Connecting IDC to CCN

Last updated: 2021-09-03 19:11:57

    The VPN gateway for CCN can be associated with the Cloud Connect Network (CCN) to establish an encrypted communication between the IDC and CCN. This document introduces how to associate the VPN gateway for CCN with CCN.

    Background

    A VPN gateway for CCN can be associated with CCN and create multiple encrypted VPN tunnels. Each VPN tunnel can connect one local IDC.

    The steps to associate the VPN gateway for CCN with CCN are as follows:

    1. Create a VPN gateway for CCN: a VPN gateway is an egress gateway used by CCN along with the customer gateway to establish VPN connections.
    2. Associate CCN instances: associate the VPN gateway for CCN with CCN instances.
    3. Create a customer gateway: a customer gateway is a logical object used with a Tencent Cloud VPN gateway to record the fixed public IP address of the IPsec VPN gateway on the IDC side. A VPN gateway can establish encrypted VPN tunnels with multiple customer gateways.
    4. Create a VPN tunnel: the VPN tunnel uses the IPsec protocol, which encrypts the traffic between the IDC and CCN.
    5. Configure the VPN gateway route: configure the VPN gateway route to the customer gateway.
    6. Configure the IDC devices: configure the VPN tunnel for Tencent Cloud on the local gateway of the IDC.
    7. Enable the IDC IP range: add the IDC IP range of the SPD policy to CCN.

    Directions

    Step 1: create a VPN gateway for CCN

    1. Log in to the VPC console.
    2. Select VPN Connection > VPN Gateway on the left sidebar.
    3. Select a region at the top of the VPN Gateway page and click +New.
    4. In the Create a VPN gateway pop-up window, enter the gateway name, such as TomVPNGw. Select the associate network, bandwidth cap, billing method, and click Create. After the VPN gateway is created, the system randomly assigns it a public IP address such as 203.195.147.82.
      Note:

      To create a VPN gateway for CCN in the specified availability zone, please submit a ticket.

      • Gateway Name: enter a VPN gateway name, which cannot exceed 60 characters.
      • Associate Network: select CCN.
      • Bandwidth Cap: select the maximum bandwidth for the VPN gateway as needed.
      • Billing Method: select the billing mode for the VPN gateway as needed.
        • Bill-by-traffic: this mode is suitable for scenarios where the bandwidth fluctuates greatly.

    Step 2: associate CCN instances

    • You can associate an existing CCN instance by the following steps:
      1. Return to the VPN Gateway page, click the ID of an existing VPN gateway for CCN in the list to view its details.
      2. Under the Basic Information tab, click the edit icon next to Network, select the CCN instance you want to associate from the drop-down list, and then click Save.
    • You can associate a new CCN instance by the following steps:
      1. Click Cloud Connect Network in the left sidebar to go to the CCN page.
      2. Select a region at the top of the CCN page and click +New.
      3. In the pop-up window, complete the following configurations and click OK.
        1. Enter the name and description for the CCN instance. Select its billing mode, service quality, and bandwidth limit mode.
        2. Select VPN Gateway under Associated Instances, and search for regions and IDs of existing VPN gateways for CCN.

    Step 3: create a customer gateway

    1. Log in to the VPC console.
    2. Select VPN Connection > Customer Gateway on the left sidebar to access the Customer Gateway page.
    3. Select a region at the top of the Customer Gateway page and click +New.
    4. In the Create Customer Gateway pop-up window, enter the name and public IP of the customer gateway on the IDC side, and click Create.

    Step 4: create a VPN tunnel

    1. Log in to the VPC console.
    2. Select VPN Connection > VPN Tunnel on the left sidebar to access the VPN Tunnel page.
    3. Select a region at the top of the VPN Tunnel page and click +New.
    4. On the Create VPN tunnel page, enter the tunnel name and pre-shared key (such as 123456), select CCN for VPN Gateway type, choose the customer gateway, and click Next.
    5. Enter an SPD policy to specify which subnet IP ranges and IDC IP ranges can communicate with each other.
      Note:

      • IDC IP ranges in each rule cannot overlap.
      • Rules for tunnels in the same gateway cannot overlap.
      • IDC IP ranges of the SPD policy can be added to CCN.
    6. (Optional) Configure IKE parameters. Click Next if no advanced configuration is required.
    7. (Optional) Configure IPsec parameters. Click Completed if no configuration is required.
    8. After the VPN tunnel is successfully created, return to the VPN Tunnel list page and click More -> Download config file under the Operation column.
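As an added example (not from this page or from Tencent Cloud's own tooling), a small Python check that applies the two SPD constraints from the note above to a planned set of tunnels before you enter them in the console. It assumes a constructed dictionary shape, {tunnel name: [{"local": [CIDR, ...], "idc": [CIDR, ...]}, ...]}, and reads "rules cannot overlap" as: the IDC ranges of any two distinct rules on the same gateway must not overlap. It also lists the IDC ranges that Step 7 later enables in CCN.

```python
from ipaddress import ip_network

# Assumed input shape (constructed for this example): one gateway, keyed by
# tunnel name; each tunnel carries a list of SPD rules; each rule has a "local"
# list (Tencent Cloud subnet IP ranges) and an "idc" list (IDC IP ranges).
def check_spd_policies(gateway):
    """Return a list of violation strings; an empty list means the rules pass.

    Checks applied (from the console note for Step 4):
      1. IDC IP ranges inside a single rule must not overlap.
      2. IDC IP ranges of two different rules on the same gateway must not overlap.
    Malformed CIDRs (host bits set, bad syntax) are reported as violations.
    """
    problems = []
    seen = []  # (tunnel, rule index, network) of every IDC range parsed so far
    for tunnel, rules in gateway.items():
        for i, rule in enumerate(rules):
            nets = []
            for cidr in rule["local"] + rule["idc"]:
                try:
                    net = ip_network(cidr, strict=True)
                except ValueError as exc:
                    problems.append(f"{tunnel} rule {i}: invalid CIDR {cidr!r} ({exc})")
                    continue
                if cidr in rule["idc"]:
                    nets.append(net)
            # check 1: pairwise overlap within the rule's IDC ranges
            for x in range(len(nets)):
                for y in range(x + 1, len(nets)):
                    if nets[x].overlaps(nets[y]):
                        problems.append(
                            f"{tunnel} rule {i}: IDC ranges {nets[x]} and {nets[y]} overlap")
            # check 2: overlap against every IDC range of any other rule on the gateway
            for net in nets:
                for other_tunnel, j, other in seen:
                    if (other_tunnel, j) != (tunnel, i) and net.overlaps(other):
                        problems.append(
                            f"{tunnel} rule {i}: {net} overlaps {other} "
                            f"in {other_tunnel} rule {j}")
                seen.append((tunnel, i, net))
    return problems


def idc_ranges_to_enable(gateway):
    """IDC IP ranges from all SPD rules, sorted, as Step 7 would enable them in CCN."""
    nets = {ip_network(c) for rules in gateway.values() for r in rules for c in r["idc"]}
    return [str(n) for n in sorted(nets)]
```

Run check_spd_policies on the planned rules first; only a gateway with an empty result is worth entering in the console.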

    Step 5: configure the VPN gateway route

    After the VPN tunnel configuration is complete, configure the VPN gateway route to the customer gateway.

    1. Select VPN Connection > VPN Gateway on the left sidebar to access the VPN Gateway page. Locate the VPN gateway just created, and click the ID/Name to enter its details page.
    2. Select the Route Table tab and click Add a route.
    3. Configure the routing policy of the VPN gateway to the customer gateway.
      • Destination: enter the IDC IP range that sits behind the customer gateway.
      • Next hop type: defaults to VPN Tunnel.
      • Next hop: select a VPN tunnel that has already been created.
      • Weight: enter an integer within 0-100. The smaller the value, the higher the priority.
    4. Click OK.

    Step 6: configure the IDC devices

    After the preceding steps, the VPN gateway and VPN tunnel on Tencent Cloud are configured. Next, configure the matching VPN tunnel on the local gateway of the IDC. For detailed directions, see Local Gateway Configurations.

    Step 7: enable IDC IP ranges

    Note:

    • This step is only applicable to VPN gateways v1.0 and v2.0. The Route Table tab of a VPN gateway v3.0 is as shown in the following figure.
    • If you use a VPN gateway v3.0 for CCN and already associated it with a CCN instance, the routing policy with CCN as the next hop will be automatically obtained and displayed in the route table, without manual configuration. The routing policy configured on the VPN gateway will be automatically synced to CCN.

    The route table of a VPN gateway v3.0 is shown below:

    For VPN gateways v1.0 and v2.0, enable the IDC IP ranges as follows:

    1. Log in to the VPC console.
    2. Select VPN Connection > VPN Gateway on the left sidebar.
    3. Click the ID/Name of the VPN gateway for CCN in the list to view its details.
    4. Select the IDC IP Range tab, and enable the IP range you need.

    Result Validation

    1. Log in to the VPC console.
    2. Choose Cloud Connect Network in the left sidebar to go to the CCN page.
    3. In the list, click the ID/Name of the CCN instance associated with the VPN gateway for CCN to view its details.
    4. Select the Route Table tab. If the table shows the enabled IP range with a Valid status and the Next hop is a VPN gateway for CCN, the CCN instance is successfully associated.