Foreword
This article covers the preparation, configuration steps, and precautions for establishing an IPSec VPN between Alibaba Cloud and Azure (China regions).
Preparation
Account permission preparation
If you do not have the primary account for Alibaba Cloud or Azure, you can log in as a RAM user;
On the Aliyun side, make sure you have permission to configure the VPN gateway, and preferably permission to configure or view CEN and VPC;
On the Azure side, the account can be assigned a network administrator role.
Network segments that need to communicate between Alibaba Cloud and Azure
For example, Alibaba Cloud uses 10.1.0.0/16 and Azure uses 172.16.0.0/16
How Alibaba Cloud establishes the IPSec VPN
You can use either a VPN gateway or a transit router. If you use a transit router, it must be the Enterprise Edition; the Basic Edition does not support this, and you need to submit a ticket to upgrade to the Enterprise Edition;
This document uses the VPN gateway as the example.
Selection of the Azure SKU
If you do not have particularly high bandwidth requirements, you can choose the first-generation Basic SKU.
01 Configuration details (Aliyun)
VPN gateway instance name: for example to-azure-vpngateway (can be modified later)
Region and availability zone of the VPN gateway: select the zone where your current workloads are located
VPC of the VPN gateway: the VPN gateway behaves like a network device, so you must specify the VPC it lives in. If you have only one VPC, use that one; if there are several, choose according to your situation
VPN gateway bandwidth specification: it is recommended to choose the lowest one first; it can be upgraded at any time later
VPN gateway billing cycle: select according to your situation
User gateway instance name (called the customer gateway in the English console): for example azure-usergateway
User gateway IP address: this IP is only available after the virtual network gateway has been created on the Azure side
IPSec connection name: for example aliyun-to-azure
Routing mode: destination-based routing is recommended
Pre-shared key: generate a long, random key
IKE version: IKEv2 is recommended
IKE encryption and authentication algorithms: select according to your situation, but they must match the Azure side
IKE DH group: select according to your situation, but it must match the Azure side
SA lifetime: select according to your situation, but it must match the Azure side
IPSec encryption and authentication algorithms: select according to your situation, but they must match the Azure side
DH group (PFS): can be disabled, because the Azure Basic SKU does not support it
02 Configuration details (Azure)
VPN gateway instance name: for example to-aliyun-vpngateway (cannot be modified; to change it you must delete and recreate the gateway)
Region and availability zone of the VPN gateway: select the zone where your current workloads are located
Virtual network (VNet) of the VPN gateway: it is recommended to create a new VNet used only for the VPN gateway
VPN gateway bandwidth specification: billed by usage; not selectable
Local network gateway name: for example aliyun-usergateway; this is the counterpart of the Alibaba Cloud user gateway
Local network gateway IP address: this IP is only available after the VPN gateway has been created on Alibaba Cloud
IPSec connection name: for example azure-to-aliyun
Routing mode: destination-based routing is recommended
Pre-shared key: generate a long, random key
IKE version: IKEv2 is recommended
IKE encryption and authentication algorithms: select according to your situation, but they must match the Aliyun side
IKE DH group: select according to your situation, but it must match the Aliyun side
SA lifetime: select according to your situation, but it must match the Aliyun side
IPSec encryption and authentication algorithms: select according to your situation, but they must match the Aliyun side
DH group (PFS): can be disabled, because the Azure Basic SKU does not support it
Alibaba Cloud configuration
01 Create a VPN gateway
1. Fill in the configuration items prepared earlier and click Buy Now
2. After creation completes, the gateway has a public IP address; this is used when configuring the local network gateway on the Azure side
3. Done
02 Create the user gateway
1. The virtual network gateway must be created in Azure before this step, because its public IP is required here
2. Create the user gateway
3. Done
03 Configure the IPSec connection
1. Edit the IPSec connection: set the name and other basic information
2. Configure the IKE and IPSec parameters
3. Leave DPD and NAT traversal enabled (the default)
4. Done
04 Configure the destination route on the VPN gateway
1. Click the VPN gateway to open it and select "Destination-based Routing Table"
2. Click "Add Route Entry"
3. Publish this route to CEN (optional)
If you have only one VPC, this step can be skipped
If your VPC is attached to a CEN and other VPCs also need to reach Azure, you need to publish the route to CEN
If you are not using CEN but have multiple VPCs, you need to configure VPC peering instead
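Before adding route entries, it is worth checking the address plan: the Alibaba Cloud VPC segments and the Azure VNet segments must not overlap (with each other or among themselves), every Azure segment needs a destination route on the VPN gateway, and every Alibaba Cloud segment must appear in the Azure local network gateway's address space. The following is example code added by the editor, not from the original article; it uses the article's sample ranges plus a constructed second VPC (10.2.0.0/16) to illustrate the CEN / multi-VPC case, and assumes the IPSec connection is named aliyun-to-azure as in the configuration details.

```python
"""Address-plan check for the destination routes: reject overlapping
segments and list the entries each side needs. Example code added by the
editor, not from the article; 10.2.0.0/16 is a constructed extra VPC."""
import ipaddress
from itertools import combinations, product

ALIYUN_SEGMENTS = ["10.1.0.0/16", "10.2.0.0/16"]  # second VPC is constructed
AZURE_SEGMENTS = ["172.16.0.0/16"]
IPSEC_CONNECTION = "aliyun-to-azure"  # next hop on the Alibaba Cloud side (assumed name)


def parse_segments(cidrs):
    """Parse CIDRs strictly: '10.1.0.1/16' has host bits set and is rejected."""
    nets = []
    for c in cidrs:
        try:
            nets.append(ipaddress.ip_network(c, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad segment {c!r}: {exc}") from exc
    return nets


def overlapping_pairs(local, remote):
    """Cross-side overlaps; any hit means traffic can never be routed correctly."""
    nets_l, nets_r = parse_segments(local), parse_segments(remote)
    return [(str(a), str(b)) for a, b in product(nets_l, nets_r) if a.overlaps(b)]


def internal_overlaps(segments):
    """Overlaps within one side, e.g. two VPCs on the same CEN sharing a range."""
    nets = parse_segments(segments)
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def plan(aliyun, azure, connection=IPSEC_CONNECTION):
    """Return the route entries for both sides, or raise if the plan is unusable."""
    problems = (internal_overlaps(aliyun) + internal_overlaps(azure)
                + overlapping_pairs(aliyun, azure))
    if problems:
        raise ValueError(f"overlapping segments: {problems}")
    return {
        # Alibaba Cloud: one destination-based route per Azure segment,
        # with the IPSec connection as the next hop
        "aliyun_destination_routes": [
            {"destination": s, "next_hop": connection} for s in azure
        ],
        # Azure: the local network gateway's address space must list every
        # Alibaba Cloud segment that should be reachable through the tunnel
        "azure_local_network_gateway_address_space": list(aliyun),
    }


if __name__ == "__main__":
    for side, entries in plan(ALIYUN_SEGMENTS, AZURE_SEGMENTS).items():
        print(side, entries)
```

When a VPC is attached to a CEN, run the check once with all VPC segments that will use the route published to CEN; an overlap found here would otherwise only show up later as traffic silently taking the wrong path.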
Azure configuration
01 Create a virtual network gateway
1. Create a virtual network gateway
2. Keep clicking Next and wait for creation to complete, which takes about 10-20 minutes
02 Create a local network gateway
1. Fill in the basic settings (the name and IP address prepared above)
2. Click Next and wait for creation to complete
03 Create an IPSec connection
1. Open the virtual network gateway created earlier, select "Connections", and click "Add"
2. Fill in the following:
Name: to-aliyun-vpngateway
Connection Type: Site-to-Site (IPsec)
Select the virtual network gateway and local network gateway configured earlier
3. After creation, Azure uses its default IPSec/IKE policy. In practice, negotiation may fail with the defaults, so it is recommended to set the IPSec/IKE policy manually, as shown in the example below
04 Configure routing and peering
Because Azure's virtual network gateway sits in its own VNet, virtual machines in other VNets that need to communicate with Alibaba Cloud also require VNet peering
Open the virtual network that contains the virtual network gateway and click "Peerings" to start the configuration
Under "Virtual network gateway" in the settings for this virtual network, select "Use this virtual network's gateway"
Under "Virtual network gateway" in the settings for the remote virtual network, select "Use the remote virtual network's gateway"
Done
Precautions
Choice of Azure SKU
Because the prices of the SKUs differ greatly, if you do not need high IPSec throughput you can choose the Basic gateway, as shown in the figure below
In addition, different SKUs support different encryption algorithms, but the Basic SKU's set is sufficient
Azure naming
Settings such as the names of the virtual network gateway, local network gateway, and IPSec connection cannot be changed once set, so plan them in advance; otherwise the resource must be deleted and recreated. Because these resources are tightly linked, some must be disassociated, deleted, recreated, and re-associated, which is troublesome
Many names on Alibaba Cloud can be modified after creation, without deleting and recreating
Troubleshooting when the VPN cannot be established
Normally you only need to check the IKE and IPSec encryption parameters and make sure they are identical on both sides
After modifying the parameters, on the Alibaba Cloud side you can switch the establishment mode to passive, save, then switch it back to active and save again to re-initiate the connection
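The parameter comparison that this section (and the "must match" items in the configuration details) describes is easy to get wrong by hand because the two consoles use different names for the same algorithm. The following is example code added by the editor, not from the original article: it translates the Alibaba Cloud proposal into Azure's vocabulary, reports every field that would make negotiation fail, flags PFS on the Basic SKU (which the article notes is unsupported), and prints the Azure CLI command (az network vpn-connection ipsec-policy add) that mirrors the Alibaba Cloud side. The name mapping is the editor's assumption based on the option names each console shows, the sample values are constructed, and the resource group and connection names are placeholders. Per Azure documentation, a custom IPsec/IKE policy requires a VpnGw SKU rather than Basic.

```python
"""Cross-check the IKE/IPSec proposal on the Alibaba Cloud side against the
IPsec/IKE policy on the Azure connection, then emit the Azure CLI command that
mirrors the Alibaba Cloud settings. Example code added by the editor, not from
the article; the name mapping is assumed and the sample values are constructed."""
from dataclasses import dataclass

# Alibaba Cloud option name -> Azure policy value. None means Azure has no
# equivalent, so the Alibaba Cloud side must be changed. (Assumed mapping.)
ENC_MAP = {"aes": "AES128", "aes192": "AES192", "aes256": "AES256",
           "des": "DES", "3des": "DES3"}
IKE_AUTH_MAP = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256",
                "sha384": "SHA384", "sha512": None}
IPSEC_AUTH_MAP = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256",
                  "sha384": None, "sha512": None}
DH_MAP = {"group1": "DHGroup1", "group2": "DHGroup2", "group5": None,
          "group14": "DHGroup14"}
PFS_MAP = {"disabled": "None", "group1": "PFS1", "group2": "PFS2",
           "group5": None, "group14": "PFS14"}
AZURE_SA_MAX_KB = 102400000  # Azure's documented default QM SA data limit (KB)


@dataclass(frozen=True)
class AliyunProposal:
    """Values as shown in the Alibaba Cloud IPSec connection dialog."""
    ike_enc: str
    ike_auth: str
    ike_dh: str
    ipsec_enc: str
    ipsec_auth: str
    ipsec_pfs: str
    ipsec_lifetime: int  # seconds


@dataclass(frozen=True)
class AzurePolicy:
    """Values as shown in the Azure connection's IPsec/IKE policy settings."""
    ike_encryption: str
    ike_integrity: str
    dh_group: str
    ipsec_encryption: str
    ipsec_integrity: str
    pfs_group: str
    sa_lifetime: int  # seconds


def aliyun_as_azure(p: AliyunProposal) -> dict:
    """Translate the Alibaba Cloud proposal into Azure's vocabulary."""
    return {
        "ike_encryption": ENC_MAP.get(p.ike_enc),
        "ike_integrity": IKE_AUTH_MAP.get(p.ike_auth),
        "dh_group": DH_MAP.get(p.ike_dh),
        "ipsec_encryption": ENC_MAP.get(p.ipsec_enc),
        "ipsec_integrity": IPSEC_AUTH_MAP.get(p.ipsec_auth),
        "pfs_group": PFS_MAP.get(p.ipsec_pfs),
        "sa_lifetime": p.ipsec_lifetime,
    }


def find_mismatches(p: AliyunProposal, az: AzurePolicy, azure_sku: str = "Basic") -> list:
    """Return one message per parameter that would make IKE/IPSec negotiation fail."""
    problems = []
    for field, want in aliyun_as_azure(p).items():
        got = getattr(az, field)
        if want is None:
            problems.append(f"{field}: Alibaba Cloud value has no Azure equivalent")
        elif want != got:
            problems.append(f"{field}: Alibaba Cloud expects {want}, Azure has {got}")
    # The article's caveat: the Basic SKU cannot do PFS, so both sides must disable it.
    if azure_sku == "Basic" and (az.pfs_group != "None" or p.ipsec_pfs != "disabled"):
        problems.append("pfs_group: Basic SKU has no PFS; set DH group to disabled on "
                        "Alibaba Cloud and PFS to None on Azure")
    return problems


def azure_policy_command(p: AliyunProposal, resource_group: str, connection: str) -> str:
    """Azure CLI command applying the Alibaba Cloud proposal to the Azure connection.
    Custom policies need a VpnGw SKU; they are not available on Basic."""
    want = aliyun_as_azure(p)
    missing = [k for k, v in want.items() if v is None]
    if missing:
        raise ValueError(f"no Azure equivalent for: {missing}")
    return (
        "az network vpn-connection ipsec-policy add "
        f"--resource-group {resource_group} --connection-name {connection} "
        f"--ike-encryption {want['ike_encryption']} --ike-integrity {want['ike_integrity']} "
        f"--dh-group {want['dh_group']} --ipsec-encryption {want['ipsec_encryption']} "
        f"--ipsec-integrity {want['ipsec_integrity']} --pfs-group {want['pfs_group']} "
        f"--sa-lifetime {want['sa_lifetime']} --sa-max-size {AZURE_SA_MAX_KB}"
    )


# Constructed sample: the Alibaba Cloud side as planned, and an Azure side
# still on values that do not match it.
ALIYUN_SIDE = AliyunProposal("aes256", "sha256", "group2", "aes256", "sha256", "disabled", 27000)
AZURE_SIDE = AzurePolicy("AES128", "SHA1", "DHGroup2", "AES256", "SHA256", "PFS2", 3600)

if __name__ == "__main__":
    for line in find_mismatches(ALIYUN_SIDE, AZURE_SIDE):
        print("mismatch:", line)
    print(azure_policy_command(ALIYUN_SIDE, "rg-vpn-placeholder", "azure-to-aliyun"))
```

Once the printed list is empty, re-initiate the connection as described above (passive, save, active, save) and confirm the tunnel comes up; if the Alibaba Cloud side uses an algorithm with no Azure equivalent, the tool reports it instead of emitting a command, which is the case where the Alibaba Cloud proposal, not the Azure policy, has to change.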