Friday, September 28, 2018

How to create a VPN connection between two VPCs on Alibaba Cloud

How to create a VPN connection between two VPCs on Alibaba Cloud
Here’s my Scenario,


VPC name
CIDR block
VPC ID
Cloud products
VPN gateway
IP address
Customer gateway
VPC1 - Singapore
192.168.0.0/16
vpc-xxxxl8
ECS1- ping2germany
vpn-t4newx5ozbu4qv3jvjgbl
47.74.237.210
connect2germany
VPC2 - Germany
10.0.0.0/8
vpc-xxxnkf
ECS2 - ping2singapore
vpn-gw8u6ia3djbzkpcnxrs7h
47.254.132.106
connect2singapore















Login to you console and navigate to Network > Virtual Private Cloud. Then Click on Activate.
Create VPC.
VPC 1 in Singapore
VPC 2 in Germany
The one listed in the below image is a system created VPC.

Check the table at the top to see the CIDR of both the VPCs.











Fill the Basic information for Creating the VPC.
VPC name
Description (optional)
CIDR










Once you create VPC, next step is to create vSwtich. You can create multiple vSwitch back to back.
Be sure about the CIDR for your VPC and vSwtiches that it does not clash with the another VPC with we will connect to over VPN.
Create VPC 2 for Germany region as we did for Singapore.




Create vSwitch in VPC 2(Germany) as we did in VPC 1 (Singapore)


Create VPN gateways
Be on the VPC page and Navigate to  VPN > VPN Gateway.
Click on Create VPN Gateway from top right corner.



Create the VPN Gateway with the below details.
Configuration
Description
Region
Select the region where the VPN gateway is created.
VPC
Select a VPC to create the VPN gateway for.
Peak Bandwidth
Select a peak bandwidth. Two specifications are available: 10 MB and 100 MB.
Billing Method
You are charged based on the actual traffic usage.
Quantity
Select the number of VPN gateways to be created.
Billing Cycle
VPN gateways are billed on an hourly basis.
Repeat the previous steps to create another VPN gateway for VPC2.

You will get one public IP’s for each VPN gateway.
The relationship between the VPCs and VPN gateways is shown in the table at the top.



















Create customer gateways
Log on to the VPC console, navigate to VPN > Customer Gateway.
Click Create Customer Gateway.
Enter the public IP address assigned to the VPN gateway of the opposite VPC.
Repeat the previous steps to create another customer gateway for the other VPC.
Create VPN connections
Log on to the VPC console, navigate to VPN > VPN Connection.
Click Create VPN connection.


In the Create VPN Connection dialog box, configure the following:
I am creating this VPN connection from Germany, so the customer Gateway should be of Singapore.
Local Network is the CIDR block of the selected VPC. (Germany)
Remote Network is the CIDR block of the peer VPC to be connected. (Singapore)
Click on Advanced Configurations to Change the IPsec and IKE configurations as required.
Make sure the Pre-Shared key is same on both the side.


Repeat the above step in the VPC 2 as well (singapore). Once the information is filled and submit. You can see teh connection status will change to succeeded.






Configure routing
Log on to the VPC console,Navigate  VPC > click the ID of the target VPC > VRouter
and then click Add Route Entry.
In the Add Route Entry dialog box,
Enter the CIDR block of the VPC in the other region.
Select VPN Gateway as the next hop and Select the VPN gateway for the current VPC.






Repeat the above step for 2nd VPC.
Once the network configuration is done. Create one ECS instance on each region to test the connectivity. Make sure it is in proper VPC and vSwitch.
Here’s my test from one ECS on Singapore region to the ECS on Germany resion.


at 2 comments:

Thursday, December 14, 2017

Site to Site VPN from Alibaba Cloud (FLEXGW) to OnPremises (CyberRoam)

Introduction

This article shows you how to use the on premises "CyberRoam" Firewal to create a Site-to-Site VPN gateway connection and Deploy a VPN gateway appliance (FLEXGW) from your Alibaba Cloud portal and connect it to the VNet.
Flex is a one of its kind Internet Gateway that provides added flexibility and manageability compared to any other public access Internet Gateways. It is easy to install and manage with multiple customization options for an excellent user experience in high demand public wired and Wi-Fi Internet access
This guide will provide quick steps to configure Site-to-Site.


Configuration of the Alibaba Cloud Portal
Login to you Alibaba Cloud Portal and open another browser tab. Look for Alibaba cloud marketplace.
Go to the search space at right-hand corner and find “FlexGW IPsec VPN on CentOS”
Deploy the appliance as an instance in the default VPC.

