Elastic Desktop Service:Use IPsec-VPN to access a cloud computer from the Alibaba Cloud Workspace client over a private network

Preparations

Before you begin, read the Access a cloud computer over a private network topic and complete the following preparations:

• Create a Cloud Enterprise Network (CEN) instance. For more information, see Create a CEN instance.

• Create a VPC and attach it to the CEN instance. For more information, see Create a VPC and a vSwitch or Attach a network instance to a CEN instance.

• Create an office network and attach its VPC to the CEN instance. For more information, see Create and manage convenience office networks and Create and manage an enterprise AD office network.

  Important

  • Before you create an office network, you must plan the IPv4 CIDR block of the office network to prevent CIDR block conflicts between the office network and the CEN instance or between the office network and your data center. For more information, see Plan a CIDR block.

  • If you create a convenience office network, attach the convenience office network to the CEN instance.

  • If you deploy your AD system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on a local server, you must connect the local network to the cloud network. You can create an enterprise AD office network and implement connectivity between the local server and the cloud, and then configure the AD domain.

• Create a cloud computer and an account. Then, assign the cloud computer to the account.

  • For more information about how to create an account, see Create a convenience account or Create and manage an enterprise AD office network.

  • For more information about how to create and assign cloud computers, see Create cloud computers and Assign cloud computers to users.

• Obtain an Alibaba Cloud Workspace terminal to connect to and use the cloud computer. For more information, see Use a client.

  Note

  The following Alibaba Cloud Workspace terminals are supported if you want to use IPsec-VPN to connect to cloud computers: Windows client and macOS client.

Step 1: Configure IPsec-VPN

1. Create a VPN gateway and enable IPsec-VPN. For more information, see Create a VPN gateway.

   Parameters

   Parameter	Description
   Instance Name	The name of the VPN gateway.
   Resource Group	The resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. You can manage the resource group to which the VPN gateway belongs and resource groups to which other cloud resources belong in the Resource Management console. For more information, see What is Resource Management?
   Region and Zone	The region in which you want to create the VPN gateway. Make sure that the VPN gateway resides in the same region as the VPC that you want to associate with the VPN gateway.
   Gateway Type	The type of VPN gateway that you want to create. Default value: Standard.
   Network Type	The network type of the VPN gateway. Valid values: Public: The VPN gateway can be used to establish VPN connections over the Internet. Private: The VPN gateway can be used to establish VPN connections over private networks. Note If you want to establish a VPN connection over a private network, you recommend that you associate a router with the private IPsec-VPN connection. For more information, see Create multiple private IPsec-VPN connections to implement load balancing.
   Tunnels	The tunnel mode of the VPN gateway. The system displays the tunnel modes that are supported in this region. Valid values: Single-tunnel Dual-tunnel For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.
   VPC	The VPC with which you want to associate the VPN gateway.
   vSwitch	The vSwitch with which you want to associate the VPN gateway. Select a vSwitch from the selected VPC. If you select Single-tunnel, you need to specify only one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches. After the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) for each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in the vSwitch. Note The system selects a vSwitch by default. You can change or use the default vSwitch. After a VPN gateway is created, you cannot modify the vSwitch associated with the VPN gateway. You can view the vSwitch associated with the VPN gateway, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.
   vSwitch 2	The other vSwitch with which you want to associate the VPN gateway in the associated VPC if you select Dual-tunnel. Specify two vSwitches in different zones in the associated VPC to implement disaster recovery across zones for IPsec-VPN connections. For a region that supports only one zone, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can also select the same vSwitch as the first one. Regions that support only one zone China (Nanjing - Local Region), Thailand (Bangkok), South Korea (Seoul), Australia (Sydney) Closing Down, Philippines (Manila), and UAE (Dubai)
   Peak Bandwidth	The maximum bandwidth of the VPN gateway. Unit: Mbit/s.
   Traffic	The metering method of the VPN gateway. Default value: Pay-by-data-transfer.
   IPsec-VPN	Specifies whether to enable the IPsec-VPN feature for the VPN gateway. Default value: Enable. You must enable this feature if you want to establish an IPsec-VPN connection.
   SSL-VPN	Specifies whether to enable the SSL-VPN feature for the VPN gateway. Default value: Disable. You do not need to enable this feature for the VPN gateway to establish an IPsec-VPN connection.
   Billing Cycle	The billing cycle of the VPN gateway. Default value: By Hour.
   Service-linked Role	The service-linked role of VPN Gateway. Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role is created and you do not need to create it again.

