Connecting an On-Premises Data Center to a VPC Through a VPN

Scenarios

By default, ECSs in a VPC cannot communicate with your on-premises data center or private network. To enable network communications between them, you can set up a VPN. After that, configure security group rules for ECSs in the VPC to allow traffic from your on-premises data center, and check the connectivity between the VPC and your on-premises data center to ensure that the VPN is functional. VPNs can be classified into the following two types:

• A site-to-site VPN functions as a communication tunnel between a VPC and a single on-premises data center.
• By contrast, a hub-and-spoke VPN is between a VPC and multiple on-premises data centers.

Prerequisites

You have created the VPC and subnets that the on-premises data center wants to access.

Procedure

1. On the management console, select the appropriate IKE and IPsec policies to create a VPN.
2. Check the IP address pools for the local and remote subnets.

   In Figure 1, the VPC has subnets 192.168.1.0/24 and 192.168.2.0/24. Your on-premises data center has subnets 192.168.3.0/24 and 192.168.4.0/24. You can set up a VPN to connect these subnets.

   Figure 1 IPsec VPN
   

   The IP address pools for the local subnets cannot overlap with those for the remote subnets. Like in this example, the IP address pool for the remote subnets cannot contain the two subnets of the VPC.

3. Configure security group rules for the ECSs to allow packets from and to the on-premises data center over the VPN.
4. Ping the ECSs from the on-premises data center to verify that the security group allows packets from and to the on-premises data center over the VPN.
5. Check the on-premises network configuration.

   A route must be configured for the on-premises network to enable traffic to be forwarded to network devices on the network over the VPN. If the data transmitted through the VPN cannot be forwarded to the network devices, check whether the remote LAN has rules configured to refuse the traffic.