This solution guide aims to provide a walkthrough on how to establish an IPSec Tunnel between Microsoft Azure and Alibaba Cloud using VPN Gateway.

By Lin En Shu, Solutions Architect

A Virtual Private Network (VPN) provides a means for securely communicating among remote hosts and private networks across a public WAN such as the Internet. Two private networks can be securely connected through site-to-site VPN. To secure VPN communication while passing through the WAN, the two sites create an IP Security (IPsec) VPN tunnel.

An IPSec VPN tunnel protects the IP packets exchanged between remote networks or hosts and a VPN gateway located at the edge of the private network. IPSec includes protocols for establishing mutual authentication between the peers at the start of the session and for negotiating the cryptographic keys used during the session.


Solution Architecture

In this guide, the IPSec VPN Tunnel setup between Microsoft Azure and Alibaba Cloud using VPN Gateway will be based upon the following solution architecture.

Pre-Requisites and Preparation

An Alibaba Cloud Account
A Microsoft Azure Account
Required environmental setup information
Reference: Azure IPSec/IKE parameters for Site-to-Site VPN Gateway: https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Create an Alibaba Cloud VPC. Refer to this guide: https://www.alibabacloud.com/help/product/27706.htm

Alibaba Cloud - Setup VPN Gateway

1. Create VPN Gateway

Go to Products -> Virtual Private Cloud -> VPN Gateway and click the Create VPN Gateway button.

Choose the region, the peak bandwidth and the VPC created earlier, then press Buy Now.

Go back to the VPN Gateway console to find the VPN Gateway IP address.

2. Create Customer Gateway

The Customer Gateway represents the VPN gateway IP in Microsoft Azure.

Go to Virtual Private Cloud -> Customer Gateway and press the Create Customer Gateway button.

Enter Azure's VPN Gateway IP into the IP Address field.

Go back to the Customer Gateway console to verify that the Customer Gateway IP has been registered correctly.

3. Create VPN Connection

Once the VPN Gateway in Alibaba Cloud and the Customer Gateway for Azure have been configured, the next step is to set up the VPN connection.

Go to Virtual Private Cloud -> VPN Connection and press the Create VPN Connection button.

Fill in the advanced configuration based on this table. The values highlighted in green (Azure's IPSec/IKE configuration) must be used exactly as given on both sides, otherwise the IPSec tunnel cannot be established.

4. Add Route Entry in VPC

In order for the ECS instances within this Alibaba Cloud VPC to reach the VMs in the Azure Virtual Network, a route entry must be added that routes traffic destined for the remote private network (Azure) through this VPN Gateway.

Once the VPN connection has been created, select the VPC and go to VRouters to add a route entry.

Enter the CIDR (Address Space) of the Azure Virtual Network as the destination CIDR block, choose VPN Gateway as the next hop type and select the VPN Gateway created earlier.

The IPSec VPN Tunnel setup on the Alibaba Cloud side is now complete!

Microsoft Azure - Setup Virtual Network Gateway

1. Create Virtual Network

The steps here are similar, as the Azure Virtual Network is the equivalent of Alibaba Cloud's VPC. The first step is to set up the Azure Virtual Network by pressing New -> Networking -> Virtual Network.

Enter all the required information; the most important item here is Address Space, which is the CIDR of Azure's private network.

Go to Virtual Networks to verify that it has been created successfully.

2. Create Virtual Network Gateway

Similarly, the Azure Virtual Network Gateway is the equivalent of Alibaba Cloud's VPN Gateway.

Create Azure Virtual Network Gateway by pressing New -> Networking -> Virtual Network Gateway.

Enter all the required information; the most important item here is to choose the Virtual Network created earlier.

3. Create Local Network Gateway

The Azure Local Network Gateway is the equivalent of Alibaba Cloud's Customer Gateway.

Create Azure Local Network Gateway by pressing New -> Networking -> Local Network Gateway.

Enter all the required information; the most important items here are:

IP address: Alibaba Cloud's VPN Gateway IP
Address space: Alibaba Cloud's VPC CIDR

4. Create VPN Connection

Create an Azure VPN Connection by going to Virtual Network Gateway -> Connections -> +Add.

Enter all the required information; the most important items here are:

Connection type: Site-to-site (IPSec)
Shared key (PSK): This pre-shared key must be the same as the one entered in Alibaba Cloud during VPN Connection creation.

The IPSec VPN Tunnel setup on the Microsoft Azure side is now complete!

Site-to-Site IPSec VPN Tunnel Test

1. VPN Connectivity Verification

Verify the VPN connection status on both sides. The Alibaba Cloud side's VPN Connection should show the status "Phase 2 of IKE Tunnel Negotiation Succeeded".

The Microsoft Azure side's VPN Connection should show the status "Connected".

2. Provision servers to test VPN Tunnel

In Alibaba Cloud, set up an ECS server in the same region and the same VPC as the VPN gateway.

Refer to this guide to set up a Linux ECS server.

In Microsoft Azure, set up a virtual machine in the same region and the same virtual network as the Virtual Network Gateway.

Refer to this guide to set up an Azure Virtual Machine.

3. Test IPSec VPN Tunnel Connectivity Using Telnet

As a summary, here is the information for the test servers provisioned:

Site              Server Private IP
Alibaba Cloud     172.21.223.245
Microsoft Azure   10.1.0.4

Log in to the Alibaba Cloud server and telnet to the Azure server's private IP on SSH port 22. The result should show "Connected to <Azure VM's private IP>".

Log in to the Azure server and telnet to the Alibaba Cloud server's private IP on SSH port 22. The result should show "Connected to <Alibaba Cloud ECS private IP>".
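The two checks a practitioner wants before and after the route entry step (Alibaba Cloud step 4) and the telnet test above, as an added example that is not part of the original guide: the two sites' address spaces must not overlap (otherwise the VPC route to the remote CIDR is ambiguous), each test server must really sit inside its own site's CIDR, and the TCP handshake to port 22 is the same test telnet performs. The /16 CIDRs and the VPN Gateway ID are constructed assumptions; the two private IPs are the ones from the table above.

```python
# Added example (not from the original guide): addressing sanity checks for
# the VPC route entry plus a socket-based version of the telnet port-22 test.
# The CIDRs and gateway ID are constructed assumptions; the server IPs come
# from the guide's test-server table.
import ipaddress
import socket

ALIBABA_VPC_CIDR = "172.21.0.0/16"   # assumed: Alibaba Cloud VPC address space
AZURE_VNET_CIDR = "10.1.0.0/16"      # assumed: Azure Virtual Network address space
ALIBABA_ECS_IP = "172.21.223.245"    # from the guide
AZURE_VM_IP = "10.1.0.4"             # from the guide


def address_spaces_overlap(local_cidr: str, remote_cidr: str) -> bool:
    """Site-to-site tunnels need disjoint prefixes; overlap breaks routing."""
    local = ipaddress.ip_network(local_cidr, strict=True)
    remote = ipaddress.ip_network(remote_cidr, strict=True)
    return local.overlaps(remote)


def vpc_route_entry(remote_cidr: str, vpn_gateway_id: str) -> dict:
    """The route entry added under VRouters: remote CIDR via the VPN Gateway."""
    if address_spaces_overlap(ALIBABA_VPC_CIDR, remote_cidr):
        raise ValueError(f"remote CIDR {remote_cidr} overlaps the local VPC")
    return {
        "destination_cidr": str(ipaddress.ip_network(remote_cidr)),
        "next_hop_type": "VPN Gateway",
        "next_hop_id": vpn_gateway_id,
    }


def host_in_site(ip: str, cidr: str) -> bool:
    """Confirm a test server's private IP lies inside its site's address space."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def tcp_port_open(ip: str, port: int = 22, timeout: float = 3.0) -> bool:
    """Same check as the guide's telnet test: complete a TCP handshake to port 22."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print(vpc_route_entry(AZURE_VNET_CIDR, "vpn-gw-PLACEHOLDER"))  # assumed ID
    print("Azure VM reachable over tunnel:", tcp_port_open(AZURE_VM_IP))
```

Run it from the Alibaba Cloud ECS instance after the tunnel shows "Phase 2 of IKE Tunnel Negotiation Succeeded"; a False from tcp_port_open with a correct route entry usually points at the VM's security group or NSG rather than the tunnel.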

Conclusion

This site-to-site IPSec VPN Tunnel solution allows customers who consume services in both Alibaba Cloud and Microsoft Azure to have secure connectivity between both sites over the Internet.
