{"id":37,"date":"2026-04-12T14:51:49","date_gmt":"2026-04-12T14:51:49","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-vpn-gateway-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/"},"modified":"2026-04-12T14:51:49","modified_gmt":"2026-04-12T14:51:49","slug":"alibaba-cloud-vpn-gateway-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-vpn-gateway-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/","title":{"rendered":"Alibaba Cloud VPN Gateway Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking and CDN"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Networking and CDN<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>VPN Gateway<\/strong> is a managed networking service that helps you build secure encrypted connections between an Alibaba Cloud <strong>VPC<\/strong> (Virtual Private Cloud) and external networks such as on-premises data centers, branch offices, or client devices.<\/p>\n\n\n\n<p>In simple terms: <strong>VPN Gateway lets your private Alibaba Cloud networks communicate with your on-premises network or remote users over the public Internet using encrypted VPN tunnels<\/strong>, without exposing internal resources directly to the Internet.<\/p>\n\n\n\n<p>Technically, VPN Gateway provides <strong>site-to-site IPsec VPN<\/strong> and (in many regions\/editions) <strong>remote-access SSL VPN<\/strong> capabilities. It terminates VPN tunnels on the Alibaba Cloud side, integrates with VPC route tables, and supports common VPN standards (IKE\/IPsec). 
You typically pair it with a \u201ccustomer gateway\u201d device (your on-prem firewall\/router or a VM acting as a VPN endpoint), and define encryption, authentication, and traffic selectors (CIDRs) for protected communication.<\/p>\n\n\n\n<p>VPN Gateway solves a classic hybrid-cloud problem: <strong>how to connect private networks securely when you don\u2019t have private WAN connectivity<\/strong> (like leased lines), or when you need a fast, cost-conscious way to build hybrid connectivity for development, disaster recovery, branch connectivity, or remote administration.<\/p>\n\n\n\n<blockquote>\n<p>Service name note: This tutorial uses <strong>VPN Gateway<\/strong> as the official service name in Alibaba Cloud. Alibaba Cloud occasionally introduces new editions, specs, or console workflows. If any labels differ in your console, <strong>verify in the official docs<\/strong> linked in Section 17.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is VPN Gateway?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Alibaba Cloud <strong>VPN Gateway<\/strong> provides managed VPN connectivity for VPCs. 
Its primary goal is to establish <strong>encrypted tunnels<\/strong> over the Internet so that workloads in Alibaba Cloud can communicate securely with external networks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<p>Common capabilities (verify exact availability by region\/spec in official docs):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IPsec-VPN (site-to-site)<\/strong>: Connect a VPC to an on-premises network or another environment using IKE\/IPsec.<\/li>\n<li><strong>SSL-VPN (remote access)<\/strong>: Provide secure access for remote clients (users\/devices) into a VPC (availability depends on region\/edition).<\/li>\n<li><strong>Route integration<\/strong>: Works with VPC route tables so that traffic to on-premises CIDRs is routed into the VPN tunnel.<\/li>\n<li><strong>High availability options<\/strong>: Many deployments use redundant tunnels\/endpoints (design patterns differ by spec\/region; verify in docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual)<\/h3>\n\n\n\n<p>While console naming may vary slightly, you will commonly work with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VPN Gateway<\/strong>: The Alibaba Cloud-side managed VPN endpoint attached to a VPC.<\/li>\n<li><strong>Customer Gateway<\/strong>: A representation of the on-premises VPN device (typically identified by a public IP address).<\/li>\n<li><strong>IPsec Connection \/ Tunnel<\/strong>: The configuration for IKE\/IPsec parameters, pre-shared key\/certificates (where supported), and protected subnets (CIDRs).<\/li>\n<li><strong>SSL Server and Clients (for SSL-VPN)<\/strong>: The SSL server configuration (server certificate, client CIDR pool, etc.) 
and client profiles.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed networking service<\/strong> under <strong>Networking and CDN<\/strong>.<\/li>\n<li>Operates as a <strong>VPC-connected<\/strong> managed endpoint rather than requiring you to run VPN software on ECS for the cloud side.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: regional vs global<\/h3>\n\n\n\n<p>VPN Gateway is typically <strong>regional<\/strong> and <strong>attached to a specific VPC in that region<\/strong>. You design your connectivity per region\/VPC, then optionally combine with other network constructs (for example, Cloud Enterprise Network) for broader connectivity. <strong>Verify the exact scope and cross-region patterns in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Fit in the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>VPN Gateway is commonly used alongside:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VPC<\/strong> (required)<\/li>\n<li><strong>ECS<\/strong> instances, ACK clusters, RDS\/Redis, etc. as private workloads inside the VPC<\/li>\n<li><strong>Cloud Enterprise Network (CEN)<\/strong> for multi-VPC \/ multi-region network topology (optional)<\/li>\n<li><strong>Express Connect<\/strong> for private dedicated connectivity (alternative\/complement)<\/li>\n<li><strong>Cloud Firewall<\/strong> and security services for centralized control (optional)<\/li>\n<li><strong>CloudMonitor<\/strong> and <strong>ActionTrail<\/strong> for monitoring and auditing (common for operations)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use VPN Gateway?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster hybrid connectivity<\/strong>: Stand up secure connectivity in hours rather than procuring private circuits.<\/li>\n<li><strong>Lower upfront cost<\/strong>: Typically cheaper to start than dedicated connectivity, especially for dev\/test or small offices.<\/li>\n<li><strong>Supports migration and DR<\/strong>: Useful for staged cloud migrations and disaster recovery where bandwidth needs are moderate.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Standards-based encryption<\/strong>: Uses widely supported IPsec\/IKE parameters compatible with many on-prem devices.<\/li>\n<li><strong>Private IP connectivity<\/strong>: Enables private routing between on-premises RFC1918 networks and Alibaba Cloud VPCs.<\/li>\n<li><strong>Controlled network segmentation<\/strong>: You define which CIDRs are reachable and can enforce least privilege at the network layer.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed termination on cloud side<\/strong>: Avoid running\/patching a VPN concentrator on ECS just to terminate tunnels.<\/li>\n<li><strong>Repeatable configuration<\/strong>: Customer gateway + tunnel definitions are consistent and auditable.<\/li>\n<li><strong>Integration with routing<\/strong>: VPC route tables can direct traffic to the VPN without manual per-instance changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Encryption in transit<\/strong>: Helps meet baseline security requirements for data traversing the public Internet.<\/li>\n<li><strong>Auditable changes<\/strong>: Using RAM + ActionTrail supports change tracking and approval workflows.<\/li>\n<li><strong>Network 
boundary control<\/strong>: Reduce exposure compared to opening public endpoints on internal services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scale via specs and design<\/strong>: VPN Gateway usually offers different specifications (bandwidth\/connection scale) and patterns like multiple tunnels.<\/li>\n<li><strong>Predictable routing<\/strong>: Site-to-site routing is typically more stable than ad-hoc NAT + public access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose VPN Gateway<\/h3>\n\n\n\n<p>Choose VPN Gateway when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need <strong>site-to-site connectivity<\/strong> between on-prem and Alibaba Cloud over the Internet.<\/li>\n<li>You need <strong>remote access<\/strong> for admins\/developers (SSL-VPN) and want a managed entry point.<\/li>\n<li>Your bandwidth requirements are moderate and you can tolerate Internet variability, while still requiring encryption.<\/li>\n<li>You want to start quickly and expand later to dedicated connectivity if needed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Avoid or reconsider VPN Gateway when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You require <strong>guaranteed bandwidth\/latency<\/strong> and strict SLAs: consider <strong>Express Connect<\/strong> (dedicated private connectivity).<\/li>\n<li>You need very high throughput beyond what VPN Gateway specs support: consider dedicated circuits or specialized designs.<\/li>\n<li>Your organization requires all connectivity to be private and not traverse the Internet: prefer Express Connect and\/or private WAN.<\/li>\n<li>You need advanced next-gen firewall features at the VPN edge: you might combine VPN Gateway with <strong>Cloud Firewall<\/strong> or use a self-managed security appliance\u2014evaluate carefully.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is VPN Gateway used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Finance and insurance (encrypted branch access, secure admin)<\/li>\n<li>Retail and logistics (store-to-cloud connectivity)<\/li>\n<li>Manufacturing (plant networks to cloud analytics)<\/li>\n<li>SaaS and ISVs (secure access to internal platforms, partner connectivity)<\/li>\n<li>Education and research (hybrid lab access)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform\/Infrastructure teams building hybrid cloud foundations<\/li>\n<li>Network engineers standardizing site connectivity<\/li>\n<li>SRE\/DevOps teams enabling secure operations access<\/li>\n<li>Security teams enforcing encrypted transport and segmented access<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hybrid applications where part of the stack remains on-prem<\/li>\n<li>Centralized logging\/monitoring pipelines<\/li>\n<li>Backup\/restore and DR replication (within bandwidth limits)<\/li>\n<li>Access to private services (databases, internal APIs) without public exposure<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single VPC \u2194 single on-prem<\/li>\n<li>Hub-and-spoke (with optional CEN\/central VPC patterns)<\/li>\n<li>Multi-branch connectivity into a shared services VPC<\/li>\n<li>Remote access for administrators into a management subnet<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dev\/test<\/strong>: quick connectivity for integration testing, staging environments, or migration rehearsals.<\/li>\n<li><strong>Production<\/strong>: common for branch offices or as a failover path, provided you implement redundancy, monitoring, and well-defined security 