Once deployed, reset the password and restart the VM.

 Go back to the ECS console and check that your ECS instance is up and running:
Change the default security group rules to enhance your application security:

 Similarly add ports : 443 / 500 / 4500.
Open your browser and paste the Public IP of the instance at https://publicip/

Create a VPN tunnel Create an appropriate VPN tunnel by providing the necessary details:

























Save and finish the configuration. Check the tunnel list:


 On CyberRoam (on-prem) Firewall:

 Login to your CyberRoam Firewall and Navigate to Objects > Hosts, and create new for record for Alibaba Cloud's local subnet.

 Navigate to VPN > Policy and create a new policy. Make sure you match the Algorithm parameters in this policy with the one in FlexGW.



save the configuration.
Navigate to VPN > IPSEC and enter the public IP and local subnet information properly.
Make sure the preshared key is same on both the side.

 Save the configuration and go back to your FlexGW to check if the Tunnel is online.

To test it further, you can deploy a virtual machine on both sides and do a ping test.

at 3 comments:

Thursday, December 7, 2017

Site to Site VPN between Alibaba Cloud and Microsoft Azure



Introduction

This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection and Deploy a VPN gateway appliance from your Alibaba Cloud portal and connect it to the VNet.
This guide will provide quick steps to configure Site-to-Site.
On Azure:
1. Create a virtual network
To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below.

 1. From a browser, navigate to the Azure portal and sign in with your Azure account.
2. Click New. In the Search the marketplace field, type 'virtual network'. Locate Virtual network from the returned list and click to open the Virtual Network page.
3. Near the bottom of the Virtual Network page, from the Select a deployment model list, select Resource Manager, and then click Create. This opens the 'Create virtual network' page.
   
2. Create the gateway subnet
  • In the portal, navigate to the virtual network for which you want to create a virtual network gateway.
  • In the Settings section of your VNet page, click Subnets to expand the Subnets page.
  • On the Subnets page, click +Gateway subnet at the top to open the Add subnet page.
  • The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. The GatewaySubnet value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirements.
  • To create the subnet, click OK at the bottom of the page.


3. Create the VPN gateway
  • On the left side of the portal page, click + and type 'Virtual Network Gateway' in the search box. In Results, locate and click Virtual network gateway.
  • At the bottom of the 'Virtual network gateway' page, click Create. This opens the Create virtual network gateway page.
  • On the Create virtual network gateway page, specify the values for your virtual network gateway.


 4. Create the local network gateway
The local network gateway typically refers to your on-premises location. But here we are connecting to Alibaba cloud VPN gateway appliance. So You give the site a name by which Azure can refer to it, then specify the IP address of the Alibaba cloud VPN device to which you will create a connection.
Create the VPN connection
Create the Site-to-Site VPN connection between your virtual network gateway and your Alibaba cloud VPN device.
  • Navigate to and open the blade for your virtual network gateway. There are multiple ways to navigate. In our example, we navigated to the gateway 'VNet1GW' by going to TestVNet1 -> Overview -> Connected devices -> VNet1GW.
  • On the blade for VNet1GW, click Connections. At the top of the Connections blade, click +Add to open the Add connection blade.
Configuration of the Alibaba Cloud Portal
Login to you Alibaba Cloud Portal and open another browser tab. Look for Alibaba cloud marketplace.
Go to the search space at right-hand corner and find “FlexGW IPsec VPN on CentOS”
Deploy the appliance as an instance in the default VPC.
Once deployed, reset the password and restart the VM.
Open your browser and paste the Public IP of the instance at https://publicip/






Navigate to IPSEC VPN and click on create a tunnel.
 
Make sure the PSK (Shared Key) is same on both the sides.
Click on Save and it should start connecting to the Azure VPN gateway and you should be able to see the status as below
On Azure Portal:
To test it further, you can deploy a virtual machine on both sides and do a ping test.
I deployed an Ubuntu VM on Azure and on Alibaba.
The virtual machine on Azure with the below private IP:
Virtual Machine on Alibaba with its private IP:
Note: the catch is since, on Alibaba Cloud we have deployed VPN GW as an instance, we have to make sure the “Route Entry” is added to use the ECS instance to reach a particular CIDR.
And there you go:
Ping from Alibaba to Azure

                                            Thank you for reading
at 9 comments:
Subscribe to: Posts (Atom)

How to create a VPN connection between two VPCs on Alibaba Cloud

How to create a VPN connection between two VPCs on Alibaba Cloud Here’s my Scenario, VPC name CIDR block VPC ID Cloud prod...