Baidu AI Cloud


Virtual Private Cloud

VPN Gateway

A VPN connection links your IDC with a virtual private cloud (VPC) over an encrypted tunnel that runs across the public network.

Operation Procedures

The VPC IPsec VPN instance is configured entirely by self-service in the console. The VPN connection takes effect only after all of the following steps are completed:

Create VPN Gateway

1. Select "VPN Gateway" in the navigation bar on the left of the Virtual Private Cloud console to open the VPN gateway instance list.

  Note

  • To create a VPN gateway in a non-default VPC, first create a subnet in that VPC. For details, see Create Subnet.
  • Each VPC supports at most 3 VPN gateways. To create more VPN gateways, submit a ticket.
2. Select "VPN Gateway" in the navigation bar and click the "Create VPN Gateway" button.
3. Fill in the following configuration information:

  Configuration item | Description
  Current region | Supported regions are North China (Beijing, Baoding), South China (Guangzhou), East China (Shanghai, Suzhou), Central China (Wuhan), Hong Kong and Singapore; switch regions in the upper left corner. The enhanced VPN gateway is available in Beijing, Guangzhou, Shanghai, Suzhou and Wuhan.
  Network | The Virtual Private Cloud (VPC) to which the VPN gateway belongs.
  VPN gateway name | Custom name for the VPN gateway.
  Specification of VPN gateway | Maximum forwarding capacity of the VPN gateway: an ordinary VPN gateway forwards up to 200 Mbps, an enhanced VPN gateway up to 1000 Mbps.
  VPN description | Description of the VPN gateway.
  VPN public network bandwidth | The Elastic IP (EIP) bound by the user.
4. Select the purchase duration and click "Next".
5. Confirm the order details and pay for the order to create the VPN gateway.

Create VPN Tunnel

1. In the VPN gateway list, select a VPN gateway and click the arrow under "Tunnel Number" to display the VPN tunnel list.

  Note Each VPN gateway supports up to 10 VPN tunnels. To create more VPN tunnels, submit a ticket.

2. Click "Create a VPN Tunnel" and enter the following configuration information:

  Basic Configuration

  Configuration item | Description
  Virtual Private Cloud | The Virtual Private Cloud (VPC) to which the VPN gateway belongs.
  VPN tunnel name | Custom name for the VPN tunnel.
  Shared key | A Unicode string used to authenticate the IPsec connection. The local end and the peer end must use the same pre-shared key.
  Public network IP of local VPN gateway | The public IP address and bandwidth the local VPN gateway uses for encrypted communication over the public network. If the selected VPN gateway is of the enhanced type, the public IP and bandwidth used by the local end must be purchased according to the Elastic IP bandwidth purchase rules; see the details.
  Local network | The subnet of the Baidu AI Cloud VPC that is reachable through the VPN tunnel.
  Public network IP of peer VPN gateway | The peer gateway is the IPsec VPN gateway in the IDC machine room; it works together with the Baidu AI Cloud VPN gateway.
  Peer network | The network segment on the peer side that is reachable through the VPN tunnel.
  Description | Description of the VPN tunnel.

  Advanced Configuration: IKE Configuration

  Configuration item | Description
  Version | Version of the IKE protocol. IKE v1 and IKE v2 are currently supported.
  Negotiation mode | Negotiation mode for IKE v1. Main mode (main): the negotiation process is highly secure. Aggressive mode (aggressive): negotiation is faster and succeeds more often. Once negotiation succeeds, the two modes protect the transmitted data equally.
  Encryption algorithm | Encryption algorithm negotiated in phase 1. Supports aes, aes192, aes256 and 3des.
  Authentication algorithm | Authentication algorithm negotiated in phase 1. Supports sha1, md5, sha2_256, sha2_384 and sha2_512.
  Local identification | An IP address or FQDN (fully qualified domain name). The "local identification" must match the "peer identification" configured on the tunnel peer.
  Peer identification | An IP address or FQDN (fully qualified domain name). The "peer identification" must match the "local identification" configured on the tunnel peer.
  DH group | Diffie-Hellman key exchange group negotiated in phase 1.
  SA lifetime (seconds) | Lifetime of the SA negotiated in phase 1. The default value is 28,800 seconds.

  Advanced Configuration: IPsec Configuration

  Configuration item | Description
  Encryption algorithm | Encryption algorithm negotiated in phase 2. Supports aes, aes192, aes256 and 3des.
  Authentication algorithm | Authentication algorithm negotiated in phase 2. Supports sha1, md5, sha2_256, sha2_384 and sha2_512.
  DH group | Diffie-Hellman key exchange group negotiated in phase 2.
  SA lifetime (seconds) | Lifetime of the SA negotiated in phase 2. The default value is 28,800 seconds.

Create the Client VPN Gateway and Parameters

The client gateway (peer gateway) is the IPsec VPN gateway in the client's machine room and works together with the Baidu AI Cloud VPN gateway. When configuring the client gateway, use the same parameters as the advanced configuration of the VPN tunnel.

Note NAT traversal must be enabled on the VPN gateway device in the local IDC.

At this point the VPN connection is established.
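To make the mirroring rule concrete, here is an added example (editor's code, not Baidu AI Cloud's) that compares the tunnel parameters entered in the console with the client gateway configuration in the IDC and lists every mismatch; the addresses, the DH group name "group14" and the parameter key names are constructed for the illustration.

```python
import ipaddress
from typing import Dict, List

# Algorithm options exactly as offered in the console tables on this page.
ENC_ALGS = {"aes", "aes192", "aes256", "3des"}
AUTH_ALGS = {"sha1", "md5", "sha2_256", "sha2_384", "sha2_512"}

# Parameters that must be identical on both ends of the tunnel.
SAME = ["psk", "ike_version", "mode", "ike_enc", "ike_auth", "ike_dh", "ike_lifetime",
        "ipsec_enc", "ipsec_auth", "ipsec_dh", "ipsec_lifetime"]
# Parameters that are mirrored: the cloud's "local" value is the IDC's "peer" value.
MIRRORED = {"local_ip": "peer_ip", "peer_ip": "local_ip", "local_id": "peer_id",
            "peer_id": "local_id", "local_net": "peer_net", "peer_net": "local_net"}


def check_tunnel(cloud: Dict[str, str], idc: Dict[str, str]) -> List[str]:
    """Return the mismatches between the console tunnel and the IDC gateway config."""
    problems = []
    for key in SAME:
        if cloud.get(key) != idc.get(key):
            problems.append(f"{key} differs: cloud={cloud.get(key)!r} idc={idc.get(key)!r}")
    for key, mirror in MIRRORED.items():
        if cloud.get(key) != idc.get(mirror):
            problems.append(f"cloud {key}={cloud.get(key)} must equal idc {mirror}={idc.get(mirror)}")
    for key, allowed in (("ike_enc", ENC_ALGS), ("ipsec_enc", ENC_ALGS),
                         ("ike_auth", AUTH_ALGS), ("ipsec_auth", AUTH_ALGS)):
        if cloud[key] not in allowed:
            problems.append(f"{key}={cloud[key]} is not offered by the console")
    # Overlapping local/peer networks cannot be routed without the VPN gateway NAT rules.
    if ipaddress.ip_network(cloud["local_net"]).overlaps(ipaddress.ip_network(cloud["peer_net"])):
        problems.append("local and peer networks overlap: configure VPN gateway NAT")
    return problems


# Constructed sample values (documentation addresses, not a real deployment).
CLOUD = {"psk": "example-psk", "ike_version": "v1", "mode": "main",
         "ike_enc": "aes256", "ike_auth": "sha2_256", "ike_dh": "group14", "ike_lifetime": "28800",
         "ipsec_enc": "aes256", "ipsec_auth": "sha2_256", "ipsec_dh": "group14",
         "ipsec_lifetime": "28800", "local_ip": "203.0.113.10", "peer_ip": "198.51.100.20",
         "local_id": "203.0.113.10", "peer_id": "198.51.100.20",
         "local_net": "192.168.0.0/24", "peer_net": "10.1.0.0/16"}
# The matching client gateway configuration in the IDC: same secrets, ends swapped.
IDC = dict(CLOUD, local_ip=CLOUD["peer_ip"], peer_ip=CLOUD["local_ip"],
           local_id=CLOUD["peer_id"], peer_id=CLOUD["local_id"],
           local_net=CLOUD["peer_net"], peer_net=CLOUD["local_net"])
# A common mistake: PSK retyped with a trailing space and identifications not swapped.
IDC_WRONG = dict(IDC, psk="example-psk ", local_id=CLOUD["local_id"], peer_id=CLOUD["peer_id"])

if __name__ == "__main__":
    print(check_tunnel(CLOUD, IDC))        # []
    print(check_tunnel(CLOUD, IDC_WRONG))  # psk mismatch plus two identification mismatches
```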

Configuration of Route Table for the VPN

After the VPN is connected, configure route tables at both ends of the VPN tunnel so that traffic can flow between the cloud environment and the client network. The steps to configure the route table in Baidu AI Cloud are:

1. Select "Route Table" in the navigation bar and click "Add Route" in the route table list.
2. In the route table associated with the subnets that need to reach the user-side network, enter the route:

  • Enter the source network segment.
  • Enter the destination network segment.
  • For the route type, select "VPN Gateway".
  • For the next-hop instance, select the VPN gateway you created.
3. Click "OK" to complete the route table configuration. When a BCC instance in a subnet associated with this route table accesses the user-side network, its traffic is forwarded to the VPN gateway.

VPN Gateway Network Address Translation (NAT) Configuration

Network address translation (NAT) resolves IP address conflicts in hybrid cloud scenarios. The VPN gateway supports four translation rules: cloud static NAT, IDC-end static NAT, IDC-end DNAT and cloud DNAT. They resolve IP address conflicts across the VPN gateway and hide internal IP addresses to meet security requirements.

In the descriptions below, "local" refers to the virtual private cloud on the cloud side and "peer" refers to the user's IDC end.

Note

• NAT rules can be added only when the VPN gateway is in the Available state.
• The NAT function of the VPN gateway is currently in open beta; submit a ticket if you need to use it.

Static NAT on the Cloud

• Cloud (local) IP translation maps an original IP in the virtual private cloud to a new IP; the VPC then communicates with the VPN peer under that new IP identity.
• Cloud (local) IP translation does not restrict the direction of requests: the virtual private cloud may initiate access to the VPN peer, or the VPN peer may initiate access to the virtual private cloud.


IDC-end Static NAT

• IDC-end (peer) static NAT maps an original IP in the user's IDC to a new IP; the IDC then communicates with IPs in the virtual private cloud under that new IP identity.
• IDC-end (peer) static NAT does not restrict the direction of requests: the virtual private cloud may initiate access to the VPN peer, or the VPN peer may initiate access to the virtual private cloud.


IDC-end DNAT

IDC-end DNAT (local destination IP and port translation) is used when the IDC end initiates access to the virtual private cloud. It maps a designated port of a designated IP in the virtual private cloud to a new IP and port; the IDC end can reach that designated IP and port in the virtual private cloud only through the mapped IP and port, and no other IP or port is exposed to the IDC end.


Cloud DNAT

Cloud DNAT maps a designated IP and port in the IDC (peer) to a new IP and port; the VPC end can reach that designated IP and port in the IDC only through the mapped IP and port.
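As an added illustration (editor's code, not part of the Baidu AI Cloud documentation or product), the following models the static NAT and DNAT rule types described above on a constructed address conflict: both the VPC and the IDC use 10.0.1.0/24, each static rule gives one side a new identity, and a cloud DNAT rule exposes a single IDC IP and port to the VPC. All addresses, ports and class names are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


class StaticNat:
    """One-to-one static NAT between two equal-sized networks, as in the cloud and
    IDC-end static NAT rules: the host offset is preserved and either side may initiate."""
    def __init__(self, original_cidr: str, translated_cidr: str):
        self.orig = ipaddress.ip_network(original_cidr)
        self.new = ipaddress.ip_network(translated_cidr)
        if self.orig.prefixlen != self.new.prefixlen:
            raise ValueError("static NAT needs equal-sized networks")

    @staticmethod
    def _shift(ip: str, src, dst) -> str:
        addr = ipaddress.ip_address(ip)
        if addr not in src:
            return ip  # address not covered by the rule passes through unchanged
        return str(dst.network_address + (int(addr) - int(src.network_address)))

    def to_translated(self, ip: str) -> str:  # original address -> new identity
        return self._shift(ip, self.orig, self.new)

    def to_original(self, ip: str) -> str:  # new identity -> original address
        return self._shift(ip, self.new, self.orig)


class Dnat:
    """DNAT rule set: only explicitly mapped (IP, port) pairs are reachable, so no other
    IP or port behind the rule is exposed to the initiating side."""
    def __init__(self):
        self.rules: Dict[Endpoint, Endpoint] = {}

    def add(self, mapped: Endpoint, real: Endpoint) -> None:
        self.rules[mapped] = real

    def translate(self, dst: Endpoint) -> Optional[Endpoint]:
        return self.rules.get(dst)  # None means the packet is dropped


# Constructed scenario: the VPC and the IDC both use 10.0.1.0/24 (an address conflict).
cloud_static = StaticNat("10.0.1.0/24", "172.16.1.0/24")  # cloud (local) static NAT
idc_static = StaticNat("10.0.1.0/24", "172.16.2.0/24")    # IDC-end (peer) static NAT
cloud_dnat = Dnat()                                        # cloud DNAT towards the IDC
cloud_dnat.add(("172.16.2.50", 13306), ("10.0.1.50", 3306))


def vpc_to_idc(src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """A VPC host sends to an IDC host's translated address; return (src, dst) as the IDC sees them."""
    return cloud_static.to_translated(src_ip), idc_static.to_original(dst_ip)
```

With both static rules in place, the IDC host sees the VPC host as 172.16.1.x and the VPC host addresses the IDC host as 172.16.2.x, so the two identical 10.0.1.0/24 ranges never meet on the wire.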


Viewing Monitoring Data

VPN Gateway Monitoring

1. Log in to the management console, choose "Product Service > Virtual Private Cloud (VPC)", select "VPN Gateway" in the navigation bar on the left, and open the VPN gateway instance list.
2. Click "Monitor" next to the instance; a monitoring panel appears on the right side of the page.
3. Click "View More" to open the monitoring details page of the instance.
4. Click "Alarm Details" on the monitoring page to open the alarm policy configuration page and manage the alarm policies of the VPN gateway. For detailed steps, see BCM Administration Alarm.

VPN Tunnel Monitoring

1. Log in to the management console, choose "Product Service > Virtual Private Cloud (VPC)", select "VPN Gateway" in the navigation bar on the left, and open the VPN gateway instance list.
2. In the VPN gateway instance list, click the arrow under "Tunnel Number" to display the VPN tunnel list.
3. Click "Monitor" next to the VPN tunnel; the "View Monitoring Data" window appears.
4. Click "Alarm Details" in the list operations to open the alarm policy configuration page and manage the alarm policies of the VPN tunnel. For detailed steps, see BCM Administration Alarm.