controls.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Alibaba Cloud VPN Gateway fits well.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Hybrid application connectivity (on-prem app + cloud services)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: An application remains on-prem but needs to use cloud databases, queues, or internal APIs privately.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: Provides encrypted site-to-site tunnels and private routing without opening public endpoints.<\/li>\n<li><strong>Example<\/strong>: On-prem Java app connects to a private API on ECS instances in a VPC over IPsec.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Secure admin access to private ECS and databases (remote access)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Admins need secure access to private subnets without exposing SSH\/RDP to the Internet.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: SSL-VPN (where available) can provide client-based secure access into the VPC.<\/li>\n<li><strong>Example<\/strong>: SREs connect via SSL-VPN to a bastion or management subnet, then access RDS privately.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Branch office to cloud ERP\/CRM<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Branch offices need consistent access to cloud-hosted internal applications.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: Site-to-site IPsec connectivity is compatible with branch firewalls\/routers.<\/li>\n<li><strong>Example<\/strong>: Retail stores connect to a VPC hosting ERP services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Migration bridge (temporary connectivity during cloud adoption)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Need a fast bridge while migrating 
workloads gradually.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: Quick to deploy, manageable cost, easy to adjust CIDRs as workloads move.<\/li>\n<li><strong>Example<\/strong>: Database remains on-prem; application tier moves to ECS\/ACK; VPN connects them.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Disaster recovery access path<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: During an outage, you must access DR systems in Alibaba Cloud from on-prem.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: Can act as a failover connectivity method or part of DR runbooks.<\/li>\n<li><strong>Example<\/strong>: DR VPC is reachable via VPN so operations can run failover tools.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Secure partner connectivity (limited subnet sharing)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A partner needs access to a small set of private services.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: You can restrict protected subnets and enforce security group policies.<\/li>\n<li><strong>Example<\/strong>: Partner network gets access only to a \/28 of service endpoints.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Centralized security and logging ingestion<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: On-prem logs must be sent securely to a logging platform in Alibaba Cloud.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: Private IP connectivity over encrypted tunnels reduces exposure and simplifies firewall rules.<\/li>\n<li><strong>Example<\/strong>: On-prem syslog forwarders send logs to collectors on ECS in VPC.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) CI\/CD runners in cloud needing access to on-prem systems<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Cloud-hosted build runners must access on-prem artifact repositories or licensing servers.<\/li>\n<li><strong>Why VPN Gateway 
fits<\/strong>: Provides private access without exposing on-prem endpoints publicly.<\/li>\n<li><strong>Example<\/strong>: Git runners in VPC connect to on-prem Nexus\/Artifactory.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Secure access to legacy systems (no public interface)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Legacy systems cannot be safely exposed to the Internet.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: Keeps traffic private and encrypted with IP allowlists + network ACLs.<\/li>\n<li><strong>Example<\/strong>: Cloud apps call on-prem SOAP services over VPN.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Multi-environment connectivity for regulated workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Separate VPCs for prod\/non-prod need controlled access to on-prem.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: You can build separate VPN Gateways or separate tunnels per environment and apply distinct policies.<\/li>\n<li><strong>Example<\/strong>: Production VPC VPN is monitored and restricted; dev VPN is isolated.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) SaaS operations: private access for support engineers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Support engineers need access to internal tools without public exposure.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: SSL-VPN provides controlled access with revocable credentials (where supported).<\/li>\n<li><strong>Example<\/strong>: Support connects to internal dashboards on private ECS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Connectivity for edge compute \/ IoT gateways<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Edge gateways need secure connectivity for control-plane and telemetry.<\/li>\n<li><strong>Why VPN Gateway fits<\/strong>: IPsec tunnels can secure traffic from edge sites to 
cloud.<\/li>\n<li><strong>Example<\/strong>: Factory gateways connect to VPC endpoints for device management.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability and names can vary by region and VPN Gateway specification. <strong>Verify in official docs<\/strong> for your target region.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1) IPsec site-to-site VPN<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Establishes encrypted tunnels between your VPC and a customer gateway (on-prem VPN device).<\/li>\n<li><strong>Why it matters<\/strong>: Enables hybrid networking without exposing internal services to the Internet.<\/li>\n<li><strong>Practical benefit<\/strong>: Private IP connectivity for apps, admin, and data transfer.<\/li>\n<li><strong>Caveats<\/strong>: Throughput depends on the VPN Gateway spec and Internet conditions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) IKE\/IPsec parameter control<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you choose IKE version and crypto suites (encryption, integrity, DH groups), lifetimes, DPD, etc.<\/li>\n<li><strong>Why it matters<\/strong>: Compatibility and security posture depend on correct parameter alignment.<\/li>\n<li><strong>Practical benefit<\/strong>: Works with enterprise firewalls and software VPN endpoints (e.g., strongSwan).<\/li>\n<li><strong>Caveats<\/strong>: Misaligned proposals are the most common cause of tunnel failure.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Protected subnets (traffic selectors)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Defines which local and remote CIDRs should traverse the VPN tunnel.<\/li>\n<li><strong>Why it matters<\/strong>: Limits lateral movement and reduces blast radius.<\/li>\n<li><strong>Practical benefit<\/strong>: Only 
specific networks are reachable, improving security and operational clarity.<\/li>\n<li><strong>Caveats<\/strong>: Overlapping CIDRs between VPC and on-prem can break routing; plan IP addressing carefully.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Customer gateway abstraction<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Represents the peer endpoint (public IP + metadata).<\/li>\n<li><strong>Why it matters<\/strong>: Separates peer identity from tunnel parameters for clearer management.<\/li>\n<li><strong>Practical benefit<\/strong>: Reuse peer definitions across tunnels (depending on console support).<\/li>\n<li><strong>Caveats<\/strong>: If your on-prem public IP changes, you must update the customer gateway\/tunnel design (or use a stable IP).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) VPC routing integration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Routes traffic from VPC subnets to the VPN gateway for specified remote CIDRs.<\/li>\n<li><strong>Why it matters<\/strong>: Without correct routes, instances won\u2019t send traffic to the tunnel.<\/li>\n<li><strong>Practical benefit<\/strong>: Central route control rather than per-instance configuration.<\/li>\n<li><strong>Caveats<\/strong>: Route propagation\/association options vary; confirm whether routes are automatic or must be added manually.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) SSL-VPN remote access (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides client VPN access into the VPC using SSL.<\/li>\n<li><strong>Why it matters<\/strong>: Reduces need to expose bastions publicly and provides centralized access control.<\/li>\n<li><strong>Practical benefit<\/strong>: Engineers can reach private endpoints from laptops securely.<\/li>\n<li><strong>Caveats<\/strong>: Client IP pools, split tunneling, and certificate management must be designed 
carefully.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Monitoring and operational visibility (baseline)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides tunnel status and operational indicators via console; often integrates with CloudMonitor for metrics.<\/li>\n<li><strong>Why it matters<\/strong>: VPN issues are often intermittent (ISP\/latency\/packet loss). Monitoring is essential.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster troubleshooting and alerting.<\/li>\n<li><strong>Caveats<\/strong>: Granular logs may require additional configuration or services; <strong>verify in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Scalability via specifications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: VPN Gateway commonly offers multiple \u201cspecs\u201d (bandwidth\/connection scale).<\/li>\n<li><strong>Why it matters<\/strong>: You can right-size cost and capacity.<\/li>\n<li><strong>Practical benefit<\/strong>: Start small for dev\/test, scale for production.<\/li>\n<li><strong>Caveats<\/strong>: Upgrades\/downgrades may have constraints; check region-specific docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Compatibility with common on-prem devices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Uses standards compatible with many devices: strongSwan, Cisco, Fortinet, Palo Alto, etc.<\/li>\n<li><strong>Why it matters<\/strong>: Hybrid environments often have existing hardware.<\/li>\n<li><strong>Practical benefit<\/strong>: Lower integration effort.<\/li>\n<li><strong>Caveats<\/strong>: Some vendors require specific NAT-T\/fragmentation settings; test thoroughly.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level service architecture<\/h3>\n\n\n\n<p>At a high level, Alibaba Cloud VPN Gateway sits at the edge of your VPC and performs these roles:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Control plane<\/strong>: You configure VPN objects (gateway, customer gateway, tunnels, routes) using the console\/API.<\/li>\n<li><strong>Data plane<\/strong>: Encrypted traffic is exchanged with the on-prem peer over the Internet using IKE\/IPsec (or SSL-VPN for remote access).<\/li>\n<li><strong>Routing<\/strong>: VPC route tables send traffic for remote CIDRs to the VPN Gateway, which then encrypts and forwards it to the peer.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Data flow (IPsec site-to-site)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>An ECS instance in VPC sends packets to a destination in the on-prem CIDR.<\/li>\n<li>VPC route table matches the on-prem CIDR and forwards traffic to the VPN Gateway.<\/li>\n<li>VPN Gateway encrypts packets using IPsec and sends them to the customer gateway public IP.<\/li>\n<li>Customer gateway decrypts, forwards to on-prem destination, and return traffic follows reverse path.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Control flow (configuration)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You create\/configure:\n<ul class=\"wp-block-list\">\n<li>VPC and subnets (existing or new)<\/li>\n<li>VPN Gateway attached to the VPC<\/li>\n<li>Customer Gateway (peer public IP)<\/li>\n<li>IPsec connection\/tunnel with IKE\/IPsec parameters and protected subnets<\/li>\n<li>Route entries for remote subnets pointing to the VPN Gateway (or enable route propagation if available)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VPC<\/strong>: Required. 
