises the gateway IP address of the IPsec-VPN connection to the route table of the transit router.

Download the configuration of the IPsec-VPN connection peer.
Return to the IPsec-VPN connection page, find the IPsec-VPN connection that you created, and then click Generate Peer Configuration in the Actions column.
Download the peer configurations of the four IPsec-VPN connections to your on-premises machine so that you can use the configurations when you add VPN configurations to the on-premises gateway devices.

Add VPN configurations and BGP configurations to the on-premises gateway device.

After the IPsec-VPN connections are created, perform the following steps to add the VPN and BGP configurations in the peer configurations that you downloaded to the On-premises Gateway Device 1 and On-premises Gateway Device 2. This way, the data center can communicate with Alibaba Cloud over the IPsec-VPN connections.

Note

Configure On-premises Gateway Device 1

Configure On-premises Gateway Device 2

Log on to the CLI of the Cisco firewall and enter the configuration mode.

ciscoasa> enable
Password: ********             # Enter the password for entering the enable mode. 
ciscoasa# configure terminal   # Enter the configuration mode. 
ciscoasa(config)#

View the interface configurations and routing configurations for Internet access.

Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

ciscoasa(config)# show running-config interface 
!
interface GigabitEthernet0/0
 nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
 security-level 0
 ip address 192.168.0.1 255.255.255.0       # The private IP address of the GigabitEthernet 0/0 interface. 
!
interface GigabitEthernet0/1                
 nameif outside2                             # The name of the GigabitEthernet 0/1 interface. 
 security-level 0                         
 ip address 192.168.1.1 255.255.255.0        # The private IP address of the GigabitEthernet 0/1 interface. 
!
interface GigabitEthernet0/2                # The interface that connects to the data center. 
 nameif private                             # The name of the GigabitEthernet 0/2 interface. 
 security-level 100                         # The security level of the private interface that connects to the data center, which is lower than that of a public interface. 
 ip address 192.168.2.215 255.255.255.0     #  The private IP address of the GigabitEthernet 0/2 interface. 
!

route private 192.168.0.0 255.255.0.0 192.168.2.216          # The route that points to the data center.

Enable IKEv2 for the public interfaces.

crypto ikev2 enable outside1
crypto ikev2 enable outside2

Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
Important
When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
```
crypto ikev2 policy 10     
 encryption aes             # Specify the encryption algorithm. 
 integrity sha              # Specify the authentication algorithm. 
 group 14                   # Specify the DH group. 
 prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on the Alibaba Cloud side. 
 lifetime seconds 86400     # Specify the SA lifetime.
```

Create an IPsec proposal and profile, and specify the encryption algorithm, authentication algorithm, DH group, and SA lifetime in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.

Important

When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IPsec phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.

crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
 protocol esp encryption aes                         # Specify the encryption algorithm. The Encapsulating Security Payload (ESP) protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
 protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
crypto ipsec profile ALIYUN-PROFILE                  
 set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
 set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on the Alibaba Cloud side. 
 set pfs group14                                     # Specify the Perfect Forward Secrecy (PFS) and DH group. 
 set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
 set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on the Alibaba Cloud side.

tunnel-group 192.168.168.1 type ipsec-l2l                  # Specify the encapsulation mode l2l for Tunnel 1. 
tunnel-group 192.168.168.1 ipsec-attributes             
 ikev2 remote-authentication pre-shared-key fddsFF123****  # Specify the peer pre-shared key for Tunnel 1, which is the pre-shared key on the Alibaba Cloud side. 
 ikev2 local-authentication pre-shared-key fddsFF123****   # Specify the local pre-shared key for Tunnel 1, which must be the same as that on the Alibaba Cloud side. 
!
tunnel-group 192.168.168.2 type ipsec-l2l                  # Specify the encapsulation mode l2l for Tunnel 2. 
tunnel-group 192.168.168.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key fddsFF456****  # Specify the peer pre-shared key for Tunnel 2, which is the pre-shared key on the Alibaba Cloud side. 
 ikev2 local-authentication pre-shared-key fddsFF456****   # Specify the local pre-shared key for Tunnel 2, which must be the same as that on the Alibaba Cloud side. 
!

