Dedicated Private Network Traffic Encrypted Via a Private Network VPN Gateway

Last updated: 2024-08-15 16:12:01
Once private network communication between the local IDC and the VPC on the cloud has been established over a Direct Connect connection, the VPN gateway can set up an encrypted tunnel to the local gateway device across that existing private network connection. With the routing configuration described below, you steer the traffic that the local IDC and the VPC exchange into the encrypted tunnel, so that the private network traffic is encrypted in transit.

Service Scenario

[Figure: service scenario diagram not available in this copy of the page]

Use Limits

- This feature currently supports only the VPC-type VPN; the CCN-type VPN is not supported at the moment.
- Dynamic BGP routing over the VPN is not supported at this time.
- The feature is supported only in VPN version 4.0.

Network Planning

| Configuration Object | IP Range Planning | IP Addresses and Description |
| --- | --- | --- |
| VPC | 10.7.0.0/16 | CVM: 10.7.6.10. VPN gateway IP address: 10.7.6.15 |
| Direct Connect Gateway | 195.168.0.0/29 | VLAN ID: 1234. Tencent Cloud boundary IP address 1: 195.168.0.3/29. Tencent Cloud boundary IP address 2: 195.168.0.2/29. Customer boundary IP address: 195.168.0.1/29 |
| Local Gateway | 195.168.0.0/24 | Local gateway IP address connected to the VPN on the cloud: 195.168.0.6. IP range connected to the direct connect gateway on the cloud: 195.168.0.1/29 |
| Local IDC Server | 133.168.0.0/16 | Client IP address: 133.168.0.3/32 |

Note:
The VPN gateway IP address belongs to the tenant's VPC.

Prerequisites

- The Direct Connect connection has been built and is in the connected state.
- You have applied for VPN access permissions. If you need this feature, submit a ticket to apply.
- The IDC-side device is ready.

Configuration Process

[Figure: configuration process diagram not available in this copy of the page]

Step 1: Deploy Direct Connect Services

Step 1. Create a VPC Direct Connect Gateway

1. Log in to the Direct Connect console, and click Direct Connect Gateway in the left sidebar.
2. On the Direct Connect Gateway page, select the region and VPC at the top, and then click Create.
3. In the Create a Direct Connect Gateway dialog box, configure the gateway details, and then click Confirm.

| Field | Meaning |
| --- | --- |
| Name | Enter a name for the direct connect gateway. |
| Availability Zone | Select the availability zone in the region. |
| Associated Network | Select VPC. |
| Network | Associate the gateway with the VPC instance you created, for example, vpc-xxx. |

Step 2. Create a Dedicated Tunnel

1. Log in to the DC - Dedicated Tunnels console.
2. Click Dedicated Tunnels > Exclusive Private Tunnel in the left sidebar. At the top of the page, click Create and configure Name, Direct Connect Type, Access Network, Region, Associated Direct Connect Gateway, and the other basic settings. When you are done, click Next.

| Field | Meaning |
| --- | --- |
| Dedicated Tunnel Name | Name of the dedicated tunnel. |
| Direct Connect Type | Select "My Direct Connect". |
| Connection | Select a connection that is ready. |
| Access Network | Select VPC. |
| Gateway Region | Select the region where the target VPC instance is located, such as Guangzhou. |
| Direct Connect Gateway | Associate the direct connect gateway created in Step 1. |

3. Configure the following parameters on the Advanced Configuration page.

| Field | Meaning |
| --- | --- |
| VLAN ID | Configure the planned VLAN, for example, 1234. One VLAN corresponds to one tunnel; the value range is [0, 3000). |
| Bandwidth | The maximum bandwidth of a dedicated tunnel cannot exceed the bandwidth of the associated connection. Under monthly 95th-percentile postpaid billing, the Bandwidth parameter does not represent the billing bandwidth. |
| Tencent Cloud Boundary IP Address 1 | Configure the planned Tencent Cloud-side boundary interconnect IP address of the connection, for example, 195.168.0.3/29. Do not use the following IP ranges or network addresses: 169.254.0.0/16, 127.0.0.0/8, 255.255.255.255/32, 224.0.0.0/8 - 239.255.255.255/32, 240.0.0.0/8 - 255.255.255.254/32. |
| Tencent Cloud Boundary IP Address 2 | Configure the planned standby boundary interconnect IP address, for example, 195.168.0.2/29. If the primary boundary IP address becomes unavailable because of a failure, the standby IP address is activated automatically so that service continues. If the Tencent Cloud boundary IP address mask is /30 or /31, a standby boundary IP address cannot be configured. |
| User Boundary IP Address | Configure the IDC-side interconnect IP address of the connection, for example, 195.168.0.1/29. |
| Routing Mode | Select BGP Routing. |
| Health Check | Enabled by default. For details, see Dedicated Tunnel Health Check. |
| Check Mode | Select the BFD mode. |
| Health Check Interval | Interval between two health checks. |
| Number of Health Checks | The route is switched after the health check fails this many times in a row. |
| BGP ASN | Enter the ASN of the BGP neighbor on the CPE side. Note that the cloud platform ASN is 45090. If this field is left empty, a random ASN is assigned. |
| BGP Key | Enter the MD5 key of the BGP neighbor; the default is "tencent". If it is left empty, no BGP key is used. The key cannot contain any of these six characters: ? & (space) " \ + |

4. Click Submit.
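The constraints in the Advanced Configuration table (the VLAN range, the forbidden boundary IP ranges, the rule that a /30 or /31 mask leaves no room for a standby address, and the six characters banned from the BGP key) can be checked against a planned tunnel before anything is submitted. The following Python script is an added example, not Tencent Cloud code or API; the field names vlan_id, cloud_ip_1, cloud_ip_2, user_ip and bgp_key are assumed names chosen for the script, the first plan is the page's own network plan, and the second is a constructed bad plan that trips each check once.

```python
import ipaddress
from typing import Dict, List

# Ranges the page forbids for the Tencent Cloud boundary IP. 224.0.0.0/4 and 240.0.0.0/4 are
# the CIDR forms of the two "from - to" ranges listed in the table.
FORBIDDEN_RANGES = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "255.255.255.255/32", "224.0.0.0/4", "240.0.0.0/4")]

# Characters the page disallows in the BGP MD5 key: ? & space " \ +
BGP_KEY_FORBIDDEN = set('?& "\\+')


def validate_tunnel(cfg: Dict[str, object]) -> List[str]:
    """Return the problems found in an Advanced Configuration plan; an empty list means it passes.

    cfg keys (assumed names for this example): vlan_id, cloud_ip_1, cloud_ip_2 (optional),
    user_ip, bgp_key (optional). Addresses carry their mask, e.g. "195.168.0.3/29".
    """
    problems: List[str] = []

    vlan = int(cfg["vlan_id"])  # one VLAN per tunnel, range [0, 3000)
    if not 0 <= vlan < 3000:
        problems.append(f"VLAN ID {vlan} is outside the allowed range [0, 3000)")

    cloud1 = ipaddress.ip_interface(str(cfg["cloud_ip_1"]))
    user = ipaddress.ip_interface(str(cfg["user_ip"]))

    for label, iface in (("cloud_ip_1", cloud1), ("user_ip", user)):
        hit = next((n for n in FORBIDDEN_RANGES if iface.ip in n), None)
        if hit is not None:
            problems.append(f"{label} {iface.ip} falls in forbidden range {hit}")

    # Both ends of the interconnect must share a subnet, or the BGP/BFD neighbour is unreachable.
    if cloud1.network != user.network:
        problems.append(f"cloud_ip_1 {cloud1} and user_ip {user} are not in the same interconnect subnet")

    cloud2_raw = cfg.get("cloud_ip_2")
    if cloud2_raw:
        if cloud1.network.prefixlen in (30, 31):
            problems.append("a standby boundary IP is not supported when the mask is /30 or /31")
        else:
            cloud2 = ipaddress.ip_interface(str(cloud2_raw))
            if cloud2.network != cloud1.network:
                problems.append(f"cloud_ip_2 {cloud2} is not in the same subnet as cloud_ip_1")
            if cloud2.ip in (cloud1.ip, user.ip):
                problems.append(f"cloud_ip_2 {cloud2.ip} duplicates another interconnect address")

    key = cfg.get("bgp_key")
    if key:
        bad = sorted(set(str(key)) & BGP_KEY_FORBIDDEN)
        if bad:
            problems.append(f"BGP key contains disallowed characters: {bad!r}")

    return problems


# The plan from the page's Network Planning table.
PLANNED = {
    "vlan_id": 1234,
    "cloud_ip_1": "195.168.0.3/29",
    "cloud_ip_2": "195.168.0.2/29",
    "user_ip": "195.168.0.1/29",
    "bgp_key": "tencent",
}

# A constructed bad plan: VLAN out of range, link-local boundary IP, mismatched subnets,
# a standby address on a /30, and a BGP key with a space and a question mark.
BAD = {
    "vlan_id": 3000,
    "cloud_ip_1": "169.254.1.1/30",
    "cloud_ip_2": "169.254.1.2/30",
    "user_ip": "195.168.0.1/29",
    "bgp_key": "my key?",
}

if __name__ == "__main__":
    for name, cfg in (("planned", PLANNED), ("bad", BAD)):
        print(name, validate_tunnel(cfg) or "OK")
```

Running the script prints OK for the page's plan and five findings for the bad plan; the subnet check is the one most worth keeping in a real pre-flight, since a mismatched interconnect subnet leaves the BGP session silently down while the console accepts the addresses.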

Step 2: Deploy VPN Service

Step 1. Create a VPN Gateway

1. Log in to the VPC console.
2. In the left navigation bar, select VPN Connection > VPN Gateway to open the management page.
3. On the VPN gateway management page, click New.
4. In the Create VPN Gateway dialog box, configure the gateway parameters as follows.

| Parameter Name | Parameter Description |
| --- | --- |
| Billing Mode | Select billing by traffic. Monthly subscription is not supported for VPC VPNs currently. |
| Gateway Name | Enter the VPN gateway name (up to 60 characters). |
| Region | Displays the region of the VPN gateway. |
| Protocol Type | Select IPsec. |
| Network Type | Select "VPC". |
| Associated Network | Select "VPC". Currently, CCN is not supported by VPC VPNs. |
| Cloud Subnet | Select the subnet created on the VPC side. The VPC VPN gateway IP address is assigned to the tenant's VPC from this subnet. |
| Bandwidth Cap | Select 5 Mbps. |
| Network | Select the VPC to associate with the VPN gateway. This parameter appears only when the associated network is a VPC. |
| Tag | Tags are identifiers for VPN gateway resources that make these resources quicker to query and manage. This setting is optional and can be defined as needed. |

5. After completing the gateway parameter settings, click Create to start creating the VPN gateway.

Step 2. Create a Peer Gateway

1. In the left navigation bar, select VPN Connection > Peer Gateway.
2. On the Peer Gateway management page, select the region, then click Create.
3. Enter the name of the peer gateway. For the VPC IP, enter the IP address of the local gateway device on the IDC side (195.168.0.6).
4. Click Create.

Step 3. Create a VPN Tunnel

1. In the left navigation bar, select VPN Connection > VPN Tunnel.
2. On the VPN Tunnel management page, select the region, and click New.
3. Enter the VPN tunnel information on the pop-up page.
This section covers only the key parameters. For the other parameters, refer to Create VPN Tunnel.

| Parameter Name | Parameter Description |
| --- | --- |
| Tunnel Name | Enter the tunnel name. |
| Network Type | Select VPC. |
| VPC | Select a VPC instance that has been created. |
| VPN Gateway | Select the VPC VPN gateway created in Step 1. |
| Peer Gateway | Select the peer gateway created in Step 2. |
| Pre-shared Key | Set it to 123456. |
| Negotiation Type | Select "Traffic Negotiation". |
| Communication Mode | Select "Destination Routing". |
| Advanced Settings | Keep the default values. |

4. Click Create.

After the first three steps, the VPN gateway and VPN tunnel on the cloud side are configured. You still need to configure the matching VPN tunnel on the local gateway at the IDC side; for details, refer to Local Gateway Configurations. The "local gateway" on the IDC side is the IDC's IPsec VPN device, and its IP address is the one recorded in the peer gateway in Step 2.

Step 3: Configure Cloud Routing

After the configuration above is completed, an encrypted tunnel can be established between the local gateway device and the VPN gateway. You still need to configure routes for the cloud network instance so that traffic between the cloud and the IDC is directed into the VPN's encrypted tunnel.

Step 1. Configure Custom Routing for the Cloud VPC

1. Log in to the VPC Console.
2. In the left navigation bar, click Subnet, select the corresponding Region and VPC, and then click the Route Table ID associated with the subnet to open the Details page.
3. Click Create Routing Policy, and configure the route to the VPN gateway in the pop-up box.

| Parameter Name | Description |
| --- | --- |
| Destination Address | Enter the local IDC network segment, for example, 133.168.0.3/32. |
| Next Hop Type | Select "VPC VPN Gateway". |
| Next Hop | Select the VPN gateway created in Step 1 of "Step 2: Deploy VPN Service", for example, vpngw-xxxx. |

4. Click + Add New Line to configure the routing policy to the Direct Connect Gateway.

| Parameter Name | Description |
| --- | --- |
| Destination Address | Enter the VPN IP address of the local gateway device, for example, 195.168.0.6. |
| Next Hop Type | Select Direct Connect Gateway. |
| Next Hop | Select the direct connect gateway created in Step 1 of "Step 1: Deploy Direct Connect Services" (Create a VPC Direct Connect Gateway), for example, dcg-xxxx. |

5. Click Create.

Step 2: Configure VPN Gateway Routing

Note:
To direct VPC traffic to the on-premises network through the encrypted tunnel of the VPN gateway, you need to add a route for the local IDC network segment to the VPN gateway.
1. In the left navigation bar, click VPN Connection > VPN Gateway.
2. On the VPN Gateway management page, select the region and VPC, and then click the VPN Gateway instance ID to open the details page.
3. On the Instance Details page, click the Route Table tab, and then click Add Route to configure a routing policy.
Note:
When you add a route to the VPN gateway route table, the list shows by default all VPN tunnels under the VPN gateway (that is, both SPD policy-based and route-based VPN tunnels).

| Configuration Item | Description |
| --- | --- |
| Destination | Enter the local IDC network segment, for example, 133.168.0.3/32. |
| Next Hop Type | Cannot be changed; defaults to "VPN Tunnel". |
| Next Hop | Select the VPN tunnel created when deploying the VPN service. |
| Weight | Set the tunnel's weight to 0. 0 means high priority; 100 means low priority. |

4. After configuring the routing policy, click Confirm.
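The two route tables in Step 3 work together and are easy to get half right: the VPC route table sends the IDC-bound packet to the VPN gateway, the VPN gateway route table picks the tunnel, and the ESP packet that the tunnel produces (addressed to the peer gateway, 195.168.0.6) is routed by the VPC route table again, which is why the second VPC route points at the Direct Connect Gateway. The following Python model is an added example, not Tencent Cloud code; it reuses the page's placeholder IDs vpngw-xxxx and dcg-xxxx, adds the assumed tunnel IDs vpnx-primary and vpnx-backup, includes a constructed second tunnel with weight 100 to show how weight breaks a tie, and shows the failure mode in which the Direct Connect route is left out and the encrypted packet has nowhere to go.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    next_hop_type: str
    next_hop: str
    weight: int = 0  # used only in the VPN gateway route table: 0 = high priority, 100 = low


def route(dest: str, next_hop_type: str, next_hop: str, weight: int = 0) -> Route:
    return Route(ipaddress.ip_network(dest), next_hop_type, next_hop, weight)


# VPC route table after Step 3, sub-step 1. The LOCAL entry for the VPC CIDR is the
# implicit route every VPC carries; the two explicit entries are the ones the page adds.
VPC_ROUTES: List[Route] = [
    route("10.7.0.0/16", "LOCAL", "local"),
    route("133.168.0.3/32", "VPC VPN Gateway", "vpngw-xxxx"),
    route("195.168.0.6/32", "Direct Connect Gateway", "dcg-xxxx"),
]

# VPN gateway route table after Step 3, sub-step 2. The weight-100 entry is a constructed
# backup tunnel (the page configures one tunnel) used to show tie-breaking by weight.
VPN_GATEWAY_ROUTES: List[Route] = [
    route("133.168.0.3/32", "VPN Tunnel", "vpnx-primary", weight=0),
    route("133.168.0.3/32", "VPN Tunnel", "vpnx-backup", weight=100),
]

Hop = Tuple[str, str, Optional[str]]  # (table consulted, next hop type, next hop)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest weight (highest priority) wins."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.weight))


def trace_to_idc(dst: str,
                 vpc_routes: List[Route] = VPC_ROUTES,
                 vpn_gateway_routes: List[Route] = VPN_GATEWAY_ROUTES,
                 peer_gateway_ip: str = "195.168.0.6") -> List[Hop]:
    """Record each routing decision for a packet the CVM (10.7.6.10) sends towards dst.

    Inner packet: VPC route table, then VPN gateway route table (tunnel choice).
    Outer packet: the tunnel wraps the inner packet in ESP addressed to the peer gateway,
    and that outer packet is routed by the VPC route table once more.
    """
    hops: List[Hop] = []
    first = lookup(vpc_routes, dst)
    if first is None:
        return [("vpc", "NO ROUTE", None)]
    hops.append(("vpc", first.next_hop_type, first.next_hop))
    if first.next_hop_type != "VPC VPN Gateway":
        return hops  # delivered locally or via another next hop; never enters the tunnel
    tunnel = lookup(vpn_gateway_routes, dst)
    if tunnel is None:
        hops.append(("vpn-gateway", "NO ROUTE", None))
        return hops
    hops.append(("vpn-gateway", tunnel.next_hop_type, tunnel.next_hop))
    outer = lookup(vpc_routes, peer_gateway_ip)
    if outer is None:
        hops.append(("vpc-outer-esp", "NO ROUTE", None))
    else:
        hops.append(("vpc-outer-esp", outer.next_hop_type, outer.next_hop))
    return hops


def is_encrypted_via_direct_connect(hops: List[Hop]) -> bool:
    """True only when the packet entered a tunnel and the ESP packet leaves over Direct Connect."""
    return (len(hops) == 3
            and hops[1][1] == "VPN Tunnel"
            and hops[2][1] == "Direct Connect Gateway")


if __name__ == "__main__":
    for dst in ("133.168.0.3", "10.7.6.20"):
        hops = trace_to_idc(dst)
        verdict = "encrypted over Direct Connect" if is_encrypted_via_direct_connect(hops) else "not tunnelled"
        print(dst, hops, verdict)
    # Failure mode: without the Direct Connect route, the ESP packet to the peer gateway has no route.
    without_dc_route = [r for r in VPC_ROUTES if r.next_hop_type != "Direct Connect Gateway"]
    print("missing Direct Connect route:", trace_to_idc("133.168.0.3", vpc_routes=without_dc_route))
```

The trace for 133.168.0.3 shows the three decisions in order, and the primary tunnel wins the tie because of its weight of 0. Dropping the Direct Connect route turns the last decision into NO ROUTE: the inner packet is still steered into the VPN gateway, but the VPN gateway cannot reach the peer gateway, so the tunnel never carries traffic and the monitoring check in Step 4 stays empty.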

Step 4: Verify Traffic

After the configuration above is completed, encrypted private network communication can be established between the local IDC and the VPC. Test the private network connectivity between the local IDC and the VPC, and verify that the traffic is encrypted through the VPN gateway.
1. Test connectivity
Log in to the CVM instance and use the ping command to reach servers in the local IDC network segment.
2. Verify encryption
In the VPN console, check the traffic monitoring of the VPN tunnel. If the tunnel shows traffic, the communication is passing through the encrypted tunnel.