Tencent Cloud VPN Connections provides a complete solution for keeping your business highly available: not only is the VPN gateway itself highly available, but primary and secondary tunnels are also supported. The VPN gateway uses health checks to determine the status of each tunnel and switches traffic between the primary and secondary tunnels based on that status. This document describes how to configure the health check.
Note
We recommend you use a route-based tunnel for the health check. If you use an SPD policy-based tunnel, you need to configure an SPD policy for 0.0.0.0/0 so that the health check traffic between the two health check IPs is carried inside the tunnel.
Health Check Principle
The VPN tunnel health check uses the NQA mechanism and defaults to ICMP (Ping). The VPN gateway periodically sends a Ping from the local health check address to the peer health check address (encrypted inside the tunnel) to verify connectivity. After several consecutive Ping failures, the VPN gateway determines that the tunnel is unreachable and switches traffic from the primary tunnel to the secondary tunnel. For the failover to be effective end to end, the peer gateway needs an equivalent mechanism that switches its own traffic to the secondary tunnel at the same time. You therefore need to configure, or let the system automatically allocate, two IP addresses that can Ping each other inside the tunnel for the health check. The subnets of these two addresses must not conflict with the VPC or IDC subnets.
Prerequisites
You have created a VPN gateway and configured the peer gateway, and the VPN gateway is version 3.0 or later.
Your business scenario requires primary and secondary tunnels.
You have planned the health check addresses, or will use the addresses automatically assigned by the system.
The health check is also enabled on the peer (on-premises) side.
Configuring the Health Checks When Creating VPN Tunnels
This section only introduces the parameters for health checks. For other steps for creating a VPN tunnel, see Creating a VPN Tunnel.
1. Log in to the VPC console.
2. In the left-side menu, click VPN Connections > VPN Tunnel to enter the management page.
3. In the VPN Tunnel management page, click Create.
4. In the pop-up Create VPN Tunnel dialog box, after completing the basic configuration, enable Health Check and configure the health check IP addresses and NQA parameters under Advanced Configuration.
Note:
We do not recommend modifying the health check local address.
When modifying the health check remote address, make sure it does not conflict with any existing IP.
| Parameter | Description |
| --- | --- |
| Health Check Local Address | Defaults to an IP in 169.254.128.0/17. You can also specify another available IP, but it must not fall within the VPC CIDR range, must not be in the multicast range 224.0.0.0 to 239.255.255.255, and must not be 0.0.0.0. |
| Health Check Remote Address | Defaults to an IP in 169.254.128.0/17. You can also specify an available on-premises IP. |
| NQA Probe Type | ICMP (Ping). |
| Health Check Interval | Interval between two consecutive probes sent by the Tencent Cloud side. Range [1000 ms, 5000 ms], default 5000 ms. |
| Health Check Count | Number of consecutive failed probes after which the tunnel is declared down and traffic is switched to the secondary route. Range [3, 8], default 3. |
| Health Check Timeout | Time to wait for the reply to a single probe before counting it as failed. Range [10 ms, 5000 ms], default 150 ms. |
5. After configuring, click Create. The health check configuration takes effect immediately after the tunnel is created.
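The Health Check Principle section notes that the peer gateway needs a mechanism equivalent to the gateway's NQA probe so that both ends fail over together. The script below is an added example (not Tencent Cloud's code, and not part of this page) of that peer-side counterpart for a Linux router at the IDC end: it Pings the Tencent health check address from the IDC health check address inside the tunnel, using the same interval/count/timeout semantics as the console parameters above, and moves the VPC route to the secondary tunnel after the configured number of consecutive failures. The interface names `tun-primary`/`tun-secondary`, the health check addresses 169.254.128.1/169.254.128.2, the VPC prefix 10.0.0.0/16, and the use of iputils `ping` and iproute2 `ip` are all assumptions; the symmetric recovery threshold (the same number of consecutive successes before switching back) is this example's choice, not something the page specifies.

```shell
#!/bin/sh
# Added example (not Tencent Cloud code): peer-side health-check monitor for a
# Linux router at the IDC end, mirroring the NQA logic the VPN gateway runs.
# Every address, interface name and prefix below is an assumption.

HC_LOCAL="${HC_LOCAL:-169.254.128.2}"         # assumed IDC-side health-check address
HC_REMOTE="${HC_REMOTE:-169.254.128.1}"       # assumed Tencent-side health-check address
HC_INTERVAL="${HC_INTERVAL:-5}"               # seconds between probes (console: 5000 ms)
HC_TIMEOUT="${HC_TIMEOUT:-1}"                 # seconds to wait per reply (ping -W is whole seconds on older iputils)
HC_COUNT="${HC_COUNT:-3}"                     # consecutive failures before failover (console default: 3)
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"           # assumed Tencent VPC prefix routed over the tunnel
PRIMARY_IF="${PRIMARY_IF:-tun-primary}"       # assumed primary tunnel interface
SECONDARY_IF="${SECONDARY_IF:-tun-secondary}" # assumed secondary tunnel interface

# One probe: a single ICMP echo sourced from the IDC health-check address so the
# packet matches the tunnel's route/SPD and travels encrypted. Exit 0 = reply.
probe() {
    ping -c 1 -W "$HC_TIMEOUT" -I "$HC_LOCAL" "$HC_REMOTE" >/dev/null 2>&1
}

# Pure decision step. $1 = current state (up|down), $2 = current streak,
# $3 = probe result (0 = reply, non-zero = timeout). While up, the streak counts
# consecutive failures and HC_COUNT of them declare the tunnel down; while down,
# it counts consecutive successes and HC_COUNT of them restore it (the symmetric
# recovery threshold is this example's choice, to avoid route flapping).
# Prints "<new state> <new streak>".
hc_step() {
    hc_state=$1; hc_streak=$2; hc_result=$3
    if [ "$hc_state" = up ]; then
        if [ "$hc_result" -eq 0 ]; then hc_streak=0; else hc_streak=$((hc_streak + 1)); fi
        if [ "$hc_streak" -ge "$HC_COUNT" ]; then hc_state=down; hc_streak=0; fi
    else
        if [ "$hc_result" -eq 0 ]; then hc_streak=$((hc_streak + 1)); else hc_streak=0; fi
        if [ "$hc_streak" -ge "$HC_COUNT" ]; then hc_state=up; hc_streak=0; fi
    fi
    echo "$hc_state $hc_streak"
}

# Point the VPC prefix at the tunnel that matches the state. With DRY_RUN=1 the
# iproute2 command is printed instead of executed (for hosts that are not the router).
apply_route() {
    if [ "$1" = down ]; then hc_iface=$SECONDARY_IF; else hc_iface=$PRIMARY_IF; fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ip route replace $VPC_CIDR dev $hc_iface"
    else
        ip route replace "$VPC_CIDR" dev "$hc_iface"
    fi
}

# Monitor loop. $1 = probe command (default: probe), $2 = number of probes to
# run, 0 = run forever. Route changes are logged to stderr; the final state is
# printed to stdout so a caller can check it.
monitor() {
    hc_probe=${1:-probe}; hc_max=${2:-0}
    hc_cur=up; hc_n=0; hc_i=0
    apply_route "$hc_cur" >&2
    while [ "$hc_max" -eq 0 ] || [ "$hc_i" -lt "$hc_max" ]; do
        if "$hc_probe"; then hc_r=0; else hc_r=1; fi
        hc_new=$(hc_step "$hc_cur" "$hc_n" "$hc_r")
        hc_next=${hc_new% *}; hc_n=${hc_new#* }
        if [ "$hc_next" != "$hc_cur" ]; then
            hc_cur=$hc_next
            echo "vpn-hc: tunnel $hc_cur after $HC_COUNT consecutive probes, switching route" >&2
            apply_route "$hc_cur" >&2
        fi
        hc_i=$((hc_i + 1))
        sleep "$HC_INTERVAL"
    done
    echo "$hc_cur"
}

# Run as a daemon only when explicitly asked, so the file can also be sourced.
if [ "${HC_RUN:-0}" = 1 ]; then monitor; fi
```

Start it on the IDC router with `HC_RUN=1 sh vpn-hc.sh` (the file name is assumed), overriding the `HC_*` variables to match the values you set in the console. Two practical checks: the probe must be sourced from the health check local address (`ping -I`) and that address must be covered by the tunnel's destination route or 0.0.0.0/0 SPD policy, otherwise the Ping leaves the host unencrypted or not at all and the monitor measures nothing; and before trusting the monitor, confirm through the tunnel's traffic counters that the probes really traverse the tunnel. Note that iputils `ping -W` on older releases accepts only whole seconds, so the console's default 150 ms timeout cannot be matched exactly there.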
Configuring the Health Check After Creating VPN Tunnels
You can also configure health check on the VPN tunnel details page after the tunnel is created.
Note
Configuring the health check this way may briefly interrupt your business traffic. We recommend the first method, configuring the health check when the tunnel is created.
1. Log in to the VPC console.
2. In the left-side menu, click VPN Connections > VPN Tunnel to enter the management page.
3. On the VPN Tunnel management page, click the ID/name of the target tunnel to open its details page, select the Basic Information tab, and click Edit.
4. Enable the health check and configure the relevant parameters.
Note:
We do not recommend modifying the health check local address.
When modifying the health check remote address, make sure it does not conflict with any existing IP.
The parameters (health check local and remote addresses, NQA probe type, health check interval, count, and timeout) and their ranges are the same as in the Create VPN Tunnel dialog; see the parameter table under Configuring the Health Checks When Creating VPN Tunnels above.
5. For the communication mode, we recommend selecting Destination Route. If Destination Route is unavailable, enter 0.0.0.0/0 for both the local and peer IP ranges in the SPD policy so that the traffic between the local and peer health check IPs is encrypted inside the VPN tunnel.
6. Click OK.