2. Creates a customer gateway. For more information, see Create and manage a customer gateway.

   Parameters

   Parameter	Description
   Name	The name of the customer gateway.
   IP Address	The static IP address of the gateway device in your data center. If you want to create a public IPsec-VPN connection, enter a public IP address. If you want to create a private IPsec-VPN connection, enter a private IP address. You cannot enter an IP address in the following IP address ranges in the IP Address field. Otherwise, no IPsec-VPN connection can be established. 100.64.0.0 to 100.127.255.255 127.0.0.0 to 127.255.255.255 169.254.0.0 to 169.254.255.255 224.0.0.0 to 239.255.255.255 255.0.0.0 to 255.255.255.255
   ASN	The autonomous system number (ASN) of the gateway device in your data center. This parameter is required If you want to use Border Gateway Protocol (BGP) for the IPsec-VPN connection. Valid values: 1 to 4294967295. You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in decimal format. For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384. Note We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. Refer to the relevant documentation for the valid range of a private ASN.
   Description	The description of the customer gateway.
   Resource Group	The resource group to which the customer gateway belongs. You can manage the resource groups to which customer gateways and other cloud service resources belong in the Resource Management console. For more information, see What is Resource Management?
   Tags	The tags to be added to the customer gateway. You can use tags to mark and classify customer gateways to facilitate resource search and aggregation. For more information, see What is Tag?. Tag Key: the tag key of the customer gateway. You can select an existing tag key or enter a new tag key. Tag Value: the tag value of the customer gateway. You can select an existing tag value or enter a new tag value. You can leave the Tag Value parameter empty.

3. Create an IPsec-VPN connection. For more information, see Create an IPsec-VPN connection.

   Parameters

   Parameter	Description
   Name	The name of the IPsec-VPN connection.
   Resource Group	The resource group to which the VPN gateway belongs. If you leave this parameter empty, the system displays the VPN gateways in all resource groups.
   Associate Resource	The type of network resource to be associated with the IPsec-VPN connection. In this example, VPN Gateway is selected.
   VPN Gateway	The VPN gateway to be associated with the IPsec-VPN connection.
   Routing Mode	The routing mode of the IPsec-VPN connection. Default value: Destination Routing Mode. Valid values: Destination Routing Mode: routes and forwards traffic based on the destination IP address. Protected Data Flows: routes and forwards traffic based on the source and destination IP addresses. If you select Protected Data Flows, you must configure the Local Network and Remote Network parameters. After the IPsec-VPN connection is configured, the system automatically adds policy-based routes to the route table of the VPN gateway. By default, the policy-based routes are not advertised. You can determine whether to advertise the routes to the route table of the VPC based on your requirements. For more information, see the "Advertise a policy-based route" section of the Configure policy-based routes topic. Note If the IPsec-VPN connection is associated with a VPN gateway and the VPN gateway is not of the latest version, you do not need to specify the routing mode.
   Local Network	The CIDR block of the VPC to be connected to your data center. This CIDR block is used in Phase 2 negotiations. Click next to the field to add multiple CIDR blocks on the VPC side. Note If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
   Remote Network	The CIDR block of the data center to be connected to the VPC. This CIDR block is used in Phase 2 negotiations. Click next to the field to add multiple CIDR blocks on the data center side. Note If you specify multiple CIDR blocks, you must set the IKE version to ikev2.
   Effective Immediately	Specifies whether to immediately start IPsec-VPN negotiations. Default value: Yes. Valid values: Yes: immediately starts IPsec-VPN negotiations after the IPsec-VPN connection is created. No: starts IPsec-VPN negotiations when inbound traffic is detected.
   Customer Gateway	The customer gateway to be associated with the IPsec-VPN connection.
   Pre-Shared Key	The pre-shared key that is used for authentication between the VPN gateway and the data center. The pre-shared key must be 1 to 100 characters in length and can contain digits, letters, and the following characters: ~ ' ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : , . < > / ?. The pre-shared key cannot contain spaces. If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After an IPsec-VPN connection is created, you can click Edit in the Actions column of the IPsec-VPN connection to view the pre-shared key that is generated for the IPsec-VPN connection. For more information, see the Modify an IPsec-VPN connection section of this topic. Important The pre-shared keys must be the same on both sides. Otherwise, the system cannot establish an IPsec-VPN connection.
   Enable BGP	Specifies whether to enable the BGP dynamic routing feature for the IPsec-VPN connection. By default, Enable BGP is turned off. Before you use the BGP dynamic routing feature, we recommend that you understand how it works and its limits. For more information, see the Configure BGP dynamic routing.
   Local ASN	The autonomous system number (ASN) of the IPsec-VPN connection on the Alibaba Cloud side. Default value: 45104. Valid values: 1 to 4294967295. You can enter the ASN in two segments and separate the first 16 bits from the following 16 bits with a period (.). Enter the number in each segment in decimal format. For example, if you enter 123.456, the ASN is 123 × 65536 + 456 = 8061384. Note We recommend that you use a private ASN to establish a connection to Alibaba Cloud over BGP. For more information about the valid values of a private ASN, see the relevant documentation.

