Creating a VPN Gateway

Scenario

To connect your on-premises data center or private network to your ECSs in a VPC, you need to create a VPN gateway before creating a VPN connection.

Context

Prerequisites

• A VPC has been created. For details about how to create a VPC, see the Virtual Private Cloud User Guide.
• Security group rules have been configured for the VPC, and ECSs can communicate with other devices on the cloud. For details about how to configure security group rules, see the Virtual Private Cloud User Guide.
• An enterprise router has been created if you want to use it to connect to a VPN gateway. For details, see the enterprise router documentation.

Procedure

1. Log in to the management console.
2. Click in the upper left corner and select the desired region and project.
3. Click in the upper left corner, and choose > Virtual Private Network.
4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
5. On the S2C VPN Gateways page, click Create S2C VPN Gateway.
6. Set parameters as prompted and click Create Now.

   Table 2 lists the VPN gateway parameters.

   Table 2 Description of VPN gateway parameters

   Parameter	Description	Example Value
   Region	For low network latency and fast resource access, select the region nearest to your target users. Resources cannot be shared across regions.	Select a region as required.
   Name	Name of a VPN gateway. The value can contain only letters, digits, underscores (_), hyphens (-), and periods (.).	vpngw-001
   Associate With	VPC Through a VPC, the VPN gateway sends messages to the customer gateway or servers in the local subnet. Enterprise Router Through an enterprise router, the VPN gateway sends messages to the customer gateway or servers in the subnets of all VPCs connected to the enterprise router. NOTE: In this scenario, pay attention to the upper limit of entries in the routing table of the enterprise router. If the number of routes advertised by the customer gateway and VPN gateway exceeds this upper limit, the enterprise router cannot learn the excess routes. As a result, traffic will fail to be forwarded between the VPN gateway and the customer gateway.	VPC
   VPC	Select a VPC.	vpc-001(192.168.0.0/16)
   Enterprise Router	Select an enterprise router.	er-001
   Access VPC	This parameter is available only when Associate With is set to Enterprise Router. If a VPN gateway needs to connect to different VPCs in the southbound and northbound directions, set the VPC in the northbound direction as the access VPC.	vpc-001(192.168.0.0/16)
   Access Subnet	This parameter is available only when Associate With is set to Enterprise Router. An access subnet is used by the VPN gateway to connect to the Internet.	subnet-001(192.168.0.0/24)
   Gateway IP Address	This parameter is available only when Associate With is set to Enterprise Router and Network Type is set to Private network. Auto-assigned IP address (default) An IP address on the access subnet will be automatically assigned to the VPN gateway. You can view the automatically assigned IP address on the VPN Gateway page. Manually-specified IP address Manually configure IP addresses on the access subnet for the VPN gateway.	Auto-assigned IP address
   Interconnection Subnet	This parameter is available only when Associate With is set to VPC. This subnet is used for communication between the VPN gateway and VPC. Ensure that the selected interconnection subnet has four or more assignable IP addresses.	192.168.66.0/24
   Local Subnet	This parameter is available only when Associate With is set to VPC. Specify the VPC subnets with which your on-premises data center needs to communicate through the customer gateway. Select subnet Select subnets of the local VPC. Enter CIDR block Enter subnets of the local VPC or subnets of the VPC that establishes a peering connection with the local VPC.	192.168.1.0/24,192.168.2.0/24
   BGP ASN	BGP ASN of the VPN gateway, which must be different from that of the customer gateway. The BGP ASN ranges from 1 to 4294967295.	64512
   HA Mode	Active-active When Associate With is set to VPC, the outgoing traffic from the VPN gateway to the customer subnet is preferentially forwarded through the first VPN connection (VPN connection 1) set up between the customer subnet and an EIP. If VPN connection 1 fails, the outgoing traffic is automatically switched to the other VPN connection (VPN connection 2) set up with the customer subnet. After VPN connection 1 recovers, the outgoing traffic is still transmitted through VPN connection 2 and will not be switched back to VPN connection 1. When Associate With is set to Enterprise Router, the outgoing traffic from the VPN gateway to the customer subnet is load balanced among all VPN connections set up with the customer subnet. Active/Standby The outgoing traffic from the VPN gateway to the customer subnet is preferentially transmitted through the VPN connection (VPN connection 1) set up between the customer subnet and the active EIP. If VPN connection 1 fails, the outgoing traffic is automatically switched to the other VPN connection (VPN connection 2) set up between the customer subnet and the standby EIP. After VPN connection 1 recovers, the outgoing traffic is automatically switched back to VPN connection 1.	Active-active
   Specification	Two options are available: Professional 1 and Professional 2.	Professional 1
   Bandwidth Name	Specify the name of the EIP bandwidth.	Vpngw-bandwidth2
   Active EIP	EIP used by the VPN gateway to communicate with a customer gateway. Create now: Create an EIP. Use existing: Use an existing EIP.	Create Now
   Bandwidth (Mbit/s)	Bandwidth of the EIP, in Mbit/s. All VPN connections created using the EIP share the bandwidth of the EIP. The total bandwidth consumed by all the VPN connections cannot exceed the bandwidth of the EIP. If network traffic exceeds the bandwidth of the EIP, network congestion may occur and VPN connections may be interrupted. As such, ensure that you configure enough bandwidth. You can configure alarm rules on Cloud Eye to monitor the bandwidth. You can customize the bandwidth within the allowed range.	10 Mbit/s
   Active EIP 2	A VPN gateway needs to be bound to a group of EIPs (active EIP and active EIP 2). You can plan the bandwidth for each EIP. The EIPs can share bandwidth with the EIPs of other network services.	Create Now
   Standby EIP	A VPN gateway needs to be bound to a group of EIPs (active EIP and standby EIP). You can plan the bandwidth for each EIP. The EIPs can share bandwidth with the EIPs of other network services. NOTE: When Billing Mode of the VPN gateway is Pay-per-use and the backup EIP is billed by traffic, you are advised to configure alarm rules on Cloud Eye to monitor the backup EIP. This prevents traffic fee overrun caused by VPN connection switching due to a fault of the active VPN connection. For details about how to configure alarm rules on Cloud Eye, see the Elastic IP User Guide.	Create Now
   Enterprise Project	Enterprise project to which the VPN belongs. An enterprise project facilitates project-level management and grouping of cloud resources and users. The default project is default.	default
   Access VPC	If a VPN gateway needs to connect to different VPCs in the southbound and northbound directions, set the VPC in the northbound direction as the access VPC. The VPC in the southbound direction is the VPC associated with the VPN gateway.	Same as the associated VPC
   Access Subnet	By default, a VPN gateway uses the interconnection subnet to connect to the associated VPC. Set this parameter when another subnet needs to be used.	Same as the interconnection subnet

7. Confirm the VPN gateway information and click Create Now