ALIYUN::VPC::VpnAttachment is used to create an IPsec-VPN connection and associate it with a transit router.
Syntax
{
  "Type": "ALIYUN::VPC::VpnAttachment",
  "Properties": {
    "LocalSubnet": String,
    "CustomerGatewayId": String,
    "AutoConfigRoute": Boolean,
    "Name": String,
    "EffectImmediately": Boolean,
    "BgpConfig": Map,
    "RemoteSubnet": String,
    "RemoteCaCert": String,
    "IpsecConfig": Map,
    "NetworkType": String,
    "HealthCheckConfig": Map,
    "EnableNatTraversal": Boolean,
    "IkeConfig": Map,
    "EnableDpd": Boolean
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
LocalSubnet | String | Yes | Yes | The CIDR blocks on the virtual private cloud (VPC) side. The CIDR blocks are used in Phase 2 negotiations as the local traffic selectors. | Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. Two routing modes are supported for the IPsec-VPN connection: destination routing mode, in which LocalSubnet (and RemoteSubnet) is set to 0.0.0.0/0 so that the selectors match all traffic and forwarding is controlled by routes; and protected data flow mode, in which LocalSubnet lists exactly the VPC-side CIDR blocks that the tunnel protects. Example: 10.1.1.0/24,10.1.2.0/24. |
CustomerGatewayId | String | Yes | No | The ID of the customer gateway. | None. |
AutoConfigRoute | Boolean | No | Yes | Specifies whether to automatically configure routes for the IPsec-VPN connection. | Valid values: true and false. |
Name | String | No | Yes | The name of the IPsec-VPN connection. | None. |
EffectImmediately | Boolean | No | Yes | Specifies whether to immediately start IPsec negotiations after the configuration takes effect. | Valid values: true and false. |
BgpConfig | Map | No | Yes | The Border Gateway Protocol (BGP) configurations. | For more information, see BgpConfig properties. Note Before you configure BGP, we recommend that you familiarize yourself with the implementation mechanism and the limits of BGP dynamic routing. For more information, see VPN Gateway supports BGP dynamic routing. We recommend that you use a private autonomous system number (ASN) to establish a connection with Alibaba Cloud over BGP. The private ASN ranges are 64512 to 65534 (16-bit ASNs) and 4200000000 to 4294967294 (32-bit ASNs). |
RemoteSubnet | String | Yes | Yes | The CIDR blocks on the data center side. The CIDR blocks are used in Phase 2 negotiations as the remote traffic selectors. | Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. The same two routing modes as for LocalSubnet apply: set RemoteSubnet to 0.0.0.0/0 for destination routing mode, or list the data center CIDR blocks to be protected for protected data flow mode. Example: 10.1.3.0/24,10.1.4.0/24. |
RemoteCaCert | String | No | No | The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection. | The value is the PEM-encoded certificate of the CA that issued the data center gateway's certificate. |
IpsecConfig | Map | No | Yes | The configurations of Phase 2 negotiations. | For more information, see IpsecConfig properties. |
NetworkType | String | No | No | The network type of the IPsec-VPN connection. | Valid values: public (the connection is established over the Internet) and private (the connection is established over a private network). |
HealthCheckConfig | Map | No | Yes | The health check configurations. | For more information, see HealthCheckConfig properties. |
EnableNatTraversal | Boolean | No | Yes | Specifies whether to enable NAT traversal. | Valid values: true and false. Enable it when the customer gateway or the VPN gateway sits behind a NAT device: NAT traversal encapsulates ESP in UDP (port 4500) so that the packets survive address translation. |
IkeConfig | Map | No | Yes | The configurations of Phase 1 negotiations. | For more information, see IkeConfig properties. |
EnableDpd | Boolean | No | Yes | Specifies whether to enable the dead peer detection (DPD) feature. | Valid values: true and false. With DPD enabled, the gateway probes an idle peer and tears down the security associations of a peer that no longer responds, instead of keeping stale tunnels up until the lifetime expires. |
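A complete template around this resource, as an added example that is not part of the original page and not ROS's own sample code: the script below builds the ROS template in the same JSON shape the Syntax section shows, wires the pre-shared key through a NoEcho parameter instead of a literal, and checks that no VpnAttachment in the template hard-codes a PSK. The customer gateway ID, the subnets, the BGP tunnel addresses and the health check addresses are constructed placeholders; the algorithm identifiers (ikev2, main, aes256, sha256, group14), the NetworkType value public and the health check policy revoke_route follow the Alibaba IPsec-VPN API naming and are assumptions to confirm against the console of your region before use.

```python
import json

# Constructed placeholders so the template is concrete; none is a real resource ID.
CUSTOMER_GATEWAY_ID = "cgw-example00000000001"
LOCAL_SUBNETS = "10.1.1.0/24,10.1.2.0/24"    # VPC side (page example)
REMOTE_SUBNETS = "10.1.3.0/24,10.1.4.0/24"   # data center side (page example)


def build_vpn_attachment_template(customer_gateway_id, local_subnets, remote_subnets,
                                  local_asn=45104):
    """Return an ROS template (dict) that declares one ALIYUN::VPC::VpnAttachment.

    The settings are this example's recommendations, not defaults from the page:
    IKEv2 in main mode, AES-256/SHA-256 in both phases, DH group14 for PFS, a
    shorter Phase 2 lifetime, BGP over a /30 inside 169.254.0.0/16, health checks
    that withdraw routes on failure, and the PSK taken from a NoEcho parameter so
    the secret never appears in the template body or in stack views.
    """
    return {
        "ROSTemplateFormatVersion": "2015-09-01",
        "Parameters": {
            "Psk": {
                "Type": "String",
                "NoEcho": True,  # hide the value wherever the stack's parameters are displayed
                "Description": "Pre-shared key; must match the data center side exactly.",
            }
        },
        "Resources": {
            "VpnAttachment": {
                "Type": "ALIYUN::VPC::VpnAttachment",
                "Properties": {
                    "Name": "dc-to-vpc-ipsec",
                    "CustomerGatewayId": customer_gateway_id,
                    "LocalSubnet": local_subnets,      # Phase 2 selectors, VPC side
                    "RemoteSubnet": remote_subnets,    # Phase 2 selectors, data center side
                    "NetworkType": "public",
                    "AutoConfigRoute": True,
                    "EffectImmediately": True,
                    "EnableNatTraversal": True,        # customer gateway may sit behind NAT
                    "EnableDpd": True,                 # tear down SAs to a dead peer
                    "IkeConfig": {                     # Phase 1
                        "IkeVersion": "ikev2",
                        "IkeMode": "main",
                        "IkeEncAlg": "aes256",
                        "IkeAuthAlg": "sha256",
                        "IkePfs": "group14",
                        "IkeLifetime": 86400,
                        "Psk": {"Ref": "Psk"},        # never a literal string here
                    },
                    "IpsecConfig": {                   # Phase 2
                        "IpsecEncAlg": "aes256",
                        "IpsecAuthAlg": "sha256",
                        "IpsecPfs": "group14",
                        "IpsecLifetime": 3600,         # rekey traffic keys hourly
                    },
                    "BgpConfig": {
                        "EnableBgp": True,
                        "LocalAsn": local_asn,
                        "TunnelCidr": "169.254.10.0/30",
                        "LocalBgpIp": "169.254.10.1",  # must lie inside TunnelCidr
                    },
                    "HealthCheckConfig": {
                        "Enable": True,
                        "Policy": "revoke_route",      # withdraw routes when probes fail
                        "Sip": "10.1.1.10",            # an address inside LocalSubnet
                        "Dip": "10.1.3.10",            # an address inside RemoteSubnet
                        "Interval": 3,
                        "Retry": 3,
                    },
                },
            }
        },
        "Outputs": {
            "VpnAttachmentId": {"Value": {"Fn::GetAtt": ["VpnAttachment", "VpnAttachmentId"]}},
            "InternetIp": {"Value": {"Fn::GetAtt": ["VpnAttachment", "InternetIp"]}},
        },
    }


def template_hardcodes_psk(template):
    """True if any VpnAttachment resource carries a literal PSK instead of a Ref."""
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "ALIYUN::VPC::VpnAttachment":
            continue
        psk = res.get("Properties", {}).get("IkeConfig", {}).get("Psk")
        if isinstance(psk, str):
            return True
    return False


def to_json(template):
    """Serialise in the same JSON form the Syntax section uses."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    tpl = build_vpn_attachment_template(CUSTOMER_GATEWAY_ID, LOCAL_SUBNETS, REMOTE_SUBNETS)
    print(to_json(tpl))
```

Run the script and feed its output to ROS as the template body, supplying the Psk parameter at stack creation time; the hard-coding check is the kind of guard worth running in CI over every template that declares this resource, since a literal PSK in a template ends up in version control and in every stack view.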
BgpConfig syntax
"BgpConfig": {
  "EnableBgp": Boolean,
  "LocalAsn": Number,
  "TunnelCidr": String,
  "LocalBgpIp": String
}
BgpConfig properties
Property | Type | Required | Editable | Description | Constraint |
EnableBgp | Boolean | No | No | Specifies whether to enable the BGP feature. | Valid values: true and false. |
LocalAsn | Number | No | Yes | The ASN on the Alibaba Cloud side. | Valid values: 1 to 4294967295. Default value: 45104. |
TunnelCidr | String | No | Yes | The CIDR block of the IPsec-VPN tunnel. | The CIDR block must belong to 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. |
LocalBgpIp | String | No | Yes | The BGP IP address on the Alibaba Cloud side. | The IP address must fall within the CIDR block range of the IPsec-VPN tunnel. |
IpsecConfig syntax
"IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}
IpsecConfig properties
Property | Type | Required | Editable | Description | Constraint |
IpsecPfs | String | No | Yes | The Diffie-Hellman (DH) group that is used for perfect forward secrecy (PFS) in Phase 2 negotiations. | Valid values include disabled (no PFS) and DH groups such as group1, group2, group5 and group14. Keep PFS enabled and use group14 (2048-bit MODP) or stronger; group1 and group2 (768-bit and 1024-bit MODP) are too weak for current use. |
IpsecEncAlg | String | No | Yes | The encryption algorithm that is used in Phase 2 negotiations. | Valid values include aes, aes192, aes256, des and 3des. Use aes256, or at least aes; des and 3des exist only for legacy peers. |
IpsecAuthAlg | String | No | Yes | The authentication (integrity) algorithm that is used in Phase 2 negotiations. | Valid values include md5, sha1, sha256, sha384 and sha512. Use sha256 or stronger; md5 and sha1 exist only for legacy peers. |
IpsecLifetime | Integer | No | Yes | The SA lifetime that is determined by Phase 2 negotiations. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. Phase 2 keys protect the actual traffic, so a lifetime well below the maximum (for example 3600) limits how much data any single key protects. |
HealthCheckConfig syntax
"HealthCheckConfig": {
  "Policy": String,
  "Enable": Boolean,
  "Dip": String,
  "Retry": Integer,
  "Sip": String,
  "Interval": Integer
}
HealthCheckConfig properties
Property | Type | Required | Editable | Description | Constraint |
Policy | String | No | Yes | Specifies whether to withdraw published routes when the health check fails. | Valid values: revoke_route (withdraw the published routes when the health check fails, so that traffic fails over to another path) and reserve_route (keep the routes published). |
Enable | Boolean | No | Yes | Specifies whether to enable the health check feature. | Valid values: true and false. |
Dip | String | No | Yes | The destination IP address that is used for health checks. | Specify the IP address of the data center with which the VPC can communicate based on the IPsec-VPN connection. |
Retry | Integer | No | Yes | The maximum number of health check retries. | Default value: 3. |
Sip | String | No | Yes | The source IP address that is used for health checks. | Specify the IP address of the VPC with which the data center can communicate based on the IPsec-VPN connection. |
Interval | Integer | No | Yes | The interval between two consecutive health check retries. | Unit: seconds. Default value: 3. |
IkeConfig syntax
"IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "Psk": String,
  "IkePfs": String
}
IkeConfig properties
Property | Type | Required | Editable | Description | Constraint |
IkeAuthAlg | String | No | Yes | The authentication (integrity and PRF) algorithm that is used in Phase 1 negotiations. | Valid values include md5, sha1, sha256, sha384 and sha512. Use sha256 or stronger; md5 and sha1 exist only for legacy peers. |
LocalId | String | No | Yes | The identifier of the IPsec-VPN connection on the Alibaba Cloud side. | The identifier can be up to 100 characters in length. By default, this property is empty. |
IkeEncAlg | String | No | Yes | The encryption algorithm that is used in Phase 1 negotiations. | Valid values include aes, aes192, aes256, des and 3des. Use aes256, or at least aes; des and 3des exist only for legacy peers. |
IkeVersion | String | No | Yes | The version of the IKE protocol. | Valid values: ikev1 and ikev2. IKEv2 has dead peer detection and NAT traversal built into the base protocol, a simpler exchange, and no aggressive mode; use it whenever the customer gateway supports it. |
IkeMode | String | No | Yes | The negotiation mode (IKEv1 only). | Valid values: main and aggressive. Main mode exchanges the peer identities only after the Diffie-Hellman exchange, so they and the PSK-based authentication are protected; aggressive mode sends the identity in the clear and lets a passive observer capture a hash derived from the pre-shared key for offline guessing. Use main mode unless the peer device cannot support it. |
IkeLifetime | Integer | No | Yes | The SA lifetime that is determined by Phase 1 negotiations. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
RemoteId | String | No | Yes | The identifier of the IPsec-VPN connection on the data center side. | The identifier can be up to 100 characters in length. The default value is the IP address of the customer gateway. |
Psk | String | No | Yes | The pre-shared key that is used for identity authentication between the VPN gateway and the data center. | Length and character-set limits apply to the key. Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway. Treat the key as a secret: generate it from a cryptographically secure random source, supply it through a template parameter with NoEcho set to true rather than as a literal in the template body, and rotate it on both sides together. |
IkePfs | String | No | Yes | The DH group that is used for the key exchange in Phase 1 negotiations. | Valid values include group1, group2, group5 and group14. Use group14 (2048-bit MODP) or stronger; group1 and group2 are too weak for current use. |
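The constraints spread across the BgpConfig, IpsecConfig, HealthCheckConfig and IkeConfig tables are easy to get wrong in a template and are only reported when the stack fails. The following validator, added here as an example and not part of the page or of ROS, checks a Properties map against the documented constraints before the template is submitted: required properties, parseable comma-separated CIDR lists, a /30 TunnelCidr inside 169.254.0.0/16 that contains LocalBgpIp, LocalAsn and lifetime ranges, the 100-character identifier limit, and health check addresses that fall inside LocalSubnet and RemoteSubnet. It also emits warnings for weak but legal choices (ikev1, aggressive mode, a short literal PSK); those warnings are this example's recommendations. The two property sets at the bottom are constructed samples, and the customer gateway ID in them is a placeholder.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # TunnelCidr must be a /30 inside this block
LIFETIME_MAX = 86400                                  # IkeLifetime / IpsecLifetime upper bound (seconds)
ID_MAX_LEN = 100                                      # LocalId / RemoteId maximum length
ASN_MIN, ASN_MAX = 1, 4294967295                      # LocalAsn range


def _cidr_list(value):
    """Parse the comma-separated CIDR list format of LocalSubnet / RemoteSubnet."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in value.split(",") if c.strip()]


def validate_vpn_attachment(props):
    """Check a VpnAttachment Properties dict; return {"errors": [...], "warnings": [...]}.

    Errors are violations of the documented constraints; warnings are weak settings
    that the service accepts but a security review would flag.
    """
    errors, warnings = [], []

    for key in ("LocalSubnet", "RemoteSubnet", "CustomerGatewayId"):
        if not props.get(key):
            errors.append(f"{key} is required")
    subnets = {}
    for key in ("LocalSubnet", "RemoteSubnet"):
        if props.get(key):
            try:
                subnets[key] = _cidr_list(props[key])
            except ValueError as exc:
                errors.append(f"{key}: {exc}")

    bgp = props.get("BgpConfig") or {}
    if bgp.get("EnableBgp"):
        asn = bgp.get("LocalAsn")
        if asn is not None and not ASN_MIN <= int(asn) <= ASN_MAX:
            errors.append(f"BgpConfig.LocalAsn {asn} outside {ASN_MIN}-{ASN_MAX}")
        try:
            tunnel = ipaddress.ip_network(bgp["TunnelCidr"], strict=True)
            if tunnel.prefixlen != 30 or not (tunnel.version == 4 and tunnel.subnet_of(LINK_LOCAL)):
                errors.append(f"BgpConfig.TunnelCidr {tunnel} must be a /30 inside {LINK_LOCAL}")
            if "LocalBgpIp" in bgp and ipaddress.ip_address(bgp["LocalBgpIp"]) not in tunnel:
                errors.append(f"BgpConfig.LocalBgpIp {bgp['LocalBgpIp']} not inside TunnelCidr {tunnel}")
        except (KeyError, ValueError) as exc:
            errors.append(f"BgpConfig.TunnelCidr/LocalBgpIp invalid: {exc!r}")

    ike = props.get("IkeConfig") or {}
    ipsec = props.get("IpsecConfig") or {}
    for key in ("LocalId", "RemoteId"):
        if key in ike and len(str(ike[key])) > ID_MAX_LEN:
            errors.append(f"IkeConfig.{key} longer than {ID_MAX_LEN} characters")
    for section, cfg, key in (("IkeConfig", ike, "IkeLifetime"), ("IpsecConfig", ipsec, "IpsecLifetime")):
        if key in cfg and not 0 <= int(cfg[key]) <= LIFETIME_MAX:
            errors.append(f"{section}.{key} outside 0-{LIFETIME_MAX}")

    # Security posture checks (this example's recommendations, not page rules).
    if str(ike.get("IkeMode", "main")).lower() == "aggressive":
        warnings.append("IkeMode aggressive: identity sent in the clear and PSK hash exposed to offline guessing; use main")
    if str(ike.get("IkeVersion", "")).lower() == "ikev1":
        warnings.append("IkeVersion ikev1: prefer ikev2")
    psk = ike.get("Psk")
    if isinstance(psk, str) and len(psk) < 20:
        warnings.append("IkeConfig.Psk is a short literal; use a long random key supplied as a NoEcho parameter")

    hc = props.get("HealthCheckConfig") or {}
    if hc.get("Enable"):
        for key, side in (("Sip", "LocalSubnet"), ("Dip", "RemoteSubnet")):
            try:
                addr = ipaddress.ip_address(hc[key])
                if side in subnets and not any(addr in net for net in subnets[side]):
                    errors.append(f"HealthCheckConfig.{key} {addr} is not inside {side}")
            except (KeyError, ValueError):
                errors.append(f"HealthCheckConfig.{key} missing or not an IP address")
        for key in ("Interval", "Retry"):
            if key in hc and int(hc[key]) <= 0:
                errors.append(f"HealthCheckConfig.{key} must be positive")

    return {"errors": errors, "warnings": warnings}


# Constructed sample: a sound configuration in protected data flow mode.
GOOD_PROPS = {
    "CustomerGatewayId": "cgw-example00000000001",   # placeholder, not a real ID
    "LocalSubnet": "10.1.1.0/24,10.1.2.0/24",
    "RemoteSubnet": "10.1.3.0/24,10.1.4.0/24",
    "BgpConfig": {"EnableBgp": True, "LocalAsn": 45104, "TunnelCidr": "169.254.10.0/30", "LocalBgpIp": "169.254.10.1"},
    "IkeConfig": {"IkeVersion": "ikev2", "IkeMode": "main", "IkeLifetime": 86400, "Psk": {"Ref": "Psk"}},
    "IpsecConfig": {"IpsecLifetime": 3600},
    "HealthCheckConfig": {"Enable": True, "Sip": "10.1.1.10", "Dip": "10.1.3.10", "Interval": 3, "Retry": 3},
}

# Constructed sample with seven constraint violations and three weak settings.
BAD_PROPS = {
    "CustomerGatewayId": "cgw-example00000000001",
    "LocalSubnet": "10.1.1.1/24",                       # host bits set
    "RemoteSubnet": "10.1.3.0/24",
    "BgpConfig": {"EnableBgp": True, "LocalAsn": 0, "TunnelCidr": "10.0.0.0/30", "LocalBgpIp": "169.254.10.1"},
    "IkeConfig": {"IkeVersion": "ikev1", "IkeMode": "aggressive", "IkeLifetime": 90000, "Psk": "secret"},
    "IpsecConfig": {"IpsecLifetime": 86400},
    "HealthCheckConfig": {"Enable": True, "Sip": "10.1.1.10", "Dip": "192.0.2.10", "Interval": 0, "Retry": 3},
}

if __name__ == "__main__":
    for name, props in (("good", GOOD_PROPS), ("bad", BAD_PROPS)):
        print(name, validate_vpn_attachment(props))
```

The Sip/Dip containment check is this example's interpretation of the table's "IP address of the VPC" and "IP address of the data center" wording; under destination routing mode (0.0.0.0/0 on both sides) it passes trivially, which is the intended behaviour.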
Return values
Fn::GetAtt
InternetIp: the gateway address of the IPsec-VPN connection.
VpnAttachmentId: the ID of the IPsec-VPN connection.
PeerVpnAttachmentConfig: the configurations of the IPsec-VPN connection.