Available in VPC
You can configure communication between an on-premise network and a VPC by setting up an IPsec VPN based on a Transit VPC.
The objectives of this configuration are as follows:
- Centralize IPsec VPN gateway configuration through a Transit VPC
- Enable expansion to multiple Service VPCs without changing VPN settings
- Deliver Service VPC ranges through route propagation
The following is a diagram of the Transit VPC-based IPsec VPN configuration.

The overall sequence of this quickstart and the description of each step are as follows:
1. Preparations
2. Create VPC
3. Create subnets
4. Create VGW and VGW Group
5. Create Transit VPC Connect
6. Create Endpoint Route Table
7. Configure Service VPC Route Table
8. Create IPsec VPN gateway
9. Create IPsec VPN tunnel
10. Configure customer network and perform communication test
11. Operational precautions and inspection guide
1. Preparations
The prerequisites required to perform this example are as follows:
- Permissions to create and configure VPC, Subnet, Route Table, IPsec VPN, and Virtual Private Gateway
- Review of IPsec VPN configuration policies
2. Create VPC
In the NAVER Cloud Platform console, create Transit-type and Normal-type VPCs according to the intended purpose.
As an example in this quickstart, the values can be set as follows:
| VPC name | IPv4 CIDR | VPC type |
|---|---|---|
| transit-vpc | 10.0.0.0/16 | TRANSIT |
| svc-vpc | 172.16.1.0/24 | NORMAL |
For detailed instructions, see:
The VPC CIDR and On-premise CIDR must not overlap.
3. Create subnets
Create subnets within the created Transit VPC and Service VPC.
As an example in this quickstart, the values can be set as follows:
| Subnet name | IPv4 CIDR |
|---|---|
| transit-subnet | 10.0.1.0/24 |
| svc-subnet | 172.16.1.0/24 |
For detailed instructions, see:
4. Create VGW and VGW Group
Create a Virtual Private Gateway (VGW) and a VGW Group in the created Transit VPC for external connectivity.
- Create VGW
  - When creating, set the target VPC to the Transit VPC created above.
- Create VGW Group
  - When creating, set the target VGW to the VGW of the Transit VPC created above.
  - Only one VGW Group exists in a Transit VPC.
A VPC establishes external connections (VPN, Cloud Connect) through a VGW Group.
For detailed instructions, see:
5. Create Transit VPC Connect
Connect Normal-type Service VPCs to the Transit VPC through Transit VPC Connect.
As an example in this quickstart, the values can be set as follows:
- Connect Service VPC and Transit VPC
| Transit VPC Connect name | Normal VPC | Transit VPC |
|---|---|---|
| transit-vpc-conn | svc-vpc | transit-vpc |
For detailed instructions, see:
6. Create Endpoint Route Table
Create an Endpoint Route Table to control routing for ingress traffic entering the Transit VPC.
After creating the route table and enabling propagation, the Service VPC CIDR is propagated to the Transit VPC, and the Service VPC range can then be included in the Local CIDR of the IPsec VPN Tunnel.
As an example in this quickstart, the values can be set as follows:
| Endpoint Route Table name | Target VPC | Endpoint type | Destination | Target | Note |
|---|---|---|---|---|---|
| vgw-rt | transit-vpc | Virtual Private Gateway | 172.16.1.0/24 | Transit VPC Connect | |
| transit-vpc-to-svc | transit-vpc | Transit VPC Connect | 172.16.30.0/24 | Virtual Private Gateway | Enable route propagation |
For detailed instructions, see:
7. Configure Service VPC Route Table
Create a Service VPC Route Table so that traffic from the Service VPC to the On-premise network passes through the Transit VPC. As an example in this quickstart, the values can be set as follows:
| Target VPC | Route Table name | Destination | Target address | Associated subnet |
|---|---|---|---|---|
| svc-vpc | svc-rt | 172.16.30.0/24 | Transit VPC Connect | svc-subnet |
For detailed instructions, see:
8. Create IPsec VPN gateway
Create an IPsec VPN gateway based on the VGW Group of the Transit VPC.
When creating, select the VGW Group of the Transit VPC created earlier as the connection target of the IPsec VPN gateway.
For detailed instructions, see:
9. Create IPsec VPN tunnel
Create an IPsec VPN tunnel to connect with the customer’s on-premise IPsec VPN device and define the communication ranges.
As an example in this quickstart, the values can be set as follows during creation:
| Configuration item | Value | Note |
|---|---|---|
| Target gateway | IPsec-gw | Created IPsec VPN gateway |
| Peer IP | Customer public IP | Public IP of the on-premise VPN device |
| Local CIDR | 10.0.0.0/16, 172.16.1.0/24 | Service VPC range |
| Remote CIDR | 172.16.30.0/24 | On-premise network range |
For detailed instructions, see:
10. Configure customer network and perform communication test
Complete the configuration of the customer’s on-premise device and test whether actual communication is established.
- On-premise routing configuration
  - On the customer VPN device, set the route for the Service VPC range to the IPsec VPN tunnel.
- Communication test
  - Service VPC → On-premise: Attempt a ping from a server in the Service VPC to an on-premise server (e.g., 172.16.30.x).
  - On-premise → Service VPC: Attempt a ping from an on-premise server to a Service VPC server (e.g., 172.16.1.x).
11. Operational precautions and inspection guide
For stable service operation, regularly inspect the configuration and refer to the guide below in case of failures.
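| Issue | Check item |
|---|---|
| Tunnel DOWN, configuration error | Reachability of peer IP between VPN devices |
| Tunnel DOWN, configuration error | Consistency of IPsec configuration policies |
| Tunnel DOWN, configuration error | Review on-premise firewall/NAT policies |
| Tunnel DOWN, configuration error | Enable route propagation in Endpoint Route Table |
| Tunnel UP, communication failure | CIDR overlap status |
| Tunnel UP, communication failure | Apply Service VPC Route Table |
| Tunnel UP, communication failure | Apply Endpoint Route Table |
| Tunnel UP, communication failure | On-premise routing configuration |
| Tunnel UP, communication failure | ACG / NACL policies |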
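
As an added example (not part of the original guide and not NAVER Cloud Platform tooling), the following Python script checks this quickstart's address plan against the CIDR and route table items listed above before any resource is created. The `PLAN` layout and the `check_plan` function are hypothetical names, and the route check assumes the tunnel only carries traffic that matches its Local and Remote CIDR.

```python
import ipaddress

# Address plan copied from this quickstart's example tables.
PLAN = {
    "vpcs": {"transit-vpc": "10.0.0.0/16", "svc-vpc": "172.16.1.0/24"},
    "subnets": {"transit-subnet": ("transit-vpc", "10.0.1.0/24"),
                "svc-subnet": ("svc-vpc", "172.16.1.0/24")},
    "on_prem": "172.16.30.0/24",
    "local_cidrs": ["10.0.0.0/16", "172.16.1.0/24"],
    "remote_cidrs": ["172.16.30.0/24"],
    # (route table, destination) pairs from steps 6 and 7
    "routes": [("vgw-rt", "172.16.1.0/24"),
               ("transit-vpc-to-svc", "172.16.30.0/24"),
               ("svc-rt", "172.16.30.0/24")],
}

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    net = ipaddress.ip_network
    vpcs = {name: net(cidr) for name, cidr in plan["vpcs"].items()}
    on_prem = net(plan["on_prem"])
    local = [net(c) for c in plan["local_cidrs"]]
    remote = [net(c) for c in plan["remote_cidrs"]]
    findings = []
    # VPC ranges must not overlap the on-premise range or each other.
    names = list(vpcs)
    for i, a in enumerate(names):
        if vpcs[a].overlaps(on_prem):
            findings.append(f"{a} {vpcs[a]} overlaps on-premise {on_prem}")
        for b in names[i + 1:]:
            if vpcs[a].overlaps(vpcs[b]):
                findings.append(f"{a} {vpcs[a]} overlaps {b} {vpcs[b]}")
    # Every subnet must sit inside its parent VPC.
    for name, (vpc, cidr) in plan["subnets"].items():
        if not net(cidr).subnet_of(vpcs[vpc]):
            findings.append(f"{name} {cidr} is outside {vpc} {vpcs[vpc]}")
    # Tunnel ranges: Local CIDR covers each VPC, Remote CIDR covers on-premise.
    for name, v in vpcs.items():
        if not any(v.subnet_of(l) for l in local):
            findings.append(f"{name} {v} is not covered by the tunnel Local CIDR")
    if not any(on_prem.subnet_of(r) for r in remote):
        findings.append(f"on-premise {on_prem} is not covered by the tunnel Remote CIDR")
    # A route to anything outside the VPCs heads on-premise and must match Remote CIDR.
    for table, dest in plan["routes"]:
        d = net(dest)
        if not any(d.subnet_of(v) for v in vpcs.values()) and \
           not any(d.subnet_of(r) for r in remote):
            findings.append(f"{table}: {dest} is not covered by the tunnel Remote CIDR")
    return findings

if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan is consistent"]:
        print(finding)
```

Replace the values in `PLAN` with your own ranges; each finding maps to one of the check items in the table above.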