VPN Gateway attaches to a VPC.<\/li>\n<li><strong>EIP<\/strong>: Often required for Internet-facing endpoints (customer gateway is typically a public IP; VPN Gateway has a public endpoint managed by Alibaba Cloud).<\/li>\n<li><strong>CEN<\/strong> (optional): For connecting multiple VPCs\/regions to shared on-prem connectivity patterns.<\/li>\n<li><strong>CloudMonitor<\/strong> (common): For monitoring tunnel health and related metrics.<\/li>\n<li><strong>ActionTrail<\/strong> (common): For auditing configuration changes.<\/li>\n<li><strong>Log Service (SLS)<\/strong> (optional\/region-dependent): Some environments support exporting logs\u2014<strong>verify in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC and at least one route table<\/li>\n<li>Security groups\/NACLs on ECS instances<\/li>\n<li>A customer gateway device\/software capable of IPsec\/IKE or SSL client capability<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Access control<\/strong>: Managed via Alibaba Cloud <strong>RAM<\/strong> policies for VPN Gateway management actions.<\/li>\n<li><strong>Tunnel authentication<\/strong>: Commonly <strong>pre-shared keys (PSK)<\/strong> for IPsec; certificate-based options may exist depending on features\u2014<strong>verify in docs<\/strong>.<\/li>\n<li><strong>Encryption<\/strong>: IPsec provides encryption and integrity for in-transit traffic.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Policy-based VPN<\/strong> is common: protected subnets define what traffic is encrypted.<\/li>\n<li>Ensure <strong>non-overlapping CIDRs<\/strong> between VPC and on-prem.<\/li>\n<li>You must allow traffic in:\n<ul class=\"wp-block-list\">\n<li>VPC security groups (inbound\/outbound)<\/li>\n<li>on-prem firewall policies<\/li>\n<li>any 
intermediate firewall\/NAT on the customer gateway side<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor:\n<ul class=\"wp-block-list\">\n<li>Tunnel up\/down state<\/li>\n<li>Traffic patterns (if metrics available)<\/li>\n<li>Latency\/packet loss (end-to-end synthetic checks)<\/li>\n<\/ul>\n<\/li>\n<li>Audit:\n<ul class=\"wp-block-list\">\n<li>RAM changes to VPN configuration via ActionTrail<\/li>\n<\/ul>\n<\/li>\n<li>Governance:\n<ul class=\"wp-block-list\">\n<li>Tag VPN gateways\/connections by environment and owner<\/li>\n<li>Standardize crypto parameters and naming conventions<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  subgraph OnPrem[\"On-Premises Network\"]\n    CGW[\"Customer Gateway\\n(Firewall\/Router or strongSwan)\\nPublic IP\"]\n    LAN[\"On-prem subnet\\n192.168.1.0\/24\"]\n    CGW --- LAN\n  end\n\n  Internet[\"Public Internet\"]\n\n  subgraph AliCloud[\"Alibaba Cloud (Region)\"]\n    VPC[\"VPC\\n172.16.0.0\/16\"]\n    VGW[\"VPN Gateway\\n(IPsec termination)\"]\n    ECS[\"ECS private instance\\n172.16.0.10\"]\n    ECS --- VPC\n    VGW --- VPC\n  end\n\n  CGW --- Internet --- VGW\n  ECS &lt;--&gt; VGW\n  LAN &lt;--&gt; CGW\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<p>This diagram shows a more production-oriented pattern with redundancy and centralized controls. 
Exact features (dual tunnels, BGP, log export) vary\u2014<strong>verify in official docs<\/strong>.<\/p>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Branches[\"Branches \/ Data Centers\"]\n    DC1[\"DC1 Customer Gateway\\nHA Firewall Pair\"]\n    DC2[\"DC2 Customer Gateway\\nHA Firewall Pair\"]\n    Users[\"Admins\/Operators\\n(SSL-VPN clients optional)\"]\n  end\n\n  subgraph Internet[\"Internet\"]\n    NET[\"ISP \/ Public Internet\"]\n  end\n\n  subgraph AliCloudRegion[\"Alibaba Cloud Region\"]\n    subgraph SharedVPC[\"Shared Services VPC\"]\n      VGW1[\"VPN Gateway\\nPrimary\"]\n      Workloads[\"Private Workloads\\nECS\/ACK\/RDS\"]\n      Bastion[\"Bastion \/ Jump Host\"]\n    end\n\n    CM[\"CloudMonitor\\nAlerts\/Dashboards\"]\n    AT[\"ActionTrail\\nAudit Events\"]\n    FW[\"(Optional) Cloud Firewall\\nCentral Policy\"]\n  end\n\n  DC1 --- NET --- VGW1\n  DC2 --- NET --- VGW1\n\n  Users -. SSL-VPN .- VGW1\n  VGW1 --- Workloads\n  VGW1 --- Bastion\n\n  VGW1 --&gt; CM\n  VGW1 --&gt; AT\n  FW --- SharedVPC\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account and billing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Alibaba Cloud account<\/strong> with billing enabled.<\/li>\n<li>You may need to activate <strong>VPC<\/strong> and <strong>VPN Gateway<\/strong> service in your account (if prompted).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM (RAM)<\/h3>\n\n\n\n<p>You need RAM permissions to manage:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC (create VPC, vSwitch, route tables)<\/li>\n<li>ECS (create instances for testing)<\/li>\n<li>EIP (allocate\/associate, if used)<\/li>\n<li>VPN Gateway (create and manage VPN gateways, customer gateways, IPsec connections)<\/li>\n<\/ul>\n\n\n\n<p>If your organization uses least privilege:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a RAM user\/role with scoped permissions to VPC\/VPN resources in the target region.<\/li>\n<li>For managed policies, names can differ; <strong>verify in official docs<\/strong> and your console\u2019s policy library.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools (optional but helpful)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud Console (sufficient for this lab)<\/li>\n<li>Alibaba Cloud CLI (<code>aliyun<\/code>) (optional)<\/li>\n<li>SSH client for Linux instances<\/li>\n<li>A software VPN endpoint (in this lab: <strong>strongSwan<\/strong> on Linux)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPN Gateway availability and feature set can vary by region\/spec. 
Confirm your chosen region supports the needed mode (IPsec, SSL-VPN) in the console or docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Common quota dimensions (varies by region\/spec):\n&#8211; Number of VPN gateways per account\/region\n&#8211; Number of IPsec connections per VPN gateway\n&#8211; Throughput\/bandwidth per spec\n&#8211; SSL client connections (if using SSL-VPN)<\/p>\n\n\n\n<p>Check quotas in your account and request increases if needed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VPC<\/strong> with at least one vSwitch\/subnet<\/li>\n<li>At least one test workload (e.g., ECS) in the VPC<\/li>\n<li>A reachable customer gateway public IP for IPsec (e.g., on-prem device or a public ECS instance simulating on-prem)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Alibaba Cloud VPN Gateway pricing is <strong>usage- and specification-based<\/strong> and can differ by region and purchasing model. 
Do not rely on fixed numbers in blogs\u2014always check the official pricing page for your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (typical)<\/h3>\n\n\n\n<p>Common cost dimensions for VPN Gateway include (verify exact dimensions in your region):\n&#8211; <strong>VPN Gateway instance\/spec fee<\/strong>: The base cost depends on the chosen specification\/capacity.\n&#8211; <strong>Bandwidth<\/strong>: Many VPN gateway offerings include a bandwidth setting that affects cost.\n&#8211; <strong>Connection or tunnel count<\/strong>: Some pricing models charge per IPsec connection or have tiered limits per spec.\n&#8211; <strong>SSL-VPN (if used)<\/strong>: May introduce additional charges (e.g., based on connection count or configuration).\n&#8211; <strong>Public IP\/EIP costs<\/strong>: If you allocate EIPs for customer gateways (lab simulation) or related components, those are billed separately.\n&#8211; <strong>Outbound Internet traffic<\/strong>: Data transfer over the Internet may incur charges depending on where traffic egresses (for example, EIP outbound charges on ECS used as a customer gateway).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>Alibaba Cloud free tiers vary and change. VPN Gateway is typically not \u201cfree tier\u201d for production-grade usage. 
Check:\n&#8211; Official promotions\/free trial pages (if any)\n&#8211; Region-specific pricing details<br\/>\nIf uncertain, assume <strong>no free tier<\/strong> and design a short-lived lab with cleanup.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Bandwidth selection<\/strong> on the VPN Gateway (and peak usage patterns).<\/li>\n<li><strong>Number of tunnels<\/strong> and environments (prod + staging + dev).<\/li>\n<li><strong>Data transfer volume<\/strong>: backups, replication, large file sync.<\/li>\n<li><strong>Always-on connectivity<\/strong> vs scheduled use.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ECS instances<\/strong> used for testing (both sides if you simulate on-prem).<\/li>\n<li><strong>EIPs<\/strong> attached to ECS (customer gateway simulation).<\/li>\n<li><strong>Operational overhead<\/strong>: monitoring tools, log retention (if exporting logs).<\/li>\n<li><strong>Cross-region traffic<\/strong> if you add CEN or connect multiple regions (not required for basic VPN Gateway).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IPsec encryption adds overhead; effective throughput is often lower than raw bandwidth.<\/li>\n<li>Internet variability affects latency and packet loss; consider this in SLOs.<\/li>\n<li>If you backhaul significant traffic from on-prem to cloud, you may pay both:<\/li>\n<li>cloud egress\/ingress charges (depending on billing)<\/li>\n<li>on-prem ISP bandwidth costs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with the smallest VPN Gateway spec that meets your throughput and tunnel requirements, then scale based on metrics.<\/li>\n<li>Use VPN primarily 
for:<\/li>\n<li>control-plane\/admin<\/li>\n<li>low\/medium throughput integration<br\/>\n  Prefer dedicated connectivity for heavy data pipelines.<\/li>\n<li>Minimize always-on replication unless needed; schedule bulk transfers off-peak.<\/li>\n<li>Reduce blast radius and traffic volume by narrowing protected CIDRs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no exact numbers)<\/h3>\n\n\n\n<p>A typical low-cost starter lab might include:\n&#8211; 1 small VPN Gateway spec (minimum bandwidth)\n&#8211; 1 IPsec connection\n&#8211; 2 small ECS instances (one in VPC, one simulating customer gateway)\n&#8211; 1 EIP for the customer gateway ECS\n&#8211; A few GB of data transfer for testing<\/p>\n\n\n\n<p>Because every region and billing model differs, <strong>use the official pricing page and calculator<\/strong>:\n&#8211; Pricing calculator: https:\/\/www.alibabacloud.com\/pricing\/calculator (verify)\n&#8211; VPN Gateway product\/pricing entry: https:\/\/www.alibabacloud.com\/product\/vpn-gateway (verify pricing section)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>For production, expect cost to be driven by:\n&#8211; Higher VPN Gateway spec\/bandwidth\n&#8211; Redundant tunnels and potentially multiple VPN gateways across environments\n&#8211; Higher data volumes\n&#8211; Centralized monitoring\/log retention<\/p>\n\n\n\n<p>A practical approach:\n&#8211; Model baseline (average) traffic + burst traffic\n&#8211; Decide whether VPN is primary connectivity or backup\n&#8211; Compare with <strong>Express Connect<\/strong> for predictable performance at scale<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab builds a real <strong>site-to-site IPsec VPN<\/strong> using Alibaba Cloud VPN Gateway on one side and <strong>strongSwan<\/strong> on a Linux ECS instance on the other side (simulating an on-premises customer gateway). This is a common, low-cost way to validate the workflow without requiring physical hardware.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Create an Alibaba Cloud <strong>VPN Gateway<\/strong> in a VPC and establish an <strong>IPsec tunnel<\/strong> to a Linux-based customer gateway (strongSwan). Then verify private connectivity between:\n&#8211; A private ECS instance in the VPC (cloud side)\n&#8211; The customer gateway ECS private IP (simulated on-prem subnet)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will create:\n1. <strong>VPC-A (cloud VPC)<\/strong> with a private ECS instance.\n2. <strong>VPN Gateway<\/strong> attached to VPC-A.\n3. <strong>VPC-B (simulated on-prem)<\/strong> with an ECS instance that has:\n   &#8211; a <strong>public EIP<\/strong> (for IPsec endpoint)\n   &#8211; a private IP in a different CIDR (to represent on-prem subnet)\n4. A <strong>Customer Gateway<\/strong> object using the EIP of the VPC-B ECS.\n5. An <strong>IPsec connection<\/strong> between VPN Gateway and the customer gateway.\n6. <strong>Routes and security rules<\/strong> to allow ICMP\/SSH for testing.<\/p>\n\n\n\n<blockquote>\n<p>Notes before you start<br\/>\n&#8211; If your organization already has an on-prem VPN device, you can replace VPC-B ECS with your real customer gateway.<br\/>\n&#8211; Some UI labels differ across regions. 
