IPsec-VPN connections support the dual-tunnel mode - VPN Gateway

If an IPsec-VPN connection has only one encrypted tunnel, it may be interrupted. To improve the availability of IPsec-VPN connections, IPsec-VPN connections in dual-tunnel mode are now supported by VPN Gateway. In dual-tunnel mode, an IPsec-VPN connection has an active tunnel and a standby tunnel that are deployed in different zones. If the active tunnel fails, the standby tunnel takes over. This implements disaster recovery across zones.

Limits

The following regions and zones support dual-tunnel IPsec-VPN connections.

Show the supported regions and zones

Region	Zone
China (Hangzhou)	Zone K, Zone J, Zone I, Zone H, and Zone G
China (Shanghai)	Zone K, Zone L, Zone M, Zone N, Zone B, Zone D, Zone E, Zone F, and Zone G
China (Nanjing - Local Region)	Zone A
China (Shenzhen)	Zone A, Zone E, Zone D, and Zone F
China (Heyuan)	Zone A and Zone B
China (Guangzhou)	Zone A and Zone B
China (Qingdao)	Zone B and Zone C
China (Beijing)	Zone F, Zone E, Zone H, Zone G, Zone A, Zone C, Zone J, Zone I, Zone L, and Zone K
China (Zhangjiakou)	Zone A, Zone B, and Zone C
China (Hohhot)	Zone A and Zone B
China (Ulanqab)	Zone A, Zone B, and Zone C
China (Chengdu)	Zone A and Zone B
China (Hong Kong)	Zone B, Zone C, and Zone D
Singapore	Zone A, Zone B, and Zone C
Thailand (Bangkok)	Zone A
Japan (Tokyo)	Zone A, Zone B, and Zone C
South Korea (Seoul)	Zone A
Philippines (Manila)	Zone A
Indonesia (Jakarta)	Zone A, Zone B, and Zone C
Malaysia (Kuala Lumpur)	Zone A and Zone B
UK (London)	Zone A and Zone B
Germany (Frankfurt)	Zone A, Zone B, and Zone C
US (Silicon Valley)	Zone A and Zone B
US (Virginia)	Zone A and Zone B
Australia (Sydney) Closing Down	Zone B
SAU (Riyadh - Partner Region)	Zone A and Zone B
UAE (Dubai)	Zone A

By default, after you purchase a VPN gateway, you can create only dual-tunnel IPsec-VPN connections.
However, IPsec-VPN connections on existing VPN gateways in the supported regions support only the single-tunnel mode. We recommend that you upgrade existing VPN gateways to use the dual-tunnel mode at the earliest opportunity. After a VPN gateway is upgraded, you can no longer create single-tunnel IPsec-VPN connections on the VPN gateway. For more information, see Upgrade a VPN gateway to enable the dual-tunnel mode.
In scenarios where an IPsec-VPN connection is associated with a transit router, the dual-tunnel mode is not supported.

Networking in dual-tunnel mode

A single-tunnel IPsec-VPN connection may be interrupted when the tunnel fails. In dual-tunnel mode, an IPsec-VPN connection has an active tunnel and a standby tunnel that are deployed in different zones. If the active tunnel fails, the standby tunnel takes over.

When you create a dual-tunnel VPN gateway, you need to specify two vSwitches in different zones from the virtual private cloud (VPC) to which the VPN gateway belongs. The vSwitches are used to create dual-tunnel IPsec-VPN connections, which implement disaster recovery across zones.
Note
If only one zone in a region supports the dual-tunnel mode, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in the zone to implement high availability. You can specify the same vSwitch.
After you create a VPN gateway, the system assigns two IP addresses to create two tunnels.
After you enable SSL-VPN for a public VPN gateway, the system allocates an additional IP address that is used to establish an SSL-VPN connection between a client and the VPN gateway. An SSL-VPN connection and an IPsec-VPN connection use different IP addresses.
When you create a dual-tunnel IPsec-VPN connection in the VPN Gateway console, you need to separately configure two tunnels and associate each tunnel with a customer gateway. You can associate the two tunnels with the same customer gateway.
After you configure the tunnels, you need to add VPN configurations to the on-premises gateway device to establish a dual-tunnel IPsec-VPN connection.
Important
When you create a dual-tunnel IPsec-VPN connection, you must configure two tunnels and ensure that they are available. If you configure or use only one of the tunnels, IPsec-VPN connection redundancy based on active/standby tunnels and zone-disaster recovery are not supported.

Data transfer in dual-tunnel mode

From the VPN gateway to the data center (displayed in green in the figure)
- If you configure only one tunnel when you create an IPsec-VPN connection, data is transferred from the VPN gateway to the data center through this tunnel. If the tunnel fails, data transfer is interrupted.
- If you configure two tunnels, data is transferred from the VPN gateway to the data center through the active tunnel by default. If the active tunnel fails, the standby tunnel takes over. If the active tunnel recovers, the active tunnel takes over.
From the data center to the VPN gateway (displayed in black in the figure)
The traffic path from the data center to the VPN gateway depends on the route configuration of the on-premises gateway device.
For example, in scenarios where a data center is connected to a VPC through an IPsec-VPN connection, you can add route configurations to the on-premises gateway device so that data can be transferred between the data center and the VPC through the active tunnel. You can also specify the active tunnel to transfer data from the VPC to the data center and specify the standby tunnel to transfer data from the data center to the VPC.

Guides on route configurations for the dual-tunnel mode

We recommend that you configure routes for dual-tunnel IPsec-VPN connections based on the following suggestions:

We recommend that you configure the same routing protocol (static or BGP) for the two tunnels of an IPsec-VPN connection.
If an IPsec-VPN connection uses Border Gateway Protocol (BGP) dynamic routing, the Local ASN of the two tunnels must be the same. The peer ASNs of the two tunnels can be different, but we recommend that you use the same peer ASN.
In scenarios where multiple IPsec-VPN connections are established on a VPN gateway:
- If you configure static routes for the IPsec-VPN connections, the destination CIDR blocks of the policy-based or destination-based routes for different connections cannot overlap with each other. Otherwise, the routes may not take effect.
- If you configure BGP dynamic routing for the IPsec-VPN connections, the destination CIDR blocks of the routes advertised to the VPN gateway through the IPsec-VPN connections cannot overlap. Otherwise, the routes may not take effect.

Comparison between the single-tunnel mode and the dual-tunnel mode

Note

After a single-tunnel IPsec-VPN connection is upgraded to a dual-tunnel IPsec-VPN connection, the billing method does not change and no additional fees are charged.

Item	Single-tunnel mode	Dual-tunnel mode
Number of tunnels for each IPsec-VPN connection	1	2
Number of vSwitches required	You need to specify only one vSwitch when you create a VPN gateway.	You need to specify two vSwitches in different zones when you create a VPN gateway.
High availability	You need to create multiple IPsec-VPN connections on a VPN gateway or create multiple VPN gateways to implement high availability.	Two tunnels of one IPsec-VPN connection can implement high availability.
Route weights	Supported	Not supported
Health check	Supported	Not supported
Number of IP addresses assigned to the VPN gateway	After a VPN gateway is created, it is assigned only one IP address. The IP address is used to create an IPsec-VPN or SSL-VPN connection.	If a VPN gateway that supports both IPsec-VPN and SSL-VPN is created, the VPN gateway is assigned three different IP addresses. An IPsec-VPN connection uses two IP addresses to create two tunnels. An SSL-VPN connection uses one IP address to connect to the client. The three IP addresses are unique.

References

Enable communication between two VPCs by using an IPsec-VPN connection in dual-tunnel mode