How does the hybrid cloud realize the IP sec VPN cloud networking dedicated line to realize the interworking between the active and standby intranet?

Business scenario :

As shown in the figure below , The user is in VPC and IDC The central government has deployed business , In order to realize the business interaction between the cloud and the cloud , Users need to deploy network connection services to realize business interoperability , For high availability communication , The deployment scheme is as follows ：

• Cloud networking （ Lord ）： Local IDC Through the physical line , Connect to the cloud connected private line gateway , Dedicated line gateway and VPC Are connected to the cloud network , So as to realize the full service communication under the cloud and on the cloud . When the physical dedicated line link is normal . Local IDC And VPC All communication flows between the are forwarded through the cloud network via the physical dedicated line .
• VPN Connect （ To prepare ）： Ben The earth IDC And on the cloud VPC Through establishment VPN Secure tunnel to realize cloud on cloud and cloud off cloud business communication , When the leased line link is abnormal , The traffic can be switched to this link , Ensure business availability ：

Prerequisite

• User local IDC The gateway device has IPsec VPN function , It can also be used as the user side VPN Gateway device , And VPC Side VPN Equipment setup IPsec Tunnel communication .
• user IDC Side gateway device Configured static IP. You can also set BFD static state IP
• Data preparation is as follows ： Configuration item example value network configuration VPC Information subnet CIDR192.168.1.0/24VPN Gateway public network IP203.xx.xx.82IDC Information subnet CIDR10.0.1.0/24, Gateway public network IP202.xx.xx.5

Operation process

• 1 Configure dedicated line access
• 2 To configure VPN Connect
• 3 Configure network probe
• 4 Configure alarms
• 5 Switch between active and standby routes

Operation steps

Step one ： To configure IDC Through the cloud network

1. Sign in Dedicated line access console , Click... On the left navigation bar 【 Physics line 】 Create a physical line .
2. Click... On the left navigation bar 【 Dedicated gateway 】 Create a dedicated gateway , This example selects cloud networking
3. Click cloud networking private line gateway ID Enter details page , stay 【IDC gateway 】 Enter the user in IDC Network segment , for example 10.0.1.0/24.
4. Sign in Cloud networking console , single click 【 newly build 】 Create an instance of cloud networking .
5. Sign in Dedicated channel console , single click 【 newly build 】 Create a dedicated channel to connect to the cloud networking dedicated gateway , Configure the channel name here 、 Select cloud networking as the access network , Select the created cloud networking private line gateway 、 Configure the interconnection between Tencent cloud side and user side IP、 Routing method selection BGP Routing, etc. , After the configuration is completed, download the configuration guide and click IDC The device is configured .
6. take VPC Associate with the dedicated line gateway to the cloud networking instance , That is to say VPC and IDC Networking through the cloud 、 Cloud networking dedicated line gateway for interworking . explain ： For more detailed configuration, please refer to IDC Through the cloud network .

Step two ： To configure IDC adopt VPN Connect to the cloud

1. Sign in VPN Gateway console , single click 【 newly build 】 establish VPN gateway , In this example, the associated network selects the private network .
2. Click... On the left navigation bar 【 Peer gateway 】, Configure the peer gateway （ namely IDC Side VPN The logical object of the gateway ）, Fill in IDC Side VPN The gateway's public network IP Address , for example 202.xx.xx.5.
3. Click... On the left navigation bar 【VPN passageway 】, Please configure SPD Strategy 、IKE、IPsec Other configuration .
4. stay IDC Configure on the local gateway device VPN Channel information , The configuration here requires and step 3 Medium VPN The channel information is consistent , otherwise VPN The tunnel cannot be connected normally .
5. stay VPC Configure the next hop in the routing table associated with the communication subnet as VPN gateway 、 The destination is IDC Communication network segment The routing strategy of . explain ： For more detailed configuration, please refer to ：
   • If it is 1.0 and 2.0 Version of VPN gateway , Please refer to establish VPC To IDC The connection of （SPD Strategy ）.
   • If it is 3.0 Version of VPN gateway , Please refer to establish VPC To IDC The connection of （ Routing table ）

Step three ： Configure network probe

explain ： After the above two steps are configured ,VPC Go to IDC There are already two paths , The next hop is cloud networking 、VPN gateway , According to the route default priority ： Cloud networking > VPN gateway , Cloud networking is the main path ,VPN The gateway is an alternate path .

To understand the connection quality of the active and standby paths , You need to configure network probes for two paths respectively , Real time monitoring of the delay to the network connection 、 Key indicators such as packet loss rate , To detect the availability of active and standby routes .

1. Sign in Network probe console .
2. single click 【 newly build 】, Create a network probe , Fill in the network probe name , choice Private networks 、 subnet 、 Detection purpose IP, And specify the next hop route at the source , Such as cloud networking .
3. Please execute again step 2, Specify that the next hop route at the source end is VPN gateway . When the configuration is complete , You can view cloud networking and VPN Network detection delay and packet loss rate of connecting the active and standby paths . explain ： For more detailed configuration, please refer to Network detection .

Step four ： Configure alarms

In order to detect the abnormal link in time , Configurable alarm strategy for network detection , In order to detect the abnormal link , The alarm information can be obtained in time through e-mail and SMS , Help you to forewarn risks in advance .

1. Log in to... Under cloud monitoring Alarm strategy console .
2. single click 【 newly build 】, Fill in the strategy name 、 Policy type selection 【 Private networks / Network detection 】, Alarm object selection Specific examples of network detection , Configure triggering conditions, alarm notification and other information , And click 【 complete 】 that will do .

Step five ： Switch between active and standby routes

When the network detection abnormal alarm of the main path of cloud networking is received , You need to manually disable the primary route , Switch the flow to VPN Gateway backup route .

1. Sign in Routing table console .
2. single click VPC Communication subnet associated routing table ID, Enter the routing details page , Click open

Disable the next hop as the primary route for cloud networking , here VPC Go to IDC Traffic will switch from cloud networking to VPN gateway .

PS： When we practice , Find out IDC Transparent network segment , There are limits , We need to pay attention to , Can't publish 0.0.0.0/0 To the cloud , Split required ; Pit point