Connect an Azure database to Alibaba Cloud


To use an Azure database as the source or destination in a Data Transmission Service (DTS) task, you must configure network connectivity between Azure and Alibaba Cloud.

  • Public IP address: Enable public access on Azure, then add DTS server IP addresses to your database security settings.

  • Virtual private cloud (VPC): Establish an IPsec-VPN connection between your Azure virtual network (VNet) and an Alibaba Cloud VPC through VPN Gateway.

Connect over a public IP address

  1. Enable public access for your database on the Azure platform.

  2. Add the CIDR blocks of DTS servers in the corresponding region to your database security settings (security group rules, firewalls, and whitelists). The specific IP addresses depend on your DTS task type: data migration, data synchronization, or data validation.

Important

If the source database is an Azure SQL Managed Instance, you must use this method to connect the source database to Alibaba Cloud.

Connect over a VPC

Create a secure tunnel between an Azure VNet and an Alibaba Cloud VPC by using an IPsec-VPN connection.

Estimated time: 60 to 120 minutes (including gateway provisioning on both sides).

What you accomplish:

  • Create a VPN Gateway instance on Alibaba Cloud

  • Deploy VPN resources (gateway subnet, virtual network gateway, local network gateways, site-to-site connections) on Azure

  • Create customer gateways and an IPsec-VPN connection on Alibaba Cloud

  • Verify network connectivity between the two environments

Scenario


In this example, an enterprise has the following setup:

  • A VNet in the Germany West Central region on Azure with a VM instance.

  • A VPC in the Germany (Frankfurt) region on Alibaba Cloud with an Elastic Compute Service (ECS) instance.

  • The enterprise wants to connect the Azure VNet and the Alibaba Cloud VPC through an IPsec-VPN connection associated with a VPN Gateway.

Prerequisites

Before you begin, make sure you have:

  • A virtual network in the Germany West Central region on Azure, with a VM instance deployed in it. For instructions, see the Azure portal documentation.

  • A VPC in the Germany (Frankfurt) region on Alibaba Cloud, with an ECS instance.

  • Non-overlapping CIDR blocks for the Azure VNet and the Alibaba Cloud VPC.

Important

Plan CIDR blocks so that the Azure VNet and the Alibaba Cloud VPC address spaces do not overlap. The following example values are used throughout this guide:

| Resource | CIDR block | Instance IP address |
| --- | --- | --- |
| Alibaba Cloud VPC | 10.0.0.0/16 | ECS: 10.0.0.1 |
| Azure VNet | 192.168.0.0/16 | VM: 192.168.0.1 |

Security requirements

Configure security settings on both platforms to allow traffic between the VPC and VNet.

  • Alibaba Cloud: Security group rules must allow inbound and outbound traffic between the VPC (10.0.0.0/16) and the Azure VNet (192.168.0.0/16). For details, see Add a security group rule and Query security group rules.

  • Azure: Network security group rules must allow traffic from the Alibaba Cloud VPC CIDR block. For details, contact Azure support.

  • DTS-specific: Add the 100.104.0.0/16 CIDR block to the Azure local network gateways (Step 2) and to the Local Network field of the Alibaba Cloud IPsec-VPN connection (Step 3). DTS uses IP addresses in this block for data transmission. For the full list, see Add the CIDR blocks of DTS servers to a whitelist.
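The address plan above (non-overlapping VPC and VNet blocks, plus the 100.104.0.0/16 DTS block that goes into the Azure local network gateways and the Alibaba Cloud Local Network field) can be checked before any gateway is provisioned. The following is an added example, not part of this guide; it uses the guide's example values as input, additionally checks that neither block overlaps the DTS block, and its function and key names are this example's own.

```python
"""Address-plan check for the Azure <-> Alibaba Cloud IPsec-VPN above.

Added example, not part of the original guide. The guide's example CIDR
blocks are used as sample input; function and key names are this example's own.
"""
import ipaddress
from itertools import combinations

# Block DTS uses for data transmission; it is entered on both sides.
DTS_CIDR = ipaddress.ip_network("100.104.0.0/16")


def check_plan(vpc_cidr, vnet_cidr, ecs_ip, vm_ip):
    """Return a list of problems with the address plan (empty means OK)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    vnet = ipaddress.ip_network(vnet_cidr)
    problems = []
    # Prerequisite from the guide: VPC and VNet must not overlap. This
    # example additionally requires that neither overlaps the DTS block.
    blocks = [("Alibaba Cloud VPC", vpc), ("Azure VNet", vnet), ("DTS", DTS_CIDR)]
    for (name_a, net_a), (name_b, net_b) in combinations(blocks, 2):
        if net_a.overlaps(net_b):
            problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    # Each test instance must sit inside the block its side advertises,
    # otherwise the ping test in Step 4 cannot succeed.
    if ipaddress.ip_address(ecs_ip) not in vpc:
        problems.append(f"ECS {ecs_ip} is outside VPC {vpc}")
    if ipaddress.ip_address(vm_ip) not in vnet:
        problems.append(f"VM {vm_ip} is outside VNet {vnet}")
    return problems


def vpn_fields(vpc_cidr, vnet_cidr):
    """Return the CIDR lists to enter on each side (Steps 2 and 3)."""
    vpc = str(ipaddress.ip_network(vpc_cidr))
    vnet = str(ipaddress.ip_network(vnet_cidr))
    return {
        # Azure: address space of each local network gateway (Step 2, item 3)
        "azure_local_network_gateway": [vpc, str(DTS_CIDR)],
        # Alibaba Cloud IPsec-VPN connection (Step 3b): Local/Remote Network
        "alibaba_local_network": [vpc, str(DTS_CIDR)],
        "alibaba_remote_network": [vnet],
    }


if __name__ == "__main__":
    plan = ("10.0.0.0/16", "192.168.0.0/16", "10.0.0.1", "192.168.0.1")
    print(check_plan(*plan) or "address plan OK")
    print(vpn_fields(*plan[:2]))
```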

Step 1: Create a VPN Gateway instance on Alibaba Cloud

After creation, the VPN Gateway instance is assigned two IP addresses for the IPsec-VPN connection with the Azure VNet.

  1. Go to the and configure the following parameters. Only key parameters are listed here. For all parameters, see Create and manage a VPN Gateway instance.

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Name | Name for the VPN Gateway instance. | VPN Gateway |
    | Region | Region for the VPN Gateway instance. | Germany (Frankfurt) |
    | Gateway Type | Gateway type. | Standard |
    | Network Type | Network type. | Public |
    | Tunnels | Tunnel mode. For dual-tunnel vs. single-tunnel, see IPsec-VPN dual-tunnel mode. | Dual-tunnel (default) |
    | VPC | VPC to associate with the VPN Gateway instance. | Select the VPC in Germany (Frankfurt). |
    | vSwitch | A vSwitch from the VPC. In dual-tunnel mode, two vSwitches are required. The system creates an elastic network interface (ENI) in each vSwitch for traffic exchange. Each ENI uses one IP address from its vSwitch. After a VPN Gateway is created, the associated vSwitches cannot be changed. | Select a vSwitch in the VPC. |
    | vSwitch 2 | A second vSwitch. For zone-disaster recovery, select vSwitches in different zones. If the VPC has only one zone, select two different vSwitches in the same zone for high availability. If no second vSwitch exists, create one. | Select a second vSwitch. |
    | IPsec-VPN | Enable or disable IPsec-VPN. | Enable (default) |
    | SSL-VPN | Enable or disable SSL-VPN. | Disable (default) |

  2. Return to the VPN Gateway page. The instance state is initially Provisioning and changes to Active after 1 to 5 minutes, indicating the instance is ready for use.

  3. Note the two IP addresses assigned to the VPN Gateway instance. These are used in later steps.

    | VPN Gateway instance | IP address |
    | --- | --- |
    | VPN Gateway (vpn-gw8dickm386d2qi2g\*\*\*\*) | IPsec address 1 (active): 8.XX.XX.130; IPsec address 2 (standby): 8.XX.XX.75 |

Step 2: Deploy VPN resources on Azure

Configure the following VPN resources on Azure to establish the IPsec-VPN connection. For details, see the Azure portal documentation or contact Azure support.

  1. Create a gateway subnet in the virtual network. This subnet is required for the virtual network gateway.


  2. Create a virtual network gateway. Associate the gateway with the virtual network that connects to Alibaba Cloud. Enable active-active mode and create two public IP addresses. Use default values for other parameters. After creation, view the two public IP addresses assigned to the gateway on the Public IP addresses page. In this example: 4.XX.XX.224 and 4.XX.XX.166.

    Note

    Azure virtual network gateway creation can take 45 minutes or more. Monitor the deployment status on the gateway Overview page.


  3. Create two local network gateways. Each local network gateway corresponds to one IP address of the Alibaba Cloud VPN Gateway instance. Add the following CIDR blocks to each local network gateway:

    • Alibaba Cloud VPC: 10.0.0.0/16

    • DTS CIDR block: 100.104.0.0/16

    Important

    The 100.104.0.0/16 CIDR block is required for DTS data transmission. For more information, see Add the CIDR blocks of DTS servers to a whitelist.


  4. Create two site-to-site VPN connections. For each connection:

    • Set Connection type to Site-to-site (IPsec).

    • Associate the connection with the virtual network gateway.

    • Select the corresponding local network gateway.

    • Set the shared key. Use the same shared key for the corresponding Alibaba Cloud IPsec-VPN tunnel.

    • Use default values for other parameters.

    For the second connection, associate it with the other local network gateway. Keep all other settings the same.

    Important

    Both Alibaba Cloud and Azure support dual-tunnel mode, but they differ in tunnel architecture. An Azure IPsec-VPN connection binds both tunnels to the same local network gateway by default, while Alibaba Cloud assigns different IP addresses to each tunnel. To enable both tunnels, create two separate site-to-site VPN connections on Azure, each associated with a different local network gateway.


Step 3: Create an IPsec-VPN connection on Alibaba Cloud

After deploying Azure VPN resources, configure the Alibaba Cloud side to complete the IPsec-VPN connection.

3a. Create customer gateways

Create two customer gateways, one for each public IP address of the Azure virtual network gateway.

  1. Go to the page. In the top navigation bar, select Germany (Frankfurt).

  2. In the Create Customer Gateway panel, configure the following parameters and click OK. Only key parameters are listed. For all parameters, see Customer gateways.

    | Parameter | Customer Gateway 1 | Customer Gateway 2 |
    | --- | --- | --- |
    | Name | Customer Gateway 1 | Customer Gateway 2 |
    | IP Address | 4.XX.XX.224 | 4.XX.XX.166 |

3b. Create an IPsec-VPN connection

  1. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  2. On the IPsec Connections page, click Bind VPN Gateway.

  3. On the Create IPsec-VPN Connection (VPN Gateway) page, configure the following parameters and click OK.

    Important

    Add 100.104.0.0/16 to Local Network because DTS uses IP addresses in this CIDR block for data transmission.

    Important

    The pre-shared key for each tunnel must match the shared key of its corresponding Azure site-to-site VPN connection. Mismatched keys prevent the IPsec-VPN connection from being established.

    | Parameter | Description | Example |
    | --- | --- | --- |
    | IPsec-VPN Connection Name | Name for the connection. | IPsec-VPN Connection |
    | Region | Region of the VPN Gateway. The connection is created in the same region. | Germany (Frankfurt) |
    | Filter By Resource Group | Resource group of the VPN Gateway. | Default resource group |
    | Associate With VPN Gateway | VPN Gateway to associate. | Select the VPN Gateway created in Step 1. |
    | Routing Mode | Routing mode. Destination Routing Mode routes traffic by destination IP. Protected Data Flows (also referred to as policy-based routing) routes traffic by source and destination IP. | Protected Data Flows |
    | Local Network | CIDR blocks of the VPC associated with the VPN Gateway. | 10.0.0.0/16 and 100.104.0.0/16 |
    | Remote Network | CIDR block of the Azure VNet. | 192.168.0.0/16 |
    | Effective Immediately | Start negotiations immediately or wait for inbound traffic. | Yes |
    | Enable BGP | Enable Border Gateway Protocol (BGP) dynamic routing. | Disabled (default) |

    Tunnel 1 (Primary):

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Customer Gateway | Customer gateway for the primary tunnel. | Customer Gateway 1 |
    | Pre-Shared Key | Authentication key (1 to 100 characters: digits, letters, and special characters). Must match the corresponding Azure VPN connection shared key. If not specified, the system generates a 16-character key. | Same key as the Azure VPN connection |
    | Encryption Configurations | IKE, IPsec, Dead Peer Detection (DPD), and NAT traversal settings. | Default values. For details, see IPsec-VPN connections. |

    Tunnel 2 (Backup):

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Customer Gateway | Customer gateway for the backup tunnel. | Customer Gateway 2 |
    | Pre-Shared Key | Must match the corresponding Azure VPN connection shared key. | Same key as the Azure VPN connection |
    | Encryption Configurations | IKE, IPsec, DPD, and NAT traversal settings. | Default values |

  4. In the Created message, click Cancel.

3c. Publish the policy-based route

After the IPsec-VPN connection is created with Protected Data Flows routing, the system automatically generates a policy-based route. Publish this route to the VPC.

  1. In the left navigation pane, choose Interconnections > VPN > VPN Gateways.

  2. In the top navigation bar, select the region of the VPN Gateway.

  3. Click the ID of the VPN Gateway.

  4. On the details page, click the Policy-based Route Table tab. Find the route and click Advertise in the Actions column.

  5. In the Advertise Route dialog box, click OK.

Step 4: Verify network connectivity

After completing the configuration on both platforms, test the connection.

Important

Before testing, make sure security group rules on both Alibaba Cloud and Azure allow traffic between the VPC and VNet. See Security requirements.

  1. Log in to an Azure VM instance in the Azure VNet. For instructions, see the Azure portal documentation.

  2. Run the ping command to reach the private IP address of the Alibaba Cloud ECS instance:

       ping 10.0.0.1

    A successful reply confirms that the Azure VNet and the Alibaba Cloud VPC can communicate.


Troubleshooting

If the ping test fails, check the following items:

  1. Check IPsec-VPN connection status. On the Alibaba Cloud VPN Gateway console, verify that the IPsec-VPN connection status is Connected and both tunnels are up.

  2. Verify route advertisement. Confirm that the policy-based route is published to the VPC (Advertised status on the Policy-based Route Table tab).

  3. Check security group rules. On both Alibaba Cloud and Azure, confirm that security group rules allow ICMP traffic and the relevant CIDR blocks.

  4. Verify Azure VPN connection status. On the Azure portal, check the site-to-site VPN connection status. If the connection shows as Not connected, verify that the pre-shared key and encryption settings match between Azure and Alibaba Cloud.

  5. Reset the VPN gateway. If the connection was previously working, try resetting the Azure virtual network gateway. For instructions, see the Azure VPN Gateway documentation.

Next steps

After connectivity is established, add the CIDR blocks of DTS servers to your database security settings (security group rules, firewall policies, and whitelists). The specific IP addresses depend on your DTS task type: