Tencent Cloud VPN Connections provides a complete solution for keeping your business highly available. The VPN gateway itself is highly available, and primary/secondary tunnels are also supported. The VPN gateway uses health checks to identify tunnel status and switches traffic between the primary and secondary tunnels based on that status. This document describes how to configure health checks.
We recommend you use a route-based tunnel for health check. If you use an SPD policy-based tunnel, you need to configure an SPD policy for
VPN tunnel health check uses the NQA mechanism and the `ping` command by default. The VPN gateway regularly pings the peer health check address from its local health check address (the ping is encrypted in the tunnel) to determine connectivity. If the ping fails multiple times in a row, the VPN gateway considers the tunnel abnormal and switches traffic from the primary tunnel to the secondary tunnel. The customer gateway also needs to implement a similar mechanism to switch its traffic to the secondary tunnel. To this end, you need to configure two IP addresses that can ping each other through the tunnel, or use the two IP addresses automatically assigned by the system for health check. The IP ranges of the two addresses cannot conflict with those of the VPC and IDC.
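The customer-gateway side of the mechanism described above can be sketched as follows. This is an added example, not Tencent Cloud code: the threshold of 3, the `TunnelMonitor` and `replay` names, and the probe sequences are assumptions constructed for illustration, and `probe` assumes Linux iputils `ping`.

```python
import subprocess

FAIL_THRESHOLD = 3  # assumed value; the page only says "multiple times in a row"


def probe(local_ip, peer_ip, timeout_s=1):
    """Send one ICMP echo from the local health check IP to the peer one.

    -I sets the source address to the local health check IP (Linux iputils ping).
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-I", local_ip, peer_ip]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0


class TunnelMonitor:
    """Counts consecutive probe failures and decides which tunnel carries traffic."""

    def __init__(self, threshold=FAIL_THRESHOLD):
        self.threshold = threshold
        self.failures = 0
        self.active = "primary"
        self.events = []  # (probe index, description) for each switch

    def record(self, index, ok):
        if ok:
            self.failures = 0  # a single reply resets the failure streak
            return self.active
        self.failures += 1
        if self.active == "primary" and self.failures >= self.threshold:
            self.active = "secondary"
            self.events.append((index, "switch primary -> secondary"))
        return self.active


def replay(results, threshold=FAIL_THRESHOLD):
    """Feed a sequence of probe outcomes (True = reply) through a monitor."""
    monitor = TunnelMonitor(threshold)
    for index, ok in enumerate(results):
        monitor.record(index, ok)
    return monitor.active, monitor.events


# Constructed probe outcomes: intermittent loss versus a sustained outage.
FLAPPING = [True, False, False, True, False, True]
OUTAGE = [True, True, False, False, False, False]

if __name__ == "__main__":
    print(replay(FLAPPING))
    print(replay(OUTAGE))
```

Intermittent loss never reaches the threshold and traffic stays on the primary tunnel; only an unbroken run of failures triggers the switch.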
This section only introduces the parameters for health checks. For the other steps in creating a VPN tunnel, see Creating a VPN Tunnel.
You can also configure health check on the VPN tunnel details page after the tunnel is created.
Note that your business may be interrupted for a short time.
| Parameter | Description |
|---|---|
| VPN gateway IP for health check | It defaults to an IP within the range of `169.254.128.0/17`. You can also specify `0.0.0.0` or an IP within `188.8.131.52`-`184.108.40.206` but outside the VPC IP range. |
| Customer gateway IP for health check | It defaults to an IP within the range of `169.254.128.0/17`. You can also specify an available on-premises IP. |
`0.0.0.0/0` for the local and peer IP ranges in the SPD policy to ensure that the communication between the local and peer health check IPs is encrypted based on the VPN tunnel.