Create tunnel interfaces.

interface Tunnel1                                  # Create an interface for Tunnel 1. 
 nameif ALIYUN1
 ip address 169.254.10.2 255.255.255.252           # Specify the IP address of the interface. 
 tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of Tunnel 1. 
 tunnel destination 192.168.168.1                  # Specify the private IP address of IPsec-VPN Connection 1 on the Alibaba Cloud side as the destination address of Tunnel 1. 
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 1. 
 no shutdown                                       # Enable the interface for Tunnel 1. 
!
interface Tunnel2                                  # Create an interface for Tunnel 2. 
 nameif ALIYUN2                
 ip address 169.254.11.2 255.255.255.252           # Specify the IP address of the interface. 
 tunnel source interface outside2                  # Specify the IP address of the GigabitEthernet 0/2 interface as the source address of Tunnel 2. 
 tunnel destination 192.168.168.2                   # Specify the private IP address of IPsec-VPN Connection 2 on the Alibaba Cloud side as the destination address of Tunnel 2. 
 tunnel mode ipsec ipv4                            
 tunnel protection ipsec profile ALIYUN-PROFILE # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 2. 
 no shutdown                                       # Enable the interface for Tunnel 2. 
!

Add BGP configurations to configure IPsec-VPN Connection 1 and IPsec-VPN Connection 2 as BGP peers for On-premises Gateway Device 1.

router bgp 65530
 address-family ipv4 unicast
  neighbor 169.254.10.1 remote-as 45104       # Specify the BGP peer, which is the IP address of Tunnel 1 on the Alibaba Cloud side. 
  neighbor 169.254.10.1 ebgp-multihop 255
  neighbor 169.254.10.1 activate              # Activate the BGP peer. 
  neighbor 169.254.11.1 remote-as 45104       # Specify the BGP peer, which is the IP address of Tunnel 2 on the Alibaba Cloud side. 
  neighbor 169.254.11.1 ebgp-multihop 255
  neighbor 169.254.11.1 activate              # Activate the BGP peer. 
  maximum-paths ebgp  5                       # Increase the number of ECMP route entries. 
 exit-address-family

Log on to the CLI of the Cisco firewall and enter the configuration mode.

ciscoasa> enable
Password: ********             # Enter the password for entering the enable mode. 
ciscoasa# configure terminal   # Enter the configuration mode. 
ciscoasa(config)#

View the interface configurations and routing configurations for Internet access.

Verify that the interfaces are configured and enabled on the Cisco firewall. In this example, the following interface configurations are used:

ciscoasa(config)# show running-config interface 
!
interface GigabitEthernet0/0
 nameif outside1                            # The name of the GigabitEthernet 0/0 interface. 
 security-level 0
 ip address 192.168.1.2 255.255.255.0     #  The private IP address of the GigabitEthernet 0/0 interface. 
!
interface GigabitEthernet0/1                
 nameif outside2                            # The name of the GigabitEthernet 0/1 interface. 
 security-level 0                         
 ip address 192.168.2.2 255.255.255.0       # The private IP address of the GigabitEthernet 0/1 interface. 
!
interface GigabitEthernet0/2                # The interface that connects to the data center. 
 nameif private                             # The name of the GigabitEthernet 0/2 interface. 
 security-level 100                         # The security level of the private interface that connects to the data center, which is lower than that of a public interface. 
 ip address 192.168.0.217 255.255.255.0   #  The private IP address of the GigabitEthernet 0/2 interface. 
!
route private 192.168.0.0 255.255.0.0 192.168.0.218          # The route that points to the data center.

Enable IKEv2 for the public interfaces.

crypto ikev2 enable outside1
crypto ikev2 enable outside2

Create an IKEv2 policy and specify the authentication algorithm, encryption algorithm, DH group, and SA lifetime in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
Important
When you configure an IPsec-VPN connection on Alibaba Cloud, you can specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase. We recommend that you specify only one value for the encryption algorithm, authentication algorithm, and DH group in the IKE phase on the Cisco firewall. The values must be the same as those on the Alibaba Cloud side.
```
crypto ikev2 policy 10     
 encryption aes             # Specify the encryption algorithm. 
 integrity sha              # Specify the authentication algorithm. 
 group 14                   # Specify the DH group. 
 prf sha                    # The value of the prf parameter must be the same as that of the integrity parameter. By default, these values are the same on the Alibaba Cloud side. 
 lifetime seconds 86400     # Specify the SA lifetime.
```

Important

crypto ipsec ikev2 ipsec-proposal ALIYUN-PROPOSAL    # Create an IPsec proposal. 
 protocol esp encryption aes                         # Specify the encryption algorithm. The ESP protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
 protocol esp integrity sha-1                        # Specify the authentication algorithm. The ESP protocol is used on the Alibaba Cloud side. Therefore, use the ESP protocol. 
crypto ipsec profile ALIYUN-PROFILE                  
 set ikev2 ipsec-proposal ALIYUN-PROPOSAL            # Create an IPsec profile and apply the proposal that is created.  
 set ikev2 local-identity address                    # Set the format of the local ID to IP address, which is the same as the format of the remote ID on the Alibaba Cloud side. 
 set pfs group14                                     # Specify the PFS and DH group. 
 set security-association lifetime seconds 86400     # Specify the time-based SA lifetime. 
 set security-association lifetime kilobytes unlimited # Disable the traffic-based SA lifetime.

