- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practices
- IPsec VPN
- Hybrid Cloud Primary/Secondary Communication (DC and VPN)
- Connecting IDC to CCN
- Local Gateway Configurations
- Connecting IDC to a Single Tencent Cloud VPC for Primary/Secondary Disaster Recovery
- Establishing a VPN Connection between Tencent Cloud and Azure China
- Establishing Connection Between IDC and Cloud Resources (Dynamic BGP)
- SSL VPN
- IPsec VPN
- API Documentation
- FAQs
- Troubleshooting
- Service Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practices
- IPsec VPN
- Hybrid Cloud Primary/Secondary Communication (DC and VPN)
- Connecting IDC to CCN
- Local Gateway Configurations
- Connecting IDC to a Single Tencent Cloud VPC for Primary/Secondary Disaster Recovery
- Establishing a VPN Connection between Tencent Cloud and Azure China
- Establishing Connection Between IDC and Cloud Resources (Dynamic BGP)
- SSL VPN
- IPsec VPN
- API Documentation
- FAQs
- Troubleshooting
- Service Agreement
- Contact Us
- Glossary
Tencent Cloud VPN Connections provides a complete solution to guarantee the high availability of your business. Not only the VPN gateway itself supports a high availability, but also primary/secondary tunnels are supported. The VPN gateway uses health check to identify the tunnel status and triggers the traffic switch between the primary and secondary tunnels based on their status. This document describes how to configure health check.
Note:
We recommend you use a route-based tunnel for health check. If you use an SPD policy-based tunnel, you need to configure an SPD policy for
0.0.0.0/0.How Health Check Works
VPN tunnel health check uses the NQA mechanism and the
ping command by default. In this way, the VPN gateway regularly uses the local address of health check to ping (encrypted in the tunnel) the peer address, so as to determine the connectivity. If the ping fails multiple times in a row, the VPN gateway will consider the tunnel as abnormal and switch the traffic from the primary tunnel to the secondary tunnel. At the same time, the customer gateway also needs to implement a similar mechanism to switch the traffic to the secondary tunnel. To this end, you need to configure two IP addresses that are mutually pingable in the tunnel or adopt such two IP addresses automatically assigned by the system for health check. The IP ranges of the two addresses cannot conflict with those of the VPC and IDC. Prerequisites
You have created a VPN gateway as instructed in Creating a VPN Gateway and configured the customer gateway as instructed in Creating Customer Gateways. The version of the VPN gateway must be v3.0 or later.
You have created the primary and secondary tunnels.
You have planned health check addresses or use the addresses automatically assigned by the system.
Configuring the Health Checks When Creating VPN Tunnels
This section only introduces the parameters for health checks. For other steps for creating a VPN tunnel, see Creating a VPN Tunnel.
1. Log in to the VPC console.
2. Click VPN Connection > VPN Tunnel in the left sidebar.
3. In the VPN Connections page, click Create.
4. Configure the basic information in the pop-up dialog box. Then, enable health check and configure the IPs in Advanced configuration.
5. The health check configuration takes effect upon the tunnel creation.
Configuring the Health Check After Creating VPN Tunnels
You can also configure health check on the VPN tunnel details page after the tunnel is created.
Note:
Note that your business may be interrupted for a short time.
1. Log in to the VPC console.
2. Click VPN Connection > VPN Tunnel in the left sidebar.
3. In the VPN Tunnels page, locate and click the target VPN tunnel to , and click Edit on the Basic Information tab.
4. Enable the health check and configure the relevant parameters.
Parameter | Description |
VPN gateway IP for health check | It defaults to an IP within the range of 169.254.128.0/17. You can also specify 0.0.0.0or an IP within 224.0.0.0- 239.255.255.255but outside the VPC IP range. |
Customer gateway IP for health check | It defaults to an IP within the range of 169.254.128.0/17. You can also specify an available on-premises IP. |
5. We recommend you select Destination route for the communication mode. If Destination Route is unavailable, we recommend you enter
0.0.0.0/0 for the local and peer IP ranges in the SPD policy to ensure that the communication between the local and peer health check IPs is encrypted based on the VPN tunnel.6. Click Save.
Yes
No
Was this page helpful?