Updated on 2025-05-14 GMT+08:00

Procedure

Prerequisites

  • Cloud side
    • VPCs have been created. For details about how to create a VPC, see Creating a VPC and Subnet.
    • Security group rules have been configured for the VPCs, and ECSs can communicate with other devices on the cloud. For details about how to configure security group rules, see Security Group Rules.
    • An enterprise router has been created. For details, see the enterprise router documentation.
  • Data center side
    • IPsec has been configured on the VPN device in the on-premises data center. For details, see Administrator Guide.

Procedure

In this scenario, the BGP routing mode is used, and you need to create four VPN connections between the cloud and the on-premises data center.

  1. Log in to the management console.
  2. Choose Networking > Virtual Private Network.
  3. Configure VPN gateways.

    1. Choose Virtual Private Network > Enterprise – VPN Gateways, and click Buy S2C VPN Gateway.
    2. Set parameters as prompted.

      Table 1 describes the parameter settings for VPN gateway 1.

      Table 1 Parameter settings for VPN gateway 1

      Parameter | Description | Value
      ----------|-------------|------
      Name | VPN gateway name. | vpngw-001
      Network Type | Select Public network. | Public network
      Associate With | Select Enterprise Router. | Enterprise Router
      Enterprise Router | Enterprise router to which the VPN gateway is attached. | er-001
      Access VPC | This parameter is mandatory only when Associate With is set to Enterprise Router. | vpc-001(192.168.0.0/24)
      Access Subnet | Subnet used for communication between VPN gateway 1 and VPCs. Ensure that the selected access subnet has four or more assignable IP addresses. | 192.168.2.0/24
      BGP ASN | BGP AS number. | 64512
      HA Mode | Select Active-active. | Active-active
      Active EIP | EIP 1 used by the VPN gateway to access the on-premises data center. | 1.1.1.2
      Active EIP 2 | EIP 2 used by the VPN gateway to access the on-premises data center. | 2.2.2.2

    3. Configure VPN gateway 2 (192.168.3.0/24) by referring to the preceding steps.

      VPN gateway 2 has different settings of Name, Access Subnet, Active EIP, and Active EIP 2 from VPN gateway 1. Other parameter settings are the same.

      Table 2 Parameter settings for VPN gateway 2

      Parameter | Description | Value
      ----------|-------------|------
      Name | VPN gateway name. | vpngw-002
      Access Subnet | Subnet used for communication between VPN gateway 2 and VPCs. Ensure that the selected access subnet has four or more assignable IP addresses. | 192.168.3.0/24
      Active EIP | EIP 1 used by the VPN gateway to access the on-premises data center. | 3.3.3.3
      Active EIP 2 | EIP 2 used by the VPN gateway to access the on-premises data center. | 4.4.4.4

  4. Configure customer gateways.

    1. Choose Virtual Private Network > Enterprise – Customer Gateways, and click Create Customer Gateway.
    2. Set parameters as prompted.

      Table 3 describes the parameter settings for customer gateway 1.

      Table 3 Parameter settings for customer gateway 1

      Parameter | Description | Value
      ----------|-------------|------
      Name | Customer gateway name. | cgw-fw1
      Identifier | IP address used by customer gateway 1 to communicate with the Huawei Cloud VPN gateway. Ensure that UDP port 4500 is permitted on the customer gateway device in the on-premises data center. | 1.1.1.1
      BGP ASN | BGP AS number. | 65000

    3. Configure customer gateway 2 (2.2.2.1) by referring to the preceding steps.

      Customer gateway 2 has different settings of Name and Identifier (IP address) from customer gateway 1. Other parameters are the same.

      Table 4 Parameter settings for customer gateway 2

      Parameter | Description | Value
      ----------|-------------|------
      Name | Customer gateway name. | cgw-fw2
      Identifier | IP address used by customer gateway 2 to communicate with the Huawei Cloud VPN gateway. Ensure that UDP port 4500 is permitted on the customer gateway device in the on-premises data center. | 2.2.2.1

  5. Configure VPN connections between VPN gateway 1 on the cloud and the data center.

    1. Choose Virtual Private Network > Enterprise – VPN Connections, and click Create VPN Connection.
    2. Create the first group of VPN connections and click Buy Now.

      Table 5 only describes the key parameters for creating VPN connections.

      Table 5 Parameter settings for the first group of VPN connections

      Parameter | Description | Value
      ----------|-------------|------
      Name | VPN connection name. | vpn-001
      VPN Gateway | VPN gateway 1 for which VPN connections are created. | vpngw-001
      VPN Gateway IP of Connection 1 | Active EIP of VPN gateway 1. | 1.1.1.2
      Customer Gateway of Connection 1 | Customer gateway of connection 1. | 1.1.1.1
      VPN Gateway IP of Connection 2 | Active EIP 2 of VPN gateway 1. | 2.2.2.2
      Customer Gateway of Connection 2 | Customer gateway of connection 2. | 1.1.1.1
      VPN Type | Select BGP routing. | BGP routing
      Customer Subnet | Subnet in the on-premises data center that needs to access the VPCs on Huawei Cloud. A customer subnet cannot be included in any local subnet or any subnet of the VPC to which the VPN gateway is attached. Reserved VPC CIDR blocks such as 100.64.0.0/10 and 214.0.0.0/8 cannot be used as customer subnets. | 172.16.0.0/16
      Connection 1's Configuration | Configure the IP address assignment mode of tunnel interfaces, local tunnel interface address, customer tunnel interface address, link detection, PSK, confirm PSK, and policies for connection 1. | Set parameters based on the site requirements.
        Interface IP Address Assignment | Manually specify or Automatically assign. In this example, select Manually specify. | Manually specify
        Local Tunnel Interface Address | Tunnel interface IP address of the VPN gateway. | 169.254.70.1/30
        Customer Tunnel Interface Address | Tunnel interface IP address of the customer gateway device. | 169.254.70.2/30
        Link Detection | Whether to enable route reachability detection in multi-link scenarios. When NQA is enabled, ICMP packets are sent for detection and your device needs to respond to these ICMP packets. | NQA enabled
        PSK, Confirm PSK | The value must be the same as the PSK configured on the customer gateway device. | Test@123
        Policy Settings | The policy settings must be the same as those on the customer gateway device. | Default
      Connection 2's Configuration | Determine whether to enable Same as that of connection 1. NOTE: If you disable Same as that of connection 1, you are advised to use the same settings as connection 1 for connection 2, except the local and customer tunnel interface addresses. | Disabled
        Local Tunnel Interface Address | Tunnel IP address of the VPN gateway. | 169.254.72.1/30
        Customer Tunnel Interface Address | Tunnel IP address of the customer gateway. | 169.254.72.2/30

    3. Create the second group of VPN connections.

      The name, customer gateway, local tunnel interface IP address, and customer tunnel interface IP address for the second group of VPN connections are different from those of the first group of VPN connections. Other parameter settings are the same.

      Table 6 Parameter settings for the second group of VPN connections

      Parameter | Description | Value
      ----------|-------------|------
      Name | VPN connection name. | vpn-002
      VPN Gateway IP of Connection 1 | Active EIP of VPN gateway 1. | 1.1.1.2
      Customer Gateway of Connection 1 | Customer gateway of connection 1. | 2.2.2.1
      VPN Gateway IP of Connection 2 | Active EIP 2 of VPN gateway 1. | 2.2.2.2
      Customer Gateway of Connection 2 | Customer gateway of connection 2. | 2.2.2.1
      Connection 1's Configuration | Configure the IP address assignment mode of tunnel interfaces, local tunnel interface address, customer tunnel interface address, link detection, PSK, confirm PSK, and policies for connection 1. | Set parameters based on the site requirements.
        Local Tunnel Interface Address | Tunnel interface IP address of the VPN gateway. | 169.254.71.1/30
        Customer Tunnel Interface Address | Tunnel interface IP address of the customer gateway. | 169.254.71.2/30
      Connection 2's Configuration | Determine whether to enable Same as that of connection 1. NOTE: If you disable Same as that of connection 1, you are advised to use the same settings as connection 1 for connection 2, except the local and customer tunnel interface addresses. | Disabled
        Local Tunnel Interface Address | Tunnel IP address of the VPN gateway. | 169.254.73.1/30
        Customer Tunnel Interface Address | Tunnel IP address of the customer gateway. | 169.254.73.2/30

  6. Configure VPN connections between VPN gateway 2 on the cloud and the data center.

    The configuration procedure is the same as that for VPN gateway 1.

  7. Configure the customer gateway device in the on-premises data center.

    The configuration procedures may vary according to the type of the customer gateway device. For details, see Administrator Guide.
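Before typing the values from Tables 1 to 6 into the console, it is worth checking the plan against the constraints those tables state (customer subnet not overlapping any VPC or local subnet, not in a reserved block such as 100.64.0.0/10 or 214.0.0.0/8; access subnets with at least four assignable addresses; each connection's local and customer tunnel interface addresses in one /30, distinct, and not shared with another connection). The following Python script is an added example, not part of the Huawei Cloud documentation; the plan values are those of the tables above, and the check that the cloud and customer BGP ASNs differ is this example's own assumption.

```python
"""Sanity checks for the four-connection BGP VPN plan described on this page."""
import ipaddress

# Reserved blocks named in Table 5 that may not be used as customer subnets.
RESERVED = [ipaddress.ip_network(c) for c in ("100.64.0.0/10", "214.0.0.0/8")]

# Constructed plan using the values from Tables 1 to 6 (not console output).
PLAN = {
    "vpc_cidrs": ["192.168.0.0/24", "192.168.2.0/24", "192.168.3.0/24"],
    "access_subnets": ["192.168.2.0/24", "192.168.3.0/24"],
    "customer_subnet": "172.16.0.0/16",
    "cloud_asn": 64512, "customer_asn": 65000,
    "tunnels": [  # (local tunnel interface address, customer tunnel interface address)
        ("169.254.70.1/30", "169.254.70.2/30"), ("169.254.72.1/30", "169.254.72.2/30"),
        ("169.254.71.1/30", "169.254.71.2/30"), ("169.254.73.1/30", "169.254.73.2/30"),
    ],
}

def validate(plan):
    """Return a list of problems; an empty list means the plan passes every check."""
    problems = []
    cust = ipaddress.ip_network(plan["customer_subnet"])
    # Customer subnet must not overlap VPC/local subnets or reserved blocks.
    for c in plan["vpc_cidrs"]:
        if cust.overlaps(ipaddress.ip_network(c)):
            problems.append(f"customer subnet {cust} overlaps VPC subnet {c}")
    for r in RESERVED:
        if cust.overlaps(r):
            problems.append(f"customer subnet {cust} falls in reserved block {r}")
    # Each access subnet needs four or more assignable (non-network, non-broadcast) addresses.
    for s in plan["access_subnets"]:
        if ipaddress.ip_network(s).num_addresses - 2 < 4:
            problems.append(f"access subnet {s} has fewer than four assignable addresses")
    # Tunnel interface pairs must share one /30, use distinct addresses, and not reuse a /30.
    seen = set()
    for local, remote in plan["tunnels"]:
        li, ri = ipaddress.ip_interface(local), ipaddress.ip_interface(remote)
        if li.network != ri.network or li.network.prefixlen != 30:
            problems.append(f"tunnel pair {local}/{remote} is not one /30")
        if li.ip == ri.ip:
            problems.append(f"tunnel pair {local}/{remote} reuses the same address")
        if li.network in seen:
            problems.append(f"tunnel /30 {li.network} is used by more than one connection")
        seen.add(li.network)
    # Assumption of this example (not stated on the page): eBGP peers use different ASNs.
    if plan["cloud_asn"] == plan["customer_asn"]:
        problems.append("cloud and customer BGP ASNs are identical")
    return problems

if __name__ == "__main__":
    print("\n".join(validate(PLAN)) or "plan OK")
```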