All Products
Search
Document Center

Cloud Enterprise Network:Connect a third-party SD-WAN appliance to a transit router to establish communication between data centers and VPCs

更新時間:Oct 21, 2024

This topic describes how to connect a third-party SD-WAN appliance to a transit router to establish network communication between data centers and virtual private clouds (VPCs).

Example

Note

A third-party SD-WAN appliance is used in this topic. The information about the third-party SD-WAN appliance is for reference only. Alibaba Cloud does not guarantee or make other form of commitments to the performance and reliability of the third-party tools, or the potential impacts of using these tools.

A company has two data centers (IDC1 and IDC2) and a VPC (VPC1) in the China (Shanghai) region, and another VPC (VPC2) in the China (Hangzhou) region. It now needs to enable communication among IDC1, IDC2, VPC1, and VPC2. A solution that the company proposes is to use a third-party SD-WAN appliance to connect IDC1 and IDC2 to Alibaba Cloud, and implement access control on the third-party SD-WAN appliance to ensure security. In addition, it wants to enable automatic route advertisement and learning between Alibaba Cloud and the data centers to reduce O&M workload.

To achieve these goals, the company can connect the third-party SD-WAN appliance to a transit router by creating a VPN attachment. The data centers can use the third-party SD-WAN appliance and transit router to communicate with the VPCs that are connected to the transit router. Furthermore, Border Gateway Protocol (BGP) is enabled for the transit routers, the third-party SD-WAN appliance, IDC1, and IDC2, which allows for automatic route advertisement and learning.

SD-WAN场景示例

Network planning

Network requirements

  • Create an Elastic Compute Service (ECS) instance in a VPC, such as the security VPC in this topic. Then, deploy a third-party SD-WAN appliance on the ECS instance by installing the corresponding image.

    In this example, the image FortiGate V6.2.4 is installed on the ECS instance in the security VPC.

  • Connect the third-party SD-WAN appliance to the transit router by creating a VPN attachment that uses a Private VPN gateway.

  • Enable BGP between the third-party SD-WAN appliance and transit router to allow automatic route advertisement and learning.

  • Create an IPsec-VPN connection between the third-party SD-WAN appliance and IDC1 and between the third-party SD-WAN appliance and IDC2. This way, IDC1 and IDC2 can connect to Alibaba Cloud.

    Use Auto Discovery VPN (ADVPN) to create a full mesh of IPsec-VPN connections between the third-party SD-WAN appliance and IDC1 and IDC2. For more information about ADVPN, see Fortinet Documents Library.

  • The third-party SD-WAN appliance and the two on-premises gateway devices (On-premises Gateway 1 and On-premises Gateway 2) all use BGP. After an internal BGP (iBGP) neighbor relationship is established, routes are automatically advertised and learned.

    Both On-premises Gateway 1 and On-premises Gateway 2 are from Fortinet and have the image FortiGate V6.2.4 installed.

CIDR blocks

Important

Make sure that the CIDR blocks do not overlap with each other.

Table 1. Basic CIDR block configurations

Resource

CIDR block and IP address

Service VPC (VPC1)

  • Primary CIDR block: 10.2.0.0/16

  • vSwitch 1 CIDR block: 10.2.1.0/24 (deployed in Zone F)

  • vSwitch 2 CIDR block: 10.2.2.0/24 (deployed in Zone G)

  • ECS1 IP address: 10.2.1.10 (deployed in vSwitch 1)

  • ECS2 IP address: 10.2.2.190 (deployed in vSwitch 2)

Service VPC (VPC2)

  • Primary CIDR block: 10.1.0.0/16

  • vSwitch 1 CIDR block: 10.1.1.0/24 (deployed in Zone I)

  • vSwitch 2 CIDR block: 10.1.2.0/24 (deployed in Zone H)

  • ECS1 IP address: 10.1.1.10 (deployed in vSwitch 1)

  • ECS2 IP address: 10.1.2.191 (deployed in vSwitch 2)

Security VPC

  • Primary CIDR block: 172.16.0.0/16

  • vSwitch 1 CIDR block: 172.16.0.0/24 (deployed in Zone F)

  • vSwitch 2 CIDR block: 172.16.1.0/24 (deployed in Zone G)

  • ECS IP address (third-party SD-WAN appliance): 172.16.0.15 (deployed in vSwitch 1)

  • ECS public IP address: 42.XX.XX.129.

IDC1

  • Public IP address of on-premises Gateway 1: 121.XX.XX.211.

  • Interfaces of on-premises Gateway 1:

    • port1 interface: IP address 192.168.100.5 and subnet mask 255.255.255.0. Establish BGP neighbor relationship with the third-party SD-WAN appliance.

    • loopback interface: IP address 192.168.254.100 and subnet mask 255.255.255.0. Simulate a client in IDC1 that needs to communicate with the cloud.

IDC2

  • Public IP address of on-premises Gateway 2: 121.XX.XX.78.

  • Interfaces of on-premises Gateway 2:

    • port1 interface: IP address 192.168.99.4 and subnet mask 255.255.255.0. Establish BGP neighbor relationship with the third-party SD-WAN appliance.