Create tunnel groups and specify the pre-shared keys for tunnels, which must be the same as those on the Alibaba Cloud side.

tunnel-group 192.168.168.3 type ipsec-l2l                  # Specify the encapsulation mode l2l for Tunnel 3. 
tunnel-group 192.168.168.3 ipsec-attributes             
 ikev2 remote-authentication pre-shared-key fddsFF789****  # Specify the peer pre-shared key for Tunnel 3, which is the pre-shared key on the Alibaba Cloud side. 
 ikev2 local-authentication pre-shared-key fddsFF789****   # Specify the local pre-shared key for Tunnel 3, which must be the same as that on the Alibaba Cloud side. 
!
tunnel-group 192.168.168.4 type ipsec-l2l                  # Specify the encapsulation mode l2l for Tunnel 4. 
tunnel-group 192.168.168.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key fddsFF901****  # Specify the peer pre-shared key for Tunnel 4, which is the pre-shared key on the Alibaba Cloud side. 
 ikev2 local-authentication pre-shared-key fddsFF901****   # Specify the local pre-shared key for Tunnel 4, which must be the same as that on the Alibaba Cloud side. 
!

Create tunnel interfaces.

interface Tunnel1                                  # Create an interface for Tunnel 3. 
 nameif ALIYUN1
 ip address 169.254.12.2 255.255.255.252           # Specify the IP address of the interface. 
 tunnel source interface outside1                  # Specify the IP address of the GigabitEthernet 0/0 interface as the source address of Tunnel 3. 
 tunnel destination 192.168.168.3                  # Specify the private IP address of IPsec-VPN Connection 3 on the Alibaba Cloud side as the destination address of Tunnel 3. 
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 3. 
 no shutdown                                       # Enable the interface for Tunnel 3. 
!
interface Tunnel2                                  # Create an interface for Tunnel 4. 
 nameif ALIYUN2                
 ip address 169.254.13.2 255.255.255.252           # Specify the IP address of the interface. 
 tunnel source interface outside2                  # Specify the IP address of the GigabitEthernet 0/2 interface as the source address of Tunnel 4. 
 tunnel destination 192.168.168.4                  # Specify the private IP address of IPsec-VPN Connection 4 on the Alibaba Cloud side as the destination address of Tunnel 4. 
 tunnel mode ipsec ipv4                            
 tunnel protection ipsec profile ALIYUN-PROFILE    # Apply the IPsec profile ALIYUN-PROFILE on Tunnel 4. 
 no shutdown                                       # Enable the interface for Tunnel 4. 
!

Add BGP configurations to configure IPsec-VPN Connection 3 and IPsec-VPN Connection 4 as BGP peers for On-premises Gateway Device 2.

router bgp 65530
 address-family ipv4 unicast
  neighbor 169.254.12.1 remote-as 45104       # Specify the BGP peer, which is the IP address of IPsec-VPN Connection 3 on the Alibaba Cloud side. 
  neighbor 169.254.12.1 ebgp-multihop 255
  neighbor 169.254.12.1 activate              # Activate the BGP peer. 
  neighbor 169.254.13.1 remote-as 45104       # Specify the BGP peer, which is the IP address of IPsec-VPN Connection 4 on the Alibaba Cloud side. 
  neighbor 169.254.13.1 ebgp-multihop 255
  neighbor 169.254.13.1 activate              # Activate the BGP peer. 
  maximum-paths ebgp  5                       # Increase the number of ECMP route entries. 
 exit-address-family

Add routes to the data center based on your network environment. The routes must allow network traffic to be transmitted from the data center to the VPC over On-premises Gateway Device 1 and On-premises Gateway Device 2 at the same time. If On-premises Gateway Device 1 is down, On-premises Gateway Device 2 automatically takes over. This ensures that ECMP is used to route traffic from the data center to the VPC. Contact your vendor to obtain the information about specific commands.

Step 4: Configure routes and routing policies

After you complete the preceding configurations, you must add routes and routing policies on Alibaba Cloud so that the IPsec-VPN connections can work as expected. You must also route traffic between the data center and Alibaba Cloud to encrypted tunnels.

Add custom routes to the VBRs.

Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where the VBR is deployed.
In this example, China (Shanghai) is selected.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
Click the Routes tab and click Add Route.

In the Add Route panel, configure the following parameters and click OK.

