Tencent Cloud VPN Connections provides Internet-based remote network connection services. As an important component of a VPN connection, a VPN gateway can enable secure site-to-site access by creating a secure encrypted IPsec or SSL tunnel with the customer IDC, mobile client, and private office network.
Use Cases of IPSec VPN
VPN has two routing and forwarding methods:
SPD policy-based routing matches the source and destination IP ranges of a data flow against the SPD policy and forwards the flow according to the configured forwarding policy. This method does not perform routing, so traffic cannot be forwarded by route, but the first, fourth and sixth communication scenarios can be realized with it.
Destination routing forwards data packets based on the destination IP range, according to the routes configured in the VPN route table. All of the following communication scenarios can be realized with this method. The sixth scenario can be realized either through SPD policy-based routing alone or through SPD policy-based routing and destination routing used together.
Note:
The "customer gateway" in the following figures means the logical object that records the public IP address of the IPsec VPN device on the IDC side. Each customer gateway corresponds to the IPsec VPN device on the IDC side.
Scenario 1: communication between VPC and IDC
VPN Connections enables communication between a VPC and an IDC.
Scenario 2: traffic interconnection between a single VPC and multiple IDCs
Multiple IDCs connect to each other in the VPN connection-based migration-to-cloud scenario.
Scenario description: the customer IDC-1, IDC-2, and IDC-3 are connected to a Tencent Cloud VPN gateway for VPC via their respective IPsec VPN devices. They can not only access resources in the VPC of the VPN gateway but also connect to each other through the Tencent Cloud VPN gateway, thus enabling secure communication between the VPC and the customer IDC-1, IDC-2, and IDC-3.
Scenario 3: communication among multiple IDCs via a VPN gateway
Multiple IDCs can communicate with each other via a VPN gateway for Cloud Connect Network (CCN) if they don't need to access cloud resources.
Scenario description: the customer IDC-1, IDC-2, and IDC-3 are connected to a Tencent Cloud VPN gateway for CCN via their respective IPsec VPN devices. They communicate with each other only via the Tencent Cloud VPN gateway and do not need to access Tencent Cloud public cloud resources. In this case, customers can create a VPN gateway for CCN that is not associated with a CCN.
Scenario 4: traffic interconnection between multiple IDCs and multiple cloud networks
Scenario description: the customer IDC-1, IDC-2, and IDC-3 are connected to a Tencent Cloud VPN gateway for CCN via their respective IPsec VPN devices. They can communicate with each other via the Tencent Cloud VPN gateway and access the CCN-associated VPCs and direct connect networks via the CCN. In this case, customers create a VPN gateway for CCN and associate it with the CCN to realize traffic interconnection.
Scenario 5: IDC realizes active/standby cloud disaster recovery through active/standby VPN tunnels
If the customer IDC connects to the cloud via active/standby VPN tunnels and the active tunnel fails, business traffic is automatically switched over to the standby tunnel, ensuring business continuity and reliability.
Scenario description 1: The customer IDC only needs to connect to a single Tencent Cloud VPC. On the customer IDC side, the customer deploys 2 IPsec VPN devices, each of which creates an IPsec VPN tunnel with the Tencent Cloud VPN gateway for VPC. The VPN gateway route table is configured with 2 routes to the same destination, and the active/standby tunnel mechanism takes effect through priority control. In case of failure, the routes are switched over automatically.
Scenario description 2: The customer IDC needs to connect to multiple Tencent Cloud VPCs (in the same region or in different regions) and direct connect networks. On the customer IDC side, the customer deploys 2 IPsec VPN devices, each of which creates an IPsec VPN tunnel with the Tencent Cloud VPN gateway for CCN. The VPN gateway route table is configured with 2 routes to the same destination, and the active/standby tunnel mechanism takes effect through priority control. In case of failure, the routes are switched over automatically.
Scenario 6: communication between a single VPC and multiple IDCs via multiple VPN tunnels
This communication scenario is similar to the second scenario. The difference is that in this scenario, the customer IDC-1, IDC-2, and IDC-3 only need to communicate with the VPC and do not need to communicate with each other.
For this scenario, we recommend using the SPD policy-based routing method to create the VPC > IDC1, VPC > IDC2, and VPC > IDC3 rules.
If the destination routing method is used alone, IDC-1, IDC-2, and IDC-3 can communicate with each other, which does not conform to the communication scenario. Alternatively, you can configure the VPC > IDC1 and VPC > IDC2 rules with the SPD policy-based routing method, and then configure in the route table a routing policy whose destination IP range is IDC3. Because SPD policy-based routing takes precedence over destination routing, this communication scenario can also be realized in this way.
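As an added example (not Tencent Cloud's code), the following Python model shows how the two forwarding methods described on this page interact: the SPD precedence relied on in scenario 6, including the inbound policy check that keeps IDCs from reaching each other, and the priority-controlled active/standby route selection of scenario 5. Tunnel names, IP ranges, and the lower-value-wins priority convention are assumptions.

```python
import ipaddress as ipa

# Constructed model of the two forwarding methods. SPD policies are
# (src_range, dst_range, tunnel) and take precedence; VPN routes are
# (dst_range, tunnel, priority). Among routes to the same destination the
# lowest priority value wins (assumed convention) as long as its tunnel is
# up, which yields the active/standby switch-over of scenario 5.

def _in(ip, cidr):
    return ipa.ip_address(ip) in ipa.ip_network(cidr)

def select_tunnel(src, dst, spd, routes, tunnel_up, ingress=None):
    """Return the egress tunnel for a packet, or None if it is dropped."""
    # Inbound SPD check: a packet arriving over a policy-governed tunnel must
    # match that tunnel's policy in the reverse direction, otherwise it is
    # not accepted. This is what blocks IDC-to-IDC traffic in scenario 6.
    governed = [p for p in spd if p[2] == ingress]
    if governed and not any(_in(dst, s) and _in(src, d) for s, d, _ in governed):
        return None
    # 1. SPD policy-based routing: both ends of the flow must match.
    for s, d, tun in spd:
        if _in(src, s) and _in(dst, d):
            return tun
    # 2. Destination routing over healthy tunnels: longest prefix, then priority.
    cands = [(ipa.ip_network(d).prefixlen, -prio, tun)
             for d, tun, prio in routes if tunnel_up.get(tun) and _in(dst, d)]
    return max(cands)[2] if cands else None

# Constructed addressing: VPC 10.0.0.0/16, IDC-1/2/3 in 192.168.1-3.0/24,
# plus a 172.16.0.0/16 destination reached over an active/standby pair.
VPC = "10.0.0.0/16"
SPD = [(VPC, "192.168.1.0/24", "idc1"), (VPC, "192.168.2.0/24", "idc2")]
ROUTES = [("192.168.3.0/24", "idc3", 100),
          ("172.16.0.0/16", "active", 10), ("172.16.0.0/16", "standby", 20)]

def demo(up):
    return {
        "vpc_to_idc2": select_tunnel("10.0.1.9", "192.168.2.7", SPD, ROUTES, up, "vpc"),
        "vpc_to_idc3": select_tunnel("10.0.1.9", "192.168.3.7", SPD, ROUTES, up, "vpc"),
        "idc1_to_idc3": select_tunnel("192.168.1.5", "192.168.3.7", SPD, ROUTES, up, "idc1"),
        "vpc_to_172": select_tunnel("10.0.1.9", "172.16.4.4", SPD, ROUTES, up, "vpc"),
    }

if __name__ == "__main__":
    up = {"idc1": True, "idc2": True, "idc3": True, "active": True, "standby": True}
    print(demo(up))
    up["active"] = False   # active tunnel fails: the standby route takes over
    print(demo(up))
```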
Scenario 7: A VPN Gateway and a DC Gateway Realize Primary/Secondary Disaster Recovery
This communication scenario is similar to Scenario 5. The difference is that dynamic BGP is used to run a primary DC plus a standby VPN for disaster recovery redundancy. In this setup, the two VPN gateways are configured in an ECMP relationship. Under normal conditions, service traffic flows through the dedicated DC channel; if it fails, traffic is automatically rerouted to the VPN. Once the DC recovers, service traffic switches back to the DC.
Scenario 8: A VPN Gateway and a DC Gateway Realize Encrypted Private Network Traffic Communication
Once private network communication between the local IDC and the cloud VPC has been established over a physical DC, the private VPN gateway can create an encrypted communication channel with the local gateway device across that private network connection. By configuring the relevant routes, you can steer the traffic between the local IDC and the VPC into this encrypted channel, thereby encrypting the private network traffic.
Note:
In this scenario, the IP address of the private VPN gateway belongs to the tenant's VPC.
Currently, the private VPN only supports VPC-based VPNs; CCN-based VPNs are not yet supported.
Use Cases of SSL VPN
Scenario 1: Remote Access to a Single VPC from Mobile Devices
Users can establish a connection to resources within a single VPC in the cloud via an SSL VPN, enabling remote access from PCs or mobile devices.
Scenario 2: Remote Access to Multiple VPCs from Remote Devices
Users can establish a connection to resources across multiple VPCs in the cloud via a CCN-based SSL VPN, enabling remote access from PCs or mobile devices.
Scenario 3: Access to IDC Resources via a VPN from Mobile Devices
Through a CCN, users can associate IPsec VPN gateways and SSL VPN gateways, enabling remote access to resources and services within their own IDC from PCs or mobile devices.