    • loopback interface: IP address 192.168.254.104 and subnet mask 255.255.255.0. Simulate a client in IDC2 that needs to communicate with the cloud.

Table 2. BGP configurations

Resource

BGP autonomous system number (ASN)

Local BGP IP address

Peer BGP IP address

BGP configuration between the third-party SD-WAN appliance and transit router

IPsec-VPN connection

65531

169.254.20.1

169.254.20.2

Third-party SD-WAN appliance

65534

169.254.20.2

169.254.20.1

BGP configuration between the third-party SD-WAN appliance and IDC1

IDC1

65534

169.254.10.10

169.254.10.1

Third-party SD-WAN appliance

65534

169.254.10.1

169.254.10.10

BGP configuration between the third-party SD-WAN appliance and IDC2

IDC2

65534

169.254.10.11

169.254.10.1

Third-party SD-WAN appliance

65534

169.254.10.1

169.254.10.11

Prerequisites

Make sure that the following prerequisites are met before you begin:

  • A service VPC (VPC1) and a security VPC are created in the China (Shanghai) region. A service VPC (VPC2) is created in the China (Hangzhou) region. ECS instances are deployed in the VPCs to run workloads. For more information, see Create a VPC with an IPv4 CIDR block.

    • Deploy workloads on the ECS instances in VPC1 and in VPC2 based on your business requirements.

    • Install the image that is used to deploy the third-party SD-WAN appliance on the ECS instance in the security VPC. In this example, the image FortiGate V6.2.4 is used. Make sure that the third-party SD-WAN appliance is assigned a public IP address. You can purchase the image from Alibaba Cloud Marketplace. For more information, see Alibaba Cloud Marketplace images.

  • A Cloud Enterprise Network (CEN) instance is created. For more information, see Create a CEN instance.

Procedures

SD-WAN-配置流程

Step 1: Create transit routers

Before you can use a CEN instance to connect data centers to VPCs, you must deploy transit routers in the China (Shanghai) and China (Hangzhou) regions, and assign CIDR blocks to the transit router in the China (Shanghai) region.

  1. Log on to the CEN console.

  2. On the Instances page, select the CEN instance that you created in Prerequisites, and click the CEN instance ID.

  3. On the Basic Information > Transit Router tab, click Create Transit Router.

  4. In the Create Transit Router dialog box, configure the parameters and click OK. The following table describes the parameters.

    The following table lists only the parameters that are closely related to this topic. Other parameters are kept at their default value. For more information, see Transit router CIDR blocks.

    Parameter

    Description

    China (Shanghai)

    China (Hangzhou)

    Region

    Select the region where you want to create the transit router.

    In this example, China (Shanghai) is selected.

    In this example, China (Hangzhou) is selected.

    Edition

    The edition of the transit router.

    The transit router edition that is supported in the selected region is automatically displayed.

    Enable Multicast

    Specify whether to enable multicast.

    The default setting is used in this example. Multicast is disabled.

    Name

    Enter a name for the transit router.

    In this example, TR-Shanghai is entered.

    In this example, TR-Hangzhou is entered.

    TR CIDR Block

    Specify a CIDR block for the transit router.

    You can specify a custom CIDR block. The CIDR block works in a similar way as the CIDR block of the loopback interface on a router. IP addresses within the CIDR block can be assigned to IPsec-VPN connections . For more information, see Transit router CIDR blocks.

    In this example, 10.10.10.0/24 is entered.

    No CIDR block is specified in this example.

Step 2: Connect the VPCs to the transit routers

To allow the data centers to communicate with the VPCs by using the transit routers, connect VPC1, the security VPC, and VPC2 to the transit router in the desired region.

  1. On the Instances page, select the CEN instance that you created in Prerequisites, and click the CEN instance ID.

  2. On the Basic Information > Transit Router tab, find the transit router instance that you created in Step 1, and click Actions in the Create Connection column.

  3. On the Connection with Peer Network Instance page, configure the VPC connection based on the following information, and then click OK.

    The following table lists only the parameters that are closely related to this topic. Other parameters are kept at their default value. For more information, see Transit router CIDR blocks.

    Parameter

    Description

    Service VPC (VPC1)

    Security VPC

    Service VPC (VPC2)

    Instance Type

    Select the type of network instance.

    In this example, VPC is selected.

    In this example, VPC is selected.

    In this example, VPC is selected.

    Region

    Select the region of the network instance.

    In this example, China (Shanghai) is selected.

    In this example, China (Shanghai) is selected.

    In this example, China (Hangzhou) is selected.

    Transit Router

    The transit router in the selected region is automatically displayed.

    Resource Owner UID

    Specify whether the network instance belongs to the current Alibaba Cloud account.

    In this example, Current Account is selected.

    In this example, Current Account is selected.

    In this example, Current Account is selected.

    Billing Method

    The billing method of the VPC connection. Default value: Pay-as-you-go. For more information about the billing rules of transit routers, see Billing rules.

    Connection Name

    Enter a name for the VPC connection.

    In this example, Service VPC1 connection is entered.

    In this example, Security VPC connection is entered.

    In this example, Service VPC2 connection is entered.

    Network Instance

    Select a network instance.

    In this example, VPC1 is selected.