Add Route 1 and Route 2 to VBR1. Add Route 3 and Route 4 to VBR2.

Parameter	Description	Route 1	Route 2	Route 3	Route 4

Parameter	Description	Route 1	Route 2	Route 3	Route 4
Next Hop Type	The next hop type. Select Physical Connection Interface.
Destination CIDR block	Specify the VPN IP address of the on-premises gateway device.	In this example, the first VPN IP address of On-premises Gateway Device 1 is used: `192.168.0.1/32`.	In this example, the second VPN IP address of On-premises Gateway Device 1 is used: `192.168.1.1/32`.	In this example, the first VPN IP address of On-premises Gateway Device 2 is used: `192.168.1.2/32`.	In this example, the first VPN IP address of On-premises Gateway Device 2 is used: `192.168.2.2/32`.
Next Hop	Select an Express Connect circuit.	Select Express Connect Circuit 1.	Select Express Connect Circuit 1.	Select Express Connect Circuit 2.	Select Express Connect Circuit 2.

Add routing policies to the CEN instance.

Log on to the CEN console.
On the Instances page of the CEN console, click the ID of the CEN instance that you created.
On the Basic Information > Transit Router tab, find the transit router in the China (Shanghai) region and click its ID.
On the details page of the transit router, click the Route Table tab and click Routing Policies.

On the Route Maps tab, click Add Route Map. In the Add Route Map panel, set the following parameters and click OK.

Add four routing policies to CEN based on the information in the following table. The following section describes the four routing policies:

Routing Policy 1: The data center learns CIDR blocks from the VPC through the VBRs and the IPsec-VPN connections. To ensure that traffic destined for the VPC is routed to the IPsec-VPN connections, you must create Routing Policy 1 so that the priority of the CIDR blocks advertised by the VBRs is lower than the priority of the CIDR blocks advertised by the IPsec-VPN connections.
Routing Policy 2: When the CEN instance learns the same CIDR block through the VBRs and the IPsec-VPN connections, the CIDR block advertised by the VBRs has a higher priority. You must create Routing Policy 2 to reject data center routes advertised by the VBRs. This ensures that traffic destined for the data center is routed to the IPsec-VPN connections.

The following table describes only the key parameters. For more information, see Routing policy overview.

Parameter	Description	Routing Policy 1	Routing Policy 2

Parameter	Description	Routing Policy 1	Routing Policy 2
Policy Priority	Specify a priority value for the routing policy.	In this example, `5` is used.	In this example, `10` is used.
Region	Select the region in which the routing policy applies.	In this example, China (Shanghai) is selected.
Associated Route Table	Select a route table to associate with the routing policy.	In this example, the default route table of the current transit router is selected.
Policy Direction	Select the direction in which the routing policy applies.	In this example, Egress Regional Gateway is selected.	In this example, Ingress Regional Gateway is selected.
Match Conditions	Configure match conditions for the routing policy.	Configure the following match conditions: Source Instance IDs: Specify the ID of the VPC. Destination Instance IDs: Specify the IDs of VBR1 and VBR2. Route Prefix: Enter `172.16.10.0/24` and `172.16.20.0/24`, and select Exact Match.	Configure the following match conditions: Source Instance IDs: Specify the IDs of VBR1 and VBR2. Route Prefix: Enter `192.168.0.0/24`, `192.168.10.0/24`, and `192.168.20.0/24`, and select Exact Match.
Action Policy	Select an action for the routing policy.	In this example, Allow is selected.	In this example, Deny is selected.
Add Policy Entry	Specify a priority for the routes that are permitted.	In this example, Prepend AS Path is selected and `65525`, `65526`, and `65527` are specified. This reduces the priority of the VPC CIDR block that the VBRs advertise to the data center.	N/A.

Step 5: Test the network connectivity

After you configure the routes, the data center can communicate with the VPC through private and encrypted connections. The traffic between the data center and VPC is load-balanced based on ECMP routing by using the four IPsec-VPN connections. This section describes how to test the network connectivity and how to check whether the four IPsec-VPN connections are used to load-balance the traffic.

Note

Before the test, make sure that you understand the security group rules applied to the ECS instance in the VPC and the access control list (ACL) rules applied to the data center. Make sure that the rules allow mutual access between the VPC and the data center. For more information about ECS security group rules, see View security group rules and Add a security group rule.

