tencent cloud


Creating a Dedicated Tunnel

Last updated: 2021-09-30 16:45:08

    A dedicated tunnel is a network link segmentation of a connection. You can create dedicated tunnels that connect to different direct connect gateways to enable communication between your on-premises IDC and multiple VPCs. After a dedicated tunnel is created, its event alarms will be automatically configured to facilitate your monitoring and OPS of it. This document describes how to apply for a dedicated tunnel.


    The shared connection feature of new dedicated tunnels has stopped accepting new applications since August 1, 2020 at 00:00:00. If you are using a shared connection, it will not be affected by this change, but if you delete it, you will not be able to apply for new dedicated tunnels with shared connection after August 1, 2020 at 00:00:00.



    Step 1: apply for a dedicated tunnel

    1. Log in to the Direct Connect - Dedicated Tunnel console.
    2. Click +New at the top of the Dedicated Tunnels page, complete the basic configurations such as name, connection type, access network, region and associated direct connect gateway, and click Next.
      Field Configuration
      Name Enter a name for your dedicated tunnel.
      Tunnel Type Set to 1.0 or 2.0 depending on the associated connection you select.
      Connections Select a connection you have applied for.
      Access Network
      • For a 1.0 tunnel, select from CCN, BM Network and Virtual Private Cloud.
      • For a 2.0 tunnel, select either CCN or Virtual Private Cloud.
      • If CCN is selected as the access network, the region is where the CCN-based direct connect gateway resides by default.
      • If VPC is selected as the access network, you can only select the region where the connection resides for a 2.0 tunnel and select any region for a 1.0 tunnel.
      • If BM Network is selected as the access network, you can select any region for a 1.0 tunnel.
      VPC Select the VPC instance to be connected to by the dedicated tunnel.
      Direct Connect Gateway Associate an existing direct connect gateway with the dedicated tunnel. A 2.0 tunnel does not support a NAT-type direct connect gateway.
    3. Configure the following parameters on the Advanced Configuration page.
      Field Configuration
      VLAN ID A VLAN corresponds to a tunnel. Enter a value within the range of 0-3000. Entering “0” means one dedicated tunnel can be created. If MSTP connection passes through to multiple VLANs, the carrier needs to enable the Trunk mode.
      Bandwidth Specify the bandwidth cap of the dedicated tunnel, which cannot exceed the maximum bandwidth of the associated connection. If the billing mode is pay-as-you-go by monthly 95th percentile, this parameter does not mean the billable bandwidth.
      Tencent Cloud Primary IP Enter the connection IP address on the Tencent Cloud side. DO NOT use the following IP ranges or addresses:,,, -, and -
      Tencent Cloud Secondary IP Enter the secondary IP address of the connection on the Tencent Cloud side. The secondary IP will be automatically used to ensure the normal operation of your business when the Tencent Cloud primary IP fails and becomes unavailable. This field is not supported when the mask of the secondary IP address is 30 or 31.
      CPE Peer IP Configure the connection IP address on the user (or carrier) side.
      Routing Mode Select:
      • BGP Routing: applicable to the exchange of routing information and network accessibility across autonomous systems (AS).
      • Static Routing: applicable to a simper network environment.
      BGP ASN Enter the BGP neighbor ASN on the CPE side. Note that the Tencent Cloud ASN is 45090. If this field is left empty, a random ASN will be assigned.
      BGP Key Enter the MD5 value of the BGP neighbor, which defaults to "tencent". If it is left empty, no BGP key is required. It cannot contain 6 special characters such as ?, &, space, ", \, and +.
      CPE IP Range Enter the IP ranges of your IDC, with one IP range per line.
      If the new tunnel and existing tunnel are redundant, it is recommended to publish other IP ranges for CPE IP Range, and complete test for new tunnel with the IDC devices. And then publish the final service IP range via Change Tunnel, to prevent effects against traffic in running redundant tunnel.

      If Static is selected as the routing mode, do not directly publish the following routes:,,,,,,` when configuring IDC IP ranges. Instead, you need to first split them as follows

      • is split into +
      • is split into +
      • is split into +
      • is split into +
      • is split into +
      • is split into +
      • is split into +
      • is split into +
    1. Configure IDC devices. You can click Download configuration guide to download related files and complete the configurations as instructed in the guide.
      Parameter Configuration Remarks
      CPE IP Range Enter the customer IP range if Static is selected as the routing mode. This parameter cannot conflict with the VPC IP range in a non-NAT mode. You can update the IP range later via Change Tunnel on the console.
    2. Click Submit.

    Step 2: set the alarm recipient

    After a dedicated tunnel is created, Tencent Cloud automatically configures four event alarms such as DirectConnectTunnelDown, DirectConnectTunnelBFDDown, DirectConnectTunnelBGPSessionDown, and DirectConnectTunnelRouteTableOverload, helping you monitor and manage your dedicated tunnels. For more information on the event alarms, see Alarm Overview.
    This default alarm policy does not configure recipient information, so you can only view alarms on the console. To configure a recipient, take the following steps.

    1. Log in to the Cloud Monitor console and choose Alarm Configuration > Alarm Policy on the left sidebar.
    2. In the upper-right corner of the Alarm Policy page, click Advanced Filter to select All for Monitor Type and Dedicated Line channel for Policy type.
    3. Perform the following operations as needed.
      • Configure alarm objects
        1. Click the name of the target default policy in the alarm policy list.
        2. Click Edit next to Alarm Object, and select the objects to monitor. You can also click Add Object to create more alarm objects.
      • Modify an alarm policy
        1. Click the name of the target default policy in the alarm policy list.
        2. Click Edit next to the Trigger Condition and modify the trigger conditions for metric alarms and event alarms in the pop-up window. For more information on alarms, please see Alarm Overview. After the modification is complete, click Save.
      • Set alarm notification
        1. Click the name of the target default policy in the alarm policy list.
        2. Select a template in the Alarm Notification section.
          Click Edit Recipient to configure alarm recipients in the template. If existing templates are not suitable, you can click Create Template and configure it as prompted. Then you can select the template to configure alarm recipients.
      • Set a default policy
        If the default alarm policy cannot meet your needs, you can select a custom alarm policy and click Set to Default Policy in the Operation column. Then the selected alarm policy will automatically apply to dedicated tunnels created afterwards.

    Connection Status

    After the dedicated tunnel is created, it will be displayed on the Dedicated Tunnels page in the Applying status.

    The possible connection statuses of a dedicated channel include:

    • Applying
      The system has received your application for a new dedicated tunnel and is ready to start the creation.
    • Configuring
      The system is delivering the parameter configuration. If this status lasts for a long time, a failure may occur. In this case, contact your architect or submit a ticket for assistance.
    • Configured
      The system has completed the configuration based on the specified parameters but is unable to ping to the IP address of your IDC. A dedicated tunnel in this status can be deleted.
    • Connected
      The system pings to your IDC device successfully. However, this does not mean that your business is connected. You have to configure the route table of the VPC or CCN instance to implement the connection.
    • Deleting
      If you delete your dedicated tunnel on the console, the connection status of the dedicated tunnel becomes Deleting. If this status lasts for a long time, a failure may occur. In this case, contact your architect or submit a ticket for assistance.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support