Connect multiple offices to each other and to a VPC - VPN Gateway (2024)

The hub feature of VPN Gateway allows large-scale enterprises to connect multiple offices to each other and to a virtual private cloud (VPC). This topic describes how to use the hub feature of VPN Gateway to connect multiple offices to each other and to a VPC.

Overview of the hub feature

After you create a VPN gateway, the hub feature is automatically enabled. You only need to configure a customer gateway for each office and an IPsec-VPN connection from each office to the cloud. The VPN gateway then forwards traffic between the offices and between each office and the VPC.

Note

By default, you can establish up to 10 IPsec-VPN connections to each VPN gateway. You can connect 10 offices in different regions to each VPN gateway.

You can use one of the following methods to increase the quota:

  • Go to the Quota Management page and request a quota increase. For more information, see the Adjust quotas section of the "Manage VPN Gateway quotas" topic.

  • Go to the Quota Center console and request a quota increase. For more information, see the Adjust quotas section of the "Manage VPN Gateway quotas" topic.

Sample scenario

[Figure: sample scenario]

The preceding scenario is used as an example in this topic. A large enterprise has offices in Shanghai, Hangzhou, and Ningbo. The enterprise has deployed a VPC named VPC1 in the China (Hangzhou) region. Services are deployed on Elastic Compute Service (ECS) instances in VPC1. The offices cannot communicate with each other or with VPC1. Due to business development, the enterprise wants to use the hub feature of VPN Gateway to connect the offices to VPC1.

Prerequisites

  • The public IP addresses of the on-premises gateway devices in the offices are obtained.

  • VPC1 is created in the China (Hangzhou) region. Services are deployed on the ECS instances in VPC1. For more information, see Create an IPv4 VPC.

    The following table describes the CIDR blocks of VPC1 and each office in this example.

    Note

    You can plan the CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.

    Site              CIDR block to be connected   IP address of the ECS instance   Public IP address of the on-premises gateway device
    VPC1              192.168.0.0/16               192.168.20.121                   N/A
    Shanghai office   10.10.10.0/24                N/A                              1.XX.XX.1
    Hangzhou office   10.10.20.0/24                N/A                              2.XX.XX.2
    Ningbo office     10.10.30.0/24                N/A                              3.XX.XX.3

  • You are aware of the security group rules that apply to the ECS instances in VPC1 and the access control rules that apply to each office. The security group rules and the access control rules allow the offices to communicate with each other and with VPC1. For more information, see View security group rules and Add a security group rule.

Procedure

[Figure: procedure overview]

Step 1: Create a VPN gateway

Create a VPN gateway in the region to which VPC1 belongs. The Shanghai office, Hangzhou office, and Ningbo office use the VPN gateway to communicate with each other and with VPC1.

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region where you want to create the VPN gateway.

    In this example, the China (Hangzhou) region is selected.

  3. On the VPN Gateways page, click Create VPN Gateway.

  4. On the buy page, configure the following parameters, click Buy Now, and then complete the payment.

    Parameter

    Description

    Name

    Enter a name for the VPN gateway. In this example, VPN Gateway 1 is entered.

    Region

    Select the region where you want to deploy the VPN gateway. In this example, the China (Hangzhou) region is selected.

    Gateway Type

    Select a VPN gateway type. In this example, Standard is selected.

    Network Type

    Select the network type of the VPN gateway. In this example, Public is selected.

    Tunnels

    The supported tunnel modes are automatically displayed.

    VPC

    Select the VPC with which you want to associate the VPN gateway. In this example, VPC 1 is selected.

    VSwitch

    Select a vSwitch from the selected VPC.

    • If you select Single-tunnel, you need to specify one vSwitch.
    • If you select Dual-tunnel, you need to specify two vSwitches.

    Note

    • The system selects a vSwitch by default. You can keep the default vSwitch or select a different one.
    • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.

    vSwitch 2

    Select another vSwitch from the selected VPC.

    Ignore this parameter if you select Single-tunnel.

    Maximum Bandwidth

    Specify a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.

    Traffic

    Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer.

    For more information, see Billing.

    IPsec-VPN

    Specify whether to enable IPsec-VPN. In this example, Enable is selected.

    SSL-VPN

    Specify whether to enable SSL-VPN. In this example, Disable is selected.

    Duration

    Select a billing cycle. Default value: By Hour.

    Service-linked Role

    Click Create Service-linked Role. Then, the system automatically creates the service-linked role AliyunServiceRoleForVpn.

    The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.

    If Created is displayed, it indicates that the service-linked role is created and you do not need to create it again.

    For more information about the parameters, see Create a VPN gateway.

  5. Return to the VPN Gateways page to view the VPN gateway.

    After you create a VPN gateway, it is in the Preparing state. After 1 to 5 minutes, the VPN gateway changes to the Normal state. After the VPN gateway changes to the Normal state, the VPN gateway is ready for use.

Step 2: Create a customer gateway for each office

To enable the offices to communicate with each other by using the VPN gateway, you must create a customer gateway for each office.

  1. In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.

  2. In the top navigation bar, select the region where you want to create the customer gateways.

    Note

    The customer gateways and the VPN gateway to be connected must be deployed in the same region.

  3. On the Customer Gateway page, click Create Customer Gateway.

  4. In the Create Customer Gateway panel, configure the following parameters and click OK.

    You must create a customer gateway for each office. For more information, see the following table.

    Parameter    Shanghai office      Hangzhou office      Ningbo office
    Name         Shanghai-customer1   Hangzhou-customer2   Ningbo-customer3
    IP Address   1.XX.XX.1            2.XX.XX.2            3.XX.XX.3

    Parameter notes:

    • Name: Enter a name for the customer gateway.
    • IP Address: Enter the public IP address of the on-premises gateway device in the office. In this example, 1.XX.XX.1, 2.XX.XX.2, and 3.XX.XX.3 are the public IP addresses of the on-premises gateway devices in the Shanghai, Hangzhou, and Ningbo offices.

    For more information about the parameters, see Create a customer gateway.

Step 3: Create an IPsec-VPN connection for each office

Create an IPsec-VPN connection for each office to connect the offices to Alibaba Cloud.

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. In the top navigation bar, select the region of the IPsec-VPN connection.

  3. On the IPsec Connections page, click Create IPsec-VPN Connection.

  4. On the Create IPsec-VPN Connection page, configure the parameters and click OK.

    The following table describes the configuration of the IPsec-VPN connection for each office.

    Parameter                 Shanghai office               Hangzhou office               Ningbo office
    Name                      IPsec-VPN Connection 1        IPsec-VPN Connection 2        IPsec-VPN Connection 3
    VPN Gateway               VPN Gateway 1                 VPN Gateway 1                 VPN Gateway 1
    Customer Gateway          Shanghai-customer1            Hangzhou-customer2            Ningbo-customer3
    Routing Mode              Destination Routing Mode      Destination Routing Mode      Protected Data Flows
    Local Network             N/A                           N/A                           192.168.0.0/16
    Remote Network            N/A                           N/A                           10.10.30.0/24
    Effective Immediately     Yes                           Yes                           Yes
    Pre-Shared Key            fddsFF123****                 TTTddd321****                 PPPttt456****
    Encryption Configuration  IKEv1, other values default   IKEv1, other values default   IKEv1, other values default

    Parameter notes:

    • Name: Enter a name for the IPsec-VPN connection.
    • VPN Gateway: Select the VPN gateway that you created in Step 1.
    • Customer Gateway: Select the customer gateway that you created for the office in Step 2.
    • Routing Mode: Select a routing mode. In Destination Routing Mode, traffic is forwarded based on the destination-based route table of the VPN gateway, which you configure in Step 4. In Protected Data Flows mode, traffic is forwarded based on the Local Network and Remote Network pair configured on the connection.
    • Local Network: Enter the CIDR block on the VPC side that the office needs to reach. This CIDR block is used in Phase 2 negotiations. Required only in Protected Data Flows mode.
    • Remote Network: Enter the CIDR block on the office side. This CIDR block is used in Phase 2 negotiations. Required only in Protected Data Flows mode.
    • Effective Immediately: Specify whether to start connection negotiations immediately. Yes starts negotiations after the configuration is complete. No starts negotiations when inbound traffic is detected.
    • Pre-Shared Key: Enter a pre-shared key. If you leave the field empty, the system generates a random 16-character string as the pre-shared key. Important: the on-premises device and the IPsec-VPN connection must use the same pre-shared key. Use a different, randomly generated key for each connection, so that the key of one office cannot be used to impersonate another office to the hub. The example values are masked.
    • Encryption Configuration: Configure the IKE, IPsec, DPD, and NAT traversal features. In this example, IKEv1 is used and the other parameters use the default values. Where the on-premises gateway device supports it, prefer IKEv2; IKEv1 has been deprecated by the IETF (RFC 9395).

    Note

    In Protected Data Flows mode, only traffic that matches a configured Local Network/Remote Network pair is protected and forwarded over the tunnel. For the Ningbo office to exchange traffic with the Shanghai and Hangzhou offices through the hub, the data flows on the connection and on the Ningbo gateway device must also cover those offices' CIDR blocks. If the tests in Step 6 fail only for the Ningbo office, check this first.

    Use the default settings for the other parameters. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

  5. In the Created message, click OK.
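The pre-shared key is the only thing that authenticates each office to the hub, so it is worth generating and vetting the keys with a script rather than typing them in. The following is an added example, not part of this topic or of the VPN Gateway product; the connection names are taken from the table above, while the 32-character minimum, the allowed character set, and the entropy threshold are this example's own policy assumptions.

```python
"""Generate and vet IPsec pre-shared keys, one per IPsec-VPN connection.

Added example, not Alibaba Cloud code. The length and character-set policy
below is an assumption; check the PSK rules of your on-premises device.
"""
import math
import secrets
import string
from collections import Counter

# Printable ASCII without whitespace or quotes, which most IPsec devices
# accept in a PSK without escaping (assumption).
PSK_ALPHABET = string.ascii_letters + string.digits + "!#%&*+-./:=?@^_~"

# Assumed policy: at least 32 characters (about 190 bits from this alphabet),
# well above the 16-character default the console generates for an empty field.
MIN_PSK_LENGTH = 32
MIN_ENTROPY_BITS = 64


def generate_psk(length: int = MIN_PSK_LENGTH) -> str:
    """Return a cryptographically random PSK drawn with the secrets module."""
    if length < MIN_PSK_LENGTH:
        raise ValueError(f"PSK must be at least {MIN_PSK_LENGTH} characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def shannon_entropy_bits(psk: str) -> float:
    """Per-character Shannon entropy times length: a cheap repeated-key detector."""
    if not psk:
        return 0.0
    n = len(psk)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(psk).values())
    return per_char * n


def vet_psks(psks: dict) -> dict:
    """Return {connection_name: [problems]} for a set of per-connection PSKs.

    Flags keys that are too short, low-entropy, contain characters that
    commonly break device configs, or are reused across connections. A PSK
    shared by several offices lets one compromised site gateway impersonate
    the hub to the others, so each connection gets its own key.
    """
    problems = {name: [] for name in psks}
    seen = {}
    for name, psk in psks.items():
        if len(psk) < MIN_PSK_LENGTH:
            problems[name].append(f"too short ({len(psk)} < {MIN_PSK_LENGTH})")
        if shannon_entropy_bits(psk) < MIN_ENTROPY_BITS:
            problems[name].append("low entropy (repeated or few distinct characters)")
        if any(ch.isspace() or ch in "\"'" for ch in psk):
            problems[name].append("contains whitespace or quotes")
        if psk in seen:
            problems[name].append(f"reused from {seen[psk]}")
        else:
            seen[psk] = name
    return problems


def make_connection_psks(connection_names) -> dict:
    """One independent PSK per IPsec-VPN connection."""
    return {name: generate_psk() for name in connection_names}


if __name__ == "__main__":
    names = ["IPsec-VPN Connection 1", "IPsec-VPN Connection 2", "IPsec-VPN Connection 3"]
    keys = make_connection_psks(names)
    for name, key in keys.items():
        print(f"{name}: {key}")
    print("problems:", vet_psks(keys))
```

Enter each generated key in the Pre-Shared Key field of its connection and in the matching on-premises device configuration; the vetting function is also useful for auditing keys that were chosen by hand.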

Step 4: Configure routes for the VPN gateway

After you create the IPsec-VPN connections, you must add the CIDR blocks of the Shanghai and Hangzhou offices to the destination-based route table of the VPN gateway, and advertise the CIDR blocks of the Shanghai, Hangzhou, and Ningbo offices to VPC1.

Note

The routing mode of the IPsec-VPN connection that you created for the Ningbo office is set to Protected Data Flows. After the IPsec-VPN connection is created, the system automatically adds the local route and the peer route to the policy-based route table of the VPN gateway. Therefore, you need to only advertise the CIDR block of the Ningbo office to VPC1 in the policy-based route table. You do not need to add a route.

  1. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. In the top navigation bar, select the region of the VPN gateway.

  3. On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.

  4. Add and advertise the CIDR blocks of the Shanghai and Hangzhou offices on the Destination-based Route Table tab of the VPN gateway.

    1. On the Destination-based Route Table tab, click Add Route Entry.

    2. In the Add Route Entry panel, configure the following parameters and click OK.

      Parameter               Route 1                   Route 2
      Destination CIDR Block  10.10.10.0/24             10.10.20.0/24
      Next Hop Type           IPsec-VPN connection      IPsec-VPN connection
      Next Hop                IPsec-VPN Connection 1    IPsec-VPN Connection 2
      Advertise to VPC        Yes                       Yes
      Weight                  100 (default)             100 (default)

      Parameter notes:

      • Destination CIDR Block: Enter the destination CIDR block to be connected. 10.10.10.0/24 is the private CIDR block of the Shanghai office and 10.10.20.0/24 is the private CIDR block of the Hangzhou office.
      • Next Hop Type: Select IPsec-VPN connection.
      • Next Hop: Select the IPsec-VPN connection that reaches the office.
      • Advertise to VPC: Specify whether to advertise the route to the route table of VPC1, the VPC that is associated with the VPN gateway.
      • Weight: Select a weight for the route. Valid values: 100 specifies a high priority for the route; 0 specifies a low priority for the route. The default value 100 is used in this example.

      For more information, see Add a destination-based route.

  5. Advertise the CIDR block of the Ningbo office on the Policy-based Route Table tab of the VPN gateway.

    1. On the Policy-based Route Table tab, find the route whose destination CIDR block is the CIDR block of the Ningbo office and click Advertise in the Actions column.

    2. In the Advertise Route message, click OK.
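The two places where this procedure goes wrong are the CIDR plan in the Prerequisites (an overlapping block makes one office unreachable behind the hub) and the route table in this step (a missing or wrong next hop). The following added example, which is not part of this topic or of the VPN Gateway API, validates the plan and derives the destination-based route entries and the policy-based blocks to advertise from it. The site records copy the CIDR blocks, connection names, and routing modes from the tables in this topic; the data structures, field names, and output format are this example's own.

```python
"""Validate the hub CIDR plan and derive the VPN gateway route entries.

Added example, not Alibaba Cloud code and not its API. The Site records are
constructed from the tables in this topic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Site:
    name: str
    cidr: str                          # CIDR block to be connected
    connection: Optional[str]          # IPsec-VPN connection that reaches it (None for the VPC)
    routing_mode: str = "destination"  # "destination" or "policy" (Protected Data Flows)


SITES = [
    Site("VPC1", "192.168.0.0/16", None),
    Site("Shanghai office", "10.10.10.0/24", "IPsec-VPN Connection 1"),
    Site("Hangzhou office", "10.10.20.0/24", "IPsec-VPN Connection 2"),
    Site("Ningbo office", "10.10.30.0/24", "IPsec-VPN Connection 3", "policy"),
]


def validate_plan(sites) -> list:
    """Return a list of problems; an empty list means the plan is usable.

    Overlapping blocks are the classic cause of one office silently
    shadowing another behind the hub, so every pair is checked.
    """
    problems, nets = [], []
    for s in sites:
        try:
            net = ipaddress.ip_network(s.cidr, strict=True)
        except ValueError as e:
            problems.append(f"{s.name}: invalid CIDR {s.cidr!r} ({e})")
            continue
        if not net.is_private:
            problems.append(f"{s.name}: {s.cidr} is not a private (RFC 1918) block")
        nets.append((s, net))
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"{a.name} {na} overlaps {b.name} {nb}")
    return problems


def destination_routes(sites, weight: int = 100) -> list:
    """Entries to add on the Destination-based Route Table tab (Step 4).

    Connections in Protected Data Flows mode get their local and peer routes
    added by the system, so they are advertised but not added here.
    """
    return [
        {"destination": s.cidr, "next_hop_type": "IPsec-VPN connection",
         "next_hop": s.connection, "advertise_to_vpc": True, "weight": weight}
        for s in sites
        if s.connection and s.routing_mode == "destination"
    ]


def policy_routes_to_advertise(sites) -> list:
    """CIDR blocks to advertise on the Policy-based Route Table tab."""
    return [s.cidr for s in sites if s.connection and s.routing_mode == "policy"]


def next_hop_for(sites, dst_ip: str) -> Optional[str]:
    """Longest-prefix match over the plan: which connection does the hub use?

    Returns None for a destination inside the VPC (delivered locally) or one
    that no site covers, which is exactly the traffic a hub should drop.
    """
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for s in sites:
        net = ipaddress.ip_network(s.cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = s, net.prefixlen
    return best.connection if best else None


if __name__ == "__main__":
    for line in validate_plan(SITES) or ["plan OK: no overlapping blocks"]:
        print(line)
    for route in destination_routes(SITES):
        print("add route:", route)
    print("advertise (policy-based):", policy_routes_to_advertise(SITES))
    print("10.10.20.5 ->", next_hop_for(SITES, "10.10.20.5"))
```

Run it before Step 1 to catch overlaps, and again after Step 4 to compare its output with the route table in the console; next_hop_for answers the question the ping tests in Step 6 ask, without waiting for the tunnels to come up.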

Step 5: Configure the on-premises gateway device

After you configure the VPN gateway, configure the on-premises gateway device of each office: download the peer configuration of each IPsec-VPN connection on the IPsec Connections page and load it onto the corresponding on-premises gateway device. The downloaded configuration contains the pre-shared key, so handle the file as a secret and delete it after loading. After this step, the offices can communicate with each other and with VPC1.

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. On the IPsec Connections page, find the IPsec-VPN connection that you want to manage and click Generate Peer Configuration in the Actions column.

    Download the peer configurations of IPsec-VPN Connection 1, IPsec-VPN Connection 2, and IPsec-VPN Connection 3.

  3. Load the configurations to the on-premises gateway devices. For more information, see Configure an on-premises gateway device.

    • Add the configuration downloaded from IPsec-VPN Connection 1 to the on-premises gateway device of the Shanghai office.

    • Add the configuration downloaded from IPsec-VPN Connection 2 to the on-premises gateway device of the Hangzhou office.

    • Add the configuration downloaded from IPsec-VPN Connection 3 to the on-premises gateway device of the Ningbo office.

Step 6: Test the network connectivity

After you complete the preceding configurations, the Shanghai office, Hangzhou office, Ningbo office, and VPC1 can communicate with each other. The following content describes how to test the network connectivity.

  1. Test the network connectivity between the offices and VPC1.

    1. Log on to the ECS instance that is deployed in VPC1.

      For more information about how to log on to an ECS instance, see Methods used to connect to ECS instances.

    2. Run the ping command to ping a client in each of the Shanghai office, Hangzhou office, and Ningbo office.

      ping <the IP address of a client>

      If you can receive echo reply packets from the offices, the offices can communicate with VPC1.

  2. Test the network connectivity among the offices.

    1. Open the CLI on a client in the Shanghai office.

    2. Run the ping command to ping a client in each of the Hangzhou office and the Ningbo office.

      ping <the IP address of a client>

      If you can receive echo reply packets from the offices, the Shanghai office can communicate with the Hangzhou office and the Ningbo office.

    3. Open the CLI on a client in the Hangzhou office.

    4. Run the ping command to ping a client in the Ningbo office.

      ping <the IP address of a client>

      If you can receive echo reply packets from the Ningbo office, the Hangzhou office can communicate with the Ningbo office.
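With three offices and a VPC there are twelve ordered site pairs to check, and the manual tests above cover only a few of them in one direction. The following added example, which is not part of this topic, runs the same ping test from whichever site it is started on and merges the per-site results into a list of pairs that are still unproven. The client addresses are constructed placeholders inside each CIDR block from the Prerequisites (the VPC1 entry is the ECS instance from the table); the ping flags assume a Linux ping, and the probe is injectable so the matrix logic runs without network access.

```python
"""Full-mesh connectivity check for the hub, built on the ping test in Step 6.

Added example, not Alibaba Cloud code. CLIENTS holds constructed placeholder
addresses; the ping flags assume Linux iputils (assumption).
"""
import subprocess
from itertools import permutations

# Constructed: one client per site, taken from the CIDR blocks in this topic.
CLIENTS = {
    "VPC1": "192.168.20.121",        # the ECS instance from the Prerequisites
    "Shanghai office": "10.10.10.10",
    "Hangzhou office": "10.10.20.10",
    "Ningbo office": "10.10.30.10",
}


def icmp_probe(dst_ip: str, count: int = 3, timeout_s: int = 2) -> bool:
    """Send a few echo requests; True if at least one echo reply came back.

    Linux ping exits 0 when at least one reply was received, which is the
    same success condition the manual test above uses.
    """
    result = subprocess.run(
        ["ping", "-c", str(count), "-W", str(timeout_s), dst_ip],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def probe_from_here(src_site: str, clients: dict, probe=icmp_probe) -> dict:
    """Run on a client in src_site: probe every other site's client.

    Returns {(src_site, dst_site): reachable}. Run this once from a client in
    each site (and from the ECS instance) and merge the dictionaries.
    """
    return {(src_site, dst): probe(ip) for dst, ip in clients.items() if dst != src_site}


def expected_pairs(clients: dict) -> set:
    """Every ordered pair of sites that the hub should connect."""
    return set(permutations(clients, 2))


def missing_or_failed(clients: dict, merged_results: dict) -> list:
    """Pairs not yet proven reachable: failed probes and pairs never tested.

    Failures that share one destination point at that site's route entry or
    advertisement; failures that share one source point at that office's
    gateway device configuration.
    """
    return sorted(p for p in expected_pairs(clients) if not merged_results.get(p, False))


if __name__ == "__main__":
    import sys
    here = sys.argv[1] if len(sys.argv) > 1 else "VPC1"   # site this script runs in
    results = probe_from_here(here, CLIENTS)
    for (src, dst), ok in results.items():
        print(f"{src} -> {dst}: {'reachable' if ok else 'NO REPLY'}")
```

Start it with the name of the site it runs in (for example `python3 mesh_check.py "Shanghai office"`), collect the dictionaries from each site, and pass the merged result to missing_or_failed; an empty list means every pair the hub is supposed to connect has been tested in both directions.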