Test the network connectivity.
1. Log on to an ECS instance in the connected VPC. For more information, see Connect to an ECS instance.
2. Run the ping command on the ECS instance to access a client in the data center.
```
ping <IP address of the client in the data center>
```
  If the ECS instance receives echo reply messages, the data center can communicate with the VPC.
Check whether loads are balanced.
Send requests to the ECS instance from multiple clients in the data center or use iPerf3 to send requests to the ECS instance. If you can view traffic monitoring data on the details pages of IPsec-VPN Connection 1, IPsec-VPN Connection 2, IPsec-VPN Connection 3, and IPsec-VPN Connection 4, traffic between the data center and the VPC is load-balanced through the four IPsec-VPN connections. For more information about how to install and use Iperf3, see Test the performance of an Express Connect circuit.
1. Log on to the VPN Gateway console.
2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.
3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
4. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click its ID.
  Go to the details page of the IPsec-VPN connection and view the traffic monitoring data on the Monitor tab.

Routing configuration

In this topic, the default routing configuration is used to create the IPsec-VPN connections, VPC connection, VBR connections, and inter-region connection. When the default routing configuration is used, CEN automatically learns and distributes routes to enable the data center to communicate with the VPC. The following sections describe the default routing configuration.

IPsec-VPN connection

If you associate an IPsec-VPN connection with a transit router when you create the IPsec-VPN connection, the system automatically applies the following routing configuration to the IPsec-VPN connection:

The IPsec-VPN connection is associated with the default route table of the transit router. The transit router forwards traffic from the IPsec-VPN connection based on the default route table.
The destination-based routes that you configure for the IPsec-VPN connection and the routes learned from the data center through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the default route table of the transit router.
The transit router automatically propagates the routes in the default route table to the BGP route table associated with the IPsec-VPN connection.
The routes learned from the VPC through the IPsec-VPN connection by using BGP dynamic routing are automatically propagated to the data center.

VPC connection

If you use the default routing configuration (with all advanced features enabled) when you create a VPC, the system automatically applies the following routing configuration to the VPC:

Associate with Default Route Table of Transit Router
After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.
Automatically Create Route That Points to Transit Router and Adds to All Route Tables of Current VPC
After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the VPC connection.
Important
If such a route is already in the route table of the VPC, the system cannot advertise this route. You must manually add a route that points to the VPC connection to the route table of the VPC. Otherwise, network communication cannot be established between the VPC and the transit router.
To check whether such routes exist, click Check Route below Advanced Settings.

VBR connection

If you use the default routing configuration (with all advanced features enabled) when you create a VBR connection, the system automatically applies the following routing configuration to the VBR:

Associate with Default Route Table of Transit Router
After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the system routes of the VBR are advertised to the default route table of the transit router. This way, the VBR can communicate with other network instances that are connected to the transit router.
Propagate Routes to VBR
After this feature is enabled, the system automatically advertises the routes in the transit router route table that is associated with the VBR connection to the VBR.

Inter-region connection

If you use the default routing configuration (with all advanced features enabled) when you create an inter-region connection, the system automatically applies the following routing configuration to the inter-region connection:

Associate with Default Route Table of Transit Router
After this feature is enabled, the inter-region connection is automatically associated with the default route table of the transit router. The transit router uses the default route table to forward network traffic across regions.
Propagate System Routes to Default Route Table of Transit Router
After this feature is enabled, the inter-region connection is associated with the default route tables of the transit routers in the connected regions.
Automatically Advertise Routes to Peer Region
After this feature is enabled, the routes in the route table of the transit router in the current region are automatically advertised to the route table of the peer transit router for cross-region communication. The route tables of the transit routers refer to the route tables that are associated with the inter-region connection.

View routes

You can check the routes in the Alibaba Cloud Management Console.

For more information about routes of transit routers, see View routes of an Enterprise Edition transit router.
For more information about routes of VPCs, see Create and manage a route table.
For more information about routes of VBRs, perform the following steps:
1. Log on to the Express Connect console.
2. In the left-side navigation pane, click Virtual Border Routers (VBRs).
3. In the top navigation bar, select the region where the VBR is deployed.
4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
  On the details page of the VBR, view the custom routes, BGP routes, and CEN routes of the VBR on the Routes tab.
To view the routes of an IPsec-VPN connection, go to the details page of the IPsec-VPN connection:
1. Log on to the VPN Gateway console.
2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.
3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.
  Go to the details page of the IPsec-VPN connection and view the route entries on the BGP Route Table tab.

Background information

Network design

Network settings

Network planning

Preparations

Procedure

Step 1: Deploy Express Connect circuits

Step 2: Configure a CEN instance

Step 3: Create IPsec-VPN connections

Step 4: Configure routes and routing policies

Step 5: Test the network connectivity

Routing configuration

IPsec-VPN connection

VPC connection

VBR connection

Inter-region connection

View routes

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

China Gateway Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic Desktop Service (EDS) Featured

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)