Follow the intent: create VPN gateway \u2192 customer gateway \u2192 IPsec connection \u2192 routing.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Plan IP ranges and choose a region<\/h3>\n\n\n\n<p>Choose a single Alibaba Cloud region for the lab.<\/p>\n\n\n\n<p>Use two non-overlapping CIDRs:\n&#8211; <strong>Cloud VPC (VPC-A)<\/strong>: <code>172.16.0.0\/16<\/code>\n&#8211; <strong>Simulated on-prem (VPC-B)<\/strong>: <code>192.168.1.0\/24<\/code><\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: You have a clear IP plan with no overlap.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create VPC-A (cloud) and a private ECS instance<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Alibaba Cloud Console, create:\n   &#8211; VPC: <code>vpc-a<\/code> with CIDR <code>172.16.0.0\/16<\/code>\n   &#8211; vSwitch: <code>vsw-a<\/code> (for example <code>172.16.1.0\/24<\/code>) in one zone<\/li>\n<li>Create an ECS instance in <code>vpc-a\/vsw-a<\/code>:\n   &#8211; Name: <code>ecs-a-private<\/code>\n   &#8211; Private IP: auto-assign (note it)\n   &#8211; Public IP: <strong>none<\/strong> (keep it private)\n   &#8211; Security group: allow <strong>ICMP<\/strong> and <strong>SSH<\/strong> <em>from the on-prem CIDR (<code>192.168.1.0\/24<\/code>)<\/em> for test purposes<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>:\n&#8211; <code>ecs-a-private<\/code> exists with a private IP like <code>172.16.1.x<\/code>\n&#8211; It cannot be reached from the public Internet (good)<\/p>\n\n\n\n<p><strong>Verification<\/strong>:\n&#8211; Confirm ECS is running.\n&#8211; Confirm its security group rules include:\n  &#8211; inbound ICMP from <code>192.168.1.0\/24<\/code>\n  &#8211; inbound SSH (22) from <code>192.168.1.0\/24<\/code> (optional but helpful)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create VPC-B 
(simulated on-prem) and customer gateway ECS with EIP<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a second VPC:\n   &#8211; VPC: <code>vpc-b<\/code> with CIDR <code>192.168.1.0\/24<\/code>\n   &#8211; vSwitch: <code>vsw-b<\/code> in the same region (zone can differ)<\/li>\n<li>Create an ECS instance in <code>vpc-b\/vsw-b<\/code>:\n   &#8211; Name: <code>ecs-b-cgw<\/code>\n   &#8211; OS: a mainstream Linux (e.g., Alibaba Cloud Linux \/ CentOS \/ Ubuntu)\n   &#8211; Ensure you can SSH into it (create or use an SSH key pair)<\/li>\n<li>Allocate an <strong>EIP<\/strong> and associate it to <code>ecs-b-cgw<\/code>.<\/li>\n<\/ol>\n\n\n\n<p>Security group for <code>ecs-b-cgw<\/code>:\n&#8211; Allow <strong>UDP 500<\/strong> (IKE)\n&#8211; Allow <strong>UDP 4500<\/strong> (NAT-T)\n&#8211; Allow <strong>ESP (IP protocol 50)<\/strong> if your environment requires it (many setups use UDP encapsulation; still, verify based on your IKE\/IPsec mode)\n&#8211; Allow SSH from your admin IP for configuration\n&#8211; Allow ICMP from <code>172.16.0.0\/16<\/code> for testing<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>:\n&#8211; <code>ecs-b-cgw<\/code> has:\n  &#8211; a private IP like <code>192.168.1.x<\/code>\n  &#8211; a public EIP like <code>X.X.X.X<\/code> (note it carefully)<\/p>\n\n\n\n<p><strong>Verification<\/strong>:\n&#8211; SSH to the ECS using the EIP.\n&#8211; Confirm the instance can reach the Internet (for package installs).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a VPN Gateway in VPC-A<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>VPN Gateway<\/strong> in the Alibaba Cloud Console.<\/li>\n<li>Create a VPN Gateway:\n   &#8211; Attach it to <code>vpc-a<\/code>\n   &#8211; Choose a spec\/bandwidth appropriate for lab (smallest available to reduce cost)\n   &#8211; Name: <code>vpg-a<\/code><\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>:\n&#8211; A VPN Gateway 
exists and is in an \u201cAvailable\/Running\u201d state.\n&#8211; It has an Alibaba Cloud-managed public endpoint for IPsec (shown in console).<\/p>\n\n\n\n<p><strong>Verification<\/strong>:\n&#8211; Confirm VPN Gateway status is healthy\/available in the console.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Create a Customer Gateway object<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In VPN Gateway console, create a <strong>Customer Gateway<\/strong>:\n   &#8211; Name: <code>cgw-b<\/code>\n   &#8211; IP address: the <strong>EIP<\/strong> of <code>ecs-b-cgw<\/code> (e.g., <code>X.X.X.X<\/code>)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>:\n&#8211; Customer gateway object exists referencing your simulated on-prem endpoint.<\/p>\n\n\n\n<p><strong>Verification<\/strong>:\n&#8211; Confirm the IP is correct. If wrong, the tunnel will never establish.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Create an IPsec connection (VPN tunnel)<\/h3>\n\n\n\n<p>Create an <strong>IPsec Connection<\/strong> between:\n&#8211; VPN Gateway: <code>vpg-a<\/code>\n&#8211; Customer Gateway: <code>cgw-b<\/code><\/p>\n\n\n\n<p>Use lab-friendly, broadly compatible settings. 
