This topic describes how to encrypt the private connection between a data center and a virtual private cloud (VPC) by using a private VPN gateway (hereafter referred to as "VPN gateway"). To encrypt the private connection between a data center and a VPC, you can configure static routes for the VPN gateway and the virtual border router (VBR) that connects the data center to the VPC.
Background information
Before you encrypt private connections by using static routing and BGP routing, we recommend that you understand how private connections are encrypted and the configuration methods. For more information, see Overview of configuration methods.
Sample scenario
The following scenario is used as an example in this topic. An enterprise owns a data center in Hangzhou and has a VPC (VPC1) deployed in the China (Hangzhou) region. Applications are deployed on Elastic Compute Service (ECS) instances in VPC1. Due to business growth, the enterprise wants to connect VPC1 to the data center through Express Connect circuits and Cloud Enterprise Network (CEN). In addition, the enterprise wants to encrypt the connection between the data center and VPC1 due to security concerns.
After VPC1 is connected to the data center through CEN and Express Connect circuits, the enterprise can create a VPN gateway in VPC1 and establish an IPsec-VPN connection between the VPN gateway and an on-premises gateway device. Then, the enterprise can configure static routes for the VBR and the VPN gateway to encrypt the private connection.
Preparations
Before you use private VPN gateways, you must apply for the required permissions from your account manager or submit a ticket to obtain the permissions.
You must plan networks for the data center and network instances. Make sure that the CIDR block of the data center does not overlap with the CIDR blocks of the network instances. The following table describes the CIDR blocks in this example.
Item: VPC1
CIDR block: Primary CIDR block: 10.0.0.0/16; CIDR block of vSwitch1: 10.0.0.0/24; CIDR block of vSwitch2: 10.0.1.0/24
IP address: ECS1: 10.0.1.1; ECS2: 10.0.1.2
Item: VBR
CIDR block: 10.0.0.0/30
IP address: VLAN ID: 0; IPv4 address on the Alibaba Cloud side: 10.0.0.2/30; IPv4 address on the user side: 10.0.0.1/30
In this example, the IPv4 address on the user side is the IPv4 address of the gateway device in the data center.
Item: Data center
CIDR block: Primary CIDR block: 192.168.0.0/16; Subnet1: 192.168.0.0/24; Subnet2: 192.168.1.0/24
IP address: Client: 192.168.1.1
Item: On-premises gateway device
CIDR block: 10.0.0.0/30; 192.168.0.0/24
IP address: VPN IP address: 192.168.0.251; IP address of the interface connected to the Express Connect circuit: 10.0.0.1
The VPN IP address is the IP address of the interface on the on-premises gateway device that connects to the VPN gateway.
VPC1 is deployed in the China (Hangzhou) region and applications are deployed on the ECS instances in VPC1. For more information, see Create and manage a VPC.
Make sure that VPC1 in the China (Hangzhou) region contains at least two vSwitches in different zones that support Enterprise Edition transit routers. In addition, each vSwitch must have at least one idle IP address. This way, VPC1 can be attached to a CEN instance. For more information, see Connect VPCs.
In this example, VPC1 contains two vSwitches (vSwitch1 and vSwitch2). vSwitch1 is deployed in Zone H and vSwitch2 is deployed in Zone I. ECS instances are deployed on vSwitch2. vSwitch1 is used only to associate the VPN gateway.
Note: When you create a VPC, we recommend that you create a dedicated vSwitch in the VPC for the VPN gateway. This way, the vSwitch can allocate a private IP address to the VPN gateway.
Check the gateway device in the data center. Make sure that it supports standard IKEv1 and IKEv2 protocols. To check whether the gateway device supports the IKEv1 and IKEv2 protocols, contact the gateway vendor.
Take note of the security group rules that apply to the ECS instances in VPC1 and the access control list (ACL) rules that apply to the client in the data center. Make sure that the rules allow the ECS instances in VPC1 to communicate with the client in the data center. For more information, see View security group rules and Add a security group rule.
Procedure
Step 1: Deploy an Express Connect circuit
You must deploy an Express Connect circuit to connect the data center to Alibaba Cloud.
Create an Express Connect circuit.
You must apply for an Express Connect circuit in the China (Hangzhou) region. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview of hosted connections.
In this example, a dedicated connection over an Express Connect circuit is created.
Create a VBR.
Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where you want to create a VBR.
In this example, the China (Hangzhou) region is selected.
On the Virtual Border Routers (VBRs) page, click Create VBR.
In the Create VBR panel, configure the following parameters and click OK.
The following table describes only the key parameters. For more information, see Create and manage VBRs.
Account: In this example, Current Account is selected.
Name: In this example, VBR is used.
Physical Connection Information: In this example, Dedicated Physical Connection is selected, and the Express Connect circuit that you created in the previous step is selected.
VLAN ID: In this example, 0 is used.
Set VBR Bandwidth Value: Select a maximum bandwidth value for the VBR.
IPv4 Address (Alibaba Cloud Gateway): In this example, 10.0.0.2 is entered.
IPv4 Address (Data Center Gateway): In this example, 10.0.0.1 is entered.
Subnet Mask (IPv4): In this example, 255.255.255.252 is entered.
Add a custom route to the VBR.
Add a custom route to advertise the on-premises CIDR block to Alibaba Cloud.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
Click the Routes tab and click Add Route.
In the Add Route panel, configure the following parameters and click OK.
Configure the on-premises gateway device.
You must add the following route to the on-premises gateway device so that traffic from the data center destined for VPC1 (10.0.0.0/16) is forwarded to the Express Connect circuit through the Alibaba Cloud-side IP address of the VBR (10.0.0.2).
The following configuration is for reference only. The commands vary based on the network device vendor. Contact the vendor to obtain the specific commands.
ip route 10.0.0.0 255.255.0.0 10.0.0.2
Step 2: Configure a CEN instance
You must attach VPC1 and the VBR to a CEN instance. Then, the data center and VPC1 can communicate with each other through CEN.
Create a CEN instance.
Log on to the CEN console.
On the Instances page, click Create CEN Instance.
In the Create CEN Instance dialog box, configure the following parameters and click OK.
Name: Enter a name for the CEN instance.
In this example, CEN is used.
Description: Enter a description for the CEN instance.
In this example, CEN-for-test-private-VPN-Gateway is used.
Attach VPC1 to the CEN instance.
On the Instances page, click the ID of the CEN instance that you created in the previous step.
In the VPC section of the Basic Settings tab, click the icon.
On the Connection with Peer Network Instance page, configure the following parameters and click OK:
Network Type: Select the type of network instance that you want to attach. In this example, VPC is selected.
Region: Select the region where the network instance is deployed. In this example, the China (Hangzhou) region is selected.
Transit Router: The system automatically creates a transit router in the selected region.
Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs. In this example, Current Account is selected.
Billing Method: In this example, the default value Pay-As-You-Go is selected. For more information, see Billing.
Attachment Name: Enter a name for the network connection. In this example, VPC1-test is used.
Network Instance: Select the ID of the network instance that you want to attach. In this example, VPC1 is selected.
VSwitch: Select vSwitches that are deployed in zones supported by the transit router.
If the Enterprise Edition transit router is deployed in a region that supports only one zone, select a vSwitch in that zone.
If the Enterprise Edition transit router is deployed in a region that supports multiple zones, select at least two vSwitches in different zones. The two vSwitches provide zone-disaster recovery so that data transmission between the VPC and the transit router is not interrupted.
We recommend that you select a vSwitch in each zone to reduce network latency and improve network performance, because data can then be transmitted over a shorter distance.
For more information, see Create a VPC connection.
Advanced Settings: By default, the system automatically enables the following advanced features.
Associate with Default Route Table of Transit Router: After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.
Propagate System Routes to Default Route Table of Transit Router: After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.
Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC: After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops of these routes point to the transit router, so the routes forward traffic from the VPC to the transit router. By default, transit routers do not advertise routes to VPCs.
Important: If such a route already exists in the route table of the VPC, the system cannot add the route. You must manually add a route that points to the VPC connection to the route table of the VPC. Otherwise, network communication cannot be established between the VPC and the transit router.
To check whether such routes exist, click Check Route below Advanced Settings.
The default settings are used in this example.
Click Create More Connections to return to the Connection with Peer Network Instance page.
Attach the VBR to the CEN instance.
On the Connection with Peer Network Instance page, configure the following parameters and click OK:
Network Type: Select the type of network instance that you want to attach. In this example, Virtual Border Router (VBR) is selected.
Region: Select the region where the network instance is deployed. In this example, the China (Hangzhou) region is selected.
Transit Router: The transit router in the selected region is displayed.
Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs. In this example, Current Account is selected.
Attachment Name: Enter a name for the network connection. In this example, VBR-test is used.
Network Instance: Select the ID of the network instance that you want to attach. In this example, the VBR created in Step 1 is selected.
Advanced Settings: By default, the system automatically enables the following advanced features.
Associate with Default Route Table of Transit Router: After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.
Propagate System Routes to Default Route Table of Transit Router: After this feature is enabled, the system routes of the VBR are advertised to the default route table of the transit router. This way, the VBR can communicate with other network instances that are connected to the transit router.
Propagate Routes to VBR: After this feature is enabled, the system automatically advertises the routes in the transit router route table that is associated with the VBR connection to the VBR.
The default settings are used in this example.
Step 3: Deploy a VPN gateway
After you complete the preceding steps, the data center is connected to VPC1 over a private connection. However, the private connection is not encrypted. To encrypt the private connection, you must deploy a VPN gateway in VPC1.
Create a VPN gateway.
Log on to the VPN Gateway console.
In the top navigation bar, select the region where you want to create the VPN gateway.
The VPN gateway and the VPC to be associated must belong to the same region. In this example, the China (Hangzhou) region is selected.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, configure the following parameters, click Buy Now, and then complete the payment.
Name: Enter a name for the VPN gateway. In this example, VPNGateway1 is entered.
Region: Select the region where you want to deploy the VPN gateway. In this example, the China (Hangzhou) region is selected.
Gateway Type: Select the type of the VPN gateway. In this example, Standard is selected.
Network Type: Select the network type of the VPN gateway. In this example, Private is selected.
Tunnels: The tunnel mode supported by IPsec-VPN connections in the region is displayed.
VPC: Select the VPC with which you want to associate the VPN gateway. In this example, VPC1 is selected.
VSwitch: Select a vSwitch from VPC1. If you select Single-tunnel, you need to specify one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches.
Note: The system selects a vSwitch by default. You can keep the default vSwitch or change it.
After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone in which the vSwitch resides on the details page of the VPN gateway.
vSwitch 2: Select another vSwitch from VPC1. Ignore this parameter if you select Single-tunnel.
Maximum Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
Traffic: Select a billing method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing.
IPsec-VPN: Private VPN gateways support only the IPsec-VPN feature. In this example, the default value Enable is selected for the IPsec-VPN feature.
Duration: Select a billing cycle. Default value: By Hour.
Service-linked Role: Click Create Service-linked Role. Then, the system automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.
Return to the VPN Gateways page, check and record the private IP address of the VPN gateway that you created. The IP address is used when you configure IPsec-VPN connections.
A newly created VPN gateway is in the Preparing state. After about 1 to 5 minutes, it enters the Active state. The Active state indicates that the VPN gateway is initialized and ready for use.
Create a customer gateway.
In the left-side navigation pane, choose .
On the Customer Gateway page, click Create Customer Gateway.
In the Create Customer Gateway panel, configure the following parameters and click OK.
The following content describes only the key parameters. For more information, see Create a customer gateway.
Name: Enter a name for the customer gateway.
In this example, Customer-Gateway is used.
IP Address: Enter the VPN IP address of the on-premises gateway device to be connected to the VPN gateway.
In this example, 192.168.0.251 is used.
Create an IPsec-VPN connection.
In the left-side navigation pane, choose .
On the IPsec-VPN connection page, click Create IPsec-VPN Connection.
On the Create IPsec-VPN Connection page, configure the parameters and click OK.
The following content describes only the key parameters. For more information, see Create and manage an IPsec-VPN connection in single-tunnel mode.
Name: Enter a name for the IPsec-VPN connection. In this example, IPsecConnection1 is used.
VPN Gateway: Select the VPN gateway that you created. In this example, VPNGateway1 is selected.
Customer Gateway: Select the customer gateway that you created. In this example, Customer-Gateway is selected.
Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.
Effective Immediately: Specify whether to start connection negotiations immediately. Valid values:
Yes: immediately starts IPsec negotiations after the configuration takes effect.
No: starts negotiations when inbound traffic is detected.
In this example, Yes is selected.
Pre-Shared Key: Enter a pre-shared key. If you do not enter a value, the system generates a random 16-bit string as the pre-shared key.
Important: Make sure that the on-premises gateway device and the IPsec-VPN connection use the same pre-shared key.
In this example, fddsFF123**** is used.
Encryption Configuration: Configure the IKE, IPsec, DPD, and NAT traversal features. In this example, IKEv1 is used and the other parameters use the default values.
Use the default settings for the other parameters.
After you create the IPsec-VPN connection, click OK in the Created message.
Add the VPN configuration to the on-premises gateway device.
In the left-side navigation pane, choose .
On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.
Load the peer configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure an on-premises gateway device.
Step 4: Configure routes for the VPC, VBR, and VPN gateway
After you complete the preceding steps, an encrypted tunnel can be established between the on-premises gateway device and the VPN gateway. You must configure routes for the VPC, VBR, and VPN gateway to route traffic to the encrypted tunnel when the data center communicates with Alibaba Cloud.
Add a custom route to VPC1.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top navigation bar, select the region to which the route table belongs.
In this example, the China (Hangzhou) region is selected.
On the Route Tables page, find the route table that you want to manage and click its ID.
In this example, the ID of the system route table of VPC1 is clicked.
On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.
In the Add Route Entry panel, configure the following parameters and click OK.
Name: Enter a name for the custom route.
Destination CIDR Block: Enter the destination CIDR block of the custom route. In this example, IPv4 CIDR Block is selected and the VPN IP address of the on-premises gateway device is used, which is 192.168.0.251/32.
Next Hop Type: Select the type of the next hop. In this example, Transit Router is selected.
Transit Router: Select the next hop of the custom route. In this example, VPC1-test is selected.
Add a custom route to the VBR.
Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where the VBR is deployed.
In this example, the China (Hangzhou) region is selected.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
Click the Routes tab and click Add Route.
In the Add Route panel, configure the following parameters and click OK.
Add a route to the VPN gateway.
Important: To route traffic destined for the data center from VPC1 to the encrypted tunnel, you must add a route whose destination CIDR block is more specific than the CIDR block of the data center. This means that the destination CIDR block must be a subset of the CIDR block of the data center. Then, you must advertise the route to VPC1.
In this example, the CIDR block of the data center is 192.168.0.0/16. The destination CIDR block of the route configured for the VPN gateway is 192.168.1.0/24, which is more specific than 192.168.0.0/16.
Log on to the VPN Gateway console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the VPN gateway is deployed.
In this example, the China (Hangzhou) region is selected.
On the VPN Gateways page, find the VPN gateway that you created and click the ID.
On the Destination-based Route Table tab, click Add Route Entry.
In the Add Route Entry panel, configure the following parameters and click OK.
Destination CIDR Block: Enter the CIDR block of the data center. In this example, 192.168.1.0/24 is used.
Next Hop Type: Select IPsec-VPN connection.
Next Hop: Select the IPsec-VPN connection that you created. In this example, IPsecConnection1 is selected.
Advertise to VPC: Specify whether to advertise the route to the route table of the VPC. In this example, Yes is selected. The route is advertised to the route table of VPC1.
Weight: Specify a weight for the route. In this example, the default value 100 is used, which specifies a high priority.
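As an added example that is not part of this topic, the following Python script models the route table of VPC1 with the sample CIDR blocks and next hops used above, resolves destinations by longest-prefix match, and runs the two checks that the static-routing design in Step 4 relies on: the route on the VPN gateway must be more specific than the CIDR block of the data center, and the VPN IP address of the on-premises gateway device must resolve to the transit router (the Express Connect underlay) rather than to the IPsec-VPN connection. The route-table layout and the next-hop labels are assumptions made for illustration.

```python
# Added example, not from the Alibaba Cloud topic: model the route table of VPC1
# with the sample CIDR blocks and next hops used in this topic, resolve
# destinations by longest-prefix match, and run the checks that the
# static-routing design in Step 4 relies on. The tuple layout and the
# next-hop labels are assumptions made for illustration.
import ipaddress
from typing import Optional

# Route table of VPC1 after Step 2 (routes auto-added by the CEN attachment),
# Step 4 (custom /32 route for the on-premises VPN IP address) and the
# 192.168.1.0/24 route advertised by VPNGateway1 to VPC1.
VPC1_ROUTES = [
    ("10.0.0.0/16",      "local",            "system route of VPC1"),
    ("10.0.0.0/8",       "transit-router",   "auto-added by CEN"),
    ("172.16.0.0/12",    "transit-router",   "auto-added by CEN"),
    ("192.168.0.0/16",   "transit-router",   "auto-added by CEN"),
    ("192.168.0.251/32", "transit-router",   "Step 4: on-premises VPN IP over Express Connect"),
    ("192.168.1.0/24",   "IPsecConnection1", "Step 4: advertised by VPNGateway1"),
]
DATA_CENTER_CIDR = "192.168.0.0/16"
ON_PREM_VPN_IP = "192.168.0.251"   # VPN IP address of the on-premises gateway device


def resolve(dst: str, routes=VPC1_ROUTES) -> Optional[str]:
    """Return the next hop for dst by longest-prefix match, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for cidr, next_hop, _ in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def vpn_route_is_more_specific(vpn_cidr: str, dc_cidr: str = DATA_CENTER_CIDR) -> bool:
    """The Important note in Step 4: the route on the VPN gateway must be a strict
    subset of the data center CIDR block. Otherwise the route that CEN added for the
    data center matches at least as long a prefix and traffic never enters the tunnel."""
    vpn, dc = ipaddress.ip_network(vpn_cidr), ipaddress.ip_network(dc_cidr)
    return vpn.subnet_of(dc) and vpn.prefixlen > dc.prefixlen


def tunnel_endpoint_bypasses_tunnel(routes=VPC1_ROUTES, vpn_ip: str = ON_PREM_VPN_IP) -> bool:
    """IKE and ESP packets addressed to the on-premises VPN IP must travel over the
    Express Connect underlay (next hop: transit router). If they resolve to the IPsec
    connection itself, the tunnel can never be negotiated."""
    return resolve(vpn_ip, routes) == "transit-router"


def audit(routes=VPC1_ROUTES) -> dict:
    """Run both checks plus the resolution of the sample hosts from this topic."""
    vpn_routes = [cidr for cidr, hop, _ in routes if hop == "IPsecConnection1"]
    return {
        "vpn_routes_more_specific": all(vpn_route_is_more_specific(c) for c in vpn_routes),
        "vpn_ip_via_underlay": tunnel_endpoint_bypasses_tunnel(routes),
        "ECS1 -> client 192.168.1.1": resolve("192.168.1.1", routes),
        "ECS1 -> VPN IP 192.168.0.251": resolve("192.168.0.251", routes),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
    # Failure mode: a /24 VPN route that covers the VPN IP with no /32 escape route.
    broken = [r for r in VPC1_ROUTES if r[0] != "192.168.0.251/32"]
    broken.append(("192.168.0.0/24", "IPsecConnection1", "misconfigured"))
    print("broken table, VPN IP via underlay:", tunnel_endpoint_bypasses_tunnel(broken))
```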
Step 5: Check the network connectivity
After you complete the preceding steps, the data center can communicate with VPC1 over private and encrypted connections. The following content describes how to check the connectivity between the data center and VPC1, and check whether the private connection is encrypted by the VPN gateway.
Check the network connectivity.
Log on to ECS1. For more information, see Connect to an ECS instance.
Run the ping command to ping a client in the data center to check the network connectivity between the data center and VPC1.
ping <the IP address of a client in the data center>
If an echo reply packet is returned, the data center is connected to VPC1.
Check whether the private connection is encrypted.
If you can view the monitoring data of data transfer on the details page of the IPsec-VPN connection, the private connection is encrypted.
Log on to the VPN Gateway console.
In the top navigation bar, select the region where the VPN gateway is deployed.
In this example, the China (Hangzhou) region is selected.
In the left-side navigation pane, choose .
On the IPsec Connections page, find the IPsec-VPN connection that you created in Step 3 and click the connection ID.
Go to the details page of the IPsec-VPN connection to view the monitoring data of data transfer.