Creating a VPN Gateway

Scenario

To connect your on-premises data center or private network to your ECSs in a VPC, you need to create a VPN gateway before creating a VPN connection.

Context

Notes and Constraints

• When an enterprise router is associated, pay attention to the upper limit of entries in the routing table of the enterprise router.

Prerequisites

• A VPC has been created. For details about how to create a VPC, see the Virtual Private Cloud User Guide.
• Security group rules have been configured for the VPC, and ECSs can communicate with other devices on the cloud. For details about how to configure security group rules, see the Virtual Private Cloud User Guide.
• An enterprise router has been created if you want to use it to connect to a VPN gateway. For details, see the enterprise router documentation.

Procedure

1. Log in to the management console.
2. Click in the upper left corner and select the desired region and project.
3. Click in the upper left corner of the page, and choose Network > Virtual Private Network.
4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
5. Click Create VPN Gateway.
6. Set parameters as prompted and click Create Now.
   Figure 1 Creating a VPN gateway
   

   Table 2 lists the VPN gateway parameters.

   Table 2 Description of VPN gateway parameters

   Parameter	Description	Example Value
   Region	For low network latency and fast resource access, select the region nearest to your target users. Resources cannot be shared across regions.	Select a region as required.eu-de
   Name	Name of a VPN gateway. The value can contain only letters, digits, underscores (_), hyphens (-), and periods (.).	vpngw-001
   Network Type	Public network: A VPN gateway establishes VPN connections through the Internet. Public network is the default value. Private network: A VPN gateway establishes VPN connections through a private network.	Public network
   Associate With	VPC Through a VPC, the VPN gateway sends messages to the customer gateway or servers in the local subnet. Enterprise Router Through an enterprise router, the VPN gateway sends messages to the customer gateway or servers in the subnets of all VPCs connected to the enterprise router. NOTE: In this scenario, pay attention to the upper limit of entries in the routing table of the enterprise router. If the number of routes advertised by the customer gateway and VPN gateway exceeds this upper limit, the enterprise router cannot learn the excess routes. As a result, traffic will fail to be forwarded between the VPN gateway and the customer gateway.	VPC
   VPC	Select a VPC. For the VPC parameter configuration, see Figure 2 and Figure 3.	vpc-001(192.168.0.0/16)
   Enterprise Router	Select an enterprise router. For the enterprise router parameter configuration, see Figure 4.	er-001
   Interconnection Subnet	This subnet is used for communication between the VPN gateway and VPC. Ensure that the selected interconnection subnet has four or more assignable IP addresses.	192.168.66.0/24
   Local Subnet	VPC subnets with which your on-premises data center needs to communicate through the customer gateway. Select subnet Select subnets of the local VPC. Enter CIDR block Enter subnets of the local VPC or subnets of the VPC that establishes a peering connection with the local VPC.	192.168.1.0/24,192.168.2.0/24
   BGP ASN	BGP ASN of the VPN gateway, which must be different from that of the customer gateway.	64512
   Specification	Three options are available: Basic, Professional 1 and Professional 2.	Professional 1
   AZ	An AZ is a geographic location with independent power supply and network facilities in a region. AZs in the same VPC are interconnected through private networks and are physically isolated. If two or more AZs are available, select two AZs. The VPN gateway deployed in two AZs has higher availability. You are advised to select the AZs where resources in the VPC are located. If only one AZ is available, select this AZ.	AZ1, AZ2
   HA Mode	Active-active When Associate With is set to VPC, the outgoing traffic from the VPN gateway to the customer subnet is preferentially forwarded through the first VPN connection (VPN connection 1) set up between the customer subnet and an EIP. If VPN connection 1 fails, the outgoing traffic is automatically switched to the other VPN connection (VPN connection 2) set up with the customer subnet. After VPN connection 1 recovers, the outgoing traffic is still transmitted through VPN connection 2 and will not be switched back to VPN connection 1. When Associate With is set to Enterprise Router, the outgoing traffic from the VPN gateway to the customer subnet is load balanced among all VPN connections set up with the customer subnet. Active/Standby The outgoing traffic from the VPN gateway to the customer subnet is preferentially transmitted through the VPN connection (VPN connection 1) set up between the customer subnet and the active EIP. If VPN connection 1 fails, the outgoing traffic is automatically switched to the other VPN connection (VPN connection 2) set up between the customer subnet and the standby EIP. After VPN connection 1 recovers, the outgoing traffic is automatically switched back to VPN connection 1.	Active-active
   Active EIP	EIP used by the VPN gateway to communicate with a customer gateway. Create Now: Create an EIP. Use existing: Use an existing EIP.	Create Now
   Bandwidth (Mbit/s)	Bandwidth of the EIP, in Mbit/s. All VPN connections created using the EIP share the bandwidth of the EIP. The total bandwidth consumed by all the VPN connections cannot exceed the bandwidth of the EIP. If network traffic exceeds the bandwidth of the EIP, network congestion may occur and VPN connections may be interrupted. As such, ensure that you configure enough bandwidth. You can configure alarm rules on Cloud Eye to monitor the bandwidth. You can customize the bandwidth within the allowed range.	10 Mbit/s
   Bandwidth Name	EIP bandwidth name.	Vpngw-bandwidth1
   Active EIP 2	A VPN gateway needs to be bound to a group of EIPs (active EIP and active EIP 2). You can plan the bandwidth for each EIP. The EIPs can share bandwidth with the EIPs of other network services.	Create Now
   Standby EIP	A VPN gateway needs to be bound to a group of EIPs (active EIP and standby EIP). You can plan the bandwidth for each EIP. The EIPs can share bandwidth with the EIPs of other network services.	Create Now
   Bandwidth (Mbit/s)	Bandwidth of the EIP, in Mbit/s. All VPN connections created using the EIP share the bandwidth of the EIP. The total bandwidth consumed by all the VPN connections cannot exceed the bandwidth of the EIP. If network traffic exceeds the bandwidth of the EIP, network congestion may occur and VPN connections may be interrupted. As such, ensure that you configure enough bandwidth. You can configure alarm rules on Cloud Eye to monitor the bandwidth. You can customize the bandwidth within the allowed range.	10 Mbit/s
   Bandwidth Name	EIP bandwidth name.	Vpngw-bandwidth2
   Enterprise Project	Enterprise project to which the VPN belongs. An enterprise project facilitates project-level management and grouping of cloud resources and users. The default project is default. For details about how to create and manage enterprise projects, see the Enterprise Management User Guide.	default
   Access VPC	This parameter is available only when Associate With is set to Enterprise Router. If a VPN gateway needs to connect to different VPCs in the southbound and northbound directions, set the VPC in the northbound direction as the access VPC. The VPC in the southbound direction is the VPC associated with the VPN gateway.	Same as the associated VPC
   Access Subnet	This parameter is available only when Associate With is set to Enterprise Router. By default, a VPN gateway uses the interconnection subnet to connect to the associated VPC. Set this parameter when another subnet needs to be used.	Same as the interconnection subnet
   Gateway IP Address	This parameter is available only when Associate With is set to Enterprise Router and Network Type is set to Private network. Self-assigned IP address (default) An IP address on the access subnet will be automatically assigned to the VPN gateway. You can view the automatically assigned IP address on the VPN Gateways page. Manually-specified IP address Manually configure IP addresses on the access subnet for the VPN gateway.	Self-assigned IP address
   Advanced Settings > Access VPC	This parameter is available only when Associate With is set to VPC and Network Type is set to Private network. If a VPN gateway needs to connect to different VPCs in the southbound and northbound directions, set the VPC in the northbound direction as the access VPC. The VPC in the southbound direction is the VPC associated with the VPN gateway.	Same as the associated VPC
   Advanced Settings > Access Subnet	This parameter is available only when Associate With is set to VPC and Network Type is set to Private network. By default, a VPN gateway uses the interconnection subnet to connect to the associated VPC. Set this parameter when another subnet needs to be used.	Same as the interconnection subnet
   Advanced Settings > Gateway IP Address	This parameter is available only when Associate With is set to VPC and Network Type is set to Private network. Self-assigned IP address (default) An IP address on the access subnet will be automatically assigned to the VPN gateway. You can view the automatically assigned IP address on the VPN Gateways page. Manually-specified IP address Manually configure IP addresses on the access subnet for the VPN gateway.	Self-assigned IP address
   Advanced Settings > Tags	Configure Tags in Advanced Settings.	-

   Figure 2 VPC parameter configuration when Network Type is set to Public network
   
   Figure 3 VPC parameter configuration when Network Type is set to Private network
   
   Figure 4 Enterprise router parameter configuration
   

7. Confirm the VPN gateway information and click Submit.