Exact fields differ by console version; map these values accordingly:<\/p>\n\n\n\n<p>Traffic selectors:\n&#8211; <strong>Local CIDR<\/strong> (VPC-A): <code>172.16.0.0\/16<\/code> (or restrict to <code>172.16.1.0\/24<\/code> for tighter scope)\n&#8211; <strong>Remote CIDR<\/strong> (VPC-B): <code>192.168.1.0\/24<\/code><\/p>\n\n\n\n<p>IKE (Phase 1) suggested baseline:\n&#8211; Version: IKEv2 (use IKEv1 if needed for compatibility)\n&#8211; Authentication: Pre-shared key (PSK)\n&#8211; Encryption: AES-256 (or AES-128 if required)\n&#8211; Integrity: SHA-256\n&#8211; DH Group: 14 (or as supported on both sides)\n&#8211; Lifetime: leave default unless you need strict alignment<\/p>\n\n\n\n<p>IPsec (Phase 2) suggested baseline:\n&#8211; ESP encryption: AES-256\n&#8211; ESP integrity: SHA-256 (or as supported)\n&#8211; PFS: enabled with same DH group (if both sides support)\n&#8211; Lifetime: leave default<\/p>\n\n\n\n<p>Other options:\n&#8211; DPD (Dead Peer Detection): enabled (recommended)\n&#8211; NAT traversal: enabled (common when behind NAT; safe for Internet paths)<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>:\n&#8211; The IPsec connection is created but might show \u201cdown\u201d until the strongSwan side is configured.<\/p>\n\n\n\n<p><strong>Verification<\/strong>:\n&#8211; Note the VPN Gateway public IP (cloud side) displayed in the tunnel details.\n&#8211; Confirm your PSK is stored securely; you\u2019ll need it in strongSwan config.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Configure routes in VPC-A to reach remote subnet<\/h3>\n\n\n\n<p>You must ensure VPC-A knows to send traffic for <code>192.168.1.0\/24<\/code> to the VPN Gateway.<\/p>\n\n\n\n<p>Depending on the console workflow, you will either:\n&#8211; Associate\/advertise routes via the IPsec connection, <strong>or<\/strong>\n&#8211; Manually add a route entry in the VPC route table:\n  &#8211; Destination CIDR: 
<code>192.168.1.0\/24<\/code>\n  &#8211; Next hop: VPN Gateway <code>vpg-a<\/code><\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>:\n&#8211; VPC-A route table has a route to <code>192.168.1.0\/24<\/code> via VPN Gateway.<\/p>\n\n\n\n<p><strong>Verification<\/strong>:\n&#8211; Open VPC route table and confirm the route exists and is effective.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Install and configure strongSwan on ecs-b-cgw<\/h3>\n\n\n\n<p>SSH into <code>ecs-b-cgw<\/code> and install strongSwan.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Example (Ubuntu\/Debian)<\/h4>\n\n\n\n<pre><code class=\"language-bash\">sudo apt-get update\nsudo apt-get install -y strongswan\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Example (RHEL\/CentOS\/Alibaba Cloud Linux)<\/h4>\n\n\n\n<p>Package names vary; use your distro\u2019s repository tooling. For example:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo yum install -y strongswan\n<\/code><\/pre>\n\n\n\n<p>If packages are not available by default, <strong>verify in official distro repos<\/strong>.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: strongSwan is installed.<\/p>\n\n\n\n<p><strong>Verification<\/strong>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ipsec version || strongswan version\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 9: Configure strongSwan tunnel parameters<\/h3>\n\n\n\n<p>You must match:\n&#8211; Cloud-side VPN Gateway public IP\n&#8211; Your local public IP (EIP)\n&#8211; Protected subnets\n&#8211; PSK and proposals<\/p>\n\n\n\n<p>Assume:\n&#8211; Cloud VPN Gateway public IP: <code>CLOUD_VPN_IP<\/code>\n&#8211; Customer gateway EIP (ecs-b-cgw): <code>ONPREM_EIP<\/code>\n&#8211; VPC-A CIDR: <code>172.16.0.0\/16<\/code>\n&#8211; VPC-B CIDR: <code>192.168.1.0\/24<\/code>\n&#8211; PSK: <code>REPLACE_WITH_STRONG_PSK<\/code><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure 
<code>\/etc\/ipsec.conf<\/code><\/h4>\n\n\n\n<pre><code class=\"language-conf\">config setup\n  uniqueids=no\n\nconn alicloud-vpn\n  auto=start\n  keyexchange=ikev2\n  type=tunnel\n\n  # Local (simulated on-prem) side. The EIP is NAT-mapped to the ECS private\n  # address, so advertise it explicitly as the IKE identity.\n  left=%defaultroute\n  leftid=ONPREM_EIP\n  leftsubnet=192.168.1.0\/24\n\n  # Remote (Alibaba Cloud VPN Gateway) side\n  right=CLOUD_VPN_IP\n  rightsubnet=172.16.0.0\/16\n\n  # Proposals must match the console exactly: AES-256, SHA-256, DH group 14.\n  ike=aes256-sha256-modp2048!\n  # PFS enabled in the console means the ESP proposal must carry the DH group\n  # as well; drop modp2048 here only if PFS is disabled on the cloud side.\n  esp=aes256-sha256-modp2048!\n\n  # Dead Peer Detection: re-initiate the tunnel if the peer stops answering\n  dpdaction=restart\n  dpddelay=30s\n  dpdtimeout=120s\n\n  reauth=no\n<\/code><\/pre>\n\n\n\n<p>Replace:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>ONPREM_EIP<\/code> with the EIP of <code>ecs-b-cgw<\/code><\/li>\n<li><code>CLOUD_VPN_IP<\/code> with the VPN Gateway public IP<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>If your Alibaba Cloud IPsec connection uses IKEv1, change <code>keyexchange=ikev2<\/code> to <code>keyexchange=ikev1<\/code> and adapt proposals accordingly. Always match what you set in the console.<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">Configure <code>\/etc\/ipsec.secrets<\/code><\/h4>\n\n\n\n<pre><code class=\"language-conf\">ONPREM_EIP CLOUD_VPN_IP : PSK \"REPLACE_WITH_STRONG_PSK\"\n<\/code><\/pre>\n\n\n\n<p>Protect secrets:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo chmod 600 \/etc\/ipsec.secrets\n<\/code><\/pre>\n\n\n\n<p>Restart strongSwan:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo systemctl restart strongswan || sudo systemctl restart ipsec\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:\n&#8211; strongSwan initiates the tunnel.\n&#8211; Alibaba Cloud console starts showing the tunnel as <strong>up<\/strong> after negotiation succeeds.<\/p>\n\n\n\n<p><strong>Verification (on ecs-b-cgw)<\/strong>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo ipsec statusall\n<\/code><\/pre>\n\n\n\n<p>Look for an established IKE SA and a CHILD SA with the correct subnets.<\/p>\n\n\n\n<p><strong>Verification (in Alibaba Cloud console)<\/strong>:\n&#8211; IPsec connection status shows \u201cEstablished\/Up\u201d (wording varies).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" 
\/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 10: Allow traffic (security groups + OS firewall)<\/h3>\n\n\n\n<p>Ensure ICMP is allowed:\n&#8211; Security group of <code>ecs-a-private<\/code>: allow ICMP from <code>192.168.1.0\/24<\/code>\n&#8211; Security group of <code>ecs-b-cgw<\/code>: allow ICMP from <code>172.16.0.0\/16<\/code><\/p>\n\n\n\n<p>Also check the OS firewall on <code>ecs-b-cgw<\/code>:\n&#8211; If <code>ufw<\/code>\/<code>firewalld<\/code> is enabled, allow ICMP and IPsec-related traffic.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: Traffic is permitted end-to-end.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 11: Test connectivity (ping over the tunnel)<\/h3>\n\n\n\n<p>To test, you need a way to send traffic from VPC-A. If <code>ecs-a-private<\/code> has no public access, use one of these approaches:\n&#8211; Use a bastion in VPC-A (temporary) to SSH into <code>ecs-a-private<\/code>, or\n&#8211; Temporarily attach an EIP to a bastion only (recommended), not to the private instance, or\n&#8211; Use Alibaba Cloud\u2019s session\/bastion tooling if available in your org<\/p>\n\n\n\n<p>Once you have a shell on <code>ecs-a-private<\/code>, ping the on-prem ECS private IP:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ping -c 4 192.168.1.X\n<\/code><\/pre>\n\n\n\n<p>Also ping from on-prem side to cloud side:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ping -c 4 172.16.1.X\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>:\n&#8211; ICMP replies succeed in both directions (assuming security rules allow).\n&#8211; <code>ipsec statusall<\/code> shows traffic counters increasing (depending on strongSwan version).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:\n&#8211; [ ] IPsec connection shows <strong>Up\/Established<\/strong> in Alibaba Cloud console\n&#8211; [ ] <code>ipsec statusall<\/code> on 
<code>ecs-b-cgw<\/code> shows IKE SA + CHILD SA established\n&#8211; [ ] VPC-A route table has route to <code>192.168.1.0\/24<\/code> via VPN Gateway\n&#8211; [ ] Security groups allow ICMP\/SSH as needed\n&#8211; [ ] Ping works from <code>ecs-a-private<\/code> to <code>ecs-b-cgw<\/code> private IP and vice versa<\/p>\n\n\n\n<p>If ping fails but tunnel is up:\n&#8211; Test TCP instead (e.g., SSH) and confirm ICMP is not blocked.\n&#8211; Check routes and security groups carefully.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1) Tunnel stays down (no establishment)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Likely causes<\/strong>:\n<ul>\n<li>Wrong peer IP (customer gateway EIP) or wrong cloud VPN IP<\/li>\n<li>PSK mismatch<\/li>\n<li>IKE\/ESP proposal mismatch (AES\/SHA\/DH group)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Fix<\/strong>:\n<ul>\n<li>Compare the Alibaba Cloud IPsec parameters with <code>ipsec statusall<\/code> and the strongSwan logs (the unit is named <code>strongswan-starter<\/code> on some Debian\/Ubuntu releases):\n<pre><code class=\"language-bash\">sudo journalctl -u strongswan --no-pager -n 200\n<\/code><\/pre>\n<\/li>\n<li>Align IKE\/ESP proposals exactly.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">2) Tunnel is up, but no traffic passes<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Likely causes<\/strong>:\n<ul>\n<li>Missing VPC route entry to remote CIDR<\/li>\n<li>Wrong traffic selectors (local\/remote CIDR mismatch)<\/li>\n<li>Security group or OS firewall blocks ICMP\/TCP<\/li>\n<\/ul>\n<\/li>\n<li><strong>Fix<\/strong>:\n<ul>\n<li>Confirm routes in VPC route table.<\/li>\n<li>Ensure <code>leftsubnet<\/code>\/<code>rightsubnet<\/code> match console local\/remote CIDR definitions.<\/li>\n<li>Temporarily allow ICMP to isolate routing vs firewall issues.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">3) One-way traffic<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Likely causes<\/strong>:\n<ul>\n<li>Asymmetric routing<\/li>\n<li>Incorrect local\/remote subnet definitions<\/li>\n<\/ul>\n<\/li>\n<li><strong>Fix<\/strong>:\n<ul>\n<li>Ensure both sides agree on protected subnets.<\/li>\n<li>Ensure security rules allow return traffic.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">4) NAT traversal issues<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Likely causes<\/strong>:\n<ul>\n<li>Intermediate NAT device or ISP filtering<\/li>\n<\/ul>\n<\/li>\n<li><strong>Fix<\/strong>:\n<ul>\n<li>Ensure UDP 4500 is allowed.<\/li>\n<li>Enable NAT-T in the tunnel settings (if configurable).<\/li>\n<li>If you must use ESP (protocol 50), ensure it is allowed end-to-end (often it\u2019s blocked; NAT-T is safer).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">5) MTU\/fragmentation problems (intermittent)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Symptoms<\/strong>: small pings succeed; large transfers stall.<\/li>\n<li><strong>Fix<\/strong>:\n<ul>\n<li>Test PMTU with the don\u2019t-fragment bit set; if a 1400-byte payload fails, lower the size until it passes:\n<pre><code class=\"language-bash\">ping -M do -s 1400 192.168.1.X\n<\/code><\/pre>\n<\/li>\n<li>Reduce MTU on interfaces if needed; verify IPsec fragmentation settings.