VPN connections
Using the cloud VPN service (VPN as a Service, VPNaaS) you can easily connect your K2 Cloud infrastructure with the remote infrastructure.
By default, a high-availability VPN connection is created in a region with multiple availability zones. To ensure high availability, two tunnels are created and terminated in different availability zones. In normal operation, both tunnels are active, and traffic from instances is forwarded to the closest tunnel. If a tunnel fails, all traffic is automatically redirected through the second tunnel to make cloud resources available.
Note
Using a VPN connection is billed at an hourly rate in addition to outbound traffic charges. You can view the tariff information in the Network tab of the Tariffs section.
There are two types of IPsec VPN connections in K2 Cloud:
ipsec.1 — tunnel mode;
ipsec.legacy — transport mode.
Important
For simplicity, a VPN gateway is not displayed in the web interface. So, when you create VPN connections, selecting a VPC is equivalent to choosing a VPN gateway. Information about the available VPN gateways can be obtained explicitly using the API.
To connect your device with the cloud infrastructure, you should:
create the customer gateway, putting in the information about your device;
create the VPN connection with the gateway;
configure your device according to settings, which you can get on the created VPN connection page.
There can be only one VPN connection between a customer gateway and a VPC (a VPN gateway). But you can create several VPN connections between a VPC and different customer gateways or between a customer gateway and different VPCs.
Creating a customer gateway#
Go to Interconnect → VPN → Customer gateways.
Click Create.
In the window that opens, set the following parameters:
Name tag (Optional).
Type — ipsec.1 (IPsec connection in tunnel mode) or ipsec.legacy (IPsec connection in transport mode).
IP address — The address of the customer gateway in the remote infrastructure.
BGP ASN — The number of the autonomous system of a remote network. If static addressing is used, you can either specify any value or leave the default one. If you leave this field empty, then 65000 will be set by default.
If you need to set tags, go to the next step by clicking Add tags. Specify the tag key and value.
After setting all the required parameters, click Create.
Creating a VPN connection#
Create a VPN connection to a customer gateway#
Note
A VPN connection can only be created if a customer gateway exists.
If BGP is used to exchange route information, only eBGP is allowed. Thus, the BGP ASN of the customer gateway and the BGP ASN of the VPC (VPN gateway) must not be the same. If necessary, you can change the BGP ASN of the VPC. To change it, contact K2 Cloud support and include the VPC ID and the desired autonomous system number in your request. It is recommended to use a number from the private BGP ranges: 64512–65535 and 4200000000–4294967294.
When you create a VPN connection, the cloud by default downloads a configuration file. This file is specific to your customer gateway and contains the data needed to set up the device.
Go to Interconnect → VPN → VPN connections.
Click Create to open a VPN connection wizard.
Enter the Name tag in the Name tag field (optional).
In the VPC field, select the VPC to connect VPN to.
A high-availability dual-tunnel connection is created by default. If you don’t need it, uncheck the corresponding option.
In the Customer gateway field, select either Existing to specify an existing customer gateway, or New to create a new one right in that window.
When creating a gateway, set the following parameters:
Type — ipsec.1 (IPsec connection in tunnel mode) or ipsec.legacy (IPsec connection in transport mode).
IP address — The address of the customer gateway in the remote infrastructure.
BGP ASN — The number of the autonomous system of a remote network. If static addressing is used, you can either specify any value or leave the default one. If you leave this field empty, then 65000 will be set by default.
For an ipsec.1 type connection, you can also specify the subnets that are permitted to use the encrypted tunnel:
Local IP Network CIDR — the customer's subnet.
Remote IP Network CIDR — a cloud subnet.
If you need to modify default tunnel options, click Set tunnel options to modify options of the tunnel (tunnel 1 if high-availability connection is selected). Once tunnel 1 options are set, click Tunnel 2 options to configure tunnel 2 of the high-availability connection.
Tunnel options can also be modified after the connection has been created.
If you need to set tags, go to the Tags step by clicking Add tags. Specify the tag key and value.
After setting all the required parameters, click Create.
You can also create a VPN connection in the Customer gateways section. To this end:
Go to Interconnect → VPN → Customer gateways.
Create a customer gateway or select it in the resource table.
Click Create VPN connection to open a VPN connection wizard.
Set options specified in step 2 of the manual.
Click Create.
Create an inter-region VPN connection#
If you have VPCs in different K2 Cloud regions, you can connect them via an inter-region VPN connection.
Important
A VPN connection between VPCs located in different regions is only possible if at least one VPC has no other VPN connections. Furthermore, the VPC CIDR blocks must not overlap.
Attention
If BGP ASNs of the local and remote VPCs are the same, then creating an inter-region VPN connection will automatically modify the number of an autonomous system of the VPC, which does not have other VPN connections. In the process of such modification, the Metadata API and DNS Resolver services may be unavailable for up to one minute. When service availability is affected, the VPN connection wizard displays a warning indicating the region in which the reconfiguration is underway.
Along with the VPN connection, customer gateways will be created in each region. The VPN connection and the customer gateways will be assigned the following tags:
RemoteVpcRegion — The region of the VPC, which the VPN connection / customer gateway are connected to;
RemoteVpcId — The ID of the VPC, which the VPN connection / customer gateway are connected to;
CreatedBy with the value InterRegionVpcWizard — Indicates that the resource was created automatically using the inter-region VPN connection wizard.
For dynamic routing, route propagation to the target route table must be enabled in each VPC (see Route propagation feature below for details). Alternatively, you can configure static routing yourself.
Go to Interconnect → VPN → VPN connections.
In the VPN connection creation menu, select Create inter-region VPN connection.
In the window that opens, set the VPN connection parameters:
(Optional) Name tag.
Local VPC in the current region.
Remote VPC in the other region.
High-availability connection option (which is enabled by default).
If you need to modify default tunnel options, click Set tunnel options to modify options of the tunnel (tunnel 1 if high-availability connection is selected). Once tunnel 1 options are set, click Tunnel 2 options to configure tunnel 2 of the high-availability connection.
Tunnel options can also be modified after the connection has been created.
Note
For an inter-region VPN connection, Internal IP CIDR for the tunnel cannot be modified.
If you need to set tags, go to the Tags step by clicking Add tags. Specify the tag key and value.
After setting all the required parameters, click Create.
Changing tunnel parameters#
In K2 Cloud, you can choose which tunnel options to use when creating a VPN connection. For a high-availability VPN, you can specify tunnel options separately for each tunnel.
Here are the tunnel parameters that you can configure.
General parameters:
Internal IP CIDR for tunnel — a /30 block from the subnet 169.254.252.0/22 to be used inside the IPsec tunnel of the VPN connection;
Pre-shared Key for tunnel — the key (PSK) used for primary authentication between the VPN and customer gateways;
ikeVersion — the key exchange protocol version: ikev1 or ikev2;
Replay Window Size — the number of packets in the IKE replay window.
Phase1 parameters:
Encryption Algorithms — the allowed encryption algorithms for the VPN tunnel in the first IKE phase;
Integrity Algorithms — the allowed integrity algorithms for the VPN tunnel in the first IKE phase;
DH Group Numbers — the allowed Diffie-Hellman groups for the VPN tunnel in the first IKE phase;
Lifetime Seconds — the lifetime for the first IKE phase, in seconds.
Phase2 parameters:
Encryption Algorithms — the allowed encryption algorithms for the VPN tunnel in the second IKE phase;
Integrity Algorithms — the allowed integrity algorithms for the VPN tunnel in the second IKE phase;
Turn on PFS — enables Perfect Forward Secrecy (PFS): the session keys of the second phase are derived from a fresh Diffie-Hellman exchange, so a compromise of the IKE keys does not expose the session encryption keys;
Attention
PFS is enabled by default. In order to prevent the session encryption key from being compromised, do not disable PFS.
DH Group Numbers — the allowed Diffie-Hellman groups for the VPN tunnel in the second IKE phase;
Note
If PFS is disabled, Diffie-Hellman groups cannot be selected.
Lifetime Seconds — the lifetime for the second IKE phase, in seconds.
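The rules above and in the notes on BGP ASNs and subnets (only eBGP with distinct ASNs, private ASN ranges, non-overlapping subnets, a /30 inside-tunnel block from 169.254.252.0/22, ikev1 or ikev2, PFS kept on and DH groups meaningful only with PFS) are easy to check before a request is submitted through the web interface or the API. The following pre-flight validator is an added example and not K2 Cloud's own code; its field names, the sample requests and the finding texts are assumptions made for the example.

```python
"""Pre-flight checks for a VPN connection request, before it is created.

Added example, not K2 Cloud code. It encodes rules stated on this page:
only eBGP is allowed (customer gateway and VPC ASNs must differ, private
ASN ranges recommended), the subnets on both ends must not overlap, the
Internal IP CIDR of each tunnel is a /30 from 169.254.252.0/22, ikeVersion
is ikev1 or ikev2, PFS should stay enabled, and phase-2 DH groups only
apply while PFS is on. Field names below are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass, field

TUNNEL_INSIDE_BLOCK = ipaddress.ip_network("169.254.252.0/22")
# Private ASN ranges as given on this page.
PRIVATE_ASN_RANGES = ((64512, 65535), (4200000000, 4294967294))


@dataclass
class TunnelOptions:
    inside_cidr: str              # Internal IP CIDR for tunnel (a /30)
    ike_version: str              # "ikev1" or "ikev2"
    pfs: bool = True              # Turn on PFS
    phase2_dh_groups: tuple = ()  # DH Group Numbers for the second phase


@dataclass
class VpnRequest:
    customer_asn: int             # BGP ASN of the customer gateway
    vpc_asn: int                  # BGP ASN of the VPC (VPN gateway)
    local_cidr: str               # Local IP Network CIDR (customer's subnet)
    remote_cidr: str              # Remote IP Network CIDR (cloud subnet)
    tunnels: list = field(default_factory=list)


def is_private_asn(asn):
    """True if the ASN falls inside one of the recommended private ranges."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_tunnel(idx, t):
    """Findings for one tunnel's options; an empty list means it is acceptable."""
    findings = []
    try:
        inside = ipaddress.ip_network(t.inside_cidr)
    except ValueError:
        return [f"tunnel {idx}: inside CIDR {t.inside_cidr!r} is not a valid network"]
    if inside.prefixlen != 30 or not inside.subnet_of(TUNNEL_INSIDE_BLOCK):
        findings.append(f"tunnel {idx}: inside CIDR must be a /30 within {TUNNEL_INSIDE_BLOCK}")
    if t.ike_version not in ("ikev1", "ikev2"):
        findings.append(f"tunnel {idx}: ikeVersion must be ikev1 or ikev2, not {t.ike_version!r}")
    if not t.pfs:
        # Without PFS, phase-2 keys are derived from the IKE SA alone, so a
        # compromised IKE key exposes the session keys of the whole tunnel.
        findings.append(f"tunnel {idx}: PFS is disabled; keep it enabled")
        if t.phase2_dh_groups:
            findings.append(f"tunnel {idx}: phase-2 DH groups have no effect while PFS is off")
    return findings


def preflight(req):
    """Return all findings for the request; an empty list means it can be submitted."""
    findings = []
    if req.customer_asn == req.vpc_asn:
        findings.append("customer gateway and VPC ASNs are equal; only eBGP is allowed")
    for name, asn in (("customer gateway", req.customer_asn), ("VPC", req.vpc_asn)):
        if not is_private_asn(asn):
            findings.append(f"{name} ASN {asn} is outside the recommended private ranges")
    local = ipaddress.ip_network(req.local_cidr)
    remote = ipaddress.ip_network(req.remote_cidr)
    if local.overlaps(remote):
        findings.append(f"local {local} and remote {remote} subnets overlap")
    inside = [t.inside_cidr for t in req.tunnels]
    if len(set(inside)) != len(inside):
        findings.append("tunnels of one connection must use distinct inside CIDRs")
    for idx, t in enumerate(req.tunnels, 1):
        findings.extend(check_tunnel(idx, t))
    return findings


# Constructed sample requests: a clean high-availability request and a bad one.
GOOD_REQUEST = VpnRequest(
    customer_asn=65001, vpc_asn=65000,
    local_cidr="10.0.0.0/16", remote_cidr="172.16.0.0/16",
    tunnels=[TunnelOptions("169.254.252.4/30", "ikev2"),
             TunnelOptions("169.254.252.8/30", "ikev2")],
)
BAD_REQUEST = VpnRequest(
    customer_asn=65000, vpc_asn=65000,
    local_cidr="10.0.0.0/16", remote_cidr="10.0.1.0/24",
    tunnels=[TunnelOptions("169.254.1.0/30", "ikev3", pfs=False, phase2_dh_groups=(14,))],
)

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, preflight(req) or "ok")
```

Run the module directly to see the findings for both constructed requests; the bad request trips every rule at once (equal ASNs, overlapping subnets, an inside CIDR outside 169.254.252.0/22, an unknown IKE version, and DH groups set while PFS is off). The ASN check uses the ranges exactly as this page states them.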
To learn more about the supported tunnel options, limitations and algorithm compatibility for different IKE versions, see documentation.
Configuring the remote device#
You can configure your device located in the remote infrastructure (the customer gateway) using the settings that K2 Cloud provides for each VPN connection.
Go to Interconnect → VPN → VPN connections.
Create the VPN connection if it has not been created yet.
Find the newly created VPN connection in the resource table and click its ID to go to the VPN connection page.
Click Get settings. The following formats for settings are supported:
generic configuration with a text description of all parameters;
configuration for Cisco IOS 12.4 and higher;
Generic Linux Openswan/Libreswan with Quagga/FRR;
RedHat Linux Openswan/Libreswan with Quagga/FRR.
Click Download to save the customer gateway settings in .cfg format on the local PC.
Routing via a VPN connection#
You can set up static routing between subnets in K2 Cloud and private networks in a remote infrastructure (behind a customer gateway) using route tables.
Use BGP for dynamic routing. This saves you the hassle of manually configuring static routes over a VPN connection, improves fault tolerance, and allows for an automatic switchover when using multiple VPN connections.
Important
For high-availability VPN connections, only BGP routing is available; static routing is not supported.
For the routes learned over BGP to be installed in a VPC route table, enable Route propagation. To do this, go to the VPC page, switch to the Information tab and specify the target route table for the Route propagation parameter.
Route propagation feature#
For each VPC, you can choose one route table to which the BGP routes received from the customer gateway are propagated. This feature can be enabled in the web interface on the VPC page or via the API method EnableVgwRoutePropagation.
Once Route Propagation is enabled, the standard best route selection rules will apply to the selected route table. The following routes will have higher priority:
routes with longer prefix;
routes with shorter administrative distance;
routes with smaller metrics.
If necessary, Route propagation can be disabled in the web interface in the VPC page or via the API method DisableVgwRoutePropagation. In this case, BGP continues to work for VPN connections and advertise routes. Still, BGP routes will not be propagated to the route table, so instances of the VPC will be unable to access networks behind a client gateway. If this is the case, use static routing.
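To make the selection rules above concrete, here is an added example (not K2 Cloud code) of a route table holding static routes and routes propagated from BGP, with lookup ordered by longest prefix, then shortest administrative distance, then smallest metric, and with the effect of disabling Route propagation. The administrative distance values, tunnel names and sample prefixes are constructed for the demo; the cloud's real values are not given on this page.

```python
"""Best-route selection in a VPC route table with propagated BGP routes.

Added example, not K2 Cloud code. It models the rules stated above for a
route table with Route propagation enabled: the route with the longer
prefix wins, then the shorter administrative distance, then the smaller
metric. Administrative distance values and the sample routes are
constructed for the demo; the cloud's real values are not on this page.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network, e.g. "10.1.0.0/16"
    target: str          # next hop, e.g. a VPN tunnel or "local"
    source: str          # "static" or "bgp"
    admin_distance: int  # lower is preferred
    metric: int = 0      # lower is preferred

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def effective_table(static_routes, bgp_routes, propagation_enabled):
    """Routes actually present in the table: BGP routes are installed only
    while Route propagation is enabled; BGP itself keeps running either way."""
    table = list(static_routes)
    if propagation_enabled:
        table.extend(bgp_routes)
    return table


def best_route(table, destination):
    """Pick the route for one destination address, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    # Sort key: longest prefix first, then lowest admin distance, then lowest metric.
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.admin_distance, r.metric))


# Constructed sample: the VPC's own CIDR, one static route over tunnel 2 and
# routes learned from the customer gateway over both tunnels of an HA connection.
STATIC_ROUTES = [
    Route("172.16.0.0/16", "local", "static", admin_distance=0),
    Route("10.0.0.0/8", "vpn-tunnel-2", "static", admin_distance=1),
]
BGP_ROUTES = [
    Route("10.0.0.0/8", "vpn-tunnel-1", "bgp", admin_distance=20, metric=0),
    Route("10.1.0.0/16", "vpn-tunnel-1", "bgp", admin_distance=20, metric=10),
    Route("10.1.0.0/16", "vpn-tunnel-2", "bgp", admin_distance=20, metric=20),
]


def lookup(destination, propagation_enabled=True):
    """Best route for a destination using the constructed sample routes."""
    table = effective_table(STATIC_ROUTES, BGP_ROUTES, propagation_enabled)
    return best_route(table, destination)


if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.2.0.1", "172.16.5.5", "192.168.0.1"):
        r = lookup(dst)
        print(dst, "->", f"{r.prefix} via {r.target} ({r.source})" if r else "no route")
    off = lookup("10.1.2.3", propagation_enabled=False)
    print("10.1.2.3 with propagation off ->", f"{off.prefix} via {off.target}")
```

With propagation enabled, 10.1.2.3 follows the more specific BGP /16 over tunnel 1 (lower metric than the same prefix over tunnel 2), while 10.2.0.1 matches only the /8 and the static route wins on administrative distance. With propagation disabled, the BGP /16 is no longer in the table and 10.1.2.3 falls back to the static /8, which is the situation the paragraph above describes.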
Important
Note that the network connectivity between the VPN and the cloud can be lost for up to 1 minute when you enable route propagation or change the route table, to which BGP routes learned from the client gateway must be propagated.
Alarm setup#
You can use alarms to receive notifications when the VPN connection options fall beyond the specified thresholds.
Create alarm#
Note
Also, to create an alarm for a particular tunnel, go to Monitoring → Alarms.
Go to Interconnect → VPN → VPN connections.
Find the required VPN connection in the resource table and click its ID to go to the VPN connection page.
Open the Alarms tab and click Create.
In the window that opens, select the monitored metrics and click Next.
Set alarm metrics (for details, see Alarms section):
The alarm name and, optionally, its description.
Statistics.
The condition of triggering an alarm for the selected metric. It includes a comparison operator and a threshold value. If necessary, you can also change the metric selected in the previous step.
The number and duration of time periods, over which metric values are collected.
If you want to set actions for the alarm later, complete its creation by clicking Create.
You can also set the emails to which notifications will be sent when the alarm state changes. To do this, go to the next step by clicking Set actions. After setting up the notifications (for details, see Alarms section), click Create.
Change the alarm#
Go to Interconnect → VPN → VPN connections.
In the table, find the resource for which the alarm is set and click on its ID to go to the resource page.
Open the Alarms tab, select the desired alarm in the table and click Modify.
The dialog window will open at the Parameters step. Modify the required alarm parameters:
Statistics.
The condition of triggering an alarm for the selected metric. It includes a comparison operator and a threshold value.
Monitored metrics.
The number and duration of time periods, over which metric values are collected.
If you do not need to modify actions that the alarm triggers, save changes by clicking Modify. Otherwise, click Set actions.
At the Actions step, you can change or cancel already assigned actions when alarm is triggered, or add more actions. Click Modify to save the changes.
Delete the alarm#
Go to Interconnect → VPN → VPN connections.
In the table, find the resource whose alarm(s) should be deleted and click its ID to go to the resource page.
Open the Alarms tab and select the alarm to be deleted in the resource table. You can select multiple alarms at once.
Click Delete and confirm the action in the dialog window.
Deleting a VPN connection#
Go to Interconnect → VPN → VPN connections.
In the resource table, select the VPN connection and click Delete.
In the window that opens, confirm the deletion.
You can also delete a VPN connection on its page. To do this, in the Information tab, click Delete.
Alternatively, a VPN connection can be deleted in the Customer gateway section.
Go to Interconnect → VPN → Customer gateways.
Select the customer gateway from the list and click Delete VPN connection.
In the window that opens, select the VPC whose connection you want to delete, and click Delete.
In the window that opens, confirm the deletion.
Deleting a customer gateway#
Important
You can delete a customer gateway only if it has no active VPN connection. So you should delete the corresponding VPN connection before deleting a customer gateway.
Go to Interconnect → VPN → Customer gateways.
In the resource table, select the customer gateway and click Delete.
In the window that opens, confirm the deletion.
This operation can also be performed on the page of the selected customer gateway. To do this, go to the Information tab and click Delete.