A Tencent Cloud VPN connection features high availability. If the customer IDC connects to Tencent Cloud via primary and secondary VPN tunnels, traffic is automatically switched over to the secondary tunnel when the primary tunnel fails, ensuring service continuity and improving reliability. This document describes how to connect an IDC to a single Tencent Cloud VPC and implement primary/secondary disaster recovery.
The customer IDC only needs to interconnect with a single Tencent Cloud VPC. In the IDC, deploy two IPsec VPN devices, each of which establishes an IPsec VPN tunnel with the Tencent Cloud VPN gateway of the VPC. Then configure two routes to the same destination in the VPN gateway route table and set their priorities to designate the primary and secondary tunnels. If the primary tunnel fails, the route is switched over automatically.
You have created a Tencent Cloud VPC.
This document takes creating a VPN gateway v3.0 as an example.
Repeat steps 1-4 to create customer gateway D.
After creating the VPN gateway and customer gateways, create two VPN tunnels (primary and secondary) that respectively connect the VPN gateway to customer gateways.
Repeat steps 1-4 of creating primary tunnel B to create secondary tunnel C. The SPD policy specifies a customer IP range.
After the first three steps, the VPN gateway and VPN tunnels on Tencent Cloud are configured. Next, configure the VPN tunnels on the local gateway of the IDC; for detailed directions, see Local Gateway Configurations. The local gateway is the IPsec VPN device on the IDC side, whose public IP was recorded in the customer gateway created in step 2.
Configure both IDC-side VPN devices, the one connected to the primary tunnel and the one connected to the secondary tunnel.
After configuring the primary and secondary VPN tunnels, configure the VPN gateway routes that point to the VPN tunnels in the VPN console.

| Parameter | Description |
|---|---|
| Destination | Enter the IDC IP range to be reached over the VPN. |
| Next hop type | Defaults to VPN Tunnel. |
| Next hop | Select a VPN tunnel that has been created. |
| Priority | The smaller the value, the higher the priority. |
After configuring the VPN gateway routes, configure health checks for both the primary and secondary tunnels.
Your business may be interrupted for 1-2 seconds when a health check triggers the primary/secondary tunnel switchover.
- VPC IP refers to the Tencent Cloud IP address that sends the access request to the IDC for a health check. This IP does not fall within a VPC CIDR block.
- IDC IP refers to the IDC IP address that responds to the health check request of Tencent Cloud. Use an IP different from the VPC IP to avoid conflict.
- If the IDC IP responds to the Tencent Cloud access request delivered via the tunnel, the tunnel is considered healthy.
Repeat steps 1-3 of configuring the health check for primary tunnel B to configure a health check for secondary tunnel C, using a different health check IP address.
Now, you need to configure a VPC routing policy to direct the subnet traffic to the VPN gateway, thus enabling the subnet IP ranges to communicate with IDC IP ranges.
You can ping an IP address in the customer IP range from a CVM in the VPC to activate the VPN tunnel. If the ping succeeds, the VPC and IDC can communicate with each other.
When the VPN route table detects that the route via primary tunnel B is unreachable, traffic is automatically forwarded over VPN tunnel C, ensuring high business availability.
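As an added illustration (not Tencent Cloud code, API or console data model), the following Python models the behaviour described in the route and health-check steps above: two routes to the same IDC destination, a priority value where the smaller number wins, and a health check that marks a tunnel unhealthy so that next-hop selection falls through to the secondary route and returns to the primary once it recovers. It also checks the two health-check address rules stated above (VPC IP outside the VPC CIDR, IDC IP different from the VPC IP). Route, tunnel and address values are constructed; matching on the longest prefix before comparing priorities is an assumption of this model borrowed from ordinary routing, not a statement about the console.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnRoute:
    """One VPN gateway route. Field names are a constructed model, not the console's schema."""
    destination: str      # IDC IP range reachable through the tunnel, e.g. "10.20.0.0/16"
    next_hop: str         # VPN tunnel the route points to
    priority: int         # smaller value = higher priority
    healthy: bool = True  # latest health-check result for the tunnel

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)


class VpnRouteTable:
    """Route table with health-aware next-hop selection (constructed model)."""

    def __init__(self, routes):
        self.routes = list(routes)

    def apply_health_check(self, tunnel: str, responded: bool) -> None:
        """Record whether the IDC IP answered the probe sent through `tunnel`."""
        for route in self.routes:
            if route.next_hop == tunnel:
                route.healthy = responded

    def select_next_hop(self, dst_ip: str):
        """Pick the tunnel for dst_ip. Only healthy routes are eligible; among them the
        longest prefix wins (assumed, as in ordinary routers), then the smaller priority
        value. Returns None when no healthy route matches."""
        ip = ipaddress.ip_address(dst_ip)
        candidates = [r for r in self.routes if r.healthy and ip in r.network]
        if not candidates:
            return None
        best = min(candidates, key=lambda r: (-r.network.prefixlen, r.priority))
        return best.next_hop


def validate_health_check_ips(vpc_cidr: str, vpc_ip: str, idc_ip: str) -> list:
    """Check the two health-check addresses against the rules stated in the text:
    the VPC IP must not lie inside the VPC CIDR and the IDC IP must differ from it.
    Returns a list of problems; an empty list means the pair is acceptable."""
    problems = []
    if ipaddress.ip_address(vpc_ip) in ipaddress.ip_network(vpc_cidr):
        problems.append(f"VPC IP {vpc_ip} falls inside the VPC CIDR {vpc_cidr}")
    if vpc_ip == idc_ip:
        problems.append("IDC IP must differ from the VPC IP")
    return problems


def failover_demo():
    """Walk through the switchover: primary tunnel B fails its health check,
    traffic moves to secondary tunnel C, and returns to B once B recovers."""
    table = VpnRouteTable([
        VpnRoute("10.20.0.0/16", "tunnel-B", priority=100),  # primary (constructed values)
        VpnRoute("10.20.0.0/16", "tunnel-C", priority=200),  # secondary
    ])
    idc_host = "10.20.1.10"                                   # constructed IDC address
    before = table.select_next_hop(idc_host)                  # tunnel-B
    table.apply_health_check("tunnel-B", responded=False)     # probe via B gets no answer
    after = table.select_next_hop(idc_host)                   # tunnel-C
    table.apply_health_check("tunnel-B", responded=True)      # B recovers
    restored = table.select_next_hop(idc_host)                # tunnel-B
    return before, after, restored


if __name__ == "__main__":
    print(failover_demo())
    # 192.0.2.x are documentation addresses used here as constructed placeholders
    print(validate_health_check_ips("172.16.0.0/16", "192.0.2.1", "192.0.2.2"))
```

Running the module prints the three selected next hops for the failover sequence and an empty problem list for a valid health-check address pair; swap in a VPC IP from inside the VPC CIDR to see the validation report it.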