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Delete IPsec connection.<\/li>\n<li>Delete Customer Gateway object (optional).<\/li>\n<li>Delete VPN Gateway.<\/li>\n<li>Release EIP attached to <code>ecs-b-cgw<\/code>.<\/li>\n<li>Terminate ECS instances (<code>ecs-a-private<\/code>, <code>ecs-b-cgw<\/code>).<\/li>\n<li>Delete VPCs (<code>vpc-a<\/code>, <code>vpc-b<\/code>) and related vSwitches\/security groups if no longer needed.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: All billable resources from the lab are removed.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Avoid overlapping CIDRs<\/strong>: Plan IP ranges for on-prem and VPCs early; overlap is one of the hardest issues to fix later.<\/li>\n<li><strong>Minimize the protected network scope<\/strong>: Prefer smaller, specific CIDRs instead of advertising entire RFC1918 ranges.<\/li>\n<li><strong>Use a hub design carefully<\/strong>: If multiple VPCs need on-prem access, consider a hub VPC (and optionally CEN) rather than duplicating tunnels everywhere. Validate supported patterns in Alibaba Cloud docs.<\/li>\n<li><strong>Plan redundancy<\/strong>: For production, design for device\/ISP failures (dual customer gateways, multiple tunnels, separate ISPs). Align with Alibaba Cloud-supported HA patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>RAM least privilege<\/strong>: separate roles for network admins vs read-only auditors.<\/li>\n<li>Require <strong>MFA<\/strong> for privileged users managing VPN configurations.<\/li>\n<li>Store PSKs and certificates in secure secret storage, not in tickets or chat.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-size VPN Gateway bandwidth\/spec based on measured usage.<\/li>\n<li>Use VPN for control-plane and moderate traffic; use dedicated connectivity for sustained high throughput.<\/li>\n<li>Schedule bulk data transfers and reduce \u201calways-on\u201d replication where possible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep encryption proposals modern but compatible; avoid weak algorithms.<\/li>\n<li>Watch MTU: use PMTU testing and tune if needed.<\/li>\n<li>Monitor latency\/packet loss between sites; VPN performance depends heavily 
on Internet path quality.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use DPD and appropriate rekey lifetimes.<\/li>\n<li>Implement health checks:\n<ul>\n<li>Tunnel status checks<\/li>\n<li>Synthetic ping\/TCP checks between endpoints<\/li>\n<\/ul>\n<\/li>\n<li>Automate incident runbooks: how to fail over, rotate PSKs, or re-initiate tunnels.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tag resources consistently: <code>env<\/code>, <code>owner<\/code>, <code>cost-center<\/code>, <code>purpose<\/code>.<\/li>\n<li>Use ActionTrail to audit changes, especially PSK updates and CIDR changes.<\/li>\n<li>Keep a compatibility matrix for on-prem devices (supported IKE versions, crypto proposals).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<p>A simple naming convention:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPN Gateway: <code>vpg-&lt;env&gt;-&lt;region&gt;-&lt;vpc&gt;<\/code><\/li>\n<li>Customer Gateway: <code>cgw-&lt;site&gt;-&lt;isp&gt;<\/code><\/li>\n<li>IPsec connection: <code>ipsec-&lt;site&gt;-&lt;env&gt;-&lt;purpose&gt;<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>RAM<\/strong> to control who can create\/modify\/delete:\n<ul>\n<li>VPN gateways<\/li>\n<li>customer gateways<\/li>\n<li>IPsec\/SSL configurations<\/li>\n<li>route changes in VPC<\/li>\n<\/ul>\n<\/li>\n<li>Separate duties:\n<ul>\n<li>Network team manages VPN<\/li>\n<li>App team consumes connectivity<\/li>\n<li>Security team audits via ActionTrail\/read-only access<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer modern crypto:\n<ul>\n<li>AES-256 (or AES-128 where necessary)<\/li>\n<li>SHA-256 (avoid SHA-1 unless legacy constraints)<\/li>\n<li>DH group 14+ (or stronger where supported)<\/li>\n<\/ul>\n<\/li>\n<li>Rotate PSKs periodically, especially after personnel changes.<\/li>\n<li>Consider certificate-based authentication if supported and required (verify availability).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not open broad inbound access from on-prem to all cloud resources.<\/li>\n<li>Use security groups, NACLs (if used), and host firewalls to constrain traffic to required ports and hosts.<\/li>\n<li>Avoid routing entire corporate networks into all VPCs. Segment by environment and sensitivity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat PSKs like passwords:\n<ul>\n<li>store in a secret manager<\/li>\n<li>limit visibility<\/li>\n<li>rotate and revoke as needed<\/li>\n<\/ul>\n<\/li>\n<li>Avoid putting PSKs in IaC state files without encryption and access controls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable <strong>ActionTrail<\/strong> to log VPN configuration changes.<\/li>\n<li>Use CloudMonitor metrics\/alerts for tunnel health.<\/li>\n<li>If VPN logs can be exported to Log Service in your region, enable with appropriate retention and access controls (<strong>verify in official docs<\/strong>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Document:\n<ul>\n<li>crypto suite standards<\/li>\n<li>key rotation procedures<\/li>\n<li>access review processes<\/li>\n<li>incident response procedures<\/li>\n<\/ul>\n<\/li>\n<li>Ensure segmentation between prod and non-prod (separate VPN gateways\/tunnels or separate routes\/policies).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using weak PSKs or reusing PSKs across environments<\/li>\n<li>Advertising overly broad CIDRs<\/li>\n<li>Allowing unrestricted inbound SSH\/RDP from on-prem networks<\/li>\n<li>Not monitoring tunnel status (silent failures become outages)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with least-access: only required CIDRs and ports.<\/li>\n<li>Require change approval for:\n<ul>\n<li>adding new remote subnets<\/li>\n<li>changing encryption parameters<\/li>\n<li>enabling broad route propagation<\/li>\n<\/ul>\n<\/li>\n<li>Test failover and recovery regularly.<\/li>\n<\/ul>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<p>These are common constraints and surprises to plan for. Exact values differ by region\/spec\u2014<strong>verify in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations \/ quotas (typical categories)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Throughput\/bandwidth limits<\/strong> tied to VPN Gateway specification.<\/li>\n<li><strong>Number of IPsec connections\/tunnels<\/strong> per VPN gateway.<\/li>\n<li><strong>SSL client limits<\/strong> if SSL-VPN is used.<\/li>\n<li><strong>Route limits<\/strong> in VPC route tables.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some regions may not support SSL-VPN or may have different specs.<\/li>\n<li>Console workflows can differ slightly by region.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Forgetting to delete VPN gateways after testing (ongoing instance\/spec charges).<\/li>\n<li>Paying for EIPs and ECS instances used as customer gateways in labs.<\/li>\n<li>Data transfer costs for large cross-site replication.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vendor devices may require specific IKE proposals, NAT-T settings, or fragmentation behavior.<\/li>\n<li>Some devices default to IKEv1; others prefer IKEv2.<\/li>\n<li>If your on-prem is behind NAT, ensure NAT traversal works consistently.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tunnel \u201cup\u201d does not guarantee application connectivity\u2014routes and security rules still matter.<\/li>\n<li>MTU issues can cause partial failures.<\/li>\n<li>Changes to CIDRs require careful coordination on both sides and may 
disrupt traffic.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Moving from self-managed VPN on ECS to VPN Gateway requires:\n<ul class=\"wp-block-list\">\n<li>readdressing or reselecting protected CIDRs<\/li>\n<li>changing peer endpoints<\/li>\n<li>coordinating downtime\/overlap<\/li>\n<\/ul>\n<\/li>\n<li>Plan staged cutovers and rollback paths.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some devices use policy-based vs route-based terminology differently.<\/li>\n<li>If you need BGP\/dynamic routing, confirm whether your VPN Gateway spec supports it and how it is configured (<strong>verify in official docs<\/strong>).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Alternatives inside Alibaba Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Express Connect<\/strong>: Dedicated private connectivity for predictable performance and SLAs.<\/li>\n<li><strong>Cloud Enterprise Network (CEN)<\/strong>: A global network interconnect for VPCs and regions; often used with Express Connect or VPN as part of larger topologies.<\/li>\n<li><strong>Self-managed VPN on ECS<\/strong>: Run strongSwan or a commercial VPN appliance yourself.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Alternatives in other clouds (for context)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS Site-to-Site VPN \/ AWS Client VPN<\/strong><\/li>\n<li><strong>Azure VPN Gateway<\/strong><\/li>\n<li><strong>Google Cloud VPN<\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source \/ self-managed alternatives<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>strongSwan<\/strong>, <strong>OpenVPN<\/strong>, or vendor appliances on virtual machines<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Comparison 
table<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud VPN Gateway<\/strong><\/td>\n<td>Managed site-to-site IPsec and (where available) SSL remote access into VPC<\/td>\n<td>Managed cloud-side termination, VPC route integration, faster setup than dedicated lines<\/td>\n<td>Internet variability, throughput\/spec constraints, must coordinate parameters with peer<\/td>\n<td>Hybrid connectivity with moderate throughput and quick deployment<\/td>\n<\/tr>\n<tr>\n<td><strong>Express Connect (Alibaba Cloud)<\/strong><\/td>\n<td>High-throughput, predictable enterprise connectivity<\/td>\n<td>Private circuit, stable performance, enterprise patterns<\/td>\n<td>Provisioning time and cost, physical connectivity requirements<\/td>\n<td>Mission-critical workloads, strict latency\/bandwidth needs<\/td>\n<\/tr>\n<tr>\n<td><strong>CEN (Alibaba Cloud)<\/strong><\/td>\n<td>Multi-VPC, multi-region network topologies<\/td>\n<td>Centralized interconnect patterns<\/td>\n<td>Not a replacement for on-prem connectivity by itself<\/td>\n<td>When you must connect many VPCs\/regions and want centralized routing<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed VPN on ECS<\/strong><\/td>\n<td>Maximum control\/custom features<\/td>\n<td>Full control over software, can add custom routing\/NAT, can be cheaper in some cases<\/td>\n<td>You manage availability, patching, scaling, security hardening<\/td>\n<td>When you need features not supported by VPN Gateway, or custom network functions<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS\/Azure\/GCP VPN services<\/strong><\/td>\n<td>Multi-cloud designs<\/td>\n<td>Similar managed VPN capabilities<\/td>\n<td>Different IAM\/network models; cross-cloud complexity<\/td>\n<td>When designing multi-cloud connectivity patterns<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Retail chain hybrid connectivity<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A retail chain has hundreds of stores with on-prem POS networks. They want to centralize analytics and inventory services in Alibaba Cloud while keeping local store systems operational.