    In this example, the security VPC is selected.

    In this example, VPC2 is selected.

    vSwitch

    Select the vSwitches that are deployed in the zones of the transit router.

    • If the Enterprise Edition transit router is deployed in a region that supports only one zone, select a vSwitch in the zone.

    • If the Enterprise Edition transit router is deployed in a region that supports multiple zones, select at least two vSwitches. The two vSwitches must be in different zones. The two vSwitches support zone-disaster recovery to ensure uninterrupted data transmission between the VPC and the transit router.

      We recommend that you select a vSwitch in each zone to reduce network latency and improve network performance because data can be transmitted over a shorter distance.

    Make sure that each selected vSwitch has at least one idle IP address. If the VPC does not have a vSwitch in the zone supported by the TR or the vSwitch does not have an idle IP address, create a new vSwitch in the zone. For more information, see Create and manage a vSwitch.

    In this example, vSwitch 1 in Shanghai Zone F and vSwitch 2 in Shanghai Zone G are selected.

    In this example, vSwitch 1 in Shanghai Zone F and vSwitch 2 in Shanghai Zone G are selected.

    In this example, vSwitch 1 in Hangzhou Zone I and vSwitch 2 in Hangzhou Zone H are selected.

    Advanced Configuration

    Specify whether to enable the advanced features.

    In this example, the default settings are used. The advanced features are enabled.

    In this example, the default settings are used. The advanced features are enabled.

    In this example, the default settings are used. The advanced features are enabled.

Step 3: Create an inter-region connection

As VPC1 and the security VPC are deployed in the same region, they can communicate with each other by default. The transit routers to which VPC1 and VPC2 are attached are in different regions. Therefore, VPC1 and the security VPC cannot communicate with VPC2. To enable communication between them, you must create an inter-region connection between the transit routers deployed in China (Hangzhou) and China (Shanghai).

  1. On the CEN Instance page, find the CEN instance you want to manage, and click the ID.

  2. On the Basic Information > Bandwidth Plans tab, click Allocate Bandwidth for Inter-region Communication.

  3. On the Connect with Peer Network Instance page, configure the following parameters, and then click OK.

    Set the parameters by referring to the following table and keep other parameters at their default values. For more information, see Create an inter-region connection.

    Parameter

    Description

    Instance Type

    Select Inter-region Connection.

    Region

    Select the region to be connected.

    In this example, China (Hangzhou) is chosen.

    Transit Router

    The ID of the transit router in the selected region is automatically displayed.

    Connection Name

    Enter a name for the inter-region connection.

    In this example, Inter-region connection is entered.

    Peer Region

    Select the other region to be connected.

    In this example, China (Shanghai) is selected.

    Transit Router

    The ID of the transit router in the selected region is automatically displayed.

    Bandwidth Plan

    The following modes are supported:

    • Allocate from Bandwidth Plan: Allocate bandwidth from the purchased bandwidth plan.

    • Pay-by-data Transfer: Charged by traffic used by the inter-region connection.

    In this example, Pay-by-data Transfer is selected.

    Bandwidth

    Specify a bandwidth value for the inter-region connection. Unit: Mbit/s.

    Default Link Type

    Use the default link type.

    Advanced Configuration

    Keep the default value, with all advanced features enabled.

Step 4: Create VPN attachments

After you complete the preceding steps, VPC1, VPC2, and the security VPC can communicate with each other. However, the transit routers and the security VPC cannot learn routes from the data centers. To enable the third-party SD-WAN appliance to learn routes, you must create a VPN attachment between the third-party SD-WAN appliance and the transit routers, and between the third-party SD-WAN appliance and the data centers. Then, the third-party SD-WAN appliance can advertise routes to the transit routers over the VPN attachment.

  1. Log on to the VPN Gateway console.

  2. Create a customer gateway.

    Before you can create VPN attachments between the third-party SD-WAN appliance and the transit routers, you must deploy a customer gateway and register the third-party SD-WAN appliance on Alibaba Cloud.

    1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

    2. In the top navigation bar, select the region of the customer gateway.

      Select the region in which the third-party SD-WAN appliance is deployed. In this example, China (Shanghai) is selected.

    3. On the Customer Gateway page, click Create Customer Gateway.

    4. In the Create Customer Gateway panel, configure the parameters, and click OK.

      The following table lists only the parameters that are closely related to this topic. You can keep other parameters at their default value. For more information, see Create and manage a customer gateway.

      Parameter

      Description

      Customer gateway

      Name

      Enter a name for the customer gateway.

      In this example, Customer-Gateway is entered.

      IP Address

      Enter the IP address that the third-party SD-WAN appliance uses to create the VPN attachments.

      In this example, the private IP address 172.16.0.15 of the third-party SD-WAN appliance is entered.

      ASN

      Enter the BGP ASN used by the third-party SD-WAN appliance.

      In this example, 65534 is entered.

  3. Create an IPsec-VPN connection.

    After you create a customer gateway, you need to create an IPsec-VPN connection on Alibaba Cloud. The transit routers use the IPsec-VPN connection to connect to the third-party SD-WAN appliance.

    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. In the top menu bar, select the region of the IPsec-VPN connection.

