Setup IPSec Tunnel between Microsoft Azure and Alibaba Cloud with VPN Gateway

By Lin En Shu, Solutions Architect

A Virtual Private Network (VPN) provides a means for securely communicating among remote hosts and private networks across a public WAN such as the Internet. Two private networks can be securely connected through site-to-site VPN. To secure VPN communication while passing through the WAN, the two sites create an IP Security (IPsec) VPN tunnel.

An IPSec VPN tunnel protects the IP packets exchanged between remote networks or hosts and a VPN gateway located at the edge of the private network. IPSec includes protocols for establishing mutual authentication between the two peers at the start of the session and for negotiating the cryptographic keys used during the session.

This solution guide aims to provide a walkthrough on how to establish an IPSec Tunnel between Microsoft Azure and Alibaba Cloud using VPN Gateway.

Solution Architecture

In this guide, the IPSec VPN Tunnel setup between Microsoft Azure and Alibaba Cloud using VPN Gateway will be based upon the following solution architecture.


Pre-Requisites and Preparation

  1. An Alibaba Cloud Account
  2. A Microsoft Azure Account
  3. Required environmental setup information. Reference: Azure IPSec/IKE parameters for Site to Site VPN Gateway https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-about-vpn-devices
  4. An Alibaba Cloud VPC. Refer to this guide: https://www.alibabacloud.com/help/doc-detail/53604.htm

Alibaba Cloud — Setup VPN Gateway

1. Create VPN Gateway

Go to Products -> Virtual Private Cloud -> VPN Gateway and click the Create VPN Gateway button.


Choose the region, peak bandwidth and VPC (which has been created) and press Buy Now.

Go back to the VPN Gateway console to find the public IP address of the VPN Gateway; it will be needed on the Azure side.

2. Create Customer Gateway

The Customer Gateway represents the remote peer, so its IP address is the public IP of the VPN gateway in Microsoft Azure.

Go to Virtual Private Cloud -> Customer Gateway and press the Create Customer Gateway button.


Enter Azure’s VPN Gateway IP into the IP Address field.


Go back to the Customer Gateway console to verify that the Customer Gateway IP has been registered correctly.

3. Create VPN Connection

Once the VPN Gateway in Alibaba Cloud and the Customer Gateway for Azure have been configured, the next step is to set up the VPN connection.

Go to Virtual Private Cloud -> VPN Connection and press the Create VPN Connection button.

Fill in the advanced configuration based on this table. The values highlighted in green (Azure's IPSec/IKE configuration: IKE version, encryption and authentication algorithms, DH group, PFS and SA lifetimes) must be identical on both sides; if any proposal parameter or the pre-shared key differs, IKE negotiation fails and the IPSec tunnel cannot be established.


4. Add Route Entry in VPC

In order for the ECS instances within this Alibaba Cloud VPC to reach the VMs in the Azure Virtual Network, a route entry needs to be added that sends traffic destined for the remote private network (Azure) through this VPN Gateway.

Once the VPN connection has been created, select the VPC and go to VRouters to add a route entry.


Enter the CIDR (Address Space) of the Azure Virtual Network into the Destination CIDR Block field, choose VPN Gateway as the next hop type and select the VPN Gateway created earlier.


The IPSec VPN Tunnel setup on the Alibaba Cloud side is now complete!

Microsoft Azure — Setup Virtual Network Gateway

1. Create Virtual Network

The steps here are similar, as the Azure Virtual Network is the equivalent of Alibaba Cloud's VPC. The first step is to set up the Azure Virtual Network by pressing New -> Networking -> Virtual Network.

Enter all the required information; the most important field here is Address Space, which is the CIDR of Azure's private network.


Go to Virtual Networks to verify that it has been created successfully.

2. Create Virtual Network Gateway

Similarly, the Azure Virtual Network Gateway is the equivalent of Alibaba Cloud's VPN Gateway.

Create Azure Virtual Network Gateway by pressing New -> Networking -> Virtual Network Gateway.

Enter all the required information; the most important step here is to choose the Virtual Network created earlier.


3. Create Local Network Gateway

The Azure Local Network Gateway is the equivalent of Alibaba Cloud's Customer Gateway: it describes the remote peer.

Create Azure Local Network Gateway by pressing New -> Networking -> Local Network Gateway.

Enter all the required information; the most important fields here are:

  1. IP address: Alibaba Cloud's VPN Gateway public IP
  2. Address space: Alibaba Cloud's VPC CIDR

4. Create VPN Connection

Create an Azure VPN Connection by going to Virtual Network Gateway -> Connections -> +Add.


Enter all the required information; the most important fields here are:

  1. Connection type: Site to site (IPSec)
  2. Shared key (PSK): This pre-shared key must match the one entered in Alibaba Cloud during VPN Connection creation.

The IPSec VPN Tunnel setup on the Microsoft Azure side is now complete!
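As an added illustration (not part of the original guide), the following Python pre-flight check encodes the consistency rules the two configuration sections above depend on: each side's configured peer IP and peer CIDR must equal the other side's gateway IP and address space, the two address spaces must not overlap, the pre-shared key must be identical, and every IKE/IPSec proposal parameter must match. All IP addresses, CIDRs, the key and the proposal values are constructed placeholders, not real Azure or Alibaba Cloud settings.

```python
# Added example: pre-flight consistency check for a site-to-site IPSec tunnel
# between two clouds. Sample values below are constructed placeholders.
import ipaddress
from dataclasses import dataclass


@dataclass
class Side:
    name: str
    gateway_ip: str      # public IP of this side's VPN gateway
    address_space: str   # private CIDR behind this gateway
    peer_ip: str         # remote gateway IP configured on this side
    peer_cidr: str       # remote network configured on this side
    psk: str             # pre-shared key entered on this side
    proposal: dict       # IKE (phase 1) and IPsec (phase 2) parameters


def check_tunnel(a: Side, b: Side) -> list:
    """Return human-readable problems; an empty list means both sides agree."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        # Customer Gateway / Local Network Gateway must point at the other peer.
        if local.peer_ip != remote.gateway_ip:
            problems.append(f"{local.name}: peer IP {local.peer_ip} is not "
                            f"{remote.name}'s gateway {remote.gateway_ip}")
        # Route entry / address space must be the other side's private CIDR.
        if ipaddress.ip_network(local.peer_cidr) != ipaddress.ip_network(remote.address_space):
            problems.append(f"{local.name}: peer CIDR {local.peer_cidr} does not match "
                            f"{remote.name}'s address space {remote.address_space}")
    if ipaddress.ip_network(a.address_space).overlaps(ipaddress.ip_network(b.address_space)):
        problems.append("address spaces overlap; traffic cannot be routed unambiguously")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    # Every IKE/IPsec proposal parameter must be identical on both sides.
    for key in sorted(set(a.proposal) | set(b.proposal)):
        if a.proposal.get(key) != b.proposal.get(key):
            problems.append(f"{key}: {a.name}={a.proposal.get(key)} "
                            f"{b.name}={b.proposal.get(key)}")
    return problems


# Constructed sample configuration (placeholder IPs from RFC 5737 ranges).
PROPOSAL = {"ike_version": "ikev2", "ike_enc": "aes256", "ike_auth": "sha256",
            "dh_group": "group2", "ipsec_enc": "aes256", "ipsec_auth": "sha256",
            "pfs": "group2"}
ALIBABA = Side("Alibaba Cloud", "203.0.113.10", "172.21.0.0/16",
               "198.51.100.20", "10.1.0.0/16", "example-psk", dict(PROPOSAL))
AZURE = Side("Azure", "198.51.100.20", "10.1.0.0/16",
             "203.0.113.10", "172.21.0.0/16", "example-psk", dict(PROPOSAL))

if __name__ == "__main__":
    for line in check_tunnel(ALIBABA, AZURE) or ["tunnel parameters are consistent"]:
        print(line)
```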

Site-to-Site IPSec VPN Tunnel Test

1. VPN Connectivity Verification

Verify the VPN connection status on both sides. The Alibaba Cloud side's VPN Connection should show the status "Phase 2 of IKE Tunnel Negotiation Succeeded".


The Microsoft Azure side's VPN Connection should show the status "Connected".


2. Provision servers to test VPN Tunnel

In Alibaba Cloud, set up an ECS server in the same region and the same VPC as the VPN Gateway.

Refer to this guide to set up a Linux ECS server.


In Microsoft Azure, set up a virtual machine in the same region and the same virtual network as the Virtual Network Gateway.

Refer to this guide to set up an Azure Virtual Machine.


3. Test IPSec VPN Tunnel Connectivity Using Telnet

As a summary, here is the information for the test servers provisioned:

Site              Server Private IP
Alibaba Cloud     172.21.223.245
Microsoft Azure   10.1.0.4

Log in to the Alibaba Cloud server and telnet to the Azure server's private IP on SSH port 22. The result should show "Connected to < Azure VM's private IP >".


Log in to the Azure server and telnet to the Alibaba Cloud server's private IP on SSH port 22. The result should show "Connected to < Alibaba Cloud ECS private IP >".


Conclusion

This site-to-site IPSec VPN Tunnel solution allows customers who consume services in both Alibaba Cloud and Microsoft Azure to have secure connectivity between the two sites over the Internet.

Related Products

  1. VPN Gateway
  2. Virtual Private Cloud
  3. Elastic Compute Service