<\/li>\n<li><strong>Proposed architecture<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Each region has a shared services VPC with <strong>VPN Gateway<\/strong><\/li>\n<li>Store\/branch firewalls act as customer gateways<\/li>\n<li>Store subnets are segmented; only required ports to cloud services are allowed<\/li>\n<li>Central monitoring via CloudMonitor and auditing via ActionTrail<\/li>\n<li>Optional: Cloud Firewall for centralized policy visibility<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why VPN Gateway was chosen<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Faster rollout than dedicated circuits for all stores<\/li>\n<li>IPsec compatibility with existing branch firewalls<\/li>\n<li>Ability to restrict access to specific cloud subnets\/services<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Secure encrypted connectivity from stores to cloud<\/li>\n<li>Reduced public exposure of internal APIs<\/li>\n<li>Standardized operational procedures for tunnel health and incident response<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: Secure admin access to private VPC<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A small SaaS team runs private ECS\/ACK services and wants engineers to access internal dashboards and databases without public IPs.<\/li>\n<li><strong>Proposed architecture<\/strong>:\n<ul class=\"wp-block-list\">\n<li>VPN Gateway attached to the production VPC<\/li>\n<li>SSL-VPN (if available) for engineer laptops, or IPsec from a small office firewall<\/li>\n<li>A small management subnet with a bastion and monitoring tools<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why VPN Gateway was chosen<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Managed entry point instead of maintaining a VPN server on ECS<\/li>\n<li>Quick setup and easy scaling with specs<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Private access for engineers, reduced attack surface<\/li>\n<li>Improved auditability of VPN configuration changes<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is Alibaba Cloud VPN Gateway a site-to-site VPN or client VPN?<\/strong><br\/>\nIt supports <strong>site-to-site IPsec VPN<\/strong>. Many regions\/specs also support <strong>SSL-VPN for client\/remote access<\/strong>. Verify availability in your region.<\/p>\n\n\n\n<p>2) <strong>Do I need an on-prem hardware firewall?<\/strong><br\/>\nNo. You can use a software endpoint (for example, strongSwan on Linux) as the customer gateway, as shown in the lab.<\/p>\n\n\n\n<p>3) <strong>Can I connect multiple on-prem sites to one VPC?<\/strong><br\/>\nOften yes, by creating multiple customer gateways and IPsec connections, subject to quotas and spec limits. Verify your VPN Gateway limits.<\/p>\n\n\n\n<p>4) <strong>Can I connect one on-prem site to multiple VPCs?<\/strong><br\/>\nYes, but design carefully. You may use multiple VPN gateways or a hub approach (potentially with CEN). Confirm supported routing patterns.<\/p>\n\n\n\n<p>5) <strong>Does VPN Gateway support BGP dynamic routing?<\/strong><br\/>\nSome managed VPN offerings support BGP, but it depends on the product edition\/spec and region. 
<strong>Verify in official docs<\/strong> for VPN Gateway.<\/p>\n\n\n\n<p>6) <strong>What happens if my on-prem public IP changes?<\/strong><br\/>\nIf the customer gateway public IP changes, the tunnel will fail until you update the customer gateway configuration (or use a stable public IP).<\/p>\n\n\n\n<p>7) <strong>How do I avoid overlapping IP ranges between on-prem and VPC?<\/strong><br\/>\nPlan IP addressing early. If overlap exists, you may need NAT or readdressing. NAT increases complexity; readdressing is often cleaner long-term.<\/p>\n\n\n\n<p>8) <strong>Is traffic encrypted end-to-end?<\/strong><br\/>\nNot end-to-end by default. Between the VPN endpoints, traffic is encrypted with IPsec or SSL. Inside each network, traffic is not automatically encrypted unless you implement it at the application\/host layer.<\/p>\n\n\n\n<p>9) <strong>Can I restrict which on-prem users can reach cloud resources?<\/strong><br\/>\nYes. Use a combination of:<br\/>\n&#8211; security groups\/NACLs in the VPC<br\/>\n&#8211; on-prem firewall policies<br\/>\n&#8211; narrow CIDRs for protected subnets<\/p>\n\n\n\n<p>10) <strong>Do I need to modify instances to use the VPN?<\/strong><br\/>\nUsually no. You configure routes at the VPC level and security rules; instances route normally.<\/p>\n\n\n\n<p>11) <strong>How do I monitor tunnel health?<\/strong><br\/>\nUse VPN Gateway console status, CloudMonitor metrics (where available), and synthetic checks (ping\/TCP) across the tunnel.<\/p>\n\n\n\n<p>12) <strong>Why is my tunnel \u201cup\u201d but ping doesn\u2019t work?<\/strong><br\/>\nMost commonly: missing routes, blocked ICMP in security groups, or incorrect CIDRs in traffic selectors.<\/p>\n\n\n\n<p>13) <strong>Does VPN Gateway provide a static public IP on the cloud side?<\/strong><br\/>\nVPN Gateway exposes a public endpoint shown in the console. Treat it as the peer IP for your customer gateway configuration. 
For lifecycle\/changes, <strong>verify in official docs<\/strong>.<\/p>\n\n\n\n<p>14) <strong>Can I use VPN Gateway for large data replication?<\/strong><br\/>\nYou can, but costs and performance may be suboptimal versus dedicated connectivity. For sustained high throughput, evaluate Express Connect.<\/p>\n\n\n\n<p>15) <strong>What is the difference between VPN Gateway and running strongSwan on ECS?<\/strong><br\/>\nVPN Gateway is managed (less ops work, integrated routing). Self-managed gives maximum control but you manage scaling, patching, HA, and security hardening.<\/p>\n\n\n\n<p>16) <strong>How long does it take to set up a tunnel?<\/strong><br\/>\nA basic tunnel can be set up within hours. Most time goes into aligning parameters and network\/security rules.<\/p>\n\n\n\n<p>17) <strong>Can I use SSL-VPN for developer access instead of a bastion host?<\/strong><br\/>\nOften yes, if SSL-VPN is available and meets your authentication\/compliance needs. Many organizations still keep a bastion for controlled access.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn VPN Gateway<\/h2>\n\n\n\n<p>Links and availability can change. 
Prefer official docs for the most accurate, region-specific steps.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td><a href=\"https:\/\/www.alibabacloud.com\/help\/en\/vpn-gateway\">Alibaba Cloud VPN Gateway Documentation<\/a><\/td>\n<td>Primary reference for concepts, configuration steps, limits, and troubleshooting<\/td>\n<\/tr>\n<tr>\n<td>Official product page<\/td>\n<td><a href=\"https:\/\/www.alibabacloud.com\/product\/vpn-gateway\">Alibaba Cloud VPN Gateway Product Page<\/a><\/td>\n<td>Overview of capabilities, typical use cases, and entry points to pricing<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td><a href=\"https:\/\/www.alibabacloud.com\/pricing\/calculator\">Alibaba Cloud Pricing Calculator<\/a><\/td>\n<td>Estimate costs across regions and related services (ECS\/EIP\/VPN)<\/td>\n<\/tr>\n<tr>\n<td>Getting started<\/td>\n<td>VPN Gateway \u201cQuick Start\u201d \/ \u201cGetting Started\u201d section in official docs<\/td>\n<td>Step-by-step workflow aligned to current console; <strong>verify in docs<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Alibaba Cloud Architecture Center (search: \u201cVPN Gateway\u201d, \u201chybrid connectivity\u201d)<\/td>\n<td>Reference architectures and best practices; availability varies by publication<\/td>\n<\/tr>\n<tr>\n<td>Audit\/governance<\/td>\n<td><a href=\"https:\/\/www.alibabacloud.com\/help\/en\/actiontrail\">ActionTrail Documentation<\/a><\/td>\n<td>Understand how to audit VPN configuration changes<\/td>\n<\/tr>\n<tr>\n<td>Monitoring<\/td>\n<td><a href=\"https:\/\/www.alibabacloud.com\/help\/en\/cloudmonitor\">CloudMonitor Documentation<\/a><\/td>\n<td>Metrics and alerting patterns for tunnel health and operational dashboards<\/td>\n<\/tr>\n<tr>\n<td>Community (trusted)<\/td>\n<td>strongSwan documentation: 
https:\/\/docs.strongswan.org\/<\/td>\n<td>Deep reference for IKE\/IPsec parameters and Linux endpoint troubleshooting<\/td>\n<\/tr>\n<tr>\n<td>Community (practical)<\/td>\n<td>Vendor firewall configuration guides (Cisco\/Fortinet\/Palo Alto)<\/td>\n<td>Helpful for proposal alignment; validate against Alibaba Cloud requirements<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<p>The following training providers may offer relevant learning paths. Confirm course outlines, instructors, and lab depth on each website.<\/p>\n\n\n\n<p>1) <strong>DevOpsSchool.com<\/strong><br\/>\n&#8211; Suitable audience: DevOps engineers, cloud engineers, SREs, platform teams<br\/>\n&#8211; Likely learning focus: Cloud networking foundations, hybrid connectivity, operations practices<br\/>\n&#8211; Mode: check website<br\/>\n&#8211; Website: https:\/\/www.devopsschool.com\/<\/p>\n\n\n\n<p>2) <strong>ScmGalaxy.com<\/strong><br\/>\n&#8211; Suitable audience: Beginners to intermediate engineers learning DevOps and tooling<br\/>\n&#8211; Likely learning focus: DevOps fundamentals that support cloud operations and infrastructure management<br\/>\n&#8211; Mode: check website<br\/>\n&#8211; Website: https:\/\/www.scmgalaxy.com\/<\/p>\n\n\n\n<p>3) <strong>CLoudOpsNow.in<\/strong><br\/>\n&#8211; Suitable audience: Cloud operations and platform teams<br\/>\n&#8211; Likely learning focus: Cloud ops practices, monitoring, reliability, and automation concepts<br\/>\n&#8211; Mode: check website<br\/>\n&#8211; Website: https:\/\/cloudopsnow.in\/<\/p>\n\n\n\n<p>4) <strong>SreSchool.com<\/strong><br\/>\n&#8211; Suitable audience: SREs, operations engineers, reliability-focused teams<br\/>\n&#8211; Likely learning focus: SRE practices, monitoring\/alerting, incident response patterns<br\/>\n&#8211; Mode: check website<br\/>\n&#8211; Website: 
https:\/\/sreschool.com\/<\/p>\n\n\n\n<p>5) <strong>AiOpsSchool.com<\/strong><br\/>\n&#8211; Suitable audience: Ops teams exploring AIOps and automation<br\/>\n&#8211; Likely learning focus: Observability, automation, and operational analytics concepts<br\/>\n&#8211; Mode: check website<br\/>\n&#8211; Website: https:\/\/aiopsschool.com\/<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<p>These sites may list trainers or training services. Verify credentials, course syllabi, and references directly.<\/p>\n\n\n\n<p>1) <strong>RajeshKumar.xyz<\/strong><br\/>\n&#8211; Likely specialization: DevOps\/cloud coaching and mentoring (verify on site)<br\/>\n&#8211; Suitable audience: Individuals and teams seeking guided learning<br\/>\n&#8211; Website: https:\/\/rajeshkumar.xyz\/<\/p>\n\n\n\n<p>2) <strong>devopstrainer.in<\/strong><br\/>\n&#8211; Likely specialization: DevOps training programs (verify on site)<br\/>\n&#8211; Suitable audience: Beginners to intermediate DevOps engineers<br\/>\n&#8211; Website: https:\/\/devopstrainer.in\/<\/p>\n\n\n\n<p>3) <strong>devopsfreelancer.com<\/strong><br\/>\n&#8211; Likely specialization: Freelance DevOps services and training (verify on site)<br\/>\n&#8211; Suitable audience: Startups and small teams needing practical guidance<br\/>\n&#8211; Website: https:\/\/devopsfreelancer.com\/<\/p>\n\n\n\n<p>4) <strong>devopssupport.in<\/strong><br\/>\n&#8211; Likely specialization: DevOps support and enablement (verify on site)<br\/>\n&#8211; Suitable audience: Teams needing operational assistance and knowledge transfer<br\/>\n&#8211; Website: https:\/\/devopssupport.in\/<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<p>Presented neutrally. 
