User Guide - docs.otc.t-systems.com


Virtual Private Network

User Guide

Date 2019-02-22


Contents

1 Overview
1.1 Virtual Private Network
1.2 IPsec VPN
1.3 Application Scenarios
1.4 Reference Standards and Protocols
1.5 Region and AZ

2 Getting Started
2.1 (Optional) Create a VPC
2.2 (Optional) Create a Subnet for the VPC
2.3 Creating a VPN
2.4 (Optional) Configure Security Group Rules
2.4.1 Creating a Security Group
2.4.2 Adding a Security Group Rule
2.4.3 Deleting a Security Group Rule

3 Management
3.1 Viewing a VPN
3.2 Modifying a VPN
3.3 Deleting a VPN
3.4 Managing VPN Tags

4 VPN Best Practice
4.1 Connecting to a VPC Through a VPN

5 FAQs
5.1 How Many IPsec VPNs Can I Have?
5.2 Do IPsec VPNs Support Automatic Negotiation?
5.3 What Do I Do If VPN Setup Fails?
5.4 How Can I Handle the Failure in Accessing the ECSs from My Data Center or LAN Even If the VPN Has Been Set Up?
5.5 What Do I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?
5.6 Does a VPN Allow for Communication Between Two VPCs?
5.7 What Is the Limitation on the Number of Local and Remote Subnets of a VPN?
5.8 Why Is Not Connected Displayed as the Status for a Successfully Created VPN?


5.9 How Long Is Required for Issued VPN Configurations to Take Effect?
5.10 How Do I Configure a Remote Device for a VPN?
5.11 Which Remote VPN Devices Are Supported?
5.12 What Can I Do If the VPN Fails or the Network Speed of the VPN Is Slow?
5.13 Are SSL VPNs Supported?
5.14 What Is the VPN Quota?

A Change History


1 Overview

1.1 Virtual Private Network

A Virtual Private Network (VPN) establishes an encrypted, Internet-based communications tunnel between a user and a Virtual Private Cloud (VPC). With VPN, you can connect to a VPC and access service resources in it.

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN.

A VPN consists of a VPN gateway and one or more VPN connections. A VPN gateway provides an Internet egress for a VPC and works together with the remote gateway in the local data center. A VPN connection uses Internet-based encryption technology to connect the VPN gateway and the remote gateway so that the local data center and the VPC can communicate. The VPN connection allows you to quickly build a secure hybrid cloud environment. Figure 1-1 shows the VPN networking.

Figure 1-1 VPN networking

1.2 IPsec VPN

The Internet Protocol Security (IPsec) VPN is an encrypted tunneling technology that uses encrypted security services to establish confidential and secure communication tunnels between different networks.

In Figure 1-2, a VPC has two subnets: 192.168.1.0/24 and 192.168.2.0/24. On your router deployed in your physical data center, you also have two subnets: 192.168.3.0/24 and 192.168.4.0/24. You can use VPN to enable subnets in your VPC to communicate with those in your data center.

Figure 1-2 IPsec VPN

Currently, the site-to-site VPN and hub-spoke VPN are supported. You need to set up VPNs in both your data center and the VPC to establish the VPN connection.

You must ensure that the VPN in your VPC and that in your data center use the same IKE and IPsec policy configurations. Before creating a VPN, familiarize yourself with the protocols described in Table 1-1 and ensure that your device meets the requirements and configuration constraints of the involved protocols.

Table 1-1 Involved protocols

Protocol: RFC 2409
Description: Defines the IKE protocol, which negotiates and verifies key information to safeguard VPNs.
Constraints:
● Use the pre-shared key (PSK) to reach an IKE peer agreement.
● Use the main mode for negotiation.

Protocol: RFC 4301
Description: Defines the IPsec architecture, the security services that IPsec offers, and the collaboration between components.
Constraint: Use the IPsec tunnel to set up a VPN connection.

1.3 Application Scenarios

With the VPN between the VPC and your traditional data center, you can easily use the ECSs and block storage resources provided by the cloud platform. Applications can be migrated to the cloud and additional web servers can be deployed to increase the computing capacity on a network. In this way, a hybrid cloud is built, which reduces IT O&M costs and protects enterprise core data from being leaked.

The VPN service allows you to set up site-to-site VPN connections or VPN connections from one site to multiple sites.


Site-to-site VPN connection

You can set up a VPN to connect a local data center to a VPC, thus building a hybrid cloud. Figure 1-3 shows a site-to-site VPN connection.

Figure 1-3 Site-to-site VPN connection

VPN connection from one site to multiple sites

You can also set up a VPN to connect multiple local data centers to a VPC, thus building a hybrid cloud. Figure 1-4 shows a VPN connection from one site to multiple sites.

The subnet CIDR blocks of each site involved in the VPN connection cannot overlap.

Figure 1-4 VPN connection from one site to multiple sites

1.4 Reference Standards and Protocols

The following standards and protocols are associated with the IPsec VPN:

● RFC 4301: Security Architecture for the Internet Protocol
● RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
● RFC 2409: The Internet Key Exchange (IKE)
● RFC 2857: The Use of HMAC-RIPEMD-160-96 within ESP and AH
● RFC 3566: The AES-XCBC-MAC-96 Algorithm and its use with IPsec
● RFC 3625: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
● RFC 3664: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
● RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
● RFC 3748: Extensible Authentication Protocol (EAP)
● RFC 3947: Negotiation of NAT-Traversal in the IKE
● RFC 4109: Algorithms for Internet Key Exchange version 1 (IKEv1)
● RFC 3948: UDP Encapsulation of IPsec ESP Packets
● RFC 4305: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
● RFC 4306: Internet Key Exchange (IKEv2) Protocol
● RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
● RFC 4322: Opportunistic Encryption using the Internet Key Exchange (IKE)
● RFC 4359: The Use of RSA/SHA-1 Signatures within Encapsulating Security Payload (ESP) and Authentication Header (AH)
● RFC 4434: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
● RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2)
● RFC 5996: Internet Key Exchange Protocol Version 2 (IKEv2)

1.5 Region and AZ

Concept

A region and availability zone (AZ) identify the location of a data center. You can create resources in a specific region and AZ.

● A region is a physical data center, which is completely isolated to improve fault tolerance and stability. The region that is selected during resource creation cannot be changed after the resource is created.

● An AZ is a physical location where resources use independent power supplies and networks. A region contains one or more AZs that are physically isolated but interconnected through internal networks. Because AZs are isolated from each other, any fault that occurs in an AZ will not affect other AZs.

Figure 1-5 shows the relationship between regions and AZs.


Figure 1-5 Regions and AZs

Selecting a Region

Select a region closest to your target users for low network latency and quick access.

Selecting an AZ

When deploying resources, consider your applications' requirements on disaster recovery (DR) and network latency.

● For high DR capability, deploy resources in different AZs within the same region.

● For low network latency, deploy resources in the same AZ.

Regions and Endpoints

Before you use an API to call resources, specify its region and endpoint. For more details, see Regions and Endpoints.


2 Getting Started

2.1 (Optional) Create a VPC

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

Create a VPC by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.

Procedure

1. Log in to the management console.
2. Click in the upper left corner and select the desired region and project.
3. On the console homepage, under Network, click Virtual Private Cloud.
4. Click Create VPC.
5. On the Create VPC page, set parameters as prompted.
   During VPC creation, a default subnet will be created and you can also click Add Subnet to create more subnets for the VPC.


Table 2-1 VPC parameter description

Basic Information

● Region: Specifies the desired region. Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region. Example value: eu-de

● Name: Specifies the VPC name. Example value: VPC-001

● CIDR Block: Specifies the CIDR block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC). The following CIDR blocks are supported: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255. Example value: 192.168.0.0/16

● Tag: Specifies the VPC tag, which consists of a key and value pair. You can add a maximum of ten tags to each VPC. The tag key and value must meet the requirements listed in Table 2-2. Example values: Key: vpc_key1, Value: vpc-01

Subnet Settings

● Name: Specifies the subnet name. Example value: Subnet

● CIDR Block: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. Example value: 192.168.0.0/24

● Gateway: Specifies the gateway address of the subnet. Example value: 192.168.0.1

● DNS Server Address: The external DNS server address is used by default. If you need to change the DNS server address, ensure that the configured DNS server address is available. Example value: 192.168.1.0

● NTP Server Address: Specifies the NTP server IP address. A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). Example value: 192.168.2.1

● Tag: Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. The tag key and value must meet the requirements listed in Table 2-3. Example values: Key: subnet_key1, Value: subnet-01


Table 2-2 VPC tag key and value requirements

Key (example value: vpc_key1)
● Cannot be left blank.
● Must be unique for the same VPC and can be the same for different VPCs.
● Can contain a maximum of 36 characters.
● Can contain only the following character types:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including hyphens (-) and underscores (_)

Value (example value: vpc-01)
● Can contain a maximum of 43 characters.
● Can contain only the following character types:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including hyphens (-) and underscores (_)

Table 2-3 Subnet tag key and value requirements

Key (example value: subnet_key1)
● Cannot be left blank.
● Must be unique for each subnet.
● Can contain a maximum of 36 characters.
● Can contain only the following character types:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including hyphens (-) and underscores (_)

Value (example value: subnet-01)
● Can contain a maximum of 43 characters.
● Can contain only the following character types:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including hyphens (-) and underscores (_)

6. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.
7. Click Create Now.

2.2 (Optional) Create a Subnet for the VPC

Scenarios

You can add subnets during VPC creation. If required, you can also create subnets for an existing VPC.

The created subnet is configured with DHCP by default. After an ECS using this VPC starts, the ECS automatically obtains an IP address using DHCP.

Procedure

1. Log in to the management console.
2. Click in the upper left corner and select the desired region and project.
3. On the console homepage, under Network, click Virtual Private Cloud.
4. In the navigation pane on the left, click Virtual Private Cloud.
5. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.
6. On the displayed Subnets tab, click Create Subnet.
7. In the Create Subnet area, set parameters as prompted.


Figure 2-1 Create Subnet

Table 2-4 Parameter description

● Name: Specifies the subnet name. Example value: Subnet

● CIDR Block: Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range. Example value: 192.168.0.0/24

● Gateway: Specifies the gateway address of the subnet. Example value: 192.168.0.1

● NTP Server Address: Specifies the NTP server IP address. A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,). Example value: 192.168.2.1

● Tag: Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet. The tag key and value must meet the requirements listed in Table 2-5. Example values: Key: subnet_key1, Value: subnet-01

● DNS Server Address: The external DNS server address is used by default. If you need to change the DNS server address, ensure that the configured DNS server address is available. Example value: -


Table 2-5 Subnet tag key and value requirements

Key (example value: subnet_key1)
● Cannot be left blank.
● Must be unique for each subnet.
● Can contain a maximum of 36 characters.
● Can contain only the following character types:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including hyphens (-) and underscores (_)

Value (example value: subnet-01)
● Can contain a maximum of 43 characters.
● Can contain only the following character types:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including hyphens (-) and underscores (_)

8. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.
9. Click OK.

Precautions

After a subnet is created, five IP addresses in the subnet will be reserved and cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP addresses are reserved:

● 192.168.0.0: Network address.
● 192.168.0.1: Gateway address.
● 192.168.0.253: Reserved for the system interface. This IP address is used by the VPC for external communication.
● 192.168.0.254: DHCP service address.
● 192.168.0.255: Network broadcast address.

If you set Advanced Settings to Custom during subnet creation, the reserved IP addresses may be different from the preceding default ones. The system will reserve five IP addresses based on your subnet settings.
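The following Python script is an added example, not the console's or this guide's own code: it applies the reserved-address rule above together with the CIDR constraints of Table 2-1, checking that a VPC block lies inside one of the three supported private ranges, that a subnet lies inside its VPC, and that an address you plan to assign by hand does not collide with one of the five reserved addresses. Extending the reserved positions beyond the /24 case in the guide is this example's assumption.

```python
"""Plan a VPC subnet against the rules in this guide: the VPC CIDR block must
fall inside one of the three supported private ranges (Table 2-1), a subnet
must lie inside the VPC block, and five addresses per subnet are reserved.
Added example, not the console's own code."""
import ipaddress
from typing import Dict, Sequence

# Supported VPC CIDR ranges from Table 2-1, written as prefixes.
SUPPORTED_VPC_RANGES = [ipaddress.ip_network(c) for c in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vpc_cidr_supported(vpc_cidr: str) -> bool:
    """True when the VPC block lies entirely inside one supported range."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return any(vpc.subnet_of(r) for r in SUPPORTED_VPC_RANGES)


def reserved_addresses(subnet_cidr: str, gateway: str = "") -> Dict[str, str]:
    """The five addresses the platform reserves in a subnet.

    The guide lists them for 192.168.0.0/24: .0 (network), .1 (gateway),
    .253 (system interface), .254 (DHCP) and .255 (broadcast). Applying the
    same positions (first, gateway, last-2, last-1, last) to other prefix
    lengths is an assumption of this example; with Advanced Settings set to
    Custom the real reservations may differ."""
    net = ipaddress.ip_network(subnet_cidr)
    gw = ipaddress.ip_address(gateway) if gateway else net.network_address + 1
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")
    return {
        "network": str(net.network_address),
        "gateway": str(gw),
        "system_interface": str(net.broadcast_address - 2),
        "dhcp": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
    }


def plan_subnet(vpc_cidr: str, subnet_cidr: str, gateway: str = "",
                static_hosts: Sequence[str] = ()) -> Dict[str, object]:
    """Validate a subnet plan and report what is usable.

    `static_hosts` are addresses you intend to assign by hand (constructed
    input for this example); any that collide with a reserved address are
    reported so they can be moved before an ECS is launched."""
    findings = []
    vpc, net = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(subnet_cidr)
    if not vpc_cidr_supported(vpc_cidr):
        findings.append(f"VPC block {vpc} is outside the supported private ranges")
    # Table 2-1: a subnet block must be within the VPC block (equal is allowed).
    if not net.subnet_of(vpc):
        findings.append(f"subnet {net} is not within VPC block {vpc}")
    reserved = reserved_addresses(subnet_cidr, gateway)
    taken = set(reserved.values())
    for host in static_hosts:
        addr = ipaddress.ip_address(host)
        if addr not in net:
            findings.append(f"{addr} is not in subnet {net}")
        elif str(addr) in taken:
            role = next(k for k, v in reserved.items() if v == str(addr))
            findings.append(f"{addr} is reserved ({role})")
    # Five of the block's addresses are never assignable.
    return {"reserved": reserved, "usable_hosts": net.num_addresses - 5,
            "findings": findings}
```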


2.3 Creating a VPN

Overview

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. You need to create a VPN in your VPC and update the security group rules.

Description of a Simple IPsec VPN Intranet Topology

In Figure 2-2, a VPC has two subnets: 192.168.1.0/24 and 192.168.2.0/24. On your router deployed in your physical data center, you also have two subnets: 192.168.3.0/24 and 192.168.4.0/24. You can create a VPN to enable subnets in your VPC to communicate with those in your data center.

Figure 2-2 IPsec VPN

Currently, the site-to-site VPN and hub-spoke VPN are supported. You need to set up VPNs in both your data center and the VPC to establish the VPN connection.

Ensure that the VPN in your VPC and that in your data center use the same Internet Key Exchange (IKE) and IPsec policy configurations. Before creating a VPN, familiarize yourself with the protocols described in Table 2-6 and ensure that your device meets the requirements and configuration constraints of the involved protocols.

Table 2-6 Involved protocols

Protocol: RFC 2409
Description: Defines the IKE protocol, which negotiates and verifies key information to safeguard VPNs.
Constraints:
● Use the pre-shared key (PSK) to reach an IKE peer agreement.
● Use the main mode and aggressive mode for negotiation.

Protocol: RFC 4301
Description: Defines the IPsec architecture, the security services that IPsec offers, and the collaboration between components.
Constraint: Use the IPsec tunnel to set up a VPN connection.

Scenarios

Perform the following procedure to create a VPN that sets up a secure, isolated communication tunnel between your data center and cloud services.

Procedure

1. Log in to the management console.
2. Click in the upper left corner and select the desired region and project.
3. On the console homepage, under Network, click Virtual Private Network.
4. On the Virtual Private Network page, click Create VPN.
5. Set the parameters as prompted and click Create Now.

Figure 2-3 Creating a VPN


Table 2-7 Basic parameters

● Region: Specifies the desired region. Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region. Example value: eu-de

● Name: Specifies the VPN name. Example value: VPN-001

● VPC: Specifies the VPC name. Example value: VPC-001

● Local Subnet: A local subnet is a VPC subnet that accesses a customer network through a VPN.
– Select subnet: If you select this option, you can then select the subnets that need to communicate with your data center.
– Specify CIDR block: If you select this option, you can then enter the CIDR blocks that need to communicate with your data center.
Example value: 192.168.1.0/24, 192.168.2.0/24

● Remote Gateway: Specifies the public IP address of the VPN in your data center or on the private network. This IP address is used for communicating with the VPN in the VPC. Example value: N/A

● Remote Subnet: A remote subnet is a subnet in the customer data center that accesses a VPC through a VPN. The remote and local subnets cannot have overlapping or matching CIDR blocks. The remote subnet CIDR block cannot overlap with CIDR blocks involved in existing VPC peering connections created for the local VPC. Example value: 192.168.3.0/24, 192.168.4.0/24

● PSK: Specifies the pre-shared key, which is a private key shared by two ends of a VPN connection. The PSK configurations for both ends of a VPN connection must be the same. This key is used for VPN connection negotiation. The value is a string of 6 to 128 characters. Example value: Test@123

● Confirm PSK: Specifies the confirm pre-shared key. Example value: Test@123

● Tag: Specifies the VPN tag, which consists of a key and value pair. You can add a maximum of ten tags to each VPN. The tag key and value must meet the requirements listed in Table 2-8. Example values: Key: vpn_key1, Value: vpn-01

● Advanced Settings:
– Default: uses default IKE and IPsec policies.
– Existing: uses existing IKE and IPsec policies. This option is available only after you have created IKE and IPsec policies.
– Custom: uses custom IKE and IPsec policies. For details about the policies, see Table 2-9 and Table 2-10.
Example value: Custom


Table 2-8 VPN tag key and value requirements

Key (example value: vpn_key1)
● Cannot be left blank.
● Must be unique for the same VPN and can be the same for different VPNs.
● Contains a maximum of 36 characters.
● Can contain only the following character types:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including hyphens (-) and underscores (_)

Value (example value: vpn-01)
● Can contain a maximum of 43 characters.
● Can contain only the following character types:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including hyphens (-) and underscores (_)

Table 2-9 IKE policy

● Authentication Algorithm: Specifies the authentication hash algorithm. The value can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5. The default value is SHA1. Example value: SHA1

● Encryption Algorithm: Specifies the encryption algorithm. The value can be AES-128, AES-192, AES-256, or 3DES. The 3DES algorithm is not recommended because it is risky. The default value is AES-128. Example value: AES-128

● DH Algorithm: Specifies the Diffie-Hellman key exchange algorithm. The value can be Group 1, Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, or Group 21. The DH group security level from the highest to lowest is as follows: Group 21 > Group 20 > Group 19 > Group 16 > Group 15 > Group 14 > Group 5 > Group 2 > Group 1. The default value is Group 5. Example value: Group 5

● Version: Specifies the version of the IKE protocol. The value can be v1 or v2. The default value is v1. Example value: v1

● Lifecycle (s): Specifies the lifetime of the security association (SA), in seconds. The SA will be renegotiated if its lifetime expires. The default value is 86400. Example value: 86400

● Negotiation Mode: If the IKE policy version is v1, the negotiation mode can be configured. The value can only be Main. The default value is Main. Example value: Main

Table 2-10 IPsec policy

● Authentication Algorithm: Specifies the authentication hash algorithm. The value can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5. The default value is SHA1. Example value: SHA1

● Encryption Algorithm: Specifies the encryption algorithm. The value can be AES-128, AES-192, AES-256, or 3DES. The 3DES algorithm is not recommended because it is risky. The default value is AES-128. Example value: AES-128

● PFS: Specifies the perfect forward secrecy (PFS), which is used to configure the IPsec tunnel negotiation. This function enables two parties to exchange the DH keys during the phase-two negotiation, improving key security. It is recommended that you enable this function. You can disable this function by selecting Disable from the drop-down list. The PFS used at the two sides of a VPN must be the same. Otherwise, the negotiation will fail. If you disable this function on the console, you also need to disable it at the customer side of the VPN. The value can be DH group 1, DH group 2, DH group 5, DH group 14, DH group 15, DH group 16, DH group 19, DH group 20, or DH group 21. The PFS group security level from the highest to lowest is as follows: DH group 21 > DH group 20 > DH group 19 > DH group 16 > DH group 15 > DH group 14 > DH group 5 > DH group 2 > DH group 1. The default value is DH group 5. Example value: DH group 5

● Transfer Protocol: Specifies the security protocol used for IPsec to transmit and encapsulate user data. The value can be AH, ESP, or AH-ESP. The default value is ESP. Example value: ESP

● Lifecycle (s): Specifies the lifetime of the SA, in seconds. The SA will be renegotiated if its lifetime expires. The default value is 3600. Example value: 3600


The IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. The IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. These parameters must be the same between the VPN in your VPC and that in your data center. If they are different, the VPN cannot be set up.

6. Click Submit.

After the IPsec VPN is created, a public network egress IP address is assigned to the IPsec VPN. The IP address is the local gateway address of a created VPN on the network console. When configuring the remote tunnel in your data center, you must set the remote gateway address to this IP address.

Figure 2-4 Gateway egress IP address

7. Due to the symmetry of the tunnel, you also need to configure the IPsec VPN on your router or firewall in the data center.

– For the protocols supported by VPN connections, see section 1.4 Reference Standards and Protocols.

– For a list of supported VPN devices, see 5.11 Which Remote VPN Devices Are Supported?.
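As an added Python example (not from the guide), the following compares the IKE and IPsec policy values of Table 2-9 and Table 2-10 on the cloud side and the data-center side: it lists every parameter that differs (any difference prevents the VPN from being set up), rejects values outside the tables, ranks DH and PFS groups by the guide's ordering, and flags the choices the guide discourages. The field names, the two constructed sample policies and the extra MD5 and low-DH-group warnings are this example's own assumptions.

```python
"""Compare the IKE and IPsec policies on the two sides of an IPsec VPN.

Added example, not from the guide. Field names and allowed values follow
Table 2-9 (IKE) and Table 2-10 (IPsec); the sample policies are constructed."""
from dataclasses import dataclass, fields
from typing import List, Optional, Sequence

AUTH_ALGS = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512", "MD5"}
ENC_ALGS = {"AES-128", "AES-192", "AES-256", "3DES"}
TRANSFER_PROTOCOLS = {"AH", "ESP", "AH-ESP"}
# DH/PFS groups from lowest to highest security level
# (Table 2-9: Group 21 > 20 > 19 > 16 > 15 > 14 > 5 > 2 > 1).
DH_ORDER = [1, 2, 5, 14, 15, 16, 19, 20, 21]
# The guide calls 3DES risky and recommends enabling PFS. Flagging MD5 and
# the two lowest DH groups as well is this example's own assumption.
WEAK_AUTH, WEAK_ENC, WEAK_DH = {"MD5"}, {"3DES"}, {1, 2}


@dataclass
class IkePolicy:                  # Table 2-9
    auth: str = "SHA1"            # Authentication Algorithm
    enc: str = "AES-128"          # Encryption Algorithm
    dh_group: int = 5             # DH Algorithm (Group N)
    version: str = "v1"           # Version
    lifetime: int = 86400         # Lifecycle (s)


@dataclass
class IpsecPolicy:                # Table 2-10
    auth: str = "SHA1"            # Authentication Algorithm
    enc: str = "AES-128"          # Encryption Algorithm
    pfs_group: Optional[int] = 5  # PFS (DH group N); None = Disable
    protocol: str = "ESP"         # Transfer Protocol
    lifetime: int = 3600          # Lifecycle (s)


@dataclass
class VpnSide:
    name: str
    ike: IkePolicy
    ipsec: IpsecPolicy
    psk: str


def dh_rank(group: int) -> int:
    """Position of a DH group in the guide's ordering; higher is stronger."""
    return DH_ORDER.index(group)


def strongest_common_dh(local: Sequence[int], remote: Sequence[int]) -> Optional[int]:
    """Highest-ranked DH group both devices support, or None if they share none."""
    common = set(local) & set(remote)
    return max(common, key=dh_rank) if common else None


def validate_side(side: VpnSide) -> List[str]:
    """Problems with one side's policy: values outside the tables, or
    choices the guide (or this example) flags as weak."""
    ike, sec, n = side.ike, side.ipsec, side.name
    p: List[str] = []
    for label, value, choices in (
        ("IKE authentication algorithm", ike.auth, AUTH_ALGS),
        ("IKE encryption algorithm", ike.enc, ENC_ALGS),
        ("IKE DH group", ike.dh_group, DH_ORDER),
        ("IKE version", ike.version, {"v1", "v2"}),
        ("IPsec authentication algorithm", sec.auth, AUTH_ALGS),
        ("IPsec encryption algorithm", sec.enc, ENC_ALGS),
        ("IPsec transfer protocol", sec.protocol, TRANSFER_PROTOCOLS),
        ("PFS group", sec.pfs_group, DH_ORDER + [None]),
    ):
        if value not in choices:
            p.append(f"{n}: {label} {value!r} is not an allowed value")
    if ike.auth in WEAK_AUTH or sec.auth in WEAK_AUTH:
        p.append(f"{n}: MD5 selected as authentication algorithm")
    if ike.enc in WEAK_ENC or sec.enc in WEAK_ENC:
        p.append(f"{n}: 3DES selected; the guide does not recommend it")
    if ike.dh_group in WEAK_DH:
        p.append(f"{n}: IKE DH group {ike.dh_group} is among the lowest groups")
    if sec.pfs_group is None:
        p.append(f"{n}: PFS disabled; the guide recommends enabling it")
    elif sec.pfs_group in WEAK_DH:
        p.append(f"{n}: PFS group {sec.pfs_group} is among the lowest groups")
    return p


def compare_sides(local: VpnSide, remote: VpnSide) -> List[str]:
    """Parameters that differ between the two sides. The guide states that the
    IKE/IPsec policies and the PSK must match, or the VPN cannot be set up."""
    diff: List[str] = []
    for section in ("ike", "ipsec"):
        a, b = getattr(local, section), getattr(remote, section)
        diff += [f"{section}.{f.name}" for f in fields(a)
                 if getattr(a, f.name) != getattr(b, f.name)]
    if local.psk != remote.psk:
        diff.append("psk")
    return diff


if __name__ == "__main__":
    # Constructed sample: the cloud side keeps the table defaults; the
    # data-center device was left on DH group 2 with PFS disabled.
    cloud = VpnSide("cloud", IkePolicy(), IpsecPolicy(), "psk-A")
    dc = VpnSide("dc", IkePolicy(dh_group=2), IpsecPolicy(pfs_group=None), "psk-B")
    print("\n".join(validate_side(dc) + compare_sides(cloud, dc)))
    print("strongest common DH group:", strongest_common_dh([2, 5, 14], [5, 14, 19]))
```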

2.4 (Optional) Configure Security Group Rules

2.4.1 Creating a Security Group

Scenarios

To improve ECS access security, you can create a security group, define security group rules, and add ECSs in the VPC to the security group. We recommend that you allocate ECSs that have different Internet access policies to different security groups.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, choose Access Control > Security Groups.

5. On the Security Groups page, click Create Security Group.

6. In the Create Security Group area, set the parameters as prompted. Table 2-11 lists the parameters to be configured.


Figure 2-5 Create Security Group

Table 2-11 Parameter description

Name
  Description: Specifies the security group name. This parameter is mandatory. The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
  NOTE: You can change the security group name after a security group is created. It is recommended that you use different names for different security groups.
  Example value: sg-318b

Description
  Description: Provides supplementary information about the security group. This parameter is optional. The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
  Example value: N/A

7. Click OK.


2.4.2 Adding a Security Group Rule

Scenarios

After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). After ECSs are added to the security group, they are protected by the rules of that group.

● Inbound rules control incoming traffic to ECSs associated with the security group.

● Outbound rules control outgoing traffic from ECSs associated with the security group.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, choose Access Control > Security Groups.

5. On the Security Groups page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.

6. On the inbound rule tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.

You can click + to add more inbound rules.

Figure 2-6 Add Inbound Rule

Table 2-12 Inbound rule parameter description

Protocol/Application
  Description: Specifies the network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
  Example value: TCP

Port & Source
  Port: specifies the port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.
  Example value: 22 or 22-30
  Source: specifies the source of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example:
    ● xxx.xxx.xxx.xxx/32 (IPv4 address)
    ● xxx.xxx.xxx.0/24 (subnet CIDR block)
    ● 0.0.0.0/0 (any IP address)
  Example value: 0.0.0.0/0 (default)

Description
  Description: Provides supplementary information about the security group rule. This parameter is optional. The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
  Example value: N/A

7. On the outbound rule tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule.

You can click + to add more outbound rules.

Figure 2-7 Add Outbound Rule

Table 2-13 Outbound rule parameter description

Protocol/Application
  Description: Specifies the network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
  Example value: TCP

Port & Destination
  Port: specifies the port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535.
  Example value: 22 or 22-30
  Destination: specifies the destination of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example:
    ● xxx.xxx.xxx.xxx/32 (IPv4 address)
    ● xxx.xxx.xxx.0/24 (subnet CIDR block)
    ● 0.0.0.0/0 (any IP address)
  Example value: 0.0.0.0/0 (default)

Description
  Description: Provides supplementary information about the security group rule. This parameter is optional. The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
  Example value: N/A

8. Click OK.
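As an added Python example (not from the guide), the following evaluates inbound and outbound rules with the semantics described above: a whitelist, one direction per rule, a Port value of the form 22 or 22-30, and a Source or Destination given as a CIDR block, a /32 address or 0.0.0.0/0. The Rule fields, the constructed rule set and the open_inbound_rules helper are this example's own assumptions.

```python
"""Evaluate security group rules as section 2.4.2 describes them.

Added example, not from the guide: rules form a whitelist, each applies to one
direction, the Port column takes "22" or "22-30", and the Source/Destination
column takes a CIDR block, a /32 address or 0.0.0.0/0. The rule set and the
packets at the bottom are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound" or "outbound"
    protocol: str         # All, TCP, UDP, ICMP, GRE (Table 2-12 / 2-13)
    port: Optional[str]   # "22" or "22-30"; None when the protocol has no ports
    peer: str             # Source (inbound) or Destination (outbound) CIDR


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'22' -> (22, 22); '22-30' -> (22, 30). Values must lie within 1..65535."""
    lo_s, _, hi_s = spec.partition("-")
    lo, hi = int(lo_s), int(hi_s) if hi_s else int(lo_s)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range {spec!r} must lie within 1-65535")
    return lo, hi


def rule_matches(rule: Rule, direction: str, protocol: str,
                 port: Optional[int], peer_ip: str) -> bool:
    """True if one rule covers the packet (direction, protocol, port, peer)."""
    if rule.direction != direction:
        return False
    if rule.protocol != "All" and rule.protocol != protocol:
        return False
    if rule.port is not None:
        lo, hi = parse_port_range(rule.port)
        if port is None or not lo <= port <= hi:
            return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer, strict=False)


def is_allowed(rules: List[Rule], direction: str, protocol: str,
               port: Optional[int], peer_ip: str) -> bool:
    """Whitelist semantics (sections 2.4.3 and 5.4): traffic passes only if some
    rule matches it; with no matching rule it is denied."""
    return any(rule_matches(r, direction, protocol, port, peer_ip) for r in rules)


def open_inbound_rules(rules: List[Rule]) -> List[Rule]:
    """Inbound rules whose source is 0.0.0.0/0, i.e. any IP address. The guide
    shows that value as the default, so these are the rules to review first."""
    return [r for r in rules if r.direction == "inbound"
            and ipaddress.ip_network(r.peer, strict=False).prefixlen == 0]


# Constructed rule set: SSH and ICMP from the data-center subnets used in
# section 4.1 (the "allow access from the remote subnets" fix of FAQ 5.4),
# and all outbound traffic.
RULES = [
    Rule("inbound", "TCP", "22", "192.168.3.0/24"),
    Rule("inbound", "TCP", "22", "192.168.4.0/24"),
    Rule("inbound", "ICMP", None, "192.168.3.0/24"),
    Rule("outbound", "All", None, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for pkt in [("inbound", "TCP", 22, "192.168.3.10"),
                ("inbound", "TCP", 22, "10.0.0.5"),
                ("inbound", "TCP", 3389, "192.168.3.10"),
                ("inbound", "ICMP", None, "192.168.3.10"),
                ("outbound", "UDP", 53, "198.51.100.53")]:
        print(pkt, "allowed" if is_allowed(RULES, *pkt) else "denied")
```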

2.4.3 Deleting a Security Group Rule

Scenarios

If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule and add a new one.

Security group rules use whitelists. Deleting a security group rule may result in ECS access failures. Exercise caution when deleting security group rules.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Cloud.

4. In the navigation pane on the left, choose Access Control > Security Groups.

5. On the Security Groups page, click the security group name.

6. If you do not need a security group rule, locate the row that contains the target rule, and click Delete.

7. Click Yes in the displayed dialog box.


Deleting Multiple Security Group Rules at Once.

You can also select multiple security group rules and click Delete above the security group rule list to delete multiple rules at a time.


3 Management

3.1 Viewing a VPN

Scenarios

You can view details about an existing VPN.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. On the console homepage, under Network, click Virtual Private Network.

4. On the displayed Virtual Private Network page, view the target VPN. Table 3-1 describes the VPN status.

Table 3-1 VPN status

Normal: Indicates that the VPN is successfully created and communication with the local data center through the VPN is normal.

Not connected: Indicates that the VPN is successfully created but has not been used for communication with the local data center.

Creating: Indicates that the VPN is being created.

Updating: Indicates that VPN information is being updated.

Deleting: Indicates that the VPN is being deleted.

Abnormal: Indicates that the VPN is abnormal.

Frozen: Indicates that the VPN is frozen.


3.2 Modifying a VPN

Scenarios

If the VPN network information conflicts with the VPC network information or you need to adjust VPN configurations, you can modify a VPN.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select a region and project.

3. On the console homepage, under Network, click Virtual Private Network.

4. On the Virtual Private Network page, locate the target VPN and click Modify.

5. In the displayed dialog box, set parameters as prompted.

Figure 3-1 Modifying a VPN

6. Click OK.

3.3 Deleting a VPN

Scenarios

You can delete a VPN to release network resources if the VPN is no longer required.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select a region and project.

3. On the console homepage, under Network, click Virtual Private Network.

4. On the Virtual Private Network page, locate the target VPN and click Delete.

5. Click Yes in the displayed dialog box.


3.4 Managing VPN Tags

Application Scenarios

A VPN tag identifies a VPN. Tags can be added to VPNs to facilitate VPN identification and administration. You can add a tag to a VPN when creating the VPN. Alternatively, you can add a tag to a created VPN on the VPN details page. A maximum of ten tags can be added to each VPN.

A tag consists of a key and value pair. Table 3-2 lists the tag key and value requirements.

Table 3-2 VPN tag key and value requirements

Key
  Requirements:
  ● Cannot be left blank.
  ● Must be unique for the same VPN and can be the same for different VPNs.
  ● Contains a maximum of 36 characters.
  ● Can contain only the following character types:
    – Uppercase letters
    – Lowercase letters
    – Digits
    – Special characters, including hyphens (-) and underscores (_)
  Example value: vpn_key1

Value
  Requirements:
  ● Can contain a maximum of 43 characters.
  ● Can contain only the following character types:
    – Uppercase letters
    – Lowercase letters
    – Digits
    – Special characters, including hyphens (-) and underscores (_)
  Example value: vpn-01

Procedure

Search for VPNs by Tag Key and Value on the Page Showing the VPN List.

1. Log in to the management console.

2. Click in the upper left corner and select a region and project.

3. On the console homepage, under Network, click Virtual Private Network.


4. In the upper right corner of the VPN list, click Search by Tag.

5. In the displayed area, enter the tag key and value of the VPN you are looking for. Both the tag key and value must be specified.

6. Click + to add the entered tag key and value. You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for VPNs, the VPNs containing all specified tags will be displayed.

7. Click Search. The system displays the VPNs you are looking for based on the entered tag keys and values.

Add, Delete, Edit, and View Tags on the Tags Tab of a VPN.

1. Log in to the management console.

2. Click in the upper left corner and select a region and project.

3. On the console homepage, under Network, click Virtual Private Network.

4. On the Virtual Private Network page, locate the VPN whose tags are to be managed and click the VPN name. The page showing details about the particular VPN is displayed.

5. Click the Tags tab and perform desired operations on tags.

– View tags. On the Tags tab, you can view details about tags added to the current VPN, including the number of tags and the key and value of each tag.

– Add a tag. Click Add Tag in the upper left corner. In the displayed dialog box, enter the key and value of the tag to be added, and click OK.

– Edit a tag. Locate the row that contains the tag to be edited and click Edit in the Operation column. In the Edit Tag dialog box, change the tag value and click OK.

– Delete a tag. Locate the row that contains the tag to be deleted, and click Delete in the Operation column. In the displayed Delete Tag dialog box, click Yes.


4 VPN Best Practice

4.1 Connecting to a VPC Through a VPN

Scenarios

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. After a VPN is created, configure the security group and check the connectivity between the local and remote networks to ensure that the VPN is available. VPNs can be classified into the following two types:

● Site-to-site VPN: The local side is a VPC on the cloud service platform, and the remote side is a user data center. A site-to-site VPN is a communication tunnel between a user data center and a single VPC.

● Hub-and-spoke VPN: The local side is a VPC on the cloud service platform, and the remote side is user data centers. A hub-and-spoke VPN is a communication tunnel between user data centers and a VPC.

Ensure that the following requirements are met when configuring a VPN:

● The local and remote subnets cannot overlap.
● Different local subnets cannot overlap.
● The local and remote sides use the same IKE and IPsec policies and PSK.
● The local and remote subnet and gateway parameters must be symmetric.
● The security group used by ECSs in the VPC allows traffic from and to the remote side.
● After a VPN is created, its status changes to Normal only after the VMs or physical servers on the two sides of the VPN communicate with each other.

Prerequisites

You have created the VPC and subnet required by the VPN.


Procedure

1. On the management console, select the appropriate IKE and IPsec policies to create a VPN.

2. Check the IP address pools for the local and remote subnets.

In Figure 4-1, a VPC has two subnets: 192.168.1.0/24 and 192.168.2.0/24. On your router deployed in your physical data center, you also have two subnets: 192.168.3.0/24 and 192.168.4.0/24. You can create a VPN to enable subnets in your VPC to communicate with those in your data center.

Figure 4-1 IPsec VPN

The IP address pools for the local and remote subnets cannot overlap with each other. For example, if the local VPC has two subnets, 192.168.1.0/24 and 192.168.2.0/24, the IP address pool for the remote subnets cannot contain these two subnets.

3. Configure security group rules for the VPC.

4. Check the security group of the VPC.

The security group must allow packets from the VPN to pass. You can run the ping command to check whether the security group of the VPC allows packets from the VPN to pass.

5. Check the remote LAN configuration (network configuration of the remote data center). A route must be configured for the remote LAN to enable VPN traffic to be forwarded to network devices on the LAN. If the VPN traffic cannot be forwarded to the network devices, check whether the remote LAN has policies configured to refuse the traffic.


5 FAQs

5.1 How Many IPsec VPNs Can I Have?

By default, a user can have a maximum of five IPsec VPNs. If your quota cannot fulfill your service requirements, submit a service ticket to increase the quota.

5.2 Do IPsec VPNs Support Automatic Negotiation?

The IPsec VPN tunnel works in passive mode, which triggers automatic negotiation only when traffic sent by the local end passes through the tunnel.

5.3 What Do I Do If VPN Setup Fails?

1. Log in to the management console and click Virtual Private Network.

2. In the VPN list, locate the target VPN and click View Policy in the Operation column to view IKE and IPsec policy details about the VPN.

3. Check the IKE and IPsec policies to see whether the negotiation modes and encryption algorithms between the local and remote sides of the VPN are the same.

a. If the IKE policy has been set up during phase one and the IPsec policy has not been enabled in phase two, the IPsec policies between the local and remote sides of the VPN may be inconsistent.

b. If the Cisco physical device is used at the customer side, it is recommended that you use MD5. Then, you need to set Authentication Mode to MD5 in the IPsec policy for the VPN created on the cloud.

4. Check whether the ACL configurations are correct. If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL rules for each data center subnet to permit the communication with the VPC subnets. The following provides an example of ACL configurations:

rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

5. After the configuration is complete, ping the local and the remote side from each other to check whether the VPN connection is normal.
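The subnet requirements of section 4.1 (local subnets may not overlap each other or the remote subnets) and the 2500-pair limit of section 5.7 are mechanical enough to check in code, and the ACL rules in step 4 above follow one pattern per subnet pair. Here is an added Python example (not from the guide) that performs both checks and generates the rules; the function names are this example's own, and the subnet values in the demo are the ones the guide uses.

```python
"""Check a VPN subnet plan and generate the matching ACL permit rules.

Added example, not from the guide. The checks are the section 4.1 requirements
(local subnets may not overlap each other or the remote subnets) and the
section 5.7 limit; the rule syntax is the one shown in section 5.3."""
import ipaddress
from itertools import combinations, product
from typing import List, Sequence

MAX_SUBNET_PAIRS = 2500  # section 5.7: local subnets x remote subnets <= 2500


def _nets(cidrs: Sequence[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects a CIDR with host bits set, e.g. 192.168.1.5/24
    return [ipaddress.IPv4Network(c, strict=True) for c in cidrs]


def check_subnet_plan(local_cidrs: Sequence[str], remote_cidrs: Sequence[str]) -> List[str]:
    """Return the requirement violations found in the plan (empty if none)."""
    local, remote = _nets(local_cidrs), _nets(remote_cidrs)
    problems: List[str] = []
    for a, b in combinations(local, 2):
        if a.overlaps(b):
            problems.append(f"local subnets {a} and {b} overlap")
    for a, b in product(local, remote):
        if a.overlaps(b):
            problems.append(f"local subnet {a} overlaps remote subnet {b}")
    pairs = len(local) * len(remote)
    if pairs > MAX_SUBNET_PAIRS:
        problems.append(f"{pairs} local x remote subnet pairs exceed the limit of {MAX_SUBNET_PAIRS}")
    return problems


def acl_rules(dc_cidrs: Sequence[str], vpc_cidrs: Sequence[str], first_rule: int = 1) -> List[str]:
    """One 'permit ip' rule per (data-center subnet, VPC subnet) pair, in the
    wildcard-mask (host mask) form the firewall ACL in section 5.3 expects."""
    rules: List[str] = []
    for n, (src, dst) in enumerate(product(_nets(dc_cidrs), _nets(vpc_cidrs)), start=first_rule):
        rules.append(
            f"rule {n} permit ip source {src.network_address} {src.hostmask} "
            f"destination {dst.network_address} {dst.hostmask}"
        )
    return rules


if __name__ == "__main__":
    vpc = ["192.168.1.0/24", "192.168.2.0/24"]   # local subnets (section 4.1)
    dc = ["192.168.3.0/24", "192.168.4.0/24"]    # remote subnets (section 4.1)
    print(check_subnet_plan(vpc, dc) or "subnet plan OK")
    print("\n".join(acl_rules(dc, vpc)))
    # A remote subnet that contains the VPC subnets violates the first requirement.
    print(check_subnet_plan(vpc, ["192.168.0.0/16"]))
```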

5.4 How Can I Handle the Failure in Accessing the ECSs from My Data Center or LAN Even If the VPN Has Been Set Up?

The security group denies the access from all sources by default. If you want to access your ECSs, modify the security group configuration and allow the access from the remote subnets.

5.5 What Do I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?

Check whether you have properly configured the firewall policies for the access from the public IP address of the cloud VPN to the public IP address of your data center or LAN. No policies are configured to limit the access by default.

5.6 Does a VPN Allow for Communication Between Two VPCs?

If the two VPCs are in the same region, you can use a VPC peering connection to enable communication between them.

If the two VPCs are in different regions, you can use a VPN to enable communication between the VPCs. The CIDR blocks of the two VPCs are the local and remote subnets, respectively.

5.7 What Is the Limitation on the Number of Local and Remote Subnets of a VPN?

The number of local subnets multiplied by the number of remote subnets cannot exceed 2500.

5.8 Why Is Not Connected Displayed as the Status for a Successfully Created VPN?

After a VPN is created, its status changes to Normal only after the VMs or physical servers on the two sides of the VPN communicate with each other.

● IKE v1: If no traffic goes through the VPN for a period of time, the VPN needs to be renegotiated. The negotiation time depends on the value of Lifecycle (s) in the IPsec policy. Generally, the value of Lifecycle (s) is 3600 (1 hour), indicating that the negotiation will be initiated in the fifty-fourth minute. If the negotiation succeeds, the connection remains until the next round of negotiation. If the negotiation fails, the status is set to disconnected within one hour. The connection can be restored after the two sides of the VPN communicate with each other. The disconnection can be avoided by using a network monitoring tool, such as IP SLA, to generate packets.

● IKE v2: If no traffic goes through the VPN for a period of time, the VPN remains in the connected status.

5.9 How Long Is Required for Issued VPN Configurations to Take Effect?

The time required for VPN configurations to take effect increases linearly with the product of the number of local subnets and the number of remote subnets.

5.10 How Do I Configure a Remote Device for a VPN?

Due to the symmetry of the tunnel, the VPN parameters configured on the cloud must be the same as those configured in your own data center. If they are different, a VPN cannot be established.

To set up a VPN, you also need to configure the IPsec VPN on the router or firewall in your own data center. The configuration method may vary depending on your network device in use. For details, see the configuration guide of your network device.

This section describes how to configure the IPsec VPN on a Huawei USG6600 series V100R001C30SPC300 firewall for your reference.

For example, the subnets of the data center are 192.168.3.0/24 and 192.168.4.0/24, the subnets of the VPC are 192.168.1.0/24 and 192.168.2.0/24, and the public IP address of the IPsec tunnel egress in the VPC is XXX.XXX.XX.XX, which can be obtained from the local gateway parameters of the IPsec VPN in the VPC.

Procedure

1. Log in to the CLI of the firewall.

2. Check firewall version information.

display version
17:20:50 2017/03/09
Huawei Versatile Security Platform Software
Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)

3. Create an access control list (ACL) and bind it to the target VPN instance.

acl number 3065 vpn-instance vpn64
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
q


4. Create an IKE proposal.

ike proposal 64
dh group5
authentication-algorithm sha1
integrity-algorithm hmac-sha2-256
sa duration 3600
q

5. Create an IKE peer and reference the created IKE proposal. The peer IP address is 93.188.242.110.

ike peer vpnikepeer_64
pre-shared-key ********   (******** specifies the pre-shared key.)
ike-proposal 64
undo version 2
remote-address vpn-instance vpn64 93.188.242.110
sa binding vpn-instance vpn64
q

6. Create an IPsec proposal.

ipsec proposal ipsecpro64
encapsulation-mode tunnel
esp authentication-algorithm sha1
q

7. Create an IPsec policy and reference the IKE policy and IPsec proposal.

ipsec policy vpnipsec64 1 isakmp
security acl 3065
pfs dh-group5
ike-peer vpnikepeer_64
proposal ipsecpro64
local-address xx.xx.xx.xx
q

8. Apply the IPsec policy to the subinterface.

interface GigabitEthernet0/0/2.64
ipsec policy vpnipsec64
q

9. Test the connectivity. After you perform the preceding operations, you can test the connectivity between your ECSs in the cloud and the hosts in your data center. For details, see the following figure.


5.11 Which Remote VPN Devices Are Supported?

Most devices that meet IPsec VPN standard and reference protocol requirements can be used as the remote VPN devices, for example, Cisco ASA firewalls, Huawei USG6xxxx series firewalls, USG9xxxx series firewalls, Hillstone firewalls, and Cisco ISR routers. Table 5-1 lists the supported Huawei USG6xxxx and USG9xxxx firewalls.

Table 5-1 Huawei VPN devices

Huawei USG6000 series
  USG6320/6310/6510-SJJ
  USG6306/6308/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570:2048
  USG6620/6630/6650/6660/6670/6680

Huawei USG9000 series
  USG9520/USG9560/USG9580

Other devices that meet the requirements in the reference protocols described in section 1.4 Reference Standards and Protocols can also be deployed. However, some devices may fail to be added because of inconsistent protocol implementation methods of these devices. If the connection setup fails, rectify the fault by following the instructions provided in section 5.3 What Do I Do If VPN Setup Fails? or contact customer service.

5.12 What Can I Do If the VPN Fails or the Network Speed of the VPN Is Slow?

You can perform the following steps to handle the issues:

1. Check the ECS specifications. Rate limiting is not performed for the VPN ingress on the cloud, so the issue may be caused by the ECS specifications.

2. Rate limiting has been configured for the VPN egress on the cloud. Check whether your bandwidth has reached or exceeded the maximum limit allowed.

3. Check your local network to see whether the network speed is slow.

4. Check whether packets sent between the cloud and the customer data center have been lost.

5.13 Are SSL VPNs Supported?

Currently, the VPN service does not support SSL VPNs.


5.14 What Is the VPN Quota?

What Is a Quota?

Quotas are enforced for service resources on the platform to prevent unforeseen spikes in resource usage. Quotas can limit the number or amount of resources available to users. For example, the VPN quota limits the number of VPNs that you can create. You can also request more quotas if you need them.

This section describes how to view the VPN resource usage and the total quotas in a specified region.

How Do I View My Quotas?

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. In the upper right corner of the page, click .

The Service Quota page is displayed.

4. View the used and total quota of each type of resources on the displayed page.

If a quota cannot meet service requirements, click Increase Quota to adjust it.

How Do I Apply for a Higher Quota?

The system does not support online quota adjustment. If you need to adjust a quota, call the hotline or send an email to the customer service mailbox. Customer service personnel will process your request for quota adjustment in a timely manner and inform you of the real-time progress by making a call or sending an email.

You need to prepare the following information before dialing the hotline number or sending an email:

● Domain name, project name, and project ID, which can be obtained by performing the following operations:

Log in to the management console using the cloud account, click the username in the upper right corner, select My Credential from the drop-down list, and obtain the domain name, project name, and project ID on the My Credential page.

● Quota information, which includes:

– Service name

– Quota type

– Required quota

Learn how to obtain the service hotline and email address.


A Change History

Release Date / What's New

2019-02-22
  This release incorporates the following changes:
  ● Updated the region description in Table 2-7.

2019-02-18
  Accepted in OTC-4.0/Agile-02.2019

2019-02-11
  This release incorporates the following changes:
  ● Deleted content about the firewall version from section 2.3 Creating a VPN.
  ● Added Table 3-1.
  ● Updated the tag key and value requirements in Table 2-8 and Table 3-2.
  ● Updated content about searching for VPNs by tag key and value in section 3.4 Managing VPN Tags.
  ● Adjusted the column width.

2019-02-02
  This release incorporates the following changes:
  ● Updated a figure in section 3.2 Modifying a VPN.
  ● Updated the content in section 3.4 Managing VPN Tags based on the latest console page.
  ● Updated section 2.4 (Optional) Configure Security Group Rules.
  ● Updated sections 5.8 Why Is Not Connected Displayed as the Status for a Successfully Created VPN? and 5.10 How Do I Configure a Remote Device for a VPN?.
  ● Added the negotiation mode in section Table 2-9.

Virtual Private NetworkUser Guide A Change History

2019-02-22 38

Page 42: User Guide - docs.otc.t-systems.com · 1 Overview 1.1 Virtual Private Network A Virtual Private Network (VPN) establishes an encrypted, Internet-based communications tunnel between

Release Date What's New

2019-01-30 This release incorporates the following changes:● Added parameter NTP Server Address to section

Table 2-1.● Sorted the DH algorithm values to display them in

order in section Table 2-9.● Sorted the PFS values to display them in order in

section Table 2-10.● Added description to show how to query the

firewall version in section 5.● Added the supported network protocols to the

tables listing inbound and outbound rules in section2.4.2 Adding a Security Group Rule.

● Modified the description of parameter Port &Source in the tables listing inbound and outboundrules in section 2.4.2 Adding a Security GroupRule.

● Added section 5.10 How Do I Configure a RemoteDevice for a VPN?.

2019-01-23 This release incorporates the following changes:● Changed VPN connection to VPN.● Changed OK to Yes in section 3.3 Deleting a VPN.● Updated figures in sections Figure 2-3, Figure 2-4,

and Figure 3-1.● Modified the title in sections 3.1 Viewing a VPN

and 3.2 Modifying a VPN.● Added parameter Region and option Specify CIDR

block to parameter Local Subnet in section Table2-7.

● Added description about the DH group security leveland description about the supported DH groupswhen the firewall version is V1 or V5 to sectionTable 2-9.

● Added description about the PFS group securitylevel and description about the supported DHgroups when the firewall version is V1 or V5 tosection Table 2-10.

● Updated section 5.3 What Do I Do If VPN SetupFails?.

● Added sections 5.12 What Can I Do If the VPNFails or the Network Speed of the VPN Is Slow?and 5.13 Are SSL VPNs Supported?.

2019-01-02 This release incorporates the following change:Added description about the PFS function to thesection for configuring the IPsec policy of a VPN.

Virtual Private NetworkUser Guide A Change History

2019-02-22 39

Page 43: User Guide - docs.otc.t-systems.com · 1 Overview 1.1 Virtual Private Network A Virtual Private Network (VPN) establishes an encrypted, Internet-based communications tunnel between

Release Date What's New

2018-04-30 This issue is the eighth official release, whichincorporates the following change:Added description about how to add tags during VPNcreation.

2017-08-30 This issue is the seventh official release, whichincorporates the following change:Added description about VPC and subnet tags.

2017-07-30 This issue is the sixth official release, whichincorporates the following change:● Added the best practice.● Added description about the multi-project feature.

2017-04-28 This issue is the fifth official release, whichincorporates the following change:● Changed the maximum number obtained by

multiplying the number of local subnets and that ofremote subnets of a VPN to 2500.

2017-03-30 This issue is the fourth official release, whichincorporates the following change:● Added an example illustrating how to configure the

remote device of a VPN.

2017-01-20 This issue is the third official release, whichincorporates the following change:● Added description about the IPsec VPN created

between multiple local gateways in different VPCsand the same remote gateway

2016-12-30 This issue is the second official release, whichincorporates the following change:● Added FAQs.

2016-10-19 This issue is the first official release.

Virtual Private NetworkUser Guide A Change History

2019-02-22 40