      The IPsec-VPN connection and the customer gateway must be created in the same region. In this example, China (Shanghai) is selected.

    3. On the IPsec-VPN connection page, click Create IPsec-VPN Connection.

    4. On the Create IPsec-VPN Connection page, configure the parameters for the IPsec-VPN connection and click OK. The following table describes the parameters.

      Creating an IPsec-VPN connection incurs charges. For more information about the billing of IPsec-VPN connections, see Billing description.

      Parameter

      Description

      IPsec-VPN connection

      Name

      Enter a name for the IPsec-VPN connection.

      In this example, IPsec connection is entered.

      Associated Resource

      Select the type of network resource to be associated with the IPsec-VPN connection.

      In this example, CEN is selected.

      Gateway Type

      Select the type of gateway used by the IPsec-VPN connection.

      In this example, Private is selected.

      The security VPC is already connected to the transit router. The third-party SD-WAN appliance can connect to the transit router over a private network connection.

      CEN Instance ID

      Select a CEN instance.

      In this example, the CEN instance that you created in Prerequisites is selected.

      Transit Router

      Select the transit router that you want to associate with the IPsec-VPN connection.

      The transit router in the region of the IPsec-VPN connection is automatically selected.

      Zone

      Select the zone in which the IPsec-VPN connection is created. Make sure that the IPsec-VPN connection is created in a zone that supports transit routers.

      In this example, Shanghai Zone F is selected.

      Routing Mode

      Select a routing mode.

      In this example, Destination Routing Mode is selected.

      Effective Immediately

      Specify whether to immediately start IPsec negotiations. Valid values:

      • Yes: immediately starts IPsec negotiations after the configurations take effect.

      • No: starts negotiations when traffic is detected.

      In this example, Yes is selected.

      Customer Gateway

      Select the customer gateway to be associated with the IPsec-VPN connection.

      In this example, Customer-Gateway is selected.

      Pre-shared Key

      Enter a pre-shared key that is used to authenticate the on-premises gateway devices.

      • The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | ; : ' , . < > / ?. The key cannot contain spaces.

      • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key. After an IPsec-VPN connection is created, you can click Edit in the Actions column of the IPsec-VPN connection to view the pre-shared key that is generated for the IPsec-VPN connection. For more information, see the Modify an IPsec-VPN connection section of this topic.

      Important

      The IPsec-VPN connection and peer gateway device must use the same pre-shared key. Otherwise, the system cannot establish an IPsec-VPN connection.

      In this example, fddsFF123**** is entered.

      Enable BGP

      Specify whether to enable BGP. By default, BGP is disabled.

      In this example, BGP is enabled.

      Local ASN

      Enter the ASN of the IPsec-VPN connection. Default value: 45104. Valid values: 1 to 4294967295.

      In this example, 65531 is entered.

      Encryption Setting

      Specify custom encryption configurations, including IKE configurations and IPsec configurations.

      Configure the following parameters. Keep other parameters at default values.

      • In the IKE Configurations, select des as the Encryption Algorithm.

      • In the IPsec Configurations, select des as the Encryption Algorithm.

      Note

      You need to select encryption parameters based on the on-premises gateway device to ensure that the encryption configurations for the IPsec connection are the same as those for the on-premises gateway device.

      BGP Configuration

      Tunnel CIDR Block

      Enter the CIDR block that is used for IPsec tunneling.

      The CIDR block must fall within 169.254.0.0/16. The mask of the CIDR block must be 30 bits in length.

      The CIDR block must fall into 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, or 169.254.169.252/30.

      In this example, 169.254.20.0/30 is entered.

      Local BGP IP address

      Enter a BGP IP address for the IPsec-VPN connection.

      This IP address must fall within the CIDR block of the IPsec tunnel.

      In this example, 169.254.20.1 is entered.

      Advanced Settings

      Enable or disable the advanced features for the IPsec-VPN connection.

      In this example, the advanced features are enabled.

      After the IPsec-VPN connections are created, the system assigns a gateway IP address to each IPsec-VPN connection. The gateway IP address is an endpoint on the Alibaba Cloud side of the IPsec-VPN connection. You can view the gateway IP address on the details page of the IPsec-VPN connection, as shown in the following figure. 查看私网IP地址

      Note
      • The system assigns gateway IP addresses to IPsec-VPN connections only after you associate the IPsec-VPN connections with transit routers. If the Associated Resource type of the IPsec-VPN connection is set to Not Bound or VPN Gateway when you create the IPsec-VPN connection, the system does not assign a gateway IP address to the IPsec-VPN connection.

      • After a private IPsec-VPN connection is associated with a transit router, the system automatically advertises the gateway IP address of the IPsec-VPN connection to the route table of the transit router.

  4. Download the configurations of the IPsec-VPN connection peer.

    Return to the IPsec-VPN Connections page, find the IPsec-VPN connection that you created, and click Download Peer Configuration in the Actions column.

  5. Add VPN and BGP configurations on the third-party SD-WAN appliance.

    After you create the IPsec-VPN connections, add VPN and BGP configurations on the third-party SD-WAN appliance based on the IPsec peer configurations and the following steps to create a VPN attachment between the third-party SD-WAN appliance and transit routers:

    Note

    In this example, a FortiGate firewall of v6.2.4 is used as an example. As the commands may vary with software versions, you can consult the firewall vendor or refer to their documents based on your actual environment. For more configuration examples, see On-premises gateway device configuration examples.

    The following content contains third-party product information, which is only for reference. Alibaba Cloud does not guarantee or make any form of commitments to the performance and reliability of these products, or the potential impacts of operations performed by using these products.

    1. Open the command-line interface (CLI) on the third-party SD-WAN appliance.

    2. Add configurations of IPsec-VPN phase 1 negotiation for the third-party SD-WAB appliance (IKE settings).

      # Add the IPsec-VPN phase 1 configuration for tunnel 1
      config vpn ipsec phase1-interface
       edit "to_aliyun_test1"
       set interface "port1"             # Use port1 to establish a VPN connection to the transit router.
       set ike-version 2
       set peertype any
       set net-device disable
       set proposal des-sha1             # Configure the phase 1 encryption algorithm and authentication algorithm. The settings must be consistent with the phase 1 configuration (IKE configuration) on the IPsec-VPN connection side.
       set localid-type address          # Specify the format of the local ID as an IP address, which must be consistent with the format of the Remote ID on the Alibaba Cloud IPsec-VPN connection.
       set dhgrp 2                       # Configure the phase 1 DH group. The settings must be consistent with the phase 1 configuration (IKE configuration) on the IPsec-VPN connection side.
       set remote-gw 192.168.168.1       # Specify the IP address of the peer of the third-party SD-WAN appliance, which is the gateway IP address of the IPsec-VPN connection.
       set psksecret fddsFF123****       # Specify the pre-shared key of the tunnel. The pre-shared key on the Alibaba Cloud IPsec-VPN connection side and the third-party SD-WAN appliance side must be consistent.
       next
      end
    3. Add configurations of IPsec-VPN phase 2 negotiation for the third-party SD-WAS appliance (IPsec settings).

      # Add the IPsec-VPN phase 2 configuration for the tunnel
      config vpn ipsec phase2-interface
          edit "to_aliyun_test1"
              set phase1name "to_aliyun_test1"    # Associate the tunnel with the phase1-interface.
              set proposal des-sha1               # Configure the phase 2 encryption algorithm and authentication algorithm. The settings must be consistent with the phase 2 configuration (IPsec configuration) on the IPsec-VPN connection side.
              set dhgrp 2                         # Configure the phase 2 DH group. The settings must be consistent with the phase 2 configuration (IPsec configuration) on the IPsec-VPN connection side.
              set auto-negotiate enable           
              set keylifeseconds 86400            # Configure the security association lifetime.
          next
      end
    4. Configure BGP IP addresses for the tunnel interface.

      config system interface
          edit "to_aliyun_test1"
              set ip 169.254.20.2 255.255.255.255          # Configure the BGP IP address of the tunnel interface.
              set type tunnel                              # Specify the tunnel port type.
              set remote-ip 169.254.20.1 255.255.255.255   # Specify the peer BGP IP address of the tunnel.
              set interface "port1"                        # Associate the tunnel with port1.
          next
      end
    5. Configure firewall policies.

      config firewall policy
          edit 1
              set name "forti_to_aliyun1"       # Configure the security policy from the third-party SD-WAN appliance to Alibaba Cloud.
              set srcintf "port1"               # The source interface is port1.
              set dstintf "to_aliyun_test1"     # The destination interface is the VPN connection tunnel interface.
              set srcaddr "all"                 # Match traffic from all source CIDR blocks.
              set dstaddr "all"                 # Match traffic to all destination CIDR blocks.
              set action accept                 # Allow traffic.
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "aliyun_to_forti1"       # Configure the security policy from Alibaba Cloud to the third-party SD-WAN appliance.
              set srcintf "to_aliyun_test1"     # The source interface is the VPN connection tunnel interface.
              set dstintf "port1"               # The destination interface is port1.
              set srcaddr "all"                 # Match traffic from all source CIDR blocks.
              set dstaddr "all"                 # Match traffic to all destination CIDR blocks.
              set action accept                 # Allow traffic.           
              set schedule "always"
              set service "ALL"
          next
      end
    6. Configure BGP dynamic routing.

      config router bgp
          set as 65534
          set router-id 172.16.0.15
          config neighbor
              edit "169.254.20.1"                       # Specify the peer BGP neighbor of the tunnel.
                  set remote-as 65531
              next
          end
          config network
              edit 1
                  set prefix 172.16.0.0 255.255.0.0    # Advertise the CIDR block in the security VPC that needs to communicate with other networks.
              next
          end
      end

Step 5: Configure the on-premises gateway devices

You need to add VPN and BGP configurations on On-premises Gateway 1, On-premises Gateway 2, and the third-party SD-WAN appliance. Then, On-premises Gateway 1, On-premises Gateway 2, and the third-party SD-WAN appliance can establish IPsec-VPN connections among each other and enable IDC1 and IDC2 to communicate with the VPCs and IDC1 to communicate with IDC2. You can refer to the following configuration examples.

Note
  • Use Auto Discovery VPN (ADVPN) to create a full mesh of IPsec-VPN connections between the third-party SD-WAN appliance and IDC1 and IDC2. For more information about ADVPN, see Fortinet Documents Library.

  • In this example, a FortiGate firewall of v6.2.4 is used as an example. As the commands may vary with software versions, you can consult the firewall vendor or refer to their documents based on your actual environment. For more configuration examples, see On-premises gateway device configuration examples.

Third-party SD-WAN appliance

  1. Make sure that UDP ports 500 and 5000 on the third-party SD-WAN appliance allow access from the public IP addresses of On-premises Gateway 1 and On-premises Gateway 2. For more information, see Add a security group rule.

  2. Open the CLI on the third-party SD-WAN appliance.

  3. Run the following command to add the IPsec-VPN phase 1 configuration.

    config vpn ipsec phase1-interface
        edit "HUB"                                              # Specify the third-party SD-WAN appliance as the hub.
            set type dynamic
            set interface "port1"                               # Use port1 to establish an IPsec-VPN connection to the data centers.
            set ike-version 2                                   # Specify IKEv2.
            set peertype any
            set net-device disable                              # Disable this feature.
            set proposal des-sha1                               # Configure the phase 1 encryption algorithm and authentication algorithm.
            set add-route disable                               # Disable automatic route adding.
            set dpd on-idle
            set wizard-type hub-fortigate-auto-discovery         
            set auto-discovery-sender enable                    # Enable this feature on the hub to receive and send spoke-to-spoke tunneling information.
            set network-overlay enable
            set network-id 1
            set psksecret fddsFF456****                         # Specify the pre-shared key.
            set dpd-retryinterval 60
        next
    end
                                    
  4. Run the following command to add the IPsec-VPN phase 2 configuration.

    config vpn ipsec phase2-interface
        edit "HUB"
            set phase1name "HUB"
            set proposal des-sha1                          # Configure the phase 2 encryption algorithm and authentication algorithm.
        next
    end
                                    
  5. Run the following command to configure the IPsec-VPN tunnel IP address.

    
    config system interface                            
        edit "HUB"
            set vdom "root"
            set ip 169.254.10.1 255.255.255.255            # Configure the tunnel IP address.
            set allowaccess ping
            set type tunnel                                # Specify the tunnel port type.
            set remote-ip 169.254.10.254 255.255.255.0     # Specify the peer IP address of the tunnel.
            set interface "port1"                          # Associate the tunnel with port1. 
        next
    end
    Important

    169.254.10.254 is a reserved IP address that is not used by spokes. An IPsec-VPN tunnel is a point-to-point tunnel. However, an ADVPN tunnel uses a hub-spoke distribution model. Therefore, you cannot set remote-ip to the IP address of a spoke.

  6. Run the following command to configure security policies on the third-party SD-WAN appliance to allow communication between the data centers and between the data centers and Alibaba Cloud.

    config firewall policy
        edit 7
            set name "HUB_to_SPOKE"               
            set srcintf "port1" "HUB" "to_aliyun_test1"     # The source interfaces are port1, HUB, and to_aliyun_test1.
            set dstintf "HUB" "port1" "to_aliyun_test1"     # The destination interfaces are port1, HUB, and to_aliyun_test1.
            set action accept                               # Allow traffic.
            set srcaddr "all"                               # Match traffic from all source CIDR blocks.
            set dstaddr "all"                               # Match traffic to all destination CIDR blocks.
            set schedule "always"
            set service "ALL"
        next
    end                              
  7. Run the following command to add BGP configurations.

    config router bgp
        set as 65534                                           # Specify 65534 as the BGP ASN of the third-party SD-WAN appliance.                                
        config neighbor-group                                  # Enable the neighbor-group attribute.
            edit "HUB_group"
                set next-hop-self enable
                set remote-as 65534                            # Specify the peer BGP ASN.
                set additional-path send
                set route-reflector-client enable              # Enable the route reflector feature and specify the third-party SD-WAN appliance as the route reflector.
            next
        end
        config neighbor-range                                           
            edit 1
                set prefix 169.254.10.0 255.255.255.0          # Specify that BGP neighbors who match the prefix list 169.254.10.0/24 can establish iBGP neighbor relationship with the hub.
                set neighbor-group "HUB_group"
            next
        end
    end                              

On-premises Gateway 1

  1. Open the CLI on the on-premises Gateway 1.

  2. Configure a default route to enable on-premises Gateway 1 to reach the public IP address of the third-party SD-WAN appliance.

    
                # Example: Port1 interface is associated with the public IP address 121.XX.XX.211. Set the default route to the Port1 gateway.
                config router static
                    edit 1
                        set device "port1"
                        set distance 5
                        set gateway 192.168.100.253
                    next
                end
    
                # To check the routing information, execute the command below.
                FortiGate-VM64-KVM # get router info routing-table all
                S*      0.0.0.0/0 [5/0] via 192.168.100.253, port1
            
  3. Run the following command to configure phase 1 of the IPsec-VPN.

    
                config vpn ipsec phase1-interface
                    edit "hz_sp"
                        set interface "port1"                           # Establish IPsec-VPN connection via port1 to the third-party SD-WAN appliance.
                        set ike-version 2                               # Use IKEv2.
                        set peertype any
                        set net-device disable                          # Disable net-device feature.
                        set proposal des-sha1                           # Set phase 1 encryption and authentication algorithms.
                        set localid "hzoffice1"
                        set dpd on-idle
                        set wizard-type spoke-fortigate-auto-discovery
                        set auto-discovery-receiver enable              # Enable auto-discovery receiver for spoke-to-spoke tunneling.
                        set network-overlay enable
                        set network-id 1
                        set remote-gw 42.XX.XX.129                      # Define the public IP address of the hub.
                        set psksecret fddsFF456****                     # Enter the pre-shared key, matching the hub's key.
                        set add-route disable                           # Turn off automatic route addition.
                    next
                end
            
  4. Enter the following command to add phase 2 configuration for the IPsec-VPN.

    
                config vpn ipsec phase2-interface
                    edit "hz_sp"
                        set phase1name "hz_sp"
                        set proposal des-sha1                         # Define phase 2 encryption and authentication algorithms.
                        set auto-negotiate enable                     # Activate auto-negotiation.
                    next
                end
            
  5. Use the command below to specify the IP address for the IPsec-VPN tunnel.

    
                config system interface
                    edit "hz_sp"
                        set vdom "root"
                        set ip 169.254.10.10 255.255.255.255           # Assign the tunnel IP address.
                        set allowaccess ping
                        set type tunnel                                # Designate the interface as a tunnel.
                        set remote-ip 169.254.10.254 255.255.255.0     # Define the tunnel's peer IP address.
                        set interface "port1"                          # Link the tunnel to port1.
                    next
                end
    
                config system interface                                # Create a loopback interface to represent a client in IDC1.
                    edit "loopback"
                        set vdom "root"
                        set ip 192.168.254.100 255.255.255.0
                        set allowaccess ping
                        set type loopback
                    next
                end
            
  6. Run the following command to establish security policies on on-premises Gateway 1, which enables communication between data centers and between data centers and Alibaba Cloud.

    
                config firewall policy
                    edit 3
                        set name "hz_sp_remote"                    # Set the security policy for IDC1.
                        set srcintf "hz_sp"  "loopback" "port1"    # Source interfaces include port1, hz_sp, and loopback.
                        set dstintf "loopback" "hz_sp" "port1"     # Destination interfaces include port1, hz_sp, and loopback.
                        set action accept                          # Permit the traffic flow.
                        set srcaddr "all"                          # Allow all source CIDR blocks.
                        set dstaddr "all"                          # Allow all destination CIDR blocks.
                        set schedule "always"
                        set service "ALL"
                    next
                end
            
  7. Run the following command to add BGP configurations.

    
                    config router bgp
                        set as 65534                                         # Define the BGP ASN for on-premises Gateway 1.
                        set network-import-check disable                     # Turn off route advertisement validation.
                        config neighbor
                            edit "169.254.10.1"                              # Initiate iBGP relationship with the third-party SD-WAN appliance.
                                set remote-as 65534                          # Set the BGP ASN for the third-party SD-WAN appliance.
                                set additional-path receive
                            next
                        end
                        config network
                            edit 1
                                set prefix 192.168.254.100 255.255.255.255   # Advertise the client address in IDC1 for VPC and IDC2 connectivity.
                            next
                        end
                    end
                

On-premises Gateway 2

  1. Open the CLI on the On-premises Gateway 2.

  2. Add a default route to enable On-premises Gateway 1 to access the public IP address of the third-party SD-WAN appliance.

    
    # Example: Port1 is associated with public IP 121.XX.XX.78. Set the default route to the Port1 gateway.
    config router static
        edit 1
            set device "port1"
            set distance 5
            set gateway 192.168.99.253
        next
    end
    
    # To check the routing information, execute:
    FortiGate-VM64-KVM # get router info routing-table all
    S*      0.0.0.0/0 [5/0] via 192.168.99.253, port1
            
  3. Run this command to configure IPsec-VPN phase 1 parameters.

    
    config vpn ipsec phase1-interface                        
        edit "hz_sp1"
            set interface "port1"                           # Establish IPsec-VPN via port1 to the SD-WAN appliance.
            set ike-version 2                               # Use IKEv2.
            set peertype any
            set net-device disable                          # Disable net-device.
            set proposal des-sha1                           # Set phase 1 encryption and authentication algorithms.
            set localid "hzoffice2"
            set dpd on-idle
            set wizard-type spoke-fortigate-auto-discovery  
            set auto-discovery-receiver enable               # Enable auto-discovery for spoke-to-spoke tunneling.
            set network-overlay enable
            set network-id 1
            set remote-gw 42.XX.XX.129                       # Define the hub's public IP.
            set psksecret fddsFF456****                      # Enter the matching pre-shared key.
            set add-route disable                            # Turn off automatic route addition. 
        next
    end
                
  4. Run the following command to set up IPsec-VPN phase 2 parameters.

    
    config vpn ipsec phase2-interface
        edit "hz_sp1"
            set phase1name "hz_sp1"
            set proposal des-sha1                         # Set phase 2 encryption and authentication algorithms.
            set auto-negotiate enable                     # Enable auto-negotiation.    
        next
    end
                
