VPN Gateway creates encrypted tunnels between your on-premises data center, office network, or clients and your virtual private cloud (VPC).
Use cases
Use case 1: Connect an on-premises data center to a VPC with IPsec-VPN
IPsec-VPN creates a Site-to-Site encrypted tunnel between an on-premises data center and a VPC, ideal for hybrid cloud networking and Express Connect backup.
IPsec-VPN comes in two deployment options:
- Attach to a VPN gateway: Connects your on-premises network to a single VPC.
- Attach to a transit router (TR): Connects your on-premises network to multiple VPCs.
Use case 2: Allow employees to remotely access a VPC with SSL-VPN
SSL-VPN creates a Client-to-Site encrypted connection between individual devices and a VPC, ideal for remote work. After an administrator grants access, employees install client software on their laptops or mobile devices to securely access applications deployed in the VPC.
Benefits
- Secure: Encrypts data in transit with IPsec or SSL to ensure data integrity.
- Stable: Active-active architecture with failover in seconds ensures session continuity.
- Simple: Ready on activation. Configurations take effect in real time for rapid deployment.
- Cost-effective: Uses Internet-based encrypted tunnels as a lower-cost alternative to Express Connect.
Choose a VPN type and get started
| Comparison | IPsec-VPN | SSL-VPN |
| --- | --- | --- |
| Connection targets | Fixed sites, such as corporate data centers and branch offices. | Individual clients, such as personal computers or mobile devices for remote work. |
| Typical use cases | Site-to-Site: Connects an on-premises network to a VPC to build a hybrid cloud environment. | Client-to-Site: Authorized employees securely access cloud applications, office systems, or development environments from any location. |
| Client requirements | Requires IPsec-compatible network devices such as routers or firewalls. | Users only need to install lightweight client software on their devices. |
| Protocol | Standard IPsec protocol (Network Layer). | SSL/TLS protocol (Application Layer). |
| Configuration complexity | High. Requires coordinated configuration on both cloud and on-premises devices. | Very low. After the administrator completes cloud-side setup, end users only install the client and log in. |
Get started with IPsec-VPN
An IPsec-VPN connection must be attached to a VPN gateway or a TR:
| Component | Description |
| --- | --- |
| VPN gateway | Cloud-side gateway for connecting an on-premises network to a single VPC. Has a public IP address to communicate with the on-premises gateway device. |
| TR | Cloud-side gateway for connecting an on-premises network to multiple VPCs. Requires a VPN connection on the TR with an associated IPsec-VPN connection. |
You also need a customer gateway and an IPsec-VPN connection:
| Component | Description |
| --- | --- |
| Customer gateway | A logical object on Alibaba Cloud that stores the public IP of your on-premises gateway device. Required to create an IPsec-VPN connection. |
| IPsec-VPN connection | The encrypted tunnel from the VPN gateway/TR to the customer gateway. Configure parameters for both ends: encryption algorithm, authentication algorithm, and Pre-Shared Key (PSK). |
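Because the tunnel only comes up when both ends agree on these parameters, it is worth checking the two configurations against each other before deployment. The following is an added example, not Alibaba Cloud code; the TunnelEnd fields, the weak-algorithm lists and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from hmac import compare_digest

# Algorithm choices widely considered obsolete for IKE/IPsec; their presence is a finding.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_AUTHENTICATION = {"md5", "sha1"}
WEAK_DH_GROUPS = {"group1", "group2"}
MIN_PSK_LENGTH = 16


@dataclass
class TunnelEnd:
    # One end of the IPsec-VPN connection; field names are assumptions for this example.
    name: str
    local_ip: str        # public IP of this end's gateway
    peer_ip: str         # public IP this end expects the other gateway to use
    encryption: str      # e.g. aes256
    authentication: str  # e.g. sha256
    dh_group: str        # e.g. group14
    psk: str             # pre-shared key


def check_tunnel(cloud: TunnelEnd, onprem: TunnelEnd) -> list[str]:
    """Return findings; an empty list means both ends agree and use acceptable settings."""
    findings = []
    # Each end's peer address must be the other end's public address: the customer
    # gateway object holds the on-premises device's public IP, the VPN gateway its own.
    if cloud.peer_ip != onprem.local_ip:
        findings.append(f"{cloud.name} peer {cloud.peer_ip} != {onprem.name} address {onprem.local_ip}")
    if onprem.peer_ip != cloud.local_ip:
        findings.append(f"{onprem.name} peer {onprem.peer_ip} != {cloud.name} address {cloud.local_ip}")
    # Encryption, authentication and DH group must be identical on both ends.
    for attr in ("encryption", "authentication", "dh_group"):
        a, b = getattr(cloud, attr).lower(), getattr(onprem, attr).lower()
        if a != b:
            findings.append(f"{attr} mismatch: {cloud.name}={a}, {onprem.name}={b}")
    # Flag obsolete algorithms wherever they appear.
    for end in (cloud, onprem):
        if end.encryption.lower() in WEAK_ENCRYPTION:
            findings.append(f"{end.name} uses weak encryption {end.encryption}")
        if end.authentication.lower() in WEAK_AUTHENTICATION:
            findings.append(f"{end.name} uses weak authentication {end.authentication}")
        if end.dh_group.lower() in WEAK_DH_GROUPS:
            findings.append(f"{end.name} uses weak DH group {end.dh_group}")
    # The PSK must match (compared in constant time) and must not be trivially short.
    if not compare_digest(cloud.psk.encode(), onprem.psk.encode()):
        findings.append("pre-shared key differs between the two ends")
    elif len(cloud.psk) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    return findings
```

Run check_tunnel on the cloud-side and on-premises parameter sets and fix every finding before bringing the connection up.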
For more information, see the following documents:
Get started with SSL-VPN
An SSL-VPN connection involves the following key components:
| Component | Description |
| --- | --- |
| VPN gateway | Serves as the cloud-side gateway for the VPN connection. It has a public IP address to communicate with clients. |
| SSL server | A service instance created on the VPN gateway after you enable SSL-VPN. Defines the protocol, port, encryption algorithm, and client CIDR block for connections. |
| SSL client | Software on an employee's computer or mobile device that establishes an encrypted connection with the SSL server, enabling access to cloud resources. |
For more information, see the following documents: