VPN Gateway Best Practice Series (1) How to Make VPCs Interoperable

Abstract:  Topic introduction VPN gateway is a new network service launched by Alibaba Cloud, which can help your enterprise easily build a secure, stable and highly available network interconnection solution. Compared with traditional VPN software and self-built VPN, Alibaba Cloud VPN gateway is easy to deploy, ready to use, and professional after-sales support. Today, let's talk about how to deploy and configure a VPN gateway, so that the two VPCs can communicate with each other in the private network and connect your cloud network.

topic introduction

VPN Gateway is a new network service launched by Alibaba Cloud, which can help your enterprise easily build a secure, stable, and highly available network interconnection solution. Compared with traditional VPN software and self-built VPN, Alibaba Cloud VPN gateway is easy to deploy, ready to use, and professional after-sales support.

Today, let's talk about how to deploy and configure a VPN gateway, so that the two VPCs can communicate with each other in the private network and connect your cloud network.

Tip : VPN gateways establish encrypted tunnels based on the Internet for communication, and the communication quality depends on the Internet. If there is a higher requirement for VPC interworking, you can use the high-speed channel. For details, refer to Cross-account VPC Interworking and Cross -region VPC Interworking .

This operation uses two VPCs under the same account as an example to describe how to implement VPC intercommunication by deploying a VPN gateway. If it is inter-account VPC interworking, the operation steps are the same as the same-account VPC interworking. Before creating a user gateway, you need to obtain the public IP address of the VPN gateway of the other party's account, and then use the obtained public network IP address of the other party's account to create a user gateway.

VPC name network segment VPC ID cloud product instance

VPC1	172.16.0.0/12	vpc-xxxxl8	ECS1
VPC2	10.0.0.0/8	vpc-xxxnkf	ECS2

Step 1 Create a VPN gateway

First you need to create a VPN gateway for each of the two VPCs.

1. Log in to the VPC management console .

2. 在左侧导航栏，单击VPN > VPN网关。

3. 单击创建VPN网关。

4. 提供以下信息，然后单击立即购买，完成创建。

   配置 说明

   地域	选择VPN网关的所属地域。 确保和VPC的地域相同。
   专有网络	选择部署VPN网关的专有网络。
   虚拟交换机	选择VPN网关的所属交换机。
   带宽规格	选择VPN网关的公网带宽。
   购买数量	使用默认值，即创建一个VPN网关。
   购买时长	选择VPN网关的使用时长。

5. 重复上述步骤，为另外一个VPC创建一个VPN网关。

   VPN网关创建后，系统会自动分配两个公网IP。

   

   本操作中分配的IP地址为116.XX.XX.142和116.XX.XX.2，VPC与VPN网关之间的对应关系如下表所示。

   VPC VPN网关 IP地址

   名称：VPC1 ID：vpc-xxxxl8 网段：172.16.0.0/12	vpn-xxxxxq70	116.XX.XX.2
   名称：VPC2 ID：vpc-xxxnkf 网段：10.0.0.0/8	vpn-xxxxxlg3	116.XX.XX.142

步骤二 创建用户网关

创建完两个VPN网关后，您可以使用系统分配的IP地址，分别创建两个用户网关。

1. 登录专有网络管理控制台。

2. 在左侧导航栏，单击VPN > 用户网关。

3. 单击创建用户网关。

4. 提供以下信息，然后单击提交。

   配置 说明

   用户网关名称	输入用户网关的名称。
   IP地址	输入VPN网关的公网IP地址。

5. 重复上述步骤，使用另外一个IP地址再创建一个用户网关。

   

   本操作后，VPC与VPN网关、用户网关之间的对应关系如下表所示。

   VPC VPN网关 IP地址 用户网关

   名称：VPC1 ID：vpc-xxxxl8 网段：172.16.0.0/12	vpn-xxxxxq70	116.XX.XX.2	user_VPC1
   名称：VPC2 ID：vpc-xxxnkf 网段：10.0.0.0/8	vpn-xxxxxlg3	116.XX.XX.142	user_VPC2

步骤三 创建VPN连接

创建好VPN网关和用户网关后，您需要分别创建两个VPN连接建立VPN通道。

1. 登录专有网络管理控制台。

2. 在左侧导航栏，单击VPN > VPN连接。

3. 单击创建VPN连接。

4. 在创建VPN连接对话框，提供以下信息，然后单击提交。

   配置 说明

   VPN网关	选择其中一个VPC的VPN网关。 本操作中选择VPC1的网关vpn-xxxxxq70。
   用户网关	选择使用对端VPN网关的IP地址创建的用户网关。 本操作中选择VPC2的用户网关user_VPC2。
   本端网段	输入已选VPN网关所属VPC的网段。 本操作中输入VPC1的网段172.16.0.0/12。
   对端网段	输入对端VPC的网段。 本操作中输入VPC2的网段10.0.0.0/8。
   预共享密钥	展开高级配置，输入一个共享密钥。

5. 重复上述步骤，为另外一个VPC添加一个VPN连接。

   本操作中，VPC1的VPN连接配置如下图所示。

   

   In this operation, the VPN connection configuration of VPC2 is shown in the following figure.

   

Step 4 Add a route

Finally, you need to add a custom route to each of the two VPCs.

1. Log in to the VPC management console .

2. In the left navigation bar, click VPC .

3. On the VPC list page, find VPC1 and click the link for the instance ID to enter the VPC details page.

4. In the VPC Details navigation bar, click Router , and then click Add Route .

5. In the Add Route dialog box, provide the following information and click OK .

   Configuration instructions

   target network segment	Enter the network segment of the peer VPC to connect to. In this operation, enter the network segment of VPC2, that is, 10.0.0.0/8.
   next hop instance	Select VPN Gateway .
   VPN gateway	Select the VPN gateway deployed in this VPC. In this operation, select the VPN gateway created by VPC1.

6. Repeat the preceding steps to add a route entry for VPC2 with the destination network segment 172.16.0.0/12 and the next hop as the VPN gateway of VPC2.

   In this operation, the routing configuration of VPC1 is shown in the following figure.

   

   In this operation, the routing configuration of VPC2 is shown in the following figure.

   

Step 5 Test private network communication

Ping the private network IP of ECS2 on the ECS1 instance in VPC1 on the private network to test the private network communication between the two VPCs.