2022-02-18 07:39:44

Cross-regional resource interconnection on JD Cloud through a VPN connection

This tutorial describes how to set up secure intranet access from a JD Cloud & AI VPC to a VPC in another region through JD Cloud & AI IPsec VPN. For access within the same region, VPC Peering or direct BGW interconnection is recommended instead.

Business Scenarios

For service availability, customers deploy services in several JD Cloud regions, and the services in those regions need to access each other or provide failover/disaster recovery.

Precondition

In JD Cloud & AI, the segments of the VPC on the home terminal must not overlap the segments of the cross-regional VPC on the opposite terminal.

Precautions

  • Only static routing can be used to interconnect VPN connections of JD Cloud & AI. The BGWs on both terminals have the same BGP ASN, and the tunnel's inner-layer address cannot be customized, so dynamic routing based on EBGP cannot be established;

Detailed Steps

Step 1. Create a BGW in the home terminal region of JD Cloud & AI

a) Log into the BGW Console;
b) Select the home terminal region used for the VPN and click to create a BGW;
c) The border gateway supports running the BGP routing protocol. The BGP ASN of the JD Cloud border gateway is currently fixed to 65000 and will be opened for modification in the future;

For more details, refer to Border Gateway Management.

Step 2. Create a VPC attachment in the home terminal region of JD Cloud & AI

a) Log into the VPC Console;
b) Select the home terminal region used for the VPN and click to create a VPC attachment;
c) Select the border gateway created in Step 1, select the VPC whose route traffic passes through this border gateway, and select the VPC segments to be transmitted to this border gateway. After the VPC attachment is created, the selected segments are automatically added to the transmission route table of this border gateway, with the Next Hop pointing to the VPC attachment created in this step;

For more details, refer to VPC Attachment Management.

Step 3. Create a CGW in the home terminal region of JD Cloud & AI

a) Log into the CGW Console;
b) Select the home terminal region used for the VPN and click to create a CGW;
c) The customer gateway is the logical representation of the client VPN device in the cloud; the customer creates a VPN connection based on the border gateway and the customer gateway. The customer gateway only carries the relevant information of the client device (its public network addresses and BGP ASN), with no concept of a specific geographical location. In theory it has no region attribute, but since almost all cloud resources have one, the customer gateway is also assigned a region. Customer gateways with the same configuration can be created repeatedly in different regions; each is only available in the region where it is created, and the regions do not affect each other.
d) If the client device supports the BGP routing protocol, BGP routing is recommended and the client's BGP ASN should be specified. However, the BGW of JD Cloud & AI currently only supports a fixed BGP ASN, so EBGP routing cannot run between two BGWs and only static routing is supported;
e) Configure two public network addresses for the client. For now, specify two routable public network addresses at random; after the cloud public network addresses are assigned to the VPN Connection in the opposite terminal region, the CGW public network addresses in the home terminal region must be updated to them;

For more details, refer to Customer Gateway Management.

Step 5. Create a BGW in the opposite terminal region of JD Cloud & AI

a) Log into the BGW Console;
b) Select the opposite terminal region used for the VPN and click to create a BGW;
c) The border gateway supports running the BGP routing protocol. The BGP ASN of the JD Cloud border gateway is currently fixed to 65000 and will be opened for modification in the future;

For more details, refer to Border Gateway Management.

Step 6. Create a VPC attachment in the opposite terminal region of JD Cloud & AI

a) Log into the VPC Console;
b) Select the opposite terminal region used for the VPN and click to create a VPC attachment;
c) Select the border gateway created in Step 5, select the VPC whose route traffic passes through this border gateway, and select the VPC segments to be transmitted to this border gateway. After the VPC attachment is created, the selected segments are automatically added to the transmission route table of this border gateway, with the Next Hop pointing to the VPC attachment created in this step;

For more details, refer to VPC Attachment Management.

Step 7. Create a CGW in the opposite terminal region of JD Cloud & AI

a) Log into the CGW Console;
b) Select the opposite terminal region used for the VPN and click to create a CGW;
c) The customer gateway is the logical representation of the client VPN device in the cloud; the customer creates a VPN connection based on the border gateway and the customer gateway. The customer gateway only carries the relevant information of the client device (its public network addresses and BGP ASN), with no concept of a specific geographical location. In theory it has no region attribute, but since almost all cloud resources have one, the customer gateway is also assigned a region. Customer gateways with the same configuration can be created repeatedly in different regions; each is only available in the region where it is created, and the regions do not affect each other.
d) If the client device supports the BGP routing protocol, BGP routing is recommended and the client's BGP ASN should be specified. However, the BGW of JD Cloud & AI currently only supports a fixed BGP ASN, so EBGP routing cannot run between two BGWs and only static routing is supported;
e) Configure two public network addresses for the client. For now, specify two routable public network addresses at random; after the cloud public network addresses are assigned to the VPN Connection in the home terminal region, the CGW public network addresses in the opposite terminal region must be updated to them;

For more details, refer to Customer Gateway Management.

Step 8. Create a VPN connection in the opposite terminal region of JD Cloud & AI

a) Log into the VPN Console;
b) Select the opposite terminal region used for the VPN and click to create a VPN connection;
c) Select the BGW used to create the VPN connection;
d) Select the customer gateway representing the client VPN device;
e) Select the connection type. Currently, only inner and outer layer addresses of the IPv4 Address Family are supported; the IPv6 Address Family will be supported in future;
f) Select whether BGP routing is enabled. For high business availability, BGP routing is enabled by default, but static routing remains valid, so it is recommended to uncheck "Enable BGP Routing";
g) After the VPN connection is created, two cloud public network addresses are automatically allocated for setting up VPN tunnels to the client public network addresses;

For more details, refer to VPN Connection Management.

Step 9. Update the CGW public network addresses in the home terminal region of JD Cloud & AI

Using the two cloud public network addresses assigned to the VPN Connection in the opposite terminal region, update the two public network addresses of the CGW in the home terminal region.

Step 10. Create a VPN connection in the home terminal region of JD Cloud & AI

a) Log into the VPN Console;
b) Select the home terminal region used for the VPN and click to create a VPN connection;
c) Select the BGW used to create the VPN connection;
d) Select the customer gateway representing the client VPN device;
e) Select the connection type. Currently, only inner and outer layer addresses of the IPv4 Address Family are supported; the IPv6 Address Family will be supported in future;
f) Select whether BGP routing is enabled. For high business availability, BGP routing is enabled by default, but static routing remains valid, so it is recommended to uncheck "Enable BGP Routing";
g) After the VPN connection is created, two cloud public network addresses are automatically allocated for setting up VPN tunnels to the client public network addresses;

For more details, refer to VPN Connection Management.

Step 11. Update the CGW public network addresses in the opposite terminal region of JD Cloud & AI

Using the two cloud public network addresses assigned to the VPN Connection in the home terminal region, update the two public network addresses of the CGW in the opposite terminal region.

Step 12. Create a VPN tunnel in the home terminal region of JD Cloud & AI

a) Log into the VPN Console;
b) Select the home terminal region used for the VPN and select a VPN connection;
c) Click "Add Tunnel" in the "Resource Information" tab to initialize the creation page for two tunnels. The first tunnel uses the first cloud public network address of the VPN connection and the first CGW public network address as its two endpoints; the second tunnel uses the second cloud public network address and the second CGW public network address;
d) All VPN tunnels under the same VPN connection use the same routing mode, namely the routing mode set on the VPN connection;
e) Each VPN tunnel is configured with the parameters of the two-stage negotiation: IKE version, pre-shared key, gateway identifiers at both ends of the tunnel, the tunnel's inner-layer IP (used to route packets inside the tunnel; with static routing the tunnel is point-to-point, so the inner-layer address is not used, and the address conflict reported in this scenario can be ignored), as well as the authentication algorithm, encryption algorithm and SA lifetime for each of the two stages;

  Balancing security and performance, JD Cloud provides default tunnel IKE and IPsec configurations, and customers are recommended to negotiate and establish VPN tunnels with these recommended configurations.

f) When several tunnels are created, the other tunnels can copy the IKE and IPsec configuration parameters of Tunnel 1 to simplify configuration. Users can also customize the IKE and IPsec configuration parameters of each tunnel;

For more details, refer to VPN Tunnel Management.

Step 13. Create a VPN tunnel in the opposite terminal region of JD Cloud & AI

a) Log into the VPN Console;
b) Select the opposite terminal region used for the VPN and select a VPN connection;
c) Click "Add Tunnel" in the "Resource Information" tab to initialize the creation page for two tunnels. The first tunnel uses the first cloud public network address of the VPN connection and the first CGW public network address as its two endpoints; the second tunnel uses the second cloud public network address and the second CGW public network address;
d) All VPN tunnels under the same VPN connection use the same routing mode, namely the routing mode set on the VPN connection;
e) Using the configuration specified when the VPN tunnel was created in the home terminal region, each VPN tunnel is configured with the parameters of the two-stage negotiation: IKE version, pre-shared key, gateway identifiers at both ends of the tunnel, the tunnel's inner-layer IP (used to route packets inside the tunnel; with static routing the tunnel is point-to-point, so the inner-layer address is not used, and the address conflict reported in this scenario can be ignored), as well as the authentication algorithm, encryption algorithm and SA lifetime for each of the two stages;

  Balancing security and performance, JD Cloud provides default tunnel IKE and IPsec configurations, and customers are recommended to negotiate and establish VPN tunnels with these recommended configurations.

f) When several tunnels are created, the other tunnels can copy the IKE and IPsec configuration parameters of Tunnel 1 to simplify configuration. Users can also customize the IKE and IPsec configuration parameters of each tunnel;

For more details, refer to VPN Tunnel Management.
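As an added example, not JD Cloud's code or tooling, the following Python models what Steps 8 to 13 leave behind in both regions and checks that the two ends are mirror images: each region's CGW addresses must equal the other region's cloud addresses, tunnel i pairs cloud address i with CGW address i, BGP must be unchecked, and the IKE/IPsec parameters must match. All addresses, algorithm names and the key are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class IkeIpsecParams:
    """Two-stage negotiation parameters (Step 12e); both ends must match exactly."""
    ike_version: str
    pre_shared_key: str
    ike_algs: str           # stage 1 authentication/encryption
    ike_sa_lifetime: int    # seconds
    ipsec_algs: str         # stage 2 authentication/encryption
    ipsec_sa_lifetime: int  # seconds

@dataclass
class RegionVpn:
    """One region's VPN connection as Steps 8 to 11 leave it."""
    name: str
    cloud_addrs: Tuple[str, str]  # allocated to the VPN connection (Step 8g / 10g)
    cgw_addrs: Tuple[str, str]    # CGW addresses after the update (Step 9 / 11)
    bgp_enabled: bool             # must be unchecked for BGW-to-BGW (Step 8f / 10f)
    params: IkeIpsecParams

def build_tunnels(r: RegionVpn) -> List[Tuple[str, str]]:
    """Step 12c: tunnel i runs between cloud address i and CGW address i."""
    return [(r.cloud_addrs[i], r.cgw_addrs[i]) for i in (0, 1)]

def check_pair(home: RegionVpn, opp: RegionVpn) -> List[str]:
    """Return every inconsistency that would keep the two regions' tunnels from negotiating."""
    problems = []
    for r in (home, opp):
        if r.bgp_enabled:
            problems.append(f"{r.name}: BGP must be unchecked; only static routing works between two BGWs")
    if home.cgw_addrs != opp.cloud_addrs:
        problems.append("home CGW addresses differ from the opposite VPN connection's cloud addresses (Step 9)")
    if opp.cgw_addrs != home.cloud_addrs:
        problems.append("opposite CGW addresses differ from the home VPN connection's cloud addresses (Step 11)")
    if home.params != opp.params:
        problems.append("IKE/IPsec parameters differ between the two ends (Step 13e)")
    # Each tunnel seen from the opposite region must be the home tunnel with its ends swapped.
    for i, (ht, ot) in enumerate(zip(build_tunnels(home), build_tunnels(opp)), 1):
        if ht != (ot[1], ot[0]):
            problems.append(f"tunnel {i} is not a mirror image: home {ht} vs opposite {ot}")
    return problems

# Constructed sample (documentation address ranges, placeholder key and algorithm names).
PARAMS = IkeIpsecParams("ikev2", "PLACEHOLDER-PSK", "sha256/aes-256", 86400, "sha256/aes-256", 3600)
HOME = RegionVpn("home", ("203.0.113.10", "203.0.113.11"), ("198.51.100.20", "198.51.100.21"), False, PARAMS)
OPPOSITE = RegionVpn("opposite", ("198.51.100.20", "198.51.100.21"), ("203.0.113.10", "203.0.113.11"), False, PARAMS)
RESULT = check_pair(HOME, OPPOSITE)  # [] when both regions are consistent
```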

Step 14. Configure the route in JD Cloud & AI

a) The VPN connection of JD Cloud & AI supports static routing or BGP dynamic routing between the cloud and the client. Use static routing here;
b) Configuration of the different route types:

  • Configure a static route. In the static route table of the border gateway, configure the route to the client with the Target End set to the client segment and the Next Hop set to the VPN connection. On the client VPN device, configure the route to the cloud with the Target End set to the cloud segment and the Next Hop set to the VPN tunnel attachment;
  • Configure a BGP dynamic route. After BGP sessions are established between the border gateway and the client VPN device, the border gateway automatically advertises all configured routes to the client peer, and the client needs to advertise the client segment route to the cloud peer.

c) Whichever routing protocol runs between the border gateway and the client VPN device, because a VPC attachment with route transmission is configured between the border gateway and the VPC, the route to the client segment is also automatically transmitted to the VPC route table. Refer to VPC Attachment Route Transmission;

For more details, refer to Border Gateway Route Configuration and VPC Route Configuration.
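As an added example, not part of the JD Cloud documentation, the following Python first checks the precondition that the two regions' VPC segments do not overlap and then lists the static routes each region's border gateway and VPC end up with after this step. The attachment and connection names are placeholders, and the next-hop label for the transmitted VPC route is an assumption.

```python
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # (Target End segment, Next Hop)

def check_segments(home: List[str], opposite: List[str]) -> List[str]:
    """Precondition: no home-terminal VPC segment may overlap a segment of the
    cross-regional VPC on the opposite terminal (returns the overlapping pairs)."""
    conflicts = []
    for h in home:
        for o in opposite:
            if ipaddress.ip_network(h).overlaps(ipaddress.ip_network(o)):
                conflicts.append(f"{h} overlaps {o}")
    return conflicts

def plan_region(local_segments: List[str], peer_segments: List[str],
                vpc_attachment: str, vpn_connection: str) -> Dict[str, List[Route]]:
    """Static routes one region holds once the tutorial is complete:
    - BGW transmission route table: local VPC segments -> VPC attachment,
      added automatically when the attachment is created (Step 2c / 6c);
    - BGW static route table: peer-region segments -> VPN connection (Step 14b);
    - VPC route table: the same peer routes, transmitted from the BGW (Step 14c);
      the next-hop label used here is an assumption, not the console's wording."""
    return {
        "bgw_transmission": [(s, vpc_attachment) for s in local_segments],
        "bgw_static": [(s, vpn_connection) for s in peer_segments],
        "vpc_route_table": [(s, f"transmitted via {vpc_attachment}") for s in peer_segments],
    }

def plan_both(home_segments: List[str], opp_segments: List[str]) -> Dict[str, Dict[str, List[Route]]]:
    """Refuse to plan when the precondition fails; otherwise plan both regions symmetrically."""
    conflicts = check_segments(home_segments, opp_segments)
    if conflicts:
        raise ValueError("VPC segments overlap: " + "; ".join(conflicts))
    return {
        "home": plan_region(home_segments, opp_segments, "vpc-attach-home", "vpn-conn-home"),
        "opposite": plan_region(opp_segments, home_segments, "vpc-attach-opp", "vpn-conn-opp"),
    }

# Constructed sample: one VPC segment per region, chosen not to overlap.
HOME_SEGMENTS = ["10.0.0.0/16"]
OPPOSITE_SEGMENTS = ["10.1.0.0/16"]

if __name__ == "__main__":
    for region, tables in plan_both(HOME_SEGMENTS, OPPOSITE_SEGMENTS).items():
        for table, routes in tables.items():
            print(region, table, routes)
```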

Step 15. Test connectivity

a) Log into the Virtual Machine Console of JD Cloud & AI. In the region where the VPN connection was created, create a virtual machine in the home terminal VPC that is interconnected with the VPC intranet segment of the opposite terminal region, and confirm that a route to the VPC intranet segment of the opposite region exists in the route table of the subnet where the virtual machine is created;
b) Using the method in a), create a virtual machine in the VPC of the opposite terminal region and configure the corresponding route to the VPC of the home terminal region;
c) From the virtual machine created in a), ping the intranet address of the virtual machine created in b) and verify that intranet communication works; after this passes, run the ping in the reverse direction, and after that passes, put the connection into normal use;