  5. Use this command to assign the IPsec-VPN tunnel IP address:

    
    config system interface
        edit "hz_sp1"
            set vdom "root"
            set ip 169.254.10.11 255.255.255.255           # Set the tunnel IP address.
            set allowaccess ping
            set type tunnel                                # Define tunnel interface type.
            set remote-ip 169.254.10.254 255.255.255.0     # Specify the tunnel's peer IP address.
            set interface "port1"                          # Link the tunnel to port1. 
        next
    end
    
    config system interface                                # Create a loopback for a simulated IDC2 client.
        edit "loopback"
             set vdom "root"
             set ip 192.168.100.104 255.255.255.0
             set allowaccess ping
             set type loopback
    end
                
  6. Run the following command to configure security policies on On-premises Gateway 2, which enable communication between data centers and between data centers and Alibaba Cloud.

    
    config firewall policy
        edit 3
            set name "hz_sp1_remote"                  # Set the IDC2 security policy.
            set srcintf "hz_sp1" "loopback" "port1"   # Source interfaces: port1, hz_sp1, loopback.
            set dstintf "loopback" "hz_sp1" "port1"   # Destination interfaces: port1, hz_sp1, loopback.
            set action accept                         # Permit traffic flow.
            set srcaddr "all"                         # Include all source CIDR blocks.
            set dstaddr "all"                         # Include all destination CIDR blocks.
            set schedule "always"
            set service "ALL"
        next
    end
                
  7. Run the following command to add BGP configurations.

    
    config router bgp
        set as 65534                                          # Assign the BGP ASN for On-premises Gateway 2.
        set network-import-check disable                      # Turn off route advertisement verification.
        config neighbor
            edit "169.254.10.1"                               # Set up iBGP with the SD-WAN appliance.
                set remote-as 65534                           # Define the appliance's BGP ASN.
                set additional-path receive                                
            next
        end
        config network
            edit 1
                set prefix 192.168.254.104 255.255.255.255    # Advertise the IDC2 client address for VPC and IDC1 connectivity.
            next
        end
    end
                

Step 6: Test the connectivity

After you complete the preceding steps, the data centers are connected to the VPCs. This step shows how to test network connectivity among the data centers and the VPCs.

Note

Before running the connectivity tests, make sure that you understand the security group rules for the ECS instances in the VPCs and the access control policies in the data centers. Ensure that these rules and policies permit communication among the data centers, between the data centers and ECS instances, and among the ECS instances. For more information about security group rules, see View security group rules and Add a security group rule.

  1. Test the connectivity between IDC1 and VPC1, VPC2, and IDC2.

    1. Open the CLI in the IDC1 client.

    2. Run the ping command from the client to test connectivity with ECS1 in VPC1, ECS1 in VPC2, and a client in IDC2.

      SD-WAN-IDC1TOremotAs shown in the preceding figure, if IDC1 gets returned messages, it means IDC1 can access resources in VPC1, VPC2, and IDC2.

  2. Test the connectivity between IDC2 and VPC1, VPC2, and IDC1.

    1. Open the CLI of the client in IDC2.

    2. Run the ping command from the client to test connectivity with ECS1 in VPC1, ECS1 in VPC2, and a client in IDC1.

      SD-WAN-IDC2TOremoteAs shown in the preceding figure, if IDC2 gets the returned messages, it means IDC2 can access resources in VPC1, VPC2, and IDC1.

  3. Test the connectivity between VPC1 and two IDCs.

    1. Log on to the ECS1 instance in VPC1. For more information, see ECS remote connection guide.

    2. Run the ping command on the ECS1 instance to test connectivity with clients in IDC1 and IDC2.

      ping <IP address of the IDC client>

      SD-WAN-VPC1TOIDC

      The preceding figure indicates that VPC1 can access resources in IDC1 and IDC2, as the ECS1 instance gets returned messages.

  4. Test the connectivity between VPC2 and two IDCs.

    1. Log on to the ECS1 instance in VPC2. For more information, see the ECS remote connection guide.

    2. Run the ping command on the ECS1 instance to test connectivity with clients in IDC1 and IDC2.

      ping <IP address of the IDC client>

      SD-WAN-VPC2toIDC

      The preceding figure indicates that VPC2 can access resources in IDC1 and IDC2, as the ECS1 instance gets returned messages.

  5. Test the connectivity between VPC1 and VPC2.

    1. Log on to the ECS1 instance in VPC1. For more information, consult the ECS remote connection guide.

    2. Run the ping command on the ECS1 instance to test connectivity with the ECS1 instance in VPC2.

      ping <IP address of the ECS instance>

      SD-WAN-VPC1TOVPC2

      The preceding figure shows that ECS1 in VPC1 can access resources in VPC2, as the ECS1 instance gets returned messages.

    3. Log on to the ECS1 instance in VPC2. For more information, see the ECS remote connection guide.

    4. Run the ping command on the ECS1 instance to test connectivity with the ECS1 instance in VPC1.

      ping <IP address of the ECS instance>

      SD-WAN-VPC2TOVPC1

      The preceding figure indicates that VPC2 can access resources in VPC1, as the ECS1 instance gets the returned messages.