VPN Gateway:Encrypt private connections by using BGP routing

Updated: May 08, 2024

This topic describes how to encrypt the private connection between a data center and a virtual private cloud (VPC) by using a private VPN gateway (hereafter referred to as "VPN gateway"). To encrypt the private connection between a data center and a VPC, you can configure BGP routing for the VPN gateway and the virtual border router (VBR) that connects the data center to the VPC.

Background information

Before you encrypt private connections by using static routing and BGP routing, we recommend that you understand how private connections are encrypted and the configuration methods. For more information, see Overview of configuration methods.

Scenarios

Diagram

The preceding scenario is used as an example in this topic. An enterprise owns a data center in Hangzhou and has a VPC (VPC1) deployed in the China (Hangzhou) region. Applications are deployed on Elastic Compute Service (ECS) instances in VPC1. Due to business growth, the enterprise wants to connect VPC1 to the data center through an Express Connect circuit and CEN. In addition, the enterprise wants to encrypt the connection between VPC1 and the data center due to security concerns.

After VPC1 is connected to the data center through CEN and an Express Connect circuit, the enterprise can create a VPN gateway in VPC1 and establish an IPsec-VPN connection between the VPN gateway and an on-premises gateway device. Then, the enterprise can configure BGP routing for both the VBR and VPN gateway to encrypt the private connection.

Preparations

  • Before you use private VPN gateways, you must apply for the required permissions from your account manager or submit a ticket to obtain the permissions.

  • You must plan networks for the data center and network instances. Make sure that the CIDR block of the data center does not overlap with those of the network instances. The following list describes the CIDR blocks and IP addresses used in this example.

    VPC1

    • CIDR blocks: primary CIDR block 10.0.0.0/16; vSwitch1 10.0.0.0/24; vSwitch2 10.0.1.0/24

    • IP addresses: ECS1 10.0.1.1; ECS2 10.0.1.2

    VBR

    • CIDR block: 10.0.0.0/30

    • VLAN ID: 201

    • IPv4 address on the Alibaba Cloud side: 10.0.0.2/30

    • IPv4 address on the user side: 10.0.0.1/30. In this example, this is the IPv4 address of the gateway device in the data center.

    • Autonomous system number (ASN): 45104. By default, the ASN of the VBR is 45104 and cannot be changed.

    Data center

    • CIDR blocks: primary CIDR block 192.168.0.0/16; Subnet1 192.168.0.0/24; Subnet2 192.168.1.0/24

    • IP address: client 192.168.1.1

    On-premises gateway device

    • CIDR blocks: 10.0.0.0/30; 192.168.0.0/24

    • VPN IP address: 192.168.0.251. This is the IP address of the interface of the on-premises gateway device that connects to the VPN gateway.

    • IP address of the interface connected to the Express Connect circuit: 10.0.0.1

    • ASN: 65530

  • VPC1 is deployed in the China (Hangzhou) region and applications are deployed on the ECS instances in VPC1. For more information, see Create and manage a VPC.

    Make sure that VPC1 in the China (Hangzhou) region contains at least two vSwitches in different zones that support Enterprise Edition transit routers. In addition, each vSwitch must have at least one idle IP address. This way, VPC1 can be attached to a CEN instance. For more information, see Connect VPCs.

    In this example, VPC1 contains two vSwitches (vSwitch1 and vSwitch2). vSwitch1 is deployed in Zone H and vSwitch2 is deployed in Zone I. ECS instances are deployed on vSwitch2. vSwitch1 is used only to associate the VPN gateway.

    Note

    When you create a VPC, we recommend that you create a dedicated vSwitch in the VPC for the VPN gateway. This way, the vSwitch can allocate a private IP address to the VPN gateway.

  • Check the gateway device in the data center. Make sure that it supports the standard IKEv1 or IKEv2 protocol; this example uses IKEv2, which is the preferred version when the device supports it. To check whether the gateway device supports these protocols, contact the gateway vendor.

  • Take note of the security group rules that apply to the ECS instances in VPC1 and the access control list (ACL) rules that apply to the client in the data center. Make sure that the rules allow the ECS instances in VPC1 to communicate with the client in the data center. For more information, see View security group rules and Add a security group rule.

Procedure

Step 1: Deploy an Express Connect circuit

You must deploy an Express Connect circuit to connect the data center to Alibaba Cloud.

  1. Create an Express Connect circuit.

    You must apply for an Express Connect circuit in the China (Hangzhou) region. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview of hosted connections.

    In this example, a dedicated connection over an Express Connect circuit is created.

  2. Create a VBR.

    1. Log on to the Express Connect console.

    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).

    3. In the top navigation bar, select the region where you want to create a VBR.

      In this example, the China (Hangzhou) region is selected.

    4. On the Virtual Border Routers (VBRs) page, click Create VBR.

    5. In the Create VBR panel, set the following parameters and click OK.

      The following table describes only the key parameters. For more information about the other parameters, see Create and manage a VBR.

      • Account: In this example, Current account is selected.

      • Name: In this example, VBR is used.

      • Physical Connection Interface: In this example, Dedicated Physical Connection is selected, and the Express Connect circuit created in Step 1 is selected.

      • VLAN ID: In this example, 201 is used.

        Note

        Make sure that the VLAN ID of the VBR is the same as the VLAN ID of the interface that the on-premises gateway device uses to connect to the Express Connect circuit.

      • Set VBR Bandwidth Value: Specify a maximum bandwidth value for the VBR.

      • Peer IPv4 Address of Gateway at Alibaba Cloud Side: In this example, 10.0.0.2 is used.

      • Peer IPv4 Address of Gateway at Customer Side: In this example, 10.0.0.1 is used.

      • Subnet Mask (IPv4 Address): In this example, 255.255.255.252 is used.

  3. Configure a BGP group for the VBR.

    1. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

    2. On the details page, click the BGP Groups tab.

    3. On the BGP Groups tab, click Create BGP Group, set the following parameters, and click OK.

      The following section describes only the key parameters. For more information about the other parameters, see Configure and manage BGP.

      • Name: Enter a name for the BGP group. In this example, VBR-BGP is entered.

      • Peer ASN: Enter the ASN of the on-premises gateway device. In this example, 65530 is used.

  4. Configure a BGP peer for the VBR.

    1. On the VBR details page, click the BGP Peers tab.

    2. On the BGP Peers tab, click Create BGP Peer.

    3. In the Create BGP Peer panel, set the following parameters and click OK:

      • BGP Group: Select a BGP group.

        In this example, VBR-BGP is selected.

      • BGP Peer IP Address: Enter the IP address of the BGP peer.

        In this example, the IP address 10.0.0.1 is entered. This is the IP address of the interface that the on-premises gateway device uses to connect to the Express Connect circuit.

  5. Configure BGP routing for the on-premises gateway device.

    The following configurations are used for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

    router bgp 65530                         //Enable BGP and configure the ASN of the data center. In this example, 65530 is used. 
    bgp router-id 10.0.0.1                   //Enter the ID of the BGP router. In this example, 10.0.0.1 is used. 
    bgp log-neighbor-changes
    neighbor 10.0.0.2 remote-as 45104        //Establish a peering connection to the VBR. 
    !
    address-family ipv4
    network 192.168.0.0 mask 255.255.0.0     //Advertise the CIDR block of the data center. 
    neighbor 10.0.0.2 activate               //Activate the BGP peer. 
    exit-address-family
    !

Step 2: Configure a CEN instance

You must attach VPC1 and the VBR to a CEN instance. Then, the data center and VPC1 can communicate with each other through CEN.

  1. Create a CEN instance.

    1. Log on to the CEN console.

    2. On the Instances page, click Create CEN Instance.

    3. In the Create CEN Instance dialog box, configure the following parameters and click OK.

      • Name: Enter a name for the CEN instance.

        In this example, CEN is used.

      • Description: Enter a description for the CEN instance.

        In this example, CEN-for-test-private-VPN-Gateway is used.

  2. Attach VPC1 to the CEN instance

    1. On the Instances page, click the ID of the CEN instance created in Step 1.

    2. In the VPC section of the Basic Settings tab, click the add icon.

    3. On the Connection with Peer Network Instance page, configure the following parameters and click OK:

      • Network Type: Select the type of network instance that you want to attach. In this example, VPC is selected.

      • Region: Select the region where the network instance is deployed. In this example, the China (Hangzhou) region is selected.

      • Transit Router: The system automatically creates a transit router in the selected region.

      • Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs. In this example, Current Account is selected.

      • Billing Method: In this example, the default value Pay-As-You-Go is selected. For more information, see Billing.

      • Attachment Name: Enter a name for the network connection. In this example, VPC1-test is used.

      • Network Instance: Select the ID of the network instance that you want to attach. In this example, VPC1 is selected.

      • VSwitch: Select vSwitches that are deployed in zones supported by the transit router.

        • If the Enterprise Edition transit router is deployed in a region that supports only one zone, select a vSwitch in that zone.

        • If the Enterprise Edition transit router is deployed in a region that supports multiple zones, select at least two vSwitches in different zones. The two vSwitches provide zone-disaster recovery, so that data transmission between the VPC and the transit router is not interrupted if one zone fails.

          We recommend that you select a vSwitch in each zone to reduce network latency and improve network performance, because data is transmitted over a shorter distance.

        For more information, see Create a VPC connection.

      • Advanced Settings: By default, the system automatically enables the following advanced features.

        • Associate with Default Route Table of Transit Router: After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.

        • Propagate System Routes to Default Route Table of Transit Router: After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.

        • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC: After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hop of each route is the transit router, so traffic from the VPC to these private CIDR blocks is forwarded to the transit router. By default, transit routers do not advertise routes to VPCs.

          Important

          If a route with one of these destination CIDR blocks already exists in a route table of the VPC, the system cannot add that route. You must manually add a route that points to the VPC connection to the route table. Otherwise, network communication cannot be established between the VPC and the transit router.

          To check whether such routes exist, click Check Route below Advanced Settings.

        The default settings are used in this example.

  3. Attach the VBR to the CEN instance.

    1. On the Connection with Peer Network Instance page, configure the following parameters and click OK:

      • Network Type: Select the type of network instance that you want to attach. In this example, Virtual Border Router (VBR) is selected.

      • Region: Select the region where the network instance is deployed. In this example, the China (Hangzhou) region is selected.

      • Transit Router: The transit router in the selected region is displayed.

      • Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs. In this example, Current Account is selected.

      • Attachment Name: Enter a name for the network connection. In this example, VBR-test is used.

      • Network Instance: Select the ID of the network instance that you want to attach. In this example, the VBR created in Step 1 is selected.

      • Advanced Settings: By default, the system automatically enables the following advanced features.

        • Associate with Default Route Table of Transit Router: After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.

        • Propagate System Routes to Default Route Table of Transit Router: After this feature is enabled, the system routes of the VBR are advertised to the default route table of the transit router. This way, the VBR can communicate with other network instances that are connected to the transit router.

        • Propagate Routes to VBR: After this feature is enabled, the system automatically advertises the routes in the transit router route table that is associated with the VBR connection to the VBR. The VBR in turn advertises these routes to the on-premises gateway device over the BGP session configured in Step 1.

        The default settings are used in this example.

Step 3: Deploy a VPN gateway

After you complete the preceding steps, the data center is connected to VPC1 over a private connection. However, the private connection is not encrypted. To encrypt the private connection, you must deploy a VPN gateway in VPC1.

  1. Create a VPN gateway.

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region where you want to create the VPN gateway.

      The VPN gateway and the VPC to be associated must belong to the same region. In this example, the China (Hangzhou) region is selected.

    3. On the VPN Gateways page, click Create VPN Gateway.

    4. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

      • Name: Enter a name for the VPN gateway. In this example, VPNGateway1 is entered.

      • Region: Select the region where you want to deploy the VPN gateway. In this example, the China (Hangzhou) region is selected.

      • Gateway Type: Select the type of the VPN gateway. In this example, Standard is selected.

      • Network Type: Select the network type of the VPN gateway. In this example, Private is selected.

      • Tunnels: The tunnel mode supported by IPsec-VPN connections in the region is displayed.

      • VPC: Select the VPC with which you want to associate the VPN gateway. In this example, VPC1 is selected.

      • VSwitch: Select a vSwitch from VPC1.

        • If you select Single-tunnel, you need to specify one vSwitch.

        • If you select Dual-tunnel, you need to specify two vSwitches.

        Note

        • The system selects a vSwitch by default. You can use the default vSwitch or change it.

        • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone in which the vSwitch resides on the details page of the VPN gateway.

      • vSwitch 2: Select another vSwitch from VPC1. Ignore this parameter if you select Single-tunnel.

      • Maximum Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.

      • Traffic: Select a billing method for the VPN gateway. Default value: Pay-by-data-transfer. For more information, see Billing.

      • IPsec-VPN: Private VPN gateways support only the IPsec-VPN feature. In this example, the default value Enable is selected for the IPsec-VPN feature.

      • Duration: Select a billing cycle. Default value: By Hour.

      • Service-linked Role: Click Create Service-linked Role. Then, the system automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.

    5. Return to the VPN Gateways page, check and record the private IP address of the VPN gateway that you created. This IP address is used when you configure IPsec-VPN connections.

      A newly created VPN gateway is in the Preparing state. After about 1 to 5 minutes, it enters the Normal state. The Normal state indicates that the VPN gateway is initialized and ready for use.

  2. Create a customer gateway.

    1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

    2. On the Customer Gateway page, click Create Customer Gateway.

    3. In the Create Customer Gateway panel, set the following parameters and click OK.

      The following content describes only the key parameters. For more information, see Create a customer gateway.

      • Name: the name of the customer gateway.

        In this example, Customer-Gateway is entered.

      • IP Address: the VPN IP address of the on-premises device to be connected to the VPN gateway.

        In this example, 192.168.0.251 is entered.

      • ASN: the ASN of the on-premises gateway device.

        In this example, 65530 is entered.

  3. Create an IPsec-VPN connection.

    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. On the IPsec-VPN connection page, click Create IPsec-VPN Connection.

    3. On the Create IPsec Connection page, configure the IPsec-VPN connection based on the following information and click OK.

      The following table describes only the key parameters. For more information about the other parameters, see Create and manage IPsec-VPN connections in single-tunnel mode.

      • Name: Enter a name for the IPsec-VPN connection. In this example, IPsecConnection1 is used.

      • VPN Gateway: Select the VPN gateway that you created. In this example, VPNGateway1 is selected.

      • Customer Gateway: Select the customer gateway that you created. In this example, Customer-Gateway is selected.

      • Routing Mode: Select a routing mode. In this example, Destination Routing Mode is selected.

      • Effective Immediately: Specify whether to start negotiations immediately.

        • Yes: starts connection negotiations as soon as the configuration is completed.

        • No: starts negotiations when inbound traffic is detected.

        In this example, Yes is selected.

      • Pre-Shared Key: Enter a pre-shared key. If you do not enter a value, the system generates a random 16-character string as the pre-shared key.

        Important

        Make sure that the on-premises device and the IPsec-VPN connection use the same pre-shared key. Treat the key as a secret: use a long random value, do not reuse it for other connections, and hand it to the data center administrator over a secure channel.

        In this example, fddsFF123**** is used.

      • Encryption Configuration: In this example, ikev2 is selected for the Version parameter in the IKE Configurations section. The default values are used for the other parameters.

      • BGP Configuration: In this example, BGP Configuration is enabled. The following parameters are configured.

        • Tunnel CIDR Block: Enter the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16, and its subnet mask must be 30 bits in length. In this example, 169.254.10.0/30 is entered.

        • Local BGP IP address: Enter the BGP IP address on the VPN gateway side. This IP address must fall within the CIDR block of the IPsec tunnel. In this example, 169.254.10.1 is entered; the BGP IP address on the data center side is therefore 169.254.10.2.

        • Local ASN: Enter the ASN on the VPN gateway side. Default value: 45104. In this example, the default value 45104 is used.

          Important

          If you configure BGP routing for both the VBR and the VPN gateway, make sure that the ASN on the VPN gateway side is the same as the ASN of the VBR. This facilitates route management.

      • Health Check: In this example, the default settings are used.

    4. After you create an IPsec-VPN connection, click OK in the Established dialog box.

  4. Enable automatic BGP advertising for the VPN gateway.

    After automatic BGP advertising is enabled and a peering connection is established between the VPN gateway and the on-premises gateway device, the VPN gateway learns and advertises the CIDR block of the data center to VPC1. The VPN gateway also advertises the routes in the system route table of VPC1 to the on-premises gateway device.

    1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateway.

    2. On the VPN Gateways page, find VPNGateway1 and choose More > Enable Automatic BGP Propagation in the Actions column.

    3. In the Enable Automatic BGP Propagation message, click OK.

  5. Download the IPsec configurations of the on-premises gateway device.

    1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. On the IPsec Connections page, find IPsecConnection1 and click Generate Peer Configuration in the Actions column.

      Save the downloaded IPsec configurations on your client.

  6. Add VPN configurations, BGP configurations, and static routes to the on-premises gateway device.

    Add VPN configurations, BGP configurations, and static routes to the on-premises gateway device based on the configurations of the IPsec-VPN connection that you downloaded.

    The following configurations are for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.

    1. Open the CLI of the on-premises gateway device.

    2. Run the following commands to set the IKEv2 proposal and policy. The algorithms must match the IKE Configurations of the IPsec-VPN connection; the values below correspond to the defaults used in this example. If you select stronger algorithms on the connection, for example SHA-256 integrity and DH group 14, change these lines to match:

      crypto ikev2 proposal alicloud  
      encryption aes-cbc-128          //Configure the encryption algorithm. In this example, aes-cbc-128 is used. 
      integrity sha1                  //Configure the authentication algorithm. In this example, sha1 is used. 
      group 2                         //Configure the DH group. In this example, group 2 is used. 
      exit
      !
      crypto ikev2 policy Pureport_Pol_ikev2
      proposal alicloud
      exit
      !
    3. Run the following commands to set the IKEv2 keyring:

      crypto ikev2 keyring alicloud
      peer alicloud
      address 10.0.0.167               //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used. 
      pre-shared-key fddsFF123****     //Configure the pre-shared key. In this example, fddsFF123**** is used. 
      exit
      !
    4. Run the following commands to set the IKEv2 profile:

      crypto ikev2 profile alicloud
      match identity remote address 10.0.0.167 255.255.255.255    //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used. 
      identity local address 192.168.0.251    //Configure the VPN IP address of the data center. In this example, 192.168.0.251 is used. 
      authentication remote pre-share   //Set the authentication mode for the VPC to PSK (pre-shared key). 
      authentication local pre-share    //Set the authentication mode of the data center to PSK. 
      keyring local alicloud            //Invoke the IKEv2 keyring. 
      exit
      !
    5. Run the following commands to set transform:

      crypto ipsec transform-set TSET esp-aes esp-sha-hmac
      mode tunnel
      exit
      !
    6. Run the following commands to configure an IPsec profile that references the transform set, enables Perfect Forward Secrecy (PFS), and invokes the IKEv2 profile:

      crypto ipsec profile alicloud
      set transform-set TSET
      set pfs group2
      set ikev2-profile alicloud
      exit
      !
    7. Run the following commands to configure the IPsec tunnel:

      interface Tunnel100
      ip address 169.254.10.2 255.255.255.252    //Configure the tunnel address for the data center. In this example, 169.254.10.2 is used. 
      tunnel source GigabitEthernet1
      tunnel mode ipsec ipv4
      tunnel destination 10.0.0.167              //Configure the private IP address of the VPN gateway. In this example, 10.0.0.167 is used. 
      tunnel protection ipsec profile alicloud
      no shutdown
      exit
      !
      interface GigabitEthernet1                 //Configure the IP address of the interface that is used to connect to the VPN gateway. 
      ip address 192.168.0.251 255.255.255.0
      negotiation auto
      !
    8. Run the following commands to set the BGP routing protocol:

      Important

      To ensure that traffic from the VPC to the data center is routed into the encrypted tunnel of the VPN gateway, the on-premises gateway device must advertise over the tunnel a CIDR block that is more specific (has a longer prefix) than the CIDR block it advertises to the VBR. Longest-prefix matching then steers traffic for that block to the VPN gateway instead of to the VBR.

      In this example, the data center advertises 192.168.0.0/16 to the VBR. Therefore, the BGP configuration of the on-premises gateway device must advertise a more specific CIDR block over the tunnel. In this example, 192.168.1.0/24 is advertised. Only traffic to that subnet is encrypted; traffic to the rest of 192.168.0.0/16, including the VPN IP address 192.168.0.251 that terminates the tunnel, continues to use the unencrypted Express Connect path.

      router bgp 65530                         //Enable BGP and configure the ASN of the data center. In this example, 65530 is used. 
      neighbor 169.254.10.1 remote-as 45104    //Configure the ASN of the BGP peer. In this example, the ASN of the VPN gateway 45104 is used. 
      neighbor 169.254.10.1 ebgp-multihop 10   //Set the EBGP hop-count to 10.   
      !
      address-family ipv4
      network 192.168.1.0 mask 255.255.255.0   //Advertise the CIDR block of the data center. In this example, 192.168.1.0/24 is advertised. 
      neighbor 169.254.10.1 activate           //Activate the BGP peer. 
      exit-address-family
      !
    9. Run the following command to configure a static route:

      ip route 10.0.0.167 255.255.255.255 10.0.0.2  //Route traffic from the data center to the VPN gateway over the Express Connect circuit.

      This /32 route is required. With automatic BGP advertising enabled, the VPN gateway advertises 10.0.0.0/24, which contains its own private IP address, through the tunnel. Without a more specific route to the VPN gateway, the tunnel endpoint itself would be routed into the tunnel and the IPsec-VPN connection could not be established.

Step 4: Configure routes and routing policies for the VPC, VBR, and CEN instance

After you complete the preceding steps, an encrypted tunnel can be established between the on-premises gateway device and the VPN gateway. You must configure routes and routing policies for the VPC, VBR, and CEN instance to route traffic to the encrypted tunnel when the data center communicates with Alibaba Cloud.

  1. Add a custom route to VPC1.

    1. Log on to the VPC console.

    2. In the left-side navigation pane, click Route Tables.

    3. In the top navigation bar, select the region to which the route table belongs.

      In this example, the China (Hangzhou) region is selected.

    4. On the Route Tables page, find the route table that you want to manage and click its ID.

      In this example, the ID of the system route table of VPC1 is clicked.

    5. On the Route Entry List tab, click the Custom Route tab, and then click Add Route Entry.

    6. In the Add Route Entry panel, configure the following parameters and click OK.

      • Name: Enter a name for the custom route.

      • Destination CIDR Block: Enter the destination CIDR block of the custom route. In this example, IPv4 CIDR Block is selected and the VPN IP address of the on-premises gateway device, 192.168.0.251/32, is entered. This route guarantees that traffic from the VPN gateway to its tunnel peer is always forwarded to the transit router and the Express Connect circuit, even if a broader data center prefix is later learned through the tunnel.

      • Next Hop Type: Select the type of the next hop. In this example, Transit Router is selected.

      • Transit Router: Select the next hop of the custom route. In this example, VPC1-test is selected.

  2. Add a custom route for the VBR.

    1. Log on to the Express Connect console.

    2. In the left-side navigation pane, click Virtual Border Routers (VBRs).

    3. In the top navigation bar, select the region where the VBR is deployed.

      In this example, the China (Hangzhou) region is selected.

    4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

    5. Click the Routes tab and click Add Route.

    6. In the Add Route panel, set the following parameters and click OK.

      • Next Hop Type: Select Physical Connection Interface.

      • Destination CIDR Block: Enter the VPN IP address of the on-premises gateway device. In this example, 192.168.0.251/32 is used.

      • Next Hop: Select the Express Connect circuit created in Step 1.

  3. Configure a routing policy for the CEN instance.

    After you complete the preceding configurations, the data center learns the CIDR blocks of VPC1 from both the VBR and the VPN gateway. To ensure that traffic from the data center to VPC1 is preferentially routed through the encrypted tunnel of the VPN gateway, you must configure a routing policy for the CEN instance. The routing policy lowers the priority of the VPC CIDR blocks that the VBR advertises to the data center below the priority of the same CIDR blocks that the VPN gateway advertises through the tunnel.

    1. Log on to the CEN console.

    2. On the Instances page, click the ID of the CEN instance created in Step 1.

    3. Choose Basic Settings > Transit Router, find and click the ID of the transit router that you want to manage.

    4. On the details page of the transit router, click the Route Table tab and click Route Maps.

    5. On the Route Maps tab, click Add Route Map. In the Add Route Map panel, set the following parameters and click OK.

      The following table describes only the key parameters. For more information about the other parameters, see Routing policy overview.

      • Routing Policy Priority: Enter a priority value for the routing policy. In this example, 5 is entered.

      • Region: Select the region in which the routing policy applies. In this example, the China (Hangzhou) region is selected.

      • Associated Route Table: Select a route table to associate with the routing policy. In this example, the default route table of the current transit router is selected.

      • Direction: Select the direction in which the routing policy applies. In this example, Import to Regional Gateway is selected.

      • Match Condition: Configure match conditions for the routing policy. In this example, the following match conditions are used:

        • Source Instance IDs: Enter the ID of VPC1.

        • Destination Instance IDs: Enter the ID of the VBR.

        • Route Prefix: Enter 10.0.1.0/24 and 10.0.0.0/24.

      • Routing Policy Action: Select an action for the routing policy. In this example, Permit is selected.

      • Add Policy Entry: Specify how the permitted routes are modified. In this example, Appended AS Path is selected and 65525, 65526, and 65527 are entered. The longer AS path lowers the priority of the VPC CIDR blocks that the VBR advertises to the data center, so the on-premises gateway device prefers the same prefixes learned from the VPN gateway through the tunnel.
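To see how the two routing decisions in this procedure work together (the more specific prefix advertised through the tunnel in Step 3, and the AS-path prepend on the VBR side in Step 4), the following Python model is added here as an example. It is not code from this page or from Alibaba Cloud. It reproduces longest-prefix matching and a simplified BGP best-path choice over the prefixes and ASNs used in this example; the route tables, the next-hop labels (Tunnel100, ExpressConnect, TransitRouter, VPNGateway1) and the Cisco-style administrative distances are assumptions made for the model.

```python
"""Added example: a route-selection model for the BGP-routed private VPN setup.

Not code from the page or from Alibaba Cloud. The route tables below are
constructed from the page's example prefixes, next hops and ASNs; the
next-hop labels ("Tunnel100", "ExpressConnect", "TransitRouter") and the
Cisco-style administrative distances are assumptions of this model.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str            # "Tunnel100" is the IPsec tunnel interface
    source: str              # "connected", "static" or "bgp"
    as_path: tuple = ()      # BGP routes only
    encrypted: bool = False  # True only when the next hop is the IPsec tunnel

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# Administrative distance: between route sources, the lower value wins.
AD = {"connected": 0, "static": 1, "bgp": 20}


def candidates(rib, prefix):
    """All routes a router holds for one exact prefix, before best-path selection."""
    return [r for r in rib if r.prefix == prefix]


def best_routes(rib):
    """Keep one route per prefix: lowest administrative distance, then shortest AS path.
    A tie keeps the first-listed candidate; a real router would apply further
    tie-breakers, which is the ambiguity the CEN route map removes."""
    fib = {}
    for r in rib:
        cur = fib.get(r.prefix)
        key = (AD[r.source], len(r.as_path))
        if cur is None or key < (AD[cur.source], len(cur.as_path)):
            fib[r.prefix] = r
    return list(fib.values())


def lookup(fib, dst):
    """Longest-prefix match for one destination address."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in fib if addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen) if hits else None


VBR_ASN = VPN_GATEWAY_ASN = 45104   # the VBR and the VPN gateway both use 45104
DC_ASN = 65530
PREPEND = (65525, 65526, 65527)     # Appended AS Path entries of the CEN route map


def on_prem_rib(with_static_route=True, with_route_map=True):
    """Constructed RIB of the on-premises gateway device after Steps 1 to 4."""
    via_vbr = (VBR_ASN,) + (PREPEND if with_route_map else ())
    rib = [
        Route("192.168.0.0/24", "GigabitEthernet1", "connected"),
        Route("192.168.1.0/24", "LAN", "connected"),
        Route("10.0.0.0/30", "ExpressConnect", "connected"),
        Route("169.254.10.0/30", "Tunnel100", "connected", encrypted=True),
        # VPC1 prefixes learned from the VBR over Express Connect (unencrypted)
        Route("10.0.0.0/24", "10.0.0.2", "bgp", via_vbr),
        Route("10.0.1.0/24", "10.0.0.2", "bgp", via_vbr),
        # The same prefixes learned from the VPN gateway through the tunnel
        Route("10.0.0.0/24", "Tunnel100", "bgp", (VPN_GATEWAY_ASN,), encrypted=True),
        Route("10.0.1.0/24", "Tunnel100", "bgp", (VPN_GATEWAY_ASN,), encrypted=True),
    ]
    if with_static_route:   # ip route 10.0.0.167 255.255.255.255 10.0.0.2
        rib.append(Route("10.0.0.167/32", "10.0.0.2", "static"))
    return rib


def vpc_rib():
    """Constructed effective route table of VPC1 after Steps 2 to 4."""
    return [
        Route("10.0.0.0/24", "local", "connected"),
        Route("10.0.1.0/24", "local", "connected"),
        # Added by the CEN attachment: the whole data-center block via the transit router
        Route("192.168.0.0/16", "TransitRouter", "static"),
        # More specific subnet advertised by the on-premises device through the tunnel
        Route("192.168.1.0/24", "VPNGateway1", "bgp", (DC_ASN,), encrypted=True),
        # Custom /32 from Step 4: the tunnel endpoint itself stays on the Express Connect path
        Route("192.168.0.251/32", "TransitRouter", "static"),
    ]


def path(rib, dst):
    """(matched prefix, next hop, encrypted?) for dst after best-path selection."""
    r = lookup(best_routes(rib), dst)
    return (r.prefix, r.next_hop, r.encrypted) if r else None


if __name__ == "__main__":
    for rib, dst in [(on_prem_rib(), "10.0.1.1"), (on_prem_rib(), "10.0.0.167"),
                     (on_prem_rib(with_static_route=False), "10.0.0.167"),
                     (on_prem_rib(with_route_map=False), "10.0.1.1"),
                     (vpc_rib(), "192.168.1.1"), (vpc_rib(), "192.168.0.251"),
                     (vpc_rib(), "192.168.0.10")]:
        print(dst, "->", path(rib, dst))
```

Three things the model makes visible: without the /32 static route, the on-premises device resolves the VPN gateway address 10.0.0.167 through the 10.0.0.0/24 prefix learned over the tunnel, so the tunnel endpoint would be routed into the tunnel itself; without the route map, the VPC prefixes arrive from the VBR and from the VPN gateway with AS paths of equal length and the device's choice is left to tie-breakers; and on the VPC side only 192.168.1.0/24 resolves to the VPN gateway, while 192.168.0.251 and the rest of 192.168.0.0/16 stay on the unencrypted Express Connect path.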

Step 5: Check the network connectivity

After you complete the preceding steps, the data center can communicate with VPC1 over private and encrypted connections. The following content describes how to check the connectivity between the data center and VPC1, and check whether the private connection is encrypted by the VPN gateway.

  1. Check the network connectivity.

    1. Log on to ECS1. For more information, see Connect to an ECS instance.

    2. Run the ping command to ping a client in the data center to check the network connectivity between the data center and VPC1. Use a client in Subnet2 (192.168.1.1 in this example), because only the more specific prefix 192.168.1.0/24 is steered into the tunnel; an address in 192.168.0.0/24 is still reached over the unencrypted Express Connect path.

      ping <the IP address of a client in the data center>

      If an echo reply packet is returned, the data center is connected to VPC1.

  2. Check whether the private connection is encrypted.

    If the details page of the IPsec-VPN connection shows monitoring data for data transfer while the ping in the previous step is running, the traffic is traversing the IPsec tunnel and the private connection is encrypted. The IPsec SA packet counters on the on-premises gateway device should increase at the same time.

    1. Log on to the VPN Gateway console.

    2. In the top navigation bar, select the region where the VPN gateway is deployed.

      In this example, the China (Hangzhou) region is selected.

    3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    4. On the IPsec Connections page, find the IPsec-VPN connection created in Step 3 and click its ID.

      Go to the details page of the IPsec-VPN connection to view monitoring data of data transfer.