Once a Direct Connect connection has established private-network communication between the local IDC and the VPC on the cloud, the VPN gateway can set up an IPsec encrypted tunnel to the local gateway device over that existing private connection. By configuring the relevant routes, you steer the traffic between the local IDC and the VPC that needs protection into the encrypted tunnel, so that the private-network traffic crossing the connection is encrypted rather than sent in the clear.
Service Scenario
Adopt this scheme when your cloud resources are located within a single VPC and the traffic between the cloud and the off-cloud environment must be encrypted even though it already travels over a private connection.
Use Limits
VPN over Direct Connect currently supports only VPC-type VPN gateways. CCN-type VPN gateways are not supported at the moment.
Dynamic BGP routing is not supported for the VPN tunnel at this time; the routes are configured statically as described below.
Only VPN version 4.0 is supported.
Network Planning
| Network | IP Range | Details |
| --- | --- | --- |
| VPC | 10.7.0.0/16 | CVM: 10.7.6.10. VPN gateway IP address: 10.7.6.15. Note: the VPN gateway IP address belongs to the tenant's VPC. |
| Direct Connect Gateway | 195.168.0.0/29 | VLAN ID: 1234. Tencent Cloud boundary IP address 1: 195.168.0.3/29. Tencent Cloud boundary IP address 2: 195.168.0.2/29. Customer boundary IP address: 195.168.0.1/29. |
| Local Gateway | 195.168.0.0/24 | Local gateway IP address that terminates the VPN to the cloud: 195.168.0.6. Interconnect IP range facing the direct connect gateway on the cloud: 195.168.0.1/29. |
| Local IDC Server | 133.168.0.0/16 | Client IP address: 133.168.0.3/32. |
Prerequisites
The Direct Connect connection has been built and is up.
You have been granted permission to use VPN over Direct Connect. If you need it, submit a ticket to apply.
The gateway device on the IDC side is ready.
Configuration Process
Deploying Direct Connect Services
Step 1. Creating a VPC-Type Direct Connect Gateway
2. On the Direct Connect Gateway page, select the region and VPC at the top, and then click Create.
| Parameter | Description |
| --- | --- |
| Name | Enter a name for the direct connect gateway. |
| Availability Zone | Select an availability zone in the region. |
| Associated Network | Select VPC. |
| Network | Select the VPC instance created earlier, for example, vpc-xxx. |
Step 2. Creating a Dedicated Tunnel of Direct Connect
2. Click Dedicated Tunnels > Exclusive Private Tunnel in the left sidebar. At the top of the page, click Create, configure the Name, Direct Connect Type, Access Network, Region, Associated Direct Connect Gateway and the other basic settings, and then click Next.
| Parameter | Description |
| --- | --- |
| Dedicated Tunnel Name | Enter a name for the dedicated tunnel. |
| Direct Connect Type | Select My Direct Connect. |
| Connection | Select a connection that is ready. |
| Access Network | Select VPC. |
| Gateway Region | Select the region where the target VPC instance is located, such as Guangzhou. |
| Direct Connect Gateway | Select the direct connect gateway created in Step 1. |
| Parameter | Description |
| --- | --- |
| VLAN ID | Enter the planned VLAN, for example, 1234. One VLAN corresponds to one tunnel; the value range is [0, 3000). |
| Bandwidth | The maximum bandwidth of the dedicated tunnel, which cannot exceed the bandwidth of the associated connection. Under monthly 95th-percentile billing, this parameter is not the billing bandwidth. |
| Tencent Cloud Boundary IP Address 1 | Enter the planned interconnect IP address on the Tencent Cloud side of the connection, for example, 195.168.0.3/29. The following ranges cannot be used: 169.254.0.0/16 (link-local), 127.0.0.0/8 (loopback), 255.255.255.255/32 (broadcast), 224.0.0.0/8 to 239.255.255.255/32 (multicast), and 240.0.0.0/8 to 255.255.255.254/32 (reserved). |
| Tencent Cloud Boundary IP Address 2 | Enter the planned standby interconnect IP address, for example, 195.168.0.2/29. If the primary boundary IP address fails, the standby address takes over automatically so that service continues. A standby address cannot be configured when the Tencent Cloud boundary IP address uses a /30 or /31 mask. |
| User Boundary IP Address | Enter the interconnect IP address on the IDC side of the connection, for example, 195.168.0.1/29. |
| Routing Mode | Select BGP Routing. |
| Health Check | Whether to enable health checks on the tunnel; the following two fields apply only when it is enabled. |
| Check Mode | Select BFD. |
| Health Check Interval | The interval between two consecutive health checks. |
| Number of Health Checks | The route is switched when the health check fails this many times in a row. |
| BGP ASN | Enter the ASN of the BGP neighbor on the CPE side. The Tencent Cloud side ASN is 45090. If this field is left empty, a random ASN is assigned. |
| BGP Key | Enter the MD5 authentication key for the BGP session; the default is "tencent". Leave it empty if no BGP key is required. The key cannot contain the following six special characters: ? & space " \ +. Replace the default with a unique value and configure the same key on the CPE; the session will not establish if the keys differ. |
4. Click Submit.
Deploy VPN Service
Step 1. Create a VPC VPN Gateway
2. In the left navigation bar, select VPN Connection > VPN Gateway to open the management page.
3. On the VPN gateway management page, click New.
4. In the Create VPN Gateway dialog box, configure the gateway parameters as follows.
| Parameter | Description |
| --- | --- |
| Billing Mode | Select bill-by-traffic. Monthly subscription is not currently supported for VPC VPN gateways. |
| Gateway Name | Enter the VPN gateway name (up to 60 characters). |
| Region | Displays the region of the VPN gateway. |
| Protocol Type | Select IPsec. |
| Network Type | Select VPC. |
| Associated Network | Select VPC. CCN is currently not supported by VPC VPN gateways. |
| Cloud Subnet | Select a subnet in the VPC. The VPN gateway's private IP address (10.7.6.15 in this plan) is allocated from this subnet and belongs to the tenant's VPC. |
| Bandwidth Cap | Select the bandwidth cap, for example, 5 Mbps. |
| Network | Select the VPC to associate with the VPN gateway. This field appears only when the associated network is VPC. |
| Tag | Tags are identifiers attached to VPN gateway resources to make them easier to query and manage. This setting is optional. |
5. After completing the gateway parameter settings, click Create to initiate the creation of the VPN gateway. For more information, see Creating an IPsec VPN Gateway.
Step 2. Create a Peer Gateway
1. In the left navigation bar, select VPN Connection > Peer Gateway.
2. On the Peer Gateway management page, select the region, then click Create.
3. Enter a name for the peer gateway. For the VPC IP (the private IP address field), enter the IP address of the local gateway device on the IDC side (195.168.0.6), which the VPN gateway reaches over the Direct Connect link.
4. Click Create.
Step 3. Create a VPN Tunnel
1. In the left navigation bar, select VPN Connection > VPN Tunnel.
2. On the VPN Tunnel management page, select the region, and click New.
3. Enter the VPN tunnel information on the pop-up page.
Note: this section only covers the key parameters. For the other parameters, refer to Create VPN Tunnel.
| Parameter | Description |
| --- | --- |
| Tunnel Name | Enter the tunnel name. |
| Network Type | Select VPC. |
| VPC | Select the VPC instance created earlier. |
| VPN Gateway | Select the VPC VPN gateway created in Step 1. |
| Peer Gateway | Select the peer gateway created in Step 2. |
| Pre-shared Key | Enter the pre-shared key, for example, 123456. It must be identical to the key configured on the IDC-side gateway in Step 4; use a long, randomly generated value in production rather than this placeholder. |
| Negotiation Type | Select Traffic Negotiation. |
| Communication Mode | Select Destination Routing. |
| Advanced Settings | Keep the default values. |
4. Click Create.
Step 4: IDC Local Configuration
After the first three steps are completed, the VPN gateway and VPN tunnel on the cloud side are configured. You still need to configure the matching tunnel on the local gateway at the IDC side; for details, refer to Local Gateway Configurations. The "local gateway" on the IDC side is the IPsec VPN device whose IP address (195.168.0.6) was recorded in the peer gateway in Step 2; its IKE and IPsec parameters and pre-shared key must match what was set in Step 3.
Configure Cloud Routing
After the above configuration is completed, the local gateway device and the VPN gateway can establish an encrypted tunnel. You also need to configure routes on the cloud network instances so that traffic between the cloud and the IDC is directed into the VPN tunnel rather than sent in the clear over the connection.
Step 1. Configure Custom Routing for the Cloud VPC
2. In the left navigation bar, click Subnet, select the region and VPC, and then click the route table ID associated with the subnet to open its Details page.
3. Click Create Routing Policy, and configure the route to the VPN gateway in the pop-up box.
| Parameter | Description |
| --- | --- |
| Destination Address | Enter the local IDC network segment or host to be reached through the tunnel, for example, 133.168.0.3/32. |
| Next Hop Type | Select VPC VPN Gateway. |
| Next Hop | Select the VPC VPN gateway created in Step 1 of Deploy VPN Service. |
4. Click + Add New Line and configure the routing policy to the direct connect gateway. This route carries the encrypted tunnel packets from the VPN gateway to the peer gateway over the connection.
| Parameter | Description |
| --- | --- |
| Destination Address | Enter the IP address of the local gateway device that terminates the VPN, for example, 195.168.0.6. |
| Next Hop Type | Select Direct Connect Gateway. |
| Next Hop | Select the direct connect gateway created in Step 1 of Deploying Direct Connect Services. |
5. Click Create.
Step 2: Configure VPN Gateway Routing
Note:
To direct VPC traffic to the on-premises network through the VPN gateway-based encrypted communication tunnel, you need to add a route in the VPN gateway for the local IDC network segment.
1. In the left navigation bar, click VPN Connection > VPN Gateway.
2. On the VPN Gateway management page, select the region and VPC, and then click the VPN Gateway instance ID to display the details page.
3. On the Instance Details page, click the Route Table tab, and then click Add Route to configure a routing policy.
Note:
When a new route is added to the VPN gateway route table, the next-hop list shows all VPN tunnels under the VPN gateway by default (both SPD policy-based and route-based tunnels).
| Parameter | Description |
| --- | --- |
| Destination | Enter the local IDC network segment, for example, 133.168.0.3/32. |
| Next Hop Type | Fixed to VPN Tunnel; not selectable. |
| Next Hop | Select the VPN tunnel created in Step 3 of Deploy VPN Service. |
| Weight | Set the tunnel weight to 0. 0 is the highest priority and 100 the lowest. |
4. After configuring the routing policy, click Confirm.
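The two route tables above (the VPC route table from Step 1 and the VPN gateway route table from Step 2) have to agree with each other, and the most common mistake is steering the tunnel's own peer address into the VPN gateway so that the encrypted outer packets have nowhere to go. The following Python script is an added example, not part of the original page or of Tencent Cloud's tooling: it models the page's planned routes, performs the same longest-prefix match the VPC route table does, and reports inconsistencies. Instance IDs such as vpngw-xxx, dcg-xxx and vpnx-xxx are placeholders, and the "broken" table is a constructed misconfiguration.

```python
"""Consistency check for the cloud-side route plan of a VPN over Direct Connect.

Added example, not from the original page. Route entries are constructed from
the page's network plan; instance IDs such as vpngw-xxx are placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str    # CIDR or host, as entered in the console
    next_hop_type: str  # LOCAL, VPC VPN Gateway, Direct Connect Gateway, VPN Tunnel
    next_hop: str       # next-hop instance ID (hypothetical placeholders below)


# VPC route table after Configure Cloud Routing, Step 1. The LOCAL entry is
# the system route every VPC carries for its own CIDR.
VPC_ROUTES = [
    Route("10.7.0.0/16", "LOCAL", "local"),
    Route("133.168.0.3/32", "VPC VPN Gateway", "vpngw-xxx"),
    Route("195.168.0.6/32", "Direct Connect Gateway", "dcg-xxx"),
]

# VPN gateway route table after Step 2: IDC segment -> the tunnel.
VPN_GATEWAY_ROUTES = [
    Route("133.168.0.3/32", "VPN Tunnel", "vpnx-xxx"),
]

# Constructed broken variant: the interconnect range was typed in as the
# "IDC segment" and the Direct Connect route for the peer gateway was never
# added, so the tunnel's own outer packets would be routed back into the
# VPN gateway instead of across the connection.
BROKEN_VPC_ROUTES = [
    Route("10.7.0.0/16", "LOCAL", "local"),
    Route("195.168.0.0/24", "VPC VPN Gateway", "vpngw-xxx"),
]


def lookup(routes, ip):
    """Longest-prefix match, which is how the VPC route table selects a route."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.destination, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def check_plan(vpc_routes, vpn_gw_routes, vpc_cidr, idc_segment, vpn_peer_ip, idc_test_ip):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(idc_segment, strict=False)):
        problems.append(f"VPC {vpc_cidr} overlaps IDC segment {idc_segment}")

    # 1. Traffic for the IDC must be steered into the VPN gateway.
    hit = lookup(vpc_routes, idc_test_ip)
    if hit is None or hit.next_hop_type != "VPC VPN Gateway":
        problems.append(f"{idc_test_ip}: expected VPC VPN Gateway, got "
                        f"{hit.next_hop_type if hit else 'no route'}")

    # 2. The encrypted outer packets (to the peer gateway) must ride the
    #    Direct Connect gateway, never the VPN gateway itself.
    hit = lookup(vpc_routes, vpn_peer_ip)
    if hit is None or hit.next_hop_type != "Direct Connect Gateway":
        problems.append(f"peer {vpn_peer_ip}: expected Direct Connect Gateway, got "
                        f"{hit.next_hop_type if hit else 'no route'}")

    # 3. Inside the VPN gateway, the IDC segment must point at a tunnel.
    hit = lookup(vpn_gw_routes, idc_test_ip)
    if hit is None or hit.next_hop_type != "VPN Tunnel":
        problems.append(f"VPN gateway has no tunnel route for {idc_test_ip}")
    return problems


if __name__ == "__main__":
    args = ("10.7.0.0/16", "133.168.0.0/16", "195.168.0.6", "133.168.0.3")
    print("planned:", check_plan(VPC_ROUTES, VPN_GATEWAY_ROUTES, *args) or "OK")
    print("broken: ", check_plan(BROKEN_VPC_ROUTES, VPN_GATEWAY_ROUTES, *args))
```

Run it with the planned tables and it reports no problems; with the broken table it reports that 133.168.0.3 has no route and that the peer 195.168.0.6 would be sent to the VPN gateway. Feed it the routes you actually entered in the console before moving on to Verify Traffic.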
Verify Traffic
After the above configuration is completed, encrypted private-network communication can be established between the local IDC and the VPC. Test connectivity between the two and verify that the traffic actually traverses the VPN tunnel instead of crossing the connection in the clear.
1. Testing connectivity
Log in to the CVM instance (10.7.6.10) and use the ping command to reach a server in the local IDC network segment, for example 133.168.0.3.
2. Encryption verification
In the VPN console, check the traffic monitoring of the VPN tunnel. Counters that rise in step with the ping show that the traffic is being steered into the tunnel. Tunnel counters alone do not prove that nothing travels in the clear: if the IDC also advertises the same segment over the Direct Connect BGP session, any traffic that misses the VPN route falls back to the unencrypted connection. For a definitive check, capture on the IDC gateway's Direct Connect-facing interface while the ping runs and confirm that only ESP packets between 10.7.6.15 and 195.168.0.6 appear, with no ICMP between 10.7.0.0/16 and 133.168.0.0/16.
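The capture check described above, as an added example that is not part of the original page: a small Python auditor over tcpdump-style text lines taken on the Direct Connect-facing interface. The sample lines are constructed for this example (not a real capture), the addresses are the page's plan, and the "leak" sample shows what a missed VPN route looks like on the wire: plaintext ICMP between the CVM and the IDC client instead of ESP between the two gateways. The ".4500" port suffix models NAT-T UDP encapsulation, which tcpdump prints as "UDP-encap: ESP".

```python
"""Audit a tcpdump text capture for VPC<->IDC traffic that bypassed IPsec.

Added example, not from the original page. The capture lines are constructed
samples in tcpdump's default output format; addresses follow the page's plan.
"""
import ipaddress
import re

VPC_CIDR = ipaddress.ip_network("10.7.0.0/16")
IDC_CIDR = ipaddress.ip_network("133.168.0.0/16")
VPN_GATEWAY_IP = ipaddress.ip_address("10.7.6.15")
LOCAL_GATEWAY_IP = ipaddress.ip_address("195.168.0.6")

# Constructed sample: what a healthy tunnel looks like on the connection.
SAMPLE_GOOD = """\
10:00:01.000101 IP 10.7.6.15 > 195.168.0.6: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
10:00:01.000205 IP 195.168.0.6 > 10.7.6.15: ESP(spi=0x0d2c1b0a,seq=0x1), length 132
10:00:02.000101 IP 10.7.6.15.4500 > 195.168.0.6.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x2), length 140
""".splitlines()

# Constructed sample: the same plus a ping that missed the VPN route and went
# over the connection in the clear (e.g. the IDC segment is also learned via BGP).
SAMPLE_LEAK = SAMPLE_GOOD + [
    "10:00:03.000101 IP 10.7.6.10 > 133.168.0.3: ICMP echo request, id 7, seq 1, length 64",
    "10:00:03.000222 IP 133.168.0.3 > 10.7.6.10: ICMP echo reply, id 7, seq 1, length 64",
]

# timestamp, "IP", src[.port] > dst[.port]: rest
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
)


def audit_capture(lines):
    """Classify capture lines from the Direct Connect-facing interface.

    Returns {"esp": count of ESP packets between the two tunnel endpoints,
             "plaintext": lines carrying VPC<->IDC traffic in the clear,
             "unexpected_esp": ESP seen between endpoints other than the
                               VPN gateway and the local gateway}.
    """
    result = {"esp": 0, "plaintext": [], "unexpected_esp": []}
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # ARP, IPv6 and other noise are out of scope here
        src = ipaddress.ip_address(match["src"])
        dst = ipaddress.ip_address(match["dst"])
        if "ESP(" in match["rest"]:
            # Encrypted traffic must run between the two tunnel endpoints only.
            if {src, dst} == {VPN_GATEWAY_IP, LOCAL_GATEWAY_IP}:
                result["esp"] += 1
            else:
                result["unexpected_esp"].append(line)
            continue
        # Any inner address pair visible on this link is a plaintext leak.
        if (src in VPC_CIDR and dst in IDC_CIDR) or (src in IDC_CIDR and dst in VPC_CIDR):
            result["plaintext"].append(line)
    return result


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("leak", SAMPLE_LEAK)):
        report = audit_capture(sample)
        verdict = "OK" if not report["plaintext"] else "PLAINTEXT LEAK"
        print(f"{name}: esp={report['esp']} plaintext={len(report['plaintext'])} -> {verdict}")
```

To use it against a live capture, run tcpdump with `-n` on the interface facing the connection while pinging from the CVM, save the text output, and pass its lines to audit_capture; an empty "plaintext" list together with a non-zero ESP count is the result you want.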