Validate scope, references, and contracts directly with each provider.<\/p>\n\n\n\n<p>1) <strong>cotocus.com<\/strong><br\/>\n&#8211; Likely service area: Cloud\/DevOps consulting and implementation (verify on site)<br\/>\n&#8211; Where they may help: Hybrid connectivity design, operationalization, migration planning<br\/>\n&#8211; Consulting use case examples:<br\/>\n  &#8211; Designing a secure VPN Gateway + VPC routing model<br\/>\n  &#8211; Implementing monitoring and alerting for tunnel health<br\/>\n  &#8211; Standardizing IAM policies and change control for network resources<br\/>\n&#8211; Website: https:\/\/cotocus.com\/<\/p>\n\n\n\n<p>2) <strong>DevOpsSchool.com<\/strong><br\/>\n&#8211; Likely service area: DevOps and cloud consulting, training-led enablement<br\/>\n&#8211; Where they may help: Platform engineering, DevOps practices, infrastructure automation<br\/>\n&#8211; Consulting use case examples:<br\/>\n  &#8211; Building repeatable VPN Gateway deployment patterns<br\/>\n  &#8211; Implementing governance and tagging across networking resources<br\/>\n  &#8211; Creating runbooks and SRE-style operations for hybrid connectivity<br\/>\n&#8211; Website: https:\/\/www.devopsschool.com\/<\/p>\n\n\n\n<p>3) <strong>DEVOPSCONSULTING.IN<\/strong><br\/>\n&#8211; Likely service area: DevOps consulting services (verify on site)<br\/>\n&#8211; Where they may help: Delivery support, automation, operational best practices<br\/>\n&#8211; Consulting use case examples:<br\/>\n  &#8211; Hybrid cloud connectivity assessment and roadmap<br\/>\n  &#8211; Secure remote access design using VPN Gateway + bastion patterns<br\/>\n  &#8211; Cost review for VPN vs dedicated connectivity alternatives<br\/>\n&#8211; Website: https:\/\/devopsconsulting.in\/<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before VPN Gateway<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Networking basics: CIDR, routing, NAT, DNS<\/li>\n<li>VPN fundamentals: IKE, IPsec, Phase 1\/2, proposals, PSK\/certificates<\/li>\n<li>Alibaba Cloud VPC fundamentals: VPC, vSwitch, route tables, security groups<\/li>\n<li>Linux basics (helpful): iptables\/nftables, systemd logs, MTU troubleshooting<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after VPN Gateway<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Express Connect for dedicated connectivity patterns<\/li>\n<li>CEN for multi-VPC\/multi-region topologies<\/li>\n<li>Centralized security controls (Cloud Firewall) and segmentation<\/li>\n<li>Observability and governance: CloudMonitor, ActionTrail, log pipelines<\/li>\n<li>IaC automation (Terraform or Alibaba Cloud SDK\/CLI) for repeatable VPN deployments (verify official tooling guidance)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud\/Network Engineer<\/li>\n<li>Solutions Architect<\/li>\n<li>DevOps Engineer \/ Platform Engineer<\/li>\n<li>SRE \/ Operations Engineer<\/li>\n<li>Security Engineer (network security \/ cloud security)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Alibaba Cloud certifications change over time. 
Look for:<br\/>\n&#8211; Alibaba Cloud associate\/professional tracks that include VPC and hybrid connectivity topics<br\/>\nVerify current certifications on Alibaba Cloud\u2019s official certification pages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a \u201chybrid lab\u201d with two VPCs and IPsec, then add:\n<ul class=\"wp-block-list\">\n<li>tighter CIDR segmentation (\/28 protected networks)<\/li>\n<li>monitoring alerts for tunnel down<\/li>\n<li>PSK rotation procedure<\/li>\n<\/ul>\n<\/li>\n<li>Create separate dev\/prod VPNs and demonstrate least privilege access via RAM.<\/li>\n<li>Compare VPN Gateway vs self-managed strongSwan on ECS (cost + ops + security).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VPC (Virtual Private Cloud)<\/strong>: A logically isolated network in Alibaba Cloud where you deploy private resources.<\/li>\n<li><strong>vSwitch<\/strong>: A subnet within a VPC, associated with a specific zone.<\/li>\n<li><strong>Route table<\/strong>: Defines how traffic is routed within a VPC (destination \u2192 next hop).<\/li>\n<li><strong>VPN Gateway<\/strong>: Alibaba Cloud managed VPN termination service attached to a VPC.<\/li>\n<li><strong>Customer Gateway (CGW)<\/strong>: The on-premises VPN endpoint (device\/software), represented in Alibaba Cloud by its public IP.<\/li>\n<li><strong>IPsec<\/strong>: A suite of protocols for encrypting IP traffic (confidentiality, integrity, authentication).<\/li>\n<li><strong>IKE (Internet Key Exchange)<\/strong>: Negotiates security associations and keys for IPsec (IKEv1\/IKEv2).<\/li>\n<li><strong>Security Association (SA)<\/strong>: The negotiated security parameters for an IPsec tunnel.<\/li>\n<li><strong>PSK (Pre-Shared Key)<\/strong>: Shared secret used to authenticate peers for IKE (common in site-to-site VPNs).<\/li>\n<li><strong>NAT-T<\/strong>: NAT 
Traversal; encapsulates IPsec in UDP 4500 to traverse NAT devices.<\/li>\n<li><strong>Traffic selectors \/ Protected subnets<\/strong>: CIDR ranges that define which traffic goes through the VPN.<\/li>\n<li><strong>DPD (Dead Peer Detection)<\/strong>: Detects dead VPN peers and triggers recovery.<\/li>\n<li><strong>MTU (Maximum Transmission Unit)<\/strong>: Largest packet size on a link; VPN overhead can reduce effective MTU.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>VPN Gateway<\/strong> (Networking and CDN category) is a managed service for building <strong>encrypted hybrid connectivity<\/strong> into a VPC using <strong>IPsec site-to-site VPN<\/strong> and, where available, <strong>SSL-VPN remote access<\/strong>. It matters because it enables private networking without exposing internal services publicly, and it can be deployed quickly compared to dedicated circuits.<\/p>\n\n\n\n<p>Cost is driven mainly by the VPN Gateway <strong>spec\/bandwidth<\/strong>, the number of tunnels\/connections, and related network resources like <strong>EIP<\/strong> and data transfer. Security success depends on strong crypto choices, tight CIDR scoping, least-privilege RAM policies, and continuous monitoring\/auditing (CloudMonitor + ActionTrail).<\/p>\n\n\n\n<p>Use VPN Gateway when you need fast, secure hybrid connectivity with moderate throughput requirements. For strict performance guarantees or high sustained bandwidth, evaluate <strong>Express Connect<\/strong> and broader network patterns such as <strong>CEN<\/strong>. 
Next step: replicate the hands-on lab with your real on-prem device, then add redundancy, monitoring alerts, and a formal key-rotation\/change-control process.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Networking and CDN<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,8],"tags":[],"class_list":["post-37","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-networking-and-cdn"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/37","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=37"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/37\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=37"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=37"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=37"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}