Help Center> Virtual Private Network> Best Practices> Classic VPN> Connecting an On-Premises Data Center to a VPC Through a VPN
Updated on 2022-11-09 GMT+08:00

Connecting an On-Premises Data Center to a VPC Through a VPN


By default, ECSs in a VPC cannot communicate with your on-premises data center or private network. To enable network communications between them, you can set up a VPN. After that, configure security group rules for ECSs in the VPC to allow traffic from your on-premises data center, and check the connectivity between the VPC and your on-premises data center to ensure that the VPN is functional. VPNs can be classified into the following two types:

  • A site-to-site VPN functions as a communication tunnel between a VPC and a single on-premises data center.
  • By contrast, a hub-and-spoke VPN is between a VPC and multiple on-premises data centers.
Pay attention to the following when you configure a VPN:
  • The local and remote subnets cannot conflict.
  • The IKE policies, IPsec policies, and PSKs configured on the cloud and in the on-premises data center must be the same.
  • The parameters configured for the local and remote subnets and gateways must be symmetric.
  • The security group containing the ECSs in the VPC allows traffic from and to the on-premises data center.
  • The status of a VPN changes to Normal only after ECSs and on-premises servers access each other.


You have created the VPC and subnets that the on-premises data center wants to access.


  1. On the management console, select the appropriate IKE and IPsec policies to create a VPN.
  2. Check the IP address pools for the local and remote subnets.

    In Figure 1, the VPC has subnets and Your on-premises data center has subnets and You can set up a VPN to connect these subnets.

    Figure 1 IPsec VPN

    The IP address pools for the local subnets cannot overlap with those for the remote subnets. Like in this example, the IP address pool for the remote subnets cannot contain the two subnets of the VPC.

  3. Configure security group rules for the ECSs to allow packets from and to the on-premises data center over the VPN.
  4. Ping the ECSs from the on-premises data center to verify that the security group allows packets from and to the on-premises data center over the VPN.
  5. Check the on-premises network configuration.

    A route must be configured for the on-premises network to enable traffic to be forwarded to network devices on the network over the VPN. If the data transmitted through the VPN cannot be forwarded to the network devices, check whether the remote LAN has rules configured to refuse the traffic.