
Hybrid Cloud Primary/Secondary Communication (CCN and VPN)

Last updated: 2024-01-12 15:03:55

If your business is deployed in both a local IDC and a Tencent Cloud VPC, you can connect them via Cloud Connect Network (CCN) or VPN. To improve business availability, you can set up both a CCN connection and a VPN connection and configure them as primary and secondary linkages for redundant communication. This document guides you through configuring the CCN and VPN connections as primary/secondary linkages to connect your IDC to the cloud.
Note
The route priority feature is in beta testing. To try it out, please contact us.

Scenarios

Suppose you have deployed your business in both Tencent Cloud VPC and an IDC. To interconnect them, you need to configure network connection services for high-availability communications as follows:
CCN (primary): connects the local IDC to a CCN-based direct connect gateway through a physical connection, and adds both the direct connect gateway and the VPC to a CCN to enable interconnection. When the CCN linkage is normal, all data traffic between the IDC and the VPC is forwarded over CCN through the physical connection.
VPN connection (secondary): establishes an IPsec VPN tunnel to interconnect the local IDC and the Tencent Cloud VPC. When the CCN linkage fails, traffic is forwarded over this linkage to ensure business availability.

Preparations

+ Your local IDC gateway device should support the IPsec VPN feature and be able to act as a customer gateway to create a VPN tunnel with the VPN gateway.
+ The IDC gateway device has been configured with a static public IP address.
+ Sample data and configuration:

  Configuration item                          Sample value
  --------------------------------------------------------
  Network Configuration
    VPC information
      Subnet CIDR block                       192.168.1.0/24
      Public IP of the VPN gateway            203.xx.xx.82
    IDC
      Subnet CIDR block                       10.0.1.0/24
      Public IP of the gateway                202.xx.xx.5

Instructions

Step 1. Connect IDC to VPC through CCN

1. Log in to the Direct Connect console and click Connections on the left sidebar to create a connection.
2. Click Direct Connect Gateway in the left sidebar to create a direct connect gateway. In this example, choose Cloud Connect Network as the associated network.
3. Click on the CCN-based Direct Connect Gateway ID to enter the details page. In the IDC Gateway section, enter the user's IDC IP range, such as 10.0.1.0/24.
4. Log in to the CCN console and click Create to create a CCN instance.
5. Log in to the Dedicated Tunnel console and click Create to set up a dedicated tunnel connecting to the CCN-based Direct Connect Gateway. Configure the tunnel name, select CCN as the access network, choose the created CCN Direct Connect Gateway, set up the interconnection IPs for both Tencent Cloud and user sides, and select BGP routing as the routing method. After completing the configuration, download the configuration guide and finish the setup on the IDC device.
6. Add the VPC and Direct Connect gateway with the CCN instance to interconnect the VPC and the IDC.
Note
For detailed directions, see Migrating IDC to the Cloud Through CCN.

Step 2. Connect IDC to VPC through a VPN connection

1. Log in to the VPN Gateway Console and click Create to set up a VPN gateway. In this example, select Virtual Private Cloud as the associated network.
2. Click Customer Gateway in the left sidebar to configure the customer gateway (i.e., the logical object that represents the IDC-side gateway for the VPN gateway). Enter the public IP of the IDC-side gateway, for example, 202.xx.xx.5.
3. Click VPN Tunnel on the left sidebar and then configure the SPD policy, IKE, IPsec, and other settings.
4. Configure the same VPN tunnel as in step 3 on the local gateway device of the IDC to ensure that the connection is established.
5. In the route table associated with the VPC subnet for communication, configure a routing policy with the VPN gateway as the next hop and IDC IP range as the destination.
Note
For detailed configurations of VPN gateways of different versions:
+ For VPN gateway v1.0 and v2.0, see Connecting VPC to IDC (SPD Policy).
+ For VPN gateway v3.0, see Connecting VPC to IDC (Route Table).

Step 3. Configure network probes

Note
After the first two steps, the VPC has two routes to the IDC IP range: one with CCN as the next hop and one with the VPN gateway as the next hop. The CCN route has the higher priority, making it the primary path and the VPN gateway route the secondary path.
To stay on top of the quality of the primary and secondary connections, configure two separate network probes to monitor key metrics such as latency and packet loss rate and to check the availability of the primary and secondary routes.
1. Go to the Network Probe page on the VPC console.
2. Click Create to set up a network probe. Enter the probe name, select the VPC, subnet, and probe destination IP, and specify the next-hop route for the source, such as Cloud Connect Network.
3. Repeat step 2, this time specifying the VPN gateway as the source-side next-hop route. After configuration, you can view the network latency and packet loss rate of the primary (CCN) and secondary (VPN) paths.
Note
For detailed configurations, see Network Probe.

Step 4. Configure the alarm policy

You can configure an alarm policy for linkage exceptions. When a linkage has an exception, notifications are sent automatically via email and SMS.
1. Log in to the Alarm Policy Console under Tencent Cloud Observability Platform.
2. Click Create. Enter the policy name, select VPC/Network Probe for the policy type, specify the network probe instances as the alarm object, and configure trigger conditions, alarm notifications, and other information. Then click Complete.

Step 5. Switch between primary and secondary routes

After receiving a CCN network exception alarm, you need to manually disable the primary route so that traffic is forwarded over the secondary route through the VPN gateway.
1. Log in to the VPC console and go to the Route Tables page.
2. Click the ID of the route table associated with the VPC communication subnet to enter the route details page, then disable the primary route with CCN as the next hop. At this point, VPC traffic to the IDC switches from CCN to the VPN gateway.
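The primary/secondary behaviour of Steps 3 to 5 as a small model, added here as an example and not part of the Tencent Cloud tutorial or product code: two routes to the IDC range 10.0.1.0/24, a probe-based alarm condition, and the manual switch that disables the CCN route. The priority ordering (lower value preferred), the next-hop labels "CCN" and "VPNGW", and the alarm thresholds are assumptions.

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class Route:
    """One VPC route-table entry (Steps 1, 2 and 5)."""
    destination: str   # IDC IP range in CIDR notation
    next_hop: str      # "CCN" (primary) or "VPNGW" (secondary)
    priority: int      # assumption: lower value = preferred route
    enabled: bool = True

class RouteTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, dst_ip):
        """Longest-prefix match over enabled routes, ties broken by priority."""
        ip = ipaddress.ip_address(dst_ip)
        hits = [r for r in self.routes
                if r.enabled and ip in ipaddress.ip_network(r.destination)]
        if not hits:
            return None
        best = min(hits, key=lambda r: (
            -ipaddress.ip_network(r.destination).prefixlen, r.priority))
        return best.next_hop

    def disable(self, next_hop):
        """The Step 5 console action: switch off every route via this next hop."""
        for r in self.routes:
            if r.next_hop == next_hop:
                r.enabled = False

def probe_alarm(latency_ms, packet_loss_pct, max_latency_ms=200.0, max_loss_pct=20.0):
    """Step 4 trigger condition on a Step 3 probe reading; thresholds are constructed."""
    return packet_loss_pct > max_loss_pct or latency_ms > max_latency_ms

def failover_if_needed(table, ccn_latency_ms, ccn_loss_pct):
    """On a CCN-path alarm, disable the CCN route so the VPN gateway route takes over."""
    if probe_alarm(ccn_latency_ms, ccn_loss_pct):
        table.disable("CCN")
        return True
    return False

def build_tutorial_table():
    """Both routes to the tutorial's IDC range 10.0.1.0/24."""
    return RouteTable([Route("10.0.1.0/24", "CCN", priority=0),
                       Route("10.0.1.0/24", "VPNGW", priority=1)])
```

Because the VPN route stays in the table with a lower priority, it carries traffic only once the CCN route is disabled, which is exactly why the manual switch in Step 5 is needed.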