4. Publish the peer CIDR block to CEN.

   1. Log on to the VPC console.

   2. In the left-side navigation pane, click Route Tables.

   3. On the Route Tables page, find the route table of the user VPC and click the ID of the route table.

   4. On the route table details page, select the Route Entry List tab and click the Custom Route tab.

   5. Find the peer CIDR block (the CIDR block of the private network used by the data center) that you configured and click Publish in the Actions column.

      If the value in the Status column of the CIDR block is Published, the CIDR block is published.

Step 2: Load the VPN configurations to the data center gateway

1. Log on to the VPC console.

2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

3. In the top navigation bar, select the region of the IPsec-VPN connection.

4. On the IPsec Connections page, find the IPsec-VPN connection and click Generate Peer Configuration in the Actions column.

5. Load the IPsec-VPN connection configurations that you downloaded to the data center gateway.

   For more information, see Configure an H3C firewall.

Step 3: Configure the route and DNS settings for cloud services

1. Configure routing for cloud services.

   The CIDR block of the cloud services in Alibaba Cloud that can be accessed over a VPC is 100.64.0.0/10. This CIDR block is a reserved CIDR block defined in RFC 6598. To ensure that you can call the EDS API from the Alibaba Cloud Workspace client as expected, configure a route for the CIDR block 100.64.0.0/10 in the data center network to forward requests destined for the CIDR block to the user VPC in the cloud

2. (Optional) Before you configure Domain Name System (DNS), run the following command to test whether the domain name can be resolved:

   nslookup ecd-vpc.cn-hangzhou.aliyuncs.com

   If an IP address is returned, the domain name can be resolved. In this case, you can skip the next step. If no IP address is returned, perform the following step to configure DNS.

3. (Optional) Configure DNS.

   To access cloud computers over a private network, DNS is required to resolve the domain names involved in the EDS API and streaming gateways that reside in the private network. In this example, use the following IP addresses for your DNS server:

   • 100.100.2.136

   • 100.100.2.138

   You can use one of the following methods to configure DNS addresses:

   • Add the preceding DNS addresses to the Dynamic Host Configuration Protocol (DHCP) service of the data center.

   • Configure transit routers on the DNS server of the data center to route domain name resolution requests that end with aliyuncs.com to 100.100.2.136 or 100.100.2.138.

Step 4: Check whether the cloud computer can be connected over the private network

1. Launch the Windows client.

2. In the lower part of the logon page, choose More > Connection Type and select Alibaba Cloud VPC.

3. Enter the logon credentials, including an office network ID or organization ID, username, and password, sent to your email address. Then, click the Next icon to proceed.

   

4. Find the cloud computer from the resource list. Then, start and connect to it.

   Note

   If errors such as network request timeout occur, network connectivity is not established. Check whether the preceding network settings are correctly configured. Then, re-log on to the client and connect to the cloud computer.