diff --git a/docs/vpn/umn/ALL_META.TXT.json b/docs/vpn/umn/ALL_META.TXT.json new file mode 100644 index 000000000..8d6736bd1 --- /dev/null +++ b/docs/vpn/umn/ALL_META.TXT.json 
@@ -0,0 +1,372 @@ +[ + { + "uri":"en-us_topic_0035391332.html", + "product_code":"vpn", + "code":"1", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Overview", + "title":"Overview", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035391393.html", + "product_code":"vpn", + "code":"2", + "des":"A Virtual Private Network (VPN) establishes an encrypted, Internet-based communications tunnel between a user and a Virtual Private Cloud (VPC). With VPN, you can connect", + "doc_type":"usermanual", + "kw":"Virtual Private Network,Overview,User Guide", + "title":"Virtual Private Network", + "githuburl":"" + }, + { + "uri":"en-us_topic_0160974607.html", + "product_code":"vpn", + "code":"3", + "des":"The Internet Protocol Security (IPsec) VPN is an encrypted tunneling technology that uses encrypted security services to establish confidential and secure communication t", + "doc_type":"usermanual", + "kw":"IPsec VPN,Overview,User Guide", + "title":"IPsec VPN", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035391412.html", + "product_code":"vpn", + "code":"4", + "des":"With the VPN between the VPC and your traditional data center, you can easily use the ECSs and block storage resources provided by the cloud platform.Applications can be ", + "doc_type":"usermanual", + "kw":"Application Scenarios,Overview,User Guide", + "title":"Application Scenarios", + "githuburl":"" + }, + { + "uri":"en-us_topic_0081947484.html", + "product_code":"vpn", + "code":"5", + "des":"The following standards and protocols are associated with the IPsec VPN:RFC 4301: Security Architecture for the Internet ProtocolRFC 2403: The Use of HMAC-MD5-96 within E", + "doc_type":"usermanual", + "kw":"Reference Standards and Protocols,Overview,User Guide", + 
"title":"Reference Standards and Protocols", + "githuburl":"" + }, + { + "uri":"en-us_topic_0185622695.html", + "product_code":"vpn", + "code":"6", + "des":"A region and availability zone (AZ) identify the location of a data center. You can create resources in a specific region and AZ.A region is a physical data center, which", + "doc_type":"usermanual", + "kw":"Region and AZ,Overview,User Guide", + "title":"Region and AZ", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035391382.html", + "product_code":"vpn", + "code":"7", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Getting Started", + "title":"Getting Started", + "githuburl":"" + }, + { + "uri":"en-us_topic_0122970066.html", + "product_code":"vpn", + "code":"8", + "des":"A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.Create a VPC by following the procedure provided in this section", + "doc_type":"usermanual", + "kw":"(Optional) Create a VPC,Getting Started,User Guide", + "title":"(Optional) Create a VPC", + "githuburl":"" + }, + { + "uri":"en-us_topic_0122970067.html", + "product_code":"vpn", + "code":"9", + "des":"You can add subnets during VPC creation. If required, you can also create subnets for an existing VPC.The created subnet is configured with DHCP by default. After an ECS ", + "doc_type":"usermanual", + "kw":"(Optional) Create a Subnet for the VPC,Getting Started,User Guide", + "title":"(Optional) Create a Subnet for the VPC", + "githuburl":"" + }, + { + "uri":"en-us_topic_0060118606.html", + "product_code":"vpn", + "code":"10", + "des":"By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. 
You need to create a VPN in your V", + "doc_type":"usermanual", + "kw":"Creating a VPN,Getting Started,User Guide", + "title":"Creating a VPN", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035634996.html", + "product_code":"vpn", + "code":"11", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"(Optional) Configure Security Group Rules", + "title":"(Optional) Configure Security Group Rules", + "githuburl":"" + }, + { + "uri":"en-us_topic_0013748715.html", + "product_code":"vpn", + "code":"12", + "des":"To improve ECS access security, you can create a security group, define security group rules, and add ECSs in the VPC to the security group. We recommend that you allocat", + "doc_type":"usermanual", + "kw":"Creating a Security Group,(Optional) Configure Security Group Rules,User Guide", + "title":"Creating a Security Group", + "githuburl":"" + }, + { + "uri":"en-us_topic_0030969470.html", + "product_code":"vpn", + "code":"13", + "des":"After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). 
After ECSs ar", + "doc_type":"usermanual", + "kw":"Adding a Security Group Rule,(Optional) Configure Security Group Rules,User Guide", + "title":"Adding a Security Group Rule", + "githuburl":"" + }, + { + "uri":"en-us_topic_0030969471.html", + "product_code":"vpn", + "code":"14", + "des":"If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule an", + "doc_type":"usermanual", + "kw":"Deleting a Security Group Rule,(Optional) Configure Security Group Rules,User Guide", + "title":"Deleting a Security Group Rule", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035391378.html", + "product_code":"vpn", + "code":"15", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Management", + "title":"Management", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035506845.html", + "product_code":"vpn", + "code":"16", + "des":"You can view details about an existing VPN.Log in to the management console.Click in the upper left corner and select the desired region and project.On the console homep", + "doc_type":"usermanual", + "kw":"Viewing a VPN,Management,User Guide", + "title":"Viewing a VPN", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035391295.html", + "product_code":"vpn", + "code":"17", + "des":"If the VPN network information conflicts the VPC network information or you need to adjust VPN configurations, you can modify a VPN.Log in to the management console.Click", + "doc_type":"usermanual", + "kw":"Modifying a VPN,Management,User Guide", + "title":"Modifying a VPN", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035616925.html", + "product_code":"vpn", + "code":"18", + "des":"You can delete a VPN to release network 
resources if the VPN is no longer required.Log in to the management console.Click in the upper left corner and select a region an", + "doc_type":"usermanual", + "kw":"Deleting a VPN,Management,User Guide", + "title":"Deleting a VPN", + "githuburl":"" + }, + { + "uri":"en-us_topic_0107396413.html", + "product_code":"vpn", + "code":"19", + "des":"A VPN tag identifies a VPN. Tags can be added to VPNs to facilitate VPN identification and administration. You can add a tag to a VPN when creating the VPN. Alternatively", + "doc_type":"usermanual", + "kw":"Managing VPN Tags,Management,User Guide", + "title":"Managing VPN Tags", + "githuburl":"" + }, + { + "uri":"en-us_topic_0114174493.html", + "product_code":"vpn", + "code":"20", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"VPN Best Practice", + "title":"VPN Best Practice", + "githuburl":"" + }, + { + "uri":"en-us_topic_0066871940.html", + "product_code":"vpn", + "code":"21", + "des":"By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. After a VPN is created, configure ", + "doc_type":"usermanual", + "kw":"Connecting to a VPC Through a VPN,VPN Best Practice,User Guide", + "title":"Connecting to a VPC Through a VPN", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035391365.html", + "product_code":"vpn", + "code":"22", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"FAQs", + "title":"FAQs", + "githuburl":"" + }, + { + "uri":"vpn_faq_0021.html", + "product_code":"vpn", + "code":"23", + "des":"By default, a user can have a maximum of five IPsec VPNs. If your quota cannot fulfill your service requirements, submit a service ticket to increase the quota.", + "doc_type":"usermanual", + "kw":"How Many IPsec VPNs Can I Have?,FAQs,User Guide", + "title":"How Many IPsec VPNs Can I Have?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0036149069.html", + "product_code":"vpn", + "code":"24", + "des":"The IPsec VPN tunnel works in passive mode, which triggers automatic negotiation only when traffic sent by the local end passes through the tunnel.", + "doc_type":"usermanual", + "kw":"Do IPsec VPNs Support Automatic Negotiation?,FAQs,User Guide", + "title":"Do IPsec VPNs Support Automatic Negotiation?", + "githuburl":"" + }, + { + "uri":"vpn_faq_0055.html", + "product_code":"vpn", + "code":"25", + "des":"Log in to the management console and click Virtual Private Network.In the VPN list, locate the target VPN and click View Policyin the Operationcolumn to view IKE and IPse", + "doc_type":"usermanual", + "kw":"What Do I Do If VPN Setup Fails?,FAQs,User Guide", + "title":"What Do I Do If VPN Setup Fails?", + "githuburl":"" + }, + { + "uri":"vpn_faq_0056.html", + "product_code":"vpn", + "code":"26", + "des":"The security group denies the access from all sources by default. 
If you want to access your ECSs, modify the security group configuration and allow the access from the r", + "doc_type":"usermanual", + "kw":"How Can I Handle the Failure in Accessing the ECSs from My Data Center or LAN Even If the VPN Has Be", + "title":"How Can I Handle the Failure in Accessing the ECSs from My Data Center or LAN Even If the VPN Has Been Set Up?", + "githuburl":"" + }, + { + "uri":"vpn_faq_0057.html", + "product_code":"vpn", + "code":"27", + "des":"Check whether you have properly configured the firewall policies for the access from the public IP address of the cloud VPN to the public IP address of your data center o", + "doc_type":"usermanual", + "kw":"What Do I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been ", + "title":"What Do I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?", + "githuburl":"" + }, + { + "uri":"vpn_faq_0058.html", + "product_code":"vpn", + "code":"28", + "des":"If the two VPCs are in the same region, you can use a VPC peering connection to enable communication between them.If the two VPCs are in different regions, you can use a ", + "doc_type":"usermanual", + "kw":"Does a VPN Allow for Communication Between Two VPCs?,FAQs,User Guide", + "title":"Does a VPN Allow for Communication Between Two VPCs?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0044789110.html", + "product_code":"vpn", + "code":"29", + "des":"The maximum number obtained by multiplying the number of local subnets and that of remote subnets cannot exceed 2500.", + "doc_type":"usermanual", + "kw":"What Is the Limitation on the Number of Local and Remote Subnets of a VPN?,FAQs,User Guide", + "title":"What Is the Limitation on the Number of Local and Remote Subnets of a VPN?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0045305370.html", + "product_code":"vpn", + "code":"30", + "des":"After a VPN is created, its status changes to Normalonly after the VMs or physical 
servers on the two sides of the VPN communicate with each other.IKE v1:If no traffic go", + "doc_type":"usermanual", + "kw":"Why Is Not Connected Displayed as the Status for a Successfully Created VPN?,FAQs,User Guide", + "title":"Why Is Not Connected Displayed as the Status for a Successfully Created VPN?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0051518174.html", + "product_code":"vpn", + "code":"31", + "des":"The time required for VPN configurations to take effect increases linearly with the number obtained by multiplying the number of local subnets and that of remote subnets.", + "doc_type":"usermanual", + "kw":"How Long Is Required for Issued VPN Configurations to Take Effect?,FAQs,User Guide", + "title":"How Long Is Required for Issued VPN Configurations to Take Effect?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0109312453.html", + "product_code":"vpn", + "code":"32", + "des":"Due to the symmetry of the tunnel, the VPN parameters configured on the cloud must be the same as those configured in your own data center. If they are different, a VPN c", + "doc_type":"usermanual", + "kw":"How Do I Configure a Remote Device for a VPN?,FAQs,User Guide", + "title":"How Do I Configure a Remote Device for a VPN?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0109676043.html", + "product_code":"vpn", + "code":"33", + "des":"Most devices that meet IPsec VPN standard and reference protocol requirements can be used as the remote VPN devices, for example, Cisco ASA firewalls, Huawei USG6xxxxseri", + "doc_type":"usermanual", + "kw":"Which Remote VPN Devices Are Supported?,FAQs,User Guide", + "title":"Which Remote VPN Devices Are Supported?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0142368417.html", + "product_code":"vpn", + "code":"34", + "des":"You can perform the following steps to handle the issues:Check the ECS specifications. 
Rate limiting is not performed for the VPN ingress on the cloud, so the issue may b", + "doc_type":"usermanual", + "kw":"What Can I Do If the VPN Fails or the Network Speed of the VPN Is Slow?,FAQs,User Guide", + "title":"What Can I Do If the VPN Fails or the Network Speed of the VPN Is Slow?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0142373840.html", + "product_code":"vpn", + "code":"35", + "des":"Currently, the VPN service does not support the SSL VPNs.", + "doc_type":"usermanual", + "kw":"Are SSL VPNs Supported?,FAQs,User Guide", + "title":"Are SSL VPNs Supported?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0035391366.html", + "product_code":"vpn", + "code":"36", + "des":"Quotas are enforced for service resources on the platform to prevent unforeseen spikes in resource usage. Quotas can limit the number or amount of resources available to ", + "doc_type":"usermanual", + "kw":"What Is the VPN Quota?,FAQs,User Guide", + "title":"What Is the VPN Quota?", + "githuburl":"" + }, + { + "uri":"en-us_topic_0041174633.html", + "product_code":"vpn", + "code":"37", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"A Change History,User Guide", + "title":"A Change History", + "githuburl":"" + } +] \ No newline at end of file diff --git a/docs/vpn/umn/CLASS.TXT.json b/docs/vpn/umn/CLASS.TXT.json new file mode 100644 index 000000000..07b96ae31 --- /dev/null +++ b/docs/vpn/umn/CLASS.TXT.json 
@@ -0,0 +1,335 @@ +[ + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"vpn", + "title":"Overview", + "uri":"en-us_topic_0035391332.html", + "doc_type":"usermanual", + "p_code":"", + "code":"1" + }, + { + "desc":"A Virtual Private Network (VPN) establishes an encrypted, Internet-based communications tunnel between a user and a Virtual Private Cloud (VPC). With VPN, you can connect", + "product_code":"vpn", + "title":"Virtual Private Network", + "uri":"en-us_topic_0035391393.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"2" + }, + { + "desc":"The Internet Protocol Security (IPsec) VPN is an encrypted tunneling technology that uses encrypted security services to establish confidential and secure communication t", + "product_code":"vpn", + "title":"IPsec VPN", + "uri":"en-us_topic_0160974607.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"3" + }, + { + "desc":"With the VPN between the VPC and your traditional data center, you can easily use the ECSs and block storage resources provided by the cloud platform.Applications can be ", + "product_code":"vpn", + "title":"Application Scenarios", + "uri":"en-us_topic_0035391412.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"4" + }, + { + "desc":"The following standards and protocols are associated with the IPsec VPN:RFC 4301: Security Architecture for the Internet ProtocolRFC 2403: The Use of HMAC-MD5-96 within E", + "product_code":"vpn", + "title":"Reference Standards and Protocols", + "uri":"en-us_topic_0081947484.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"5" + }, + { + "desc":"A region and availability zone (AZ) identify the location of a data center. 
You can create resources in a specific region and AZ.A region is a physical data center, which", + "product_code":"vpn", + "title":"Region and AZ", + "uri":"en-us_topic_0185622695.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"6" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"vpn", + "title":"Getting Started", + "uri":"en-us_topic_0035391382.html", + "doc_type":"usermanual", + "p_code":"", + "code":"7" + }, + { + "desc":"A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.Create a VPC by following the procedure provided in this section", + "product_code":"vpn", + "title":"(Optional) Create a VPC", + "uri":"en-us_topic_0122970066.html", + "doc_type":"usermanual", + "p_code":"7", + "code":"8" + }, + { + "desc":"You can add subnets during VPC creation. If required, you can also create subnets for an existing VPC.The created subnet is configured with DHCP by default. After an ECS ", + "product_code":"vpn", + "title":"(Optional) Create a Subnet for the VPC", + "uri":"en-us_topic_0122970067.html", + "doc_type":"usermanual", + "p_code":"7", + "code":"9" + }, + { + "desc":"By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. You need to create a VPN in your V", + "product_code":"vpn", + "title":"Creating a VPN", + "uri":"en-us_topic_0060118606.html", + "doc_type":"usermanual", + "p_code":"7", + "code":"10" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"vpn", + "title":"(Optional) Configure Security Group Rules", + "uri":"en-us_topic_0035634996.html", + "doc_type":"usermanual", + "p_code":"7", + "code":"11" + }, + { + "desc":"To improve ECS access security, you can create a security group, define security group rules, and add ECSs in the VPC to the security group. We recommend that you allocat", + "product_code":"vpn", + "title":"Creating a Security Group", + "uri":"en-us_topic_0013748715.html", + "doc_type":"usermanual", + "p_code":"11", + "code":"12" + }, + { + "desc":"After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). After ECSs ar", + "product_code":"vpn", + "title":"Adding a Security Group Rule", + "uri":"en-us_topic_0030969470.html", + "doc_type":"usermanual", + "p_code":"11", + "code":"13" + }, + { + "desc":"If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule an", + "product_code":"vpn", + "title":"Deleting a Security Group Rule", + "uri":"en-us_topic_0030969471.html", + "doc_type":"usermanual", + "p_code":"11", + "code":"14" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"vpn", + "title":"Management", + "uri":"en-us_topic_0035391378.html", + "doc_type":"usermanual", + "p_code":"", + "code":"15" + }, + { + "desc":"You can view details about an existing VPN.Log in to the management console.Click in the upper left corner and select the desired region and project.On the console homep", + "product_code":"vpn", + "title":"Viewing a VPN", + "uri":"en-us_topic_0035506845.html", + "doc_type":"usermanual", + "p_code":"15", + "code":"16" + }, + { + "desc":"If the VPN network information conflicts the VPC network information or you need to adjust VPN configurations, you can modify a VPN.Log in to the management console.Click", + "product_code":"vpn", + "title":"Modifying a VPN", + "uri":"en-us_topic_0035391295.html", + "doc_type":"usermanual", + "p_code":"15", + "code":"17" + }, + { + "desc":"You can delete a VPN to release network resources if the VPN is no longer required.Log in to the management console.Click in the upper left corner and select a region an", + "product_code":"vpn", + "title":"Deleting a VPN", + "uri":"en-us_topic_0035616925.html", + "doc_type":"usermanual", + "p_code":"15", + "code":"18" + }, + { + "desc":"A VPN tag identifies a VPN. Tags can be added to VPNs to facilitate VPN identification and administration. You can add a tag to a VPN when creating the VPN. Alternatively", + "product_code":"vpn", + "title":"Managing VPN Tags", + "uri":"en-us_topic_0107396413.html", + "doc_type":"usermanual", + "p_code":"15", + "code":"19" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"vpn", + "title":"VPN Best Practice", + "uri":"en-us_topic_0114174493.html", + "doc_type":"usermanual", + "p_code":"", + "code":"20" + }, + { + "desc":"By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. After a VPN is created, configure ", + "product_code":"vpn", + "title":"Connecting to a VPC Through a VPN", + "uri":"en-us_topic_0066871940.html", + "doc_type":"usermanual", + "p_code":"20", + "code":"21" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"vpn", + "title":"FAQs", + "uri":"en-us_topic_0035391365.html", + "doc_type":"usermanual", + "p_code":"", + "code":"22" + }, + { + "desc":"By default, a user can have a maximum of five IPsec VPNs. 
If your quota cannot fulfill your service requirements, submit a service ticket to increase the quota.", + "product_code":"vpn", + "title":"How Many IPsec VPNs Can I Have?", + "uri":"vpn_faq_0021.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"23" + }, + { + "desc":"The IPsec VPN tunnel works in passive mode, which triggers automatic negotiation only when traffic sent by the local end passes through the tunnel.", + "product_code":"vpn", + "title":"Do IPsec VPNs Support Automatic Negotiation?", + "uri":"en-us_topic_0036149069.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"24" + }, + { + "desc":"Log in to the management console and click Virtual Private Network.In the VPN list, locate the target VPN and click View Policyin the Operationcolumn to view IKE and IPse", + "product_code":"vpn", + "title":"What Do I Do If VPN Setup Fails?", + "uri":"vpn_faq_0055.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"25" + }, + { + "desc":"The security group denies the access from all sources by default. 
If you want to access your ECSs, modify the security group configuration and allow the access from the r", + "product_code":"vpn", + "title":"How Can I Handle the Failure in Accessing the ECSs from My Data Center or LAN Even If the VPN Has Been Set Up?", + "uri":"vpn_faq_0056.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"26" + }, + { + "desc":"Check whether you have properly configured the firewall policies for the access from the public IP address of the cloud VPN to the public IP address of your data center o", + "product_code":"vpn", + "title":"What Do I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?", + "uri":"vpn_faq_0057.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"27" + }, + { + "desc":"If the two VPCs are in the same region, you can use a VPC peering connection to enable communication between them.If the two VPCs are in different regions, you can use a ", + "product_code":"vpn", + "title":"Does a VPN Allow for Communication Between Two VPCs?", + "uri":"vpn_faq_0058.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"28" + }, + { + "desc":"The maximum number obtained by multiplying the number of local subnets and that of remote subnets cannot exceed 2500.", + "product_code":"vpn", + "title":"What Is the Limitation on the Number of Local and Remote Subnets of a VPN?", + "uri":"en-us_topic_0044789110.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"29" + }, + { + "desc":"After a VPN is created, its status changes to Normalonly after the VMs or physical servers on the two sides of the VPN communicate with each other.IKE v1:If no traffic go", + "product_code":"vpn", + "title":"Why Is Not Connected Displayed as the Status for a Successfully Created VPN?", + "uri":"en-us_topic_0045305370.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"30" + }, + { + "desc":"The time required for VPN configurations to take effect increases linearly with the number 
obtained by multiplying the number of local subnets and that of remote subnets.", + "product_code":"vpn", + "title":"How Long Is Required for Issued VPN Configurations to Take Effect?", + "uri":"en-us_topic_0051518174.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"31" + }, + { + "desc":"Due to the symmetry of the tunnel, the VPN parameters configured on the cloud must be the same as those configured in your own data center. If they are different, a VPN c", + "product_code":"vpn", + "title":"How Do I Configure a Remote Device for a VPN?", + "uri":"en-us_topic_0109312453.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"32" + }, + { + "desc":"Most devices that meet IPsec VPN standard and reference protocol requirements can be used as the remote VPN devices, for example, Cisco ASA firewalls, Huawei USG6xxxxseri", + "product_code":"vpn", + "title":"Which Remote VPN Devices Are Supported?", + "uri":"en-us_topic_0109676043.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"33" + }, + { + "desc":"You can perform the following steps to handle the issues:Check the ECS specifications. Rate limiting is not performed for the VPN ingress on the cloud, so the issue may b", + "product_code":"vpn", + "title":"What Can I Do If the VPN Fails or the Network Speed of the VPN Is Slow?", + "uri":"en-us_topic_0142368417.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"34" + }, + { + "desc":"Currently, the VPN service does not support the SSL VPNs.", + "product_code":"vpn", + "title":"Are SSL VPNs Supported?", + "uri":"en-us_topic_0142373840.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"35" + }, + { + "desc":"Quotas are enforced for service resources on the platform to prevent unforeseen spikes in resource usage. 
Quotas can limit the number or amount of resources available to ", + "product_code":"vpn", + "title":"What Is the VPN Quota?", + "uri":"en-us_topic_0035391366.html", + "doc_type":"usermanual", + "p_code":"22", + "code":"36" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"vpn", + "title":"A Change History", + "uri":"en-us_topic_0041174633.html", + "doc_type":"usermanual", + "p_code":"", + "code":"37" + } +] \ No newline at end of file diff --git a/docs/vpn/umn/PARAMETERS.txt b/docs/vpn/umn/PARAMETERS.txt new file mode 100644 index 000000000..6da8d5f07 --- /dev/null +++ b/docs/vpn/umn/PARAMETERS.txt @@ -0,0 +1,3 @@ +version="" +language="en-us" +type="" \ No newline at end of file diff --git a/docs/vpn/umn/en-us_image_0000001404528466.png b/docs/vpn/umn/en-us_image_0000001404528466.png new file mode 100644 index 000000000..daf53fd45 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001404528466.png differ diff --git a/docs/vpn/umn/en-us_image_0000001404848230.jpg b/docs/vpn/umn/en-us_image_0000001404848230.jpg new file mode 100644 index 000000000..b02afe636 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001404848230.jpg differ diff --git a/docs/vpn/umn/en-us_image_0000001405148354.jpg b/docs/vpn/umn/en-us_image_0000001405148354.jpg new file mode 100644 index 000000000..28092c102 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405148354.jpg differ diff --git a/docs/vpn/umn/en-us_image_0000001405148570.png b/docs/vpn/umn/en-us_image_0000001405148570.png new file mode 100644 index 000000000..fcd4cf4b2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405148570.png differ 
diff --git a/docs/vpn/umn/en-us_image_0000001405151706.png b/docs/vpn/umn/en-us_image_0000001405151706.png new file mode 100644 index 000000000..a06a21362 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405151706.png differ diff --git a/docs/vpn/umn/en-us_image_0000001405171846.png b/docs/vpn/umn/en-us_image_0000001405171846.png new file mode 100644 index 000000000..1a8fd5bdc Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405171846.png differ diff --git a/docs/vpn/umn/en-us_image_0000001405176804.png b/docs/vpn/umn/en-us_image_0000001405176804.png new file mode 100644 index 000000000..28a39f44b Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405176804.png differ diff --git a/docs/vpn/umn/en-us_image_0000001405314402.jpg b/docs/vpn/umn/en-us_image_0000001405314402.jpg new file mode 100644 index 000000000..949fed3e9 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405314402.jpg differ diff --git a/docs/vpn/umn/en-us_image_0000001405317654.png b/docs/vpn/umn/en-us_image_0000001405317654.png new file mode 100644 index 000000000..9e0a935fb Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405317654.png differ diff --git a/docs/vpn/umn/en-us_image_0000001405485434.png b/docs/vpn/umn/en-us_image_0000001405485434.png new file mode 100644 index 000000000..a06a21362 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405485434.png differ diff --git a/docs/vpn/umn/en-us_image_0000001405496560.png b/docs/vpn/umn/en-us_image_0000001405496560.png new file mode 100644 index 000000000..a06a21362 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405496560.png differ diff --git a/docs/vpn/umn/en-us_image_0000001405630570.png b/docs/vpn/umn/en-us_image_0000001405630570.png new file mode 100644 index 000000000..10e3a9d76 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405630570.png differ 
diff --git a/docs/vpn/umn/en-us_image_0000001405640430.png b/docs/vpn/umn/en-us_image_0000001405640430.png new file mode 100644 index 000000000..3880d33d1 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405640430.png differ diff --git a/docs/vpn/umn/en-us_image_0000001405646142.png b/docs/vpn/umn/en-us_image_0000001405646142.png new file mode 100644 index 000000000..e2b98462e Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405646142.png differ diff --git a/docs/vpn/umn/en-us_image_0000001405650458.png b/docs/vpn/umn/en-us_image_0000001405650458.png new file mode 100644 index 000000000..a06a21362 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405650458.png differ diff --git a/docs/vpn/umn/en-us_image_0000001405655248.png b/docs/vpn/umn/en-us_image_0000001405655248.png new file mode 100644 index 000000000..8530092e9 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001405655248.png differ diff --git a/docs/vpn/umn/en-us_image_0000001455555929.png b/docs/vpn/umn/en-us_image_0000001455555929.png new file mode 100644 index 000000000..5ac6e2e6c Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455555929.png differ diff --git a/docs/vpn/umn/en-us_image_0000001455557817.png b/docs/vpn/umn/en-us_image_0000001455557817.png new file mode 100644 index 000000000..e65a9f184 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455557817.png differ diff --git a/docs/vpn/umn/en-us_image_0000001455569161.png b/docs/vpn/umn/en-us_image_0000001455569161.png new file mode 100644 index 000000000..a06a21362 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455569161.png differ diff --git a/docs/vpn/umn/en-us_image_0000001455570241.png b/docs/vpn/umn/en-us_image_0000001455570241.png new file mode 100644 index 000000000..a06a21362 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455570241.png differ 
diff --git a/docs/vpn/umn/en-us_image_0000001455711269.jpg b/docs/vpn/umn/en-us_image_0000001455711269.jpg new file mode 100644 index 000000000..49464ad58 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455711269.jpg differ diff --git a/docs/vpn/umn/en-us_image_0000001455717309.png b/docs/vpn/umn/en-us_image_0000001455717309.png new file mode 100644 index 000000000..3880d33d1 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455717309.png differ diff --git a/docs/vpn/umn/en-us_image_0000001455827749.jpg b/docs/vpn/umn/en-us_image_0000001455827749.jpg new file mode 100644 index 000000000..50d93d434 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455827749.jpg differ diff --git a/docs/vpn/umn/en-us_image_0000001455829029.png b/docs/vpn/umn/en-us_image_0000001455829029.png new file mode 100644 index 000000000..3880d33d1 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455829029.png differ diff --git a/docs/vpn/umn/en-us_image_0000001455829553.jpg b/docs/vpn/umn/en-us_image_0000001455829553.jpg new file mode 100644 index 000000000..6c709cff4 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455829553.jpg differ diff --git a/docs/vpn/umn/en-us_image_0000001455845961.png b/docs/vpn/umn/en-us_image_0000001455845961.png new file mode 100644 index 000000000..a06a21362 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455845961.png differ diff --git a/docs/vpn/umn/en-us_image_0000001455909921.png b/docs/vpn/umn/en-us_image_0000001455909921.png new file mode 100644 index 000000000..3880d33d1 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455909921.png differ diff --git a/docs/vpn/umn/en-us_image_0000001455916097.png b/docs/vpn/umn/en-us_image_0000001455916097.png new file mode 100644 index 000000000..3880d33d1 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0000001455916097.png differ 
diff --git a/docs/vpn/umn/en-us_image_0107432228.png b/docs/vpn/umn/en-us_image_0107432228.png new file mode 100644 index 000000000..1909444d2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0107432228.png differ diff --git a/docs/vpn/umn/en-us_image_0109860229.png b/docs/vpn/umn/en-us_image_0109860229.png new file mode 100644 index 000000000..32d225a39 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0109860229.png differ diff --git a/docs/vpn/umn/en-us_image_0118534037.png b/docs/vpn/umn/en-us_image_0118534037.png new file mode 100644 index 000000000..595a9b056 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0118534037.png differ diff --git a/docs/vpn/umn/en-us_image_0118696493.png b/docs/vpn/umn/en-us_image_0118696493.png new file mode 100644 index 000000000..1909444d2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0118696493.png differ diff --git a/docs/vpn/umn/en-us_image_0118696764.png b/docs/vpn/umn/en-us_image_0118696764.png new file mode 100644 index 000000000..1909444d2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0118696764.png differ diff --git a/docs/vpn/umn/en-us_image_0118696766.png b/docs/vpn/umn/en-us_image_0118696766.png new file mode 100644 index 000000000..1909444d2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0118696766.png differ diff --git a/docs/vpn/umn/en-us_image_0123091916.png b/docs/vpn/umn/en-us_image_0123091916.png new file mode 100644 index 000000000..1909444d2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0123091916.png differ diff --git a/docs/vpn/umn/en-us_image_0141273034.png b/docs/vpn/umn/en-us_image_0141273034.png new file mode 100644 index 000000000..1909444d2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0141273034.png differ diff --git a/docs/vpn/umn/en-us_image_0147165026.png b/docs/vpn/umn/en-us_image_0147165026.png new file mode 100644 index 000000000..1909444d2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0147165026.png differ 
diff --git a/docs/vpn/umn/en-us_image_0152727234.png b/docs/vpn/umn/en-us_image_0152727234.png new file mode 100644 index 000000000..35e283157 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0152727234.png differ diff --git a/docs/vpn/umn/en-us_image_0152926732.png b/docs/vpn/umn/en-us_image_0152926732.png new file mode 100644 index 000000000..79ca15dd5 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0152926732.png differ diff --git a/docs/vpn/umn/en-us_image_0154037992.png b/docs/vpn/umn/en-us_image_0154037992.png new file mode 100644 index 000000000..13e196ca6 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0154037992.png differ diff --git a/docs/vpn/umn/en-us_image_0155717676.png b/docs/vpn/umn/en-us_image_0155717676.png new file mode 100644 index 000000000..12f0d879f Binary files /dev/null and b/docs/vpn/umn/en-us_image_0155717676.png differ diff --git a/docs/vpn/umn/en-us_image_0155784843.png b/docs/vpn/umn/en-us_image_0155784843.png new file mode 100644 index 000000000..cbb489151 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0155784843.png differ diff --git a/docs/vpn/umn/en-us_image_0159197475.png b/docs/vpn/umn/en-us_image_0159197475.png new file mode 100644 index 000000000..33c844036 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0159197475.png differ diff --git a/docs/vpn/umn/en-us_image_0159201188.png b/docs/vpn/umn/en-us_image_0159201188.png new file mode 100644 index 000000000..8e09bc614 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0159201188.png differ diff --git a/docs/vpn/umn/en-us_image_0159206951.png b/docs/vpn/umn/en-us_image_0159206951.png new file mode 100644 index 000000000..1466ed0b7 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0159206951.png differ diff --git a/docs/vpn/umn/en-us_image_0160993816.png b/docs/vpn/umn/en-us_image_0160993816.png new file mode 100644 index 000000000..8f2039895 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0160993816.png differ 
diff --git a/docs/vpn/umn/en-us_image_0161052507.png b/docs/vpn/umn/en-us_image_0161052507.png new file mode 100644 index 000000000..1909444d2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0161052507.png differ diff --git a/docs/vpn/umn/en-us_image_0161052509.png b/docs/vpn/umn/en-us_image_0161052509.png new file mode 100644 index 000000000..3322328b6 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0161052509.png differ diff --git a/docs/vpn/umn/en-us_image_0170041086.png b/docs/vpn/umn/en-us_image_0170041086.png new file mode 100644 index 000000000..e6ce3d56d Binary files /dev/null and b/docs/vpn/umn/en-us_image_0170041086.png differ diff --git a/docs/vpn/umn/en-us_image_0184026531.png b/docs/vpn/umn/en-us_image_0184026531.png new file mode 100644 index 000000000..1303a51c2 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0184026531.png differ diff --git a/docs/vpn/umn/en-us_image_0210485645.png b/docs/vpn/umn/en-us_image_0210485645.png new file mode 100644 index 000000000..5666bb1f5 Binary files /dev/null and b/docs/vpn/umn/en-us_image_0210485645.png differ diff --git a/docs/vpn/umn/en-us_image_0210486152.png b/docs/vpn/umn/en-us_image_0210486152.png new file mode 100644 index 000000000..d36739fdf Binary files /dev/null and b/docs/vpn/umn/en-us_image_0210486152.png differ diff --git a/docs/vpn/umn/en-us_topic_0013748715.html b/docs/vpn/umn/en-us_topic_0013748715.html new file mode 100644 index 000000000..fe3a0fb1e --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0013748715.html @@ -0,0 +1,46 @@ + + +

Creating a Security Group

+

Scenarios

To improve ECS access security, you can create a security group, define security group rules, and add ECSs in the VPC to the security group. We recommend that you allocate ECSs that have different Internet access policies to different security groups.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Network, click Virtual Private Cloud.
  4. In the navigation pane on the left, choose Access Control > Security Groups.
  5. On the Security Groups page, click Create Security Group.
  6. In the Create Security Group area, set the parameters as prompted. Table 1 lists the parameters to be configured.
    Figure 1 Create Security Group
    +

    + +
    + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Name

    +

    Specifies the security group name. This parameter is mandatory.

    +

    The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.

    +
    NOTE:

    You can change the security group name after a security group is created. It is recommended that you use different names for different security groups.

    +
    +

    sg-318b

    +

    Description

    +

    Provides supplementary information about the security group. This parameter is optional.

    +

    The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).

    +

    N/A

    +
    +
    +
  7. Click OK.
+
+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0030969470.html b/docs/vpn/umn/en-us_topic_0030969470.html new file mode 100644 index 000000000..e70c97b9e --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0030969470.html @@ -0,0 +1,110 @@ + + +

Adding a Security Group Rule

+

Scenarios

After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). After ECSs are added to the security group, they are protected by the rules of that group.

+ +
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Network, click Virtual Private Cloud.
  4. In the navigation pane on the left, choose Access Control > Security Groups.
  5. On the Security Groups page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.
  6. On the inbound rule tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.

    You can click + to add more inbound rules.

    +
    Figure 1 Add Inbound Rule
    + +
    + + + + + + + + + + + + + + + + + + + + +
    Table 1 Inbound rule parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Protocol/Application

    +

    Specifies the network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.

    +

    TCP

    +

    Port & Source

    +

    +

    Port: specifies the port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.

    +

    22 or 22-30

    +

    Source: specifies the source of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example:

    +
    • xxx.xxx.xxx.xxx/32 (IPv4 address)
    • xxx.xxx.xxx.0/24 (subnet CIDR block)
    • 0.0.0.0/0 (any IP address)
    +

    0.0.0.0/0

    +

    default

    +

    Description

    +

    Provides supplementary information about the security group rule. This parameter is optional.

    +

    The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).

    +

    N/A

    +
    +
    +
  7. On the outbound rule tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule.

    You can click + to add more outbound rules.

    +
    Figure 2 Add Outbound Rule
    +

    + +
    + + + + + + + + + + + + + + + + + + + + +
    Table 2 Outbound rule parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Protocol/Application

    +

    Specifies the network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.

    +

    TCP

    +

    Port & Destination

    +

    Port: specifies the port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535.

    +

    22 or 22-30

    +

    Destination: specifies the destination of the security group rule. The value can be another security group, a CIDR block, or a single IP address. For example:

    +
    • xxx.xxx.xxx.xxx/32 (IPv4 address)
    • xxx.xxx.xxx.0/24 (subnet CIDR block)
    • 0.0.0.0/0 (any IP address)
    +

    0.0.0.0/0

    +

    default

    +

    Description

    +

    Provides supplementary information about the security group rule. This parameter is optional.

    +

    The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).

    +

    N/A

    +
    +
    +
  8. Click OK.
+
+
+
+ +
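Review bot: The example values in Table 1 (Inbound rule parameter description) combine Protocol "TCP", Port "22 or 22-30" and Source "0.0.0.0/0", so a reader who copies the example column gets an inbound rule that exposes SSH to any IP address. Suggest using a restricted source as the example, for instance the "xxx.xxx.xxx.0/24 (subnet CIDR block)" form already listed, and adding one sentence that 0.0.0.0/0 is meant only for ports that must be publicly reachable. The example value "default" under Source and Destination is also unexplained; state whether it is a security group name.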
+ + + diff --git a/docs/vpn/umn/en-us_topic_0030969471.html b/docs/vpn/umn/en-us_topic_0030969471.html new file mode 100644 index 000000000..97db8370b --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0030969471.html @@ -0,0 +1,19 @@ + + +

Deleting a Security Group Rule

+

Scenarios

If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule and add a new one.

+

Security group rules use whitelists. Deleting a security group rule may result in ECS access failures. Exercise caution when deleting security group rules.

+
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Network, click Virtual Private Cloud.
  4. In the navigation pane on the left, choose Access Control > Security Groups.
  5. On the Security Groups page, click the security group name.
  6. If you do not need a security group rule, locate the row that contains the target rule, and click Delete.
  7. Click Yes in the displayed dialog box.
+

Deleting Multiple Security Group Rules at Once.

+

You can also select multiple security group rules and click Delete above the security group rule list to delete multiple rules at a time.

+

+
+
+
+ +
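Review bot: The Scenarios text says to "first delete the security group rule and add a new one", while the following note says rules are whitelists and that deleting a rule may cause ECS access failures. Done in that order, there is a window in which neither the old nor the new rule is in place. Suggest documenting the reverse order (add the replacement rule, verify access, then delete the old rule), or stating why delete-first is required. Minor style point: the heading "Deleting Multiple Security Group Rules at Once." ends with a period, unlike the other headings in this file.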
+ diff --git a/docs/vpn/umn/en-us_topic_0035391295.html b/docs/vpn/umn/en-us_topic_0035391295.html new file mode 100644 index 000000000..c0f1e59c7 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035391295.html @@ -0,0 +1,22 @@ + + +

Modifying a VPN

+

Scenarios

If the VPN network information conflicts the VPC network information or you need to adjust VPN configurations, you can modify a VPN.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. On the console homepage, under Network, click Virtual Private Network.
  4. On the Virtual Private Network page, locate the target VPN and click Modify.
  5. In the displayed dialog box, set parameters as prompted.
    Figure 1 Modifying a VPN
    +
  6. Click OK.
+
+
+
+ +
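Review bot: Step 5, "set parameters as prompted", does not say which VPN parameters can be modified or whether a change interrupts an established connection, which is what a reader adjusting a production tunnel needs to know before clicking OK. Suggest listing the modifiable fields or linking to the parameter tables in Creating a VPN. In Scenarios, "conflicts the VPC network information" should read "conflicts with the VPC network information".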
+ + + diff --git a/docs/vpn/umn/en-us_topic_0035391332.html b/docs/vpn/umn/en-us_topic_0035391332.html new file mode 100644 index 000000000..1d59a9ab1 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035391332.html @@ -0,0 +1,19 @@ + + +

Overview

+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0035391365.html b/docs/vpn/umn/en-us_topic_0035391365.html new file mode 100644 index 000000000..f39a31dcf --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035391365.html @@ -0,0 +1,38 @@ + + +

FAQs

+

+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0035391366.html b/docs/vpn/umn/en-us_topic_0035391366.html new file mode 100644 index 000000000..e4ac0c37a --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035391366.html @@ -0,0 +1,25 @@ + + +

What Is the VPN Quota?

+

What Is a Quota?

Quotas are enforced for service resources on the platform to prevent unforeseen spikes in resource usage. Quotas can limit the number or amount of resources available to users. For example, the VPN quota limits the number of VPNs that you can create. You can also request more quotas if you need them.

+

This section describes how to view the VPN resource usage and the total quotas in a specified region.

+
+

How Do I View My Quotas?

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. In the upper right corner of the page, click .

    The Service Quota page is displayed.

    +
  4. View the used and total quota of each type of resources on the displayed page.

    If a quota cannot meet service requirements, click Increase Quota to adjust it.

    +
+
+

How Do I Apply for a Higher Quota?

The system does not support online quota adjustment. If you need to adjust a quota, call the hotline or send an email to the customer service mailbox. Customer service personnel will timely process your request for quota adjustment and inform you of the real-time progress by making a call or sending an email.

+

You need to prepare the following information before dialing the hotline number or sending an email:

+ +

Learn how to obtain the service hotline and email address.

+ +
+
+
+ +
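Review bot: The two quota sections contradict each other. Step 4 under "How Do I View My Quotas?" says to "click Increase Quota to adjust it", while "How Do I Apply for a Higher Quota?" says "The system does not support online quota adjustment" and directs the reader to the hotline or email. Suggest keeping one path, or stating what the Increase Quota button actually does. Also check the sentence "You need to prepare the following information before dialing the hotline number or sending an email:", since no list of items is visible after it here.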
+ diff --git a/docs/vpn/umn/en-us_topic_0035391378.html b/docs/vpn/umn/en-us_topic_0035391378.html new file mode 100644 index 000000000..e7f001981 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035391378.html @@ -0,0 +1,17 @@ + + +

Management

+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0035391382.html b/docs/vpn/umn/en-us_topic_0035391382.html new file mode 100644 index 000000000..9d440df8f --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035391382.html @@ -0,0 +1,17 @@ + + +

Getting Started

+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0035391393.html b/docs/vpn/umn/en-us_topic_0035391393.html new file mode 100644 index 000000000..971025da2 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035391393.html @@ -0,0 +1,21 @@ + + +

Virtual Private Network

+

A Virtual Private Network (VPN) establishes an encrypted, Internet-based communications tunnel between a user and a Virtual Private Cloud (VPC). With VPN, you can connect to a VPC and access service resources in it.

+

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN.

+

A VPN consists of a VPN gateway and one or more VPN connections. A VPN gateway provides an Internet egress for a VPC and works together with the remote gateway in the local data center. A VPN connection uses the Internet-based encryption technology to connect the VPN gateway and the remote gateway to enable communication between the local data center and VPC. The VPN connection allows you to quickly build secure hybrid cloud environment. Figure 1 shows the VPN networking.

+
Figure 1 VPN networking
+
+
+ +
+ + + diff --git a/docs/vpn/umn/en-us_topic_0035391412.html b/docs/vpn/umn/en-us_topic_0035391412.html new file mode 100644 index 000000000..dbb20acc2 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035391412.html @@ -0,0 +1,27 @@ + + +

Application Scenarios

+

With the VPN between the VPC and your traditional data center, you can easily use the ECSs and block storage resources provided by the cloud platform. Applications can be migrated to the cloud and additional web servers can be deployed to increase the computing capacity on a network. In this way, a hybrid cloud is built, which reduces IT O&M costs and protects enterprise core data from being leaked.

+

The VPN service allows you to set up site-to-site VPN connections or VPN connections from one site to multiple sites.

+

Site-to-site VPN connection

You can set up a VPN to connect a local data center to a VPC, thus building a hybrid cloud. Figure 1 shows a site-to-site VPN connection.

+
Figure 1 Site-to-site VPN connection
+
+

VPN connection from one site to multiple sites

You can also set up a VPN to connect multiple local data centers to a VPC, thus building a hybrid cloud. Figure 2 shows a VPN connection from one site to multiple sites.

+

The subnet CIDR blocks of each site involved in the VPN connection cannot overlap.

+
+
Figure 2 VPN connection from one site to multiple sites
+
+
+
+ +
+ + + diff --git a/docs/vpn/umn/en-us_topic_0035506845.html b/docs/vpn/umn/en-us_topic_0035506845.html new file mode 100644 index 000000000..176862ee9 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035506845.html @@ -0,0 +1,66 @@ + + +

Viewing a VPN

+

Scenarios

You can view details about an existing VPN.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Network, click Virtual Private Network.
  4. On the displayed Virtual Private Network page, view the target VPN. Table 1 describes the VPN status. +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 VPN status

    Status

    +

    Description

    +

    Normal

    +

    Indicates that the VPN is successfully created and communication with the local data center through the VPN is normal.

    +

    Not connected

    +

    Indicates that the VPN is successfully created but has not been used for communication with the local data center.

    +

    Creating

    +

    Indicates that the VPN is being created.

    +

    Updating

    +

    Indicates that VPN information is being updated.

    +

    Deleting

    +

    Indicates that the VPN is being deleted.

    +

    Abnormal

    +

    Indicates that the VPN is abnormal.

    +

    Frozen

    +

    Indicates that the VPN is frozen.

    +
    +
    +
+
+
+
+ +
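Review bot: In Table 1 (VPN status), the descriptions for "Abnormal" ("Indicates that the VPN is abnormal.") and "Frozen" ("Indicates that the VPN is frozen.") only restate the status name. These are the two states in which an operator has to act, so suggest saying what condition produces each one and what to check or do next, in the same way the "Normal" and "Not connected" rows explain themselves.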
+ + + diff --git a/docs/vpn/umn/en-us_topic_0035616925.html b/docs/vpn/umn/en-us_topic_0035616925.html new file mode 100644 index 000000000..03ce9e0c1 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035616925.html @@ -0,0 +1,21 @@ + + +

Deleting a VPN

+

Scenarios

You can delete a VPN to release network resources if the VPN is no longer required.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. On the console homepage, under Network, click Virtual Private Network.
  4. On the Virtual Private Network page, locate the target VPN and click Delete.
  5. Click Yes in the displayed dialog box.
+
+
+
+ +
+ + + diff --git a/docs/vpn/umn/en-us_topic_0035634996.html b/docs/vpn/umn/en-us_topic_0035634996.html new file mode 100644 index 000000000..ccb30ee2f --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0035634996.html @@ -0,0 +1,19 @@ + + +

(Optional) Configure Security Group Rules

+
+
+ + + +
+ diff --git a/docs/vpn/umn/en-us_topic_0036149069.html b/docs/vpn/umn/en-us_topic_0036149069.html new file mode 100644 index 000000000..6ab6456d5 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0036149069.html @@ -0,0 +1,11 @@ + + +

Do IPsec VPNs Support Automatic Negotiation?

+

The IPsec VPN tunnel works in passive mode, which triggers automatic negotiation only when traffic sent by the local end passes through the tunnel.

+
+
+ +
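Review bot: "traffic sent by the local end" is ambiguous in this answer. Other topics in this change use "local" for both sides: "Local Subnet" is a VPC subnet in Creating a VPN, while the overview speaks of "the remote gateway in the local data center". Suggest naming the side explicitly (VPC side or data center side), because it determines which end must send traffic before the passive-mode tunnel negotiates and is the usual cause of a tunnel that stays "Not connected".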
+ diff --git a/docs/vpn/umn/en-us_topic_0041174633.html b/docs/vpn/umn/en-us_topic_0041174633.html new file mode 100644 index 000000000..889fa6532 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0041174633.html @@ -0,0 +1,103 @@ + + +

Change History

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Release Date

+

What's New

+

2019-02-22

+

This release incorporates the following changes:

+

Updated the region description in Table 2.

+

2019-02-18

+

Accepted in OTC-4.0/Agile-02.2019

+

2019-02-11

+

This release incorporates the following changes:

+
  • Deleted content about the firewall version from section Creating a VPN.
  • Added Table 1.
  • Updated the tag key and value requirements in Table 3 and Table 1.
  • Updated content about searching for VPNs by tag key and value in section Managing VPN Tags.
  • Adjusted the column width.
+

2019-02-02

+

This release incorporates the following changes:

+ +

2019-01-30

+

This release incorporates the following changes:

+ +

2019-01-23

+

This release incorporates the following changes:

+ +

2019-01-02

+

This release incorporates the following change:

+

Added description about the PFS function to the section for configuring the IPsec policy of a VPN.

+

2018-04-30

+

This issue is the eighth official release, which incorporates the following change:

+

Added description about how to add tags during VPN creation.

+

2017-08-30

+

This issue is the seventh official release, which incorporates the following change:

+

Added description about VPC and subnet tags.

+

2017-07-30

+

This issue is the sixth official release, which incorporates the following change:

+
  • Added the best practice.
  • Added description about the multi-project feature.
+

2017-04-28

+

This issue is the fifth official release, which incorporates the following change:

+
  • Changed the maximum number obtained by multiplying the number of local subnets and that of remote subnets of a VPN to 2500.
+

2017-03-30

+

This issue is the fourth official release, which incorporates the following change:

+
  • Added an example illustrating how to configure the remote device of a VPN.
+

2017-01-20

+

This issue is the third official release, which incorporates the following change:

+
  • Added description about the IPsec VPN created between multiple local gateways in different VPCs and the same remote gateway
+

2016-12-30

+

This issue is the second official release, which incorporates the following change:

+
  • Added FAQs.
+

2016-10-19

+

This issue is the first official release.

+
+
+
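Review bot: Several entries in the change history cannot be followed by a reader. The 2019-02-22 and 2019-02-11 entries refer to "Table 2", "Table 1" and "Table 3 and Table 1" without naming the section, and table numbers restart in every topic, so the references are ambiguous. The 2019-02-02, 2019-01-30 and 2019-01-23 entries say "This release incorporates the following changes:" with no items visible after them. Suggest naming the section for each table reference and confirming that the empty entries render their lists. "Accepted in OTC-4.0/Agile-02.2019" and "Adjusted the column width" look like internal notes and could be dropped from customer-facing history.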
+ diff --git a/docs/vpn/umn/en-us_topic_0044789110.html b/docs/vpn/umn/en-us_topic_0044789110.html new file mode 100644 index 000000000..359585d3b --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0044789110.html @@ -0,0 +1,11 @@ + + +

What Is the Limitation on the Number of Local and Remote Subnets of a VPN?

+

The maximum number obtained by multiplying the number of local subnets and that of remote subnets cannot exceed 2500.

+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0045305370.html b/docs/vpn/umn/en-us_topic_0045305370.html new file mode 100644 index 000000000..155a13fde --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0045305370.html @@ -0,0 +1,13 @@ + + +

Why Is Not Connected Displayed as the Status for a Successfully Created VPN?

+

After a VPN is created, its status changes to Normal only after the VMs or physical servers on the two sides of the VPN communicate with each other.

+ +
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0051518174.html b/docs/vpn/umn/en-us_topic_0051518174.html new file mode 100644 index 000000000..57785fd35 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0051518174.html @@ -0,0 +1,11 @@ + + +

How Long Is Required for Issued VPN Configurations to Take Effect?

+

The time required for VPN configurations to take effect increases linearly with the number obtained by multiplying the number of local subnets and that of remote subnets.

+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0060118606.html b/docs/vpn/umn/en-us_topic_0060118606.html new file mode 100644 index 000000000..edaab71c2 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0060118606.html @@ -0,0 +1,296 @@ + + +

Creating a VPN

+

Overview

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. You need to create a VPN in your VPC and update the security group rules.

+
+

Description of a Simple IPsec VPN Intranet Topology

In Figure 1, a VPC has two subnets: 192.168.1.0/24 and 192.168.2.0/24. On your router deployed in your physical data center, you also have two subnets: 192.168.3.0/24 and 192.168.4.0/24. You can create a VPN to enable subnets in your VPC to communicate with those in your data center.

+
Figure 1 IPsec VPN
+

Currently, the site-to-site VPN and hub-spoke VPN are supported. You need to set up VPNs in both your data center and the VPC to establish the VPN connection.

+

Ensure that the VPN in your VPC and that in your data center use the same Internet Key Exchange (IKE) and IPsec policy configurations. Before creating a VPN, familiarize yourself with the protocols described in Table 1 and ensure that your device meets the requirements and configuration constraints of the involved protocols.

+ +
+ + + + + + + + + + + + + +
Table 1 Involved protocols

Parameter

+

Description

+

Constraint

+

RFC 2409

+

Defines the IKE protocol, which negotiates and verifies key information to safeguard VPNs.

+
  • Use the pre-shared key (PSK) to reach an IKE peer agreement.
  • Use the main mode and aggressive mode for negotiation.
+

RFC 4301

+

Defines the IPsec architecture, the security services that IPsec offers, and the collaboration between components.

+

Use the IPsec tunnel to set up a VPN connection.

+
+
+
+

Scenarios

Perform the following procedure to create a VPN that sets up a secure, isolated communication tunnel between your data center and cloud services.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Network, click Virtual Private Network.
  4. On the Virtual Private Network page, click Create VPN.
  5. Set the parameters as prompted and click Create Now.
    Figure 2 Creating a VPN
    +

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Basic parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Region

    +

    Specifies the desired region. Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region.

    +

    eu-de

    +

    Name

    +

    Specifies the VPN name.

    +

    VPN-001

    +

    VPC

    +

    Specifies the VPC name.

    +

    VPC-001

    +

    Local Subnet

    +

    A local subnet is a VPC subnet that accesses a customer network through a VPN.

    +
    • Select subnet: If you select this option, you can then select the subnets that need to communicate with your data center.
    • Specify CIDR block: If you select this option, you can then enter the CIDR blocks that need to communicate with your data center.
    +

    192.168.1.0/24,

    +

    192.168.2.0/24

    +

    Remote Gateway

    +

    Specifies the public IP address of the VPN in your data center or on the private network. This IP address is used for communicating with the VPN in the VPC.

    +

    N/A

    +

    Remote Subnet

    +

    A remote subnet is a subnet in the customer data center that accesses a VPC through a VPN. The remote and local subnets cannot have overlapping or matching CIDR blocks. The remote subnet CIDR block cannot overlap with CIDR blocks involved in existing VPC peering connections created for the local VPC.

    +

    192.168.3.0/24,

    +

    192.168.4.0/24

    +

    PSK

    +

    Specifies the pre-shared key, which is a private key shared by two ends of a VPN connection. The PSK configurations for both ends of a VPN connection must be the same. This key is used for VPN connection negotiation.

    +

    The value is a string of 6 to 128 characters.

    +

    Test@123

    +

    Confirm PSK

    +

    Specifies the confirm pre-shared key.

    +

    Test@123

    +

    Tag

    +

    Specifies the VPN tag, which consists of a key and value pair. You can add a maximum of ten tags to each VPN.

    +

    The tag key and value must meet the requirements listed in Table 3.

    +
    • Key: vpn_key1
    • Value: vpn-01
    +

    Advanced Settings

    +
    • Default: uses default IKE and IPsec policies.
    • Existing: uses existing IKE and IPsec policies. This option is available only after you have created IKE and IPsec policies.
    • Custom: uses custom IKE and IPsec policies. For details about the policies, see Table 4 and Table 5.
    +

    Custom

    +
    +
    + +
    + + + + + + + + + + + + + +
    Table 3 VPN tag key and value requirements

    Parameter

    +

    Requirement

    +

    Example Value

    +

    Key

    +
    • Cannot be left blank.
    • Must be unique for the same VPN and can be the same for different VPNs.
    • Contains a maximum of 36 characters.
    • Can contain only the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters, including hyphens (-) and underscores (_)
      +
    +

    vpn_key1

    +

    Value

    +
    • Can contain a maximum of 43 characters.
    • Can contain only the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters, including hyphens (-) and underscores (_)
      +
    +

    vpn-01

    +
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 4 IKE policy

    Parameter

    +

    Description

    +

    Example Value

    +

    Authentication Algorithm

    +

    Specifies the authentication hash algorithm. The value can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5.

    +

    The default value is SHA1.

    +

    SHA1

    +

    Encryption Algorithm

    +

    Specifies the encryption algorithm. The value can be AES-128, AES-192, AES-256, or 3DES. The 3DES algorithm is not recommended because it is risky.

    +

    The default value is AES-128.

    +

    AES-128

    +

    DH Algorithm

    +

    Specifies the Diffie-Hellman key exchange algorithm. The value can be Group 1, Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, or Group 21.

    +

    The DH group security level from the highest to lowest is as follows: Group 21 > Group 20 > Group 19 > Group 16 > Group 15 > Group 14 > Group 5 > Group 2 > Group 1.

    +

    The default value is Group 5.

    +

    Group 5

    +

    Version

    +

    Specifies the version of the IKE protocol. The value can be v1 or v2.

    +

    The default value is v1.

    +

    v1

    +

    Lifecycle (s)

    +

    Specifies the lifetime of the security association (SA), in seconds.

    +

    The SA will be renegotiated if its lifetime expires.

    +

    The default value is 86400.

    +

    86400

    +

    Negotiation Mode

    +

    If the IKE policy version is v1, the negotiation mode can be configured. The value can only be Main.

    +

    The default value is Main.

    +

    Main

    +
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 5 IPsec policy

    Parameter

    +

    Description

    +

    Example Value

    +

    Authentication Algorithm

    +

    Specifies the authentication hash algorithm. The value can be SHA1, SHA2-256, SHA2-384, SHA2-512, or MD5.

    +

    The default value is SHA1.

    +

    SHA1

    +

    Encryption Algorithm

    +

    Specifies the encryption algorithm. The value can be AES-128, AES-192, AES-256, or 3DES. The 3DES algorithm is not recommended because it is risky.

    +

    The default value is AES-128.

    +

    AES-128

    +

    PFS

    +

    Specifies the perfect forward secrecy (PFS), which is used to configure the IPsec tunnel negotiation.

    +

    This function enables two parties to exchange the DH keys during the phase-two negotiation, improving key security. It is recommended that you enable this function.

    +

    You can disable this function by selecting Disable from the drop-down list.

    +

    The PFS used at the two sides of a VPN must be the same. Otherwise, the negotiation will fail. If you disable this function on the console, you also need to disable it at the customer side of the VPN.

    +

    The value can be DH group 1, DH group 2, DH group 5, DH group 14, DH group 15, DH group 16, DH group 19, DH group 20, or DH group 21.

    +

    The PFS group security level from the highest to lowest is as follows: DH group 21 > DH group 20 > DH group 19 > DH group 16 > DH group 15 > DH group 14 > DH group 5 > DH group 2 > DH group 1.

    +

    The default value is DH group 5.

    +

    DH group 5

    +

    Transfer Protocol

    +

    Specifies the security protocol used for IPsec to transmit and encapsulate user data. The value can be AH, ESP, or AH-ESP.

    +

    The default value is ESP.

    +

    ESP

    +

    Lifecycle (s)

    +

    Specifies the lifetime of the SA, in seconds.

    +

    The SA will be renegotiated if its lifetime expires.

    +

    The default value is 3600.

    +

    3600

    +
    +
    +

    The IKE policy specifies the encryption and authentication algorithms to use in the negotiation phase of an IPsec tunnel. The IPsec policy specifies the protocol, encryption algorithm, and authentication algorithm to use in the data transmission phase of an IPsec tunnel. These parameters must be the same between the VPN in your VPC and that in your data center. If they are different, the VPN cannot be set up.

    +
    +
  6. Click Submit.
    After the IPsec VPN is created, a public network egress IP address is assigned to the IPsec VPN. The IP address is the local gateway address of a created VPN on the network console. When configuring the remote tunnel in your data center, you must set the remote gateway address to this IP address.
    Figure 3 Gateway egress IP address
    +
    +
  7. Due to the symmetry of the tunnel, you also need to configure the IPsec VPN on your router or firewall in the data center. +
+
+
+
+ +
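Review bot: Table 1 in this hunk gives "Use the main mode and aggressive mode for negotiation" as the RFC 2409 constraint, but the Negotiation Mode row of Table 4 says "The value can only be Main", and the copy of Table 1 in en-us_topic_0160974607.html in this same patch lists main mode only. Align the Table 1 constraint with Table 4 so that readers do not configure aggressive mode on the remote device. Separately, only 3DES carries a "not recommended" warning in Tables 4 and 5; MD5 and DH Group 1 and Group 2 are listed without one even though the tables' own ranking puts those groups last, so the same wording should be added there. The PSK example Test@123 would also be better as an obvious placeholder, since example values tend to be copied into real configurations.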
+ + + diff --git a/docs/vpn/umn/en-us_topic_0066871940.html b/docs/vpn/umn/en-us_topic_0066871940.html new file mode 100644 index 000000000..086402050 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0066871940.html @@ -0,0 +1,31 @@ + + +

Connecting to a VPC Through a VPN

+

Scenarios

By default, ECSs in a VPC cannot communicate with your data center or private network. To enable communication between them, use a VPN. After a VPN is created, configure the security group and check the connectivity between the local and remote networks to ensure that the VPN is available. VPNs can be classified into the following two types:

+ +
Ensure that the following requirements are met when configuring a VPN:
  • The local and remote subnets cannot overlap.
  • Different local subnets cannot overlap.
  • The local and remote sides use the same IKE and IPsec policies and PSK.
  • The local and remote subnet and gateway parameters must be symmetric.
  • The security group used by ECSs in the VPC allows traffic from and to the remote side.
  • After a VPN is created, its status changes to Normal only after the VMs or physical servers on the two sides of the VPN communicate with each other.
+
+
+

Prerequisites

You have created the VPC and subnet required by the VPN.

+
+

Procedure

  1. On the management console, select the appropriate IKE and IPsec policies to create a VPN.
  2. Check the IP address pools for the local and remote subnets.

    In Figure 1, a VPC has two subnets: 192.168.1.0/24 and 192.168.2.0/24. On your router deployed in your physical data center, you also have two subnets: 192.168.3.0/24 and 192.168.4.0/24. You can create a VPN to enable subnets in your VPC to communicate with those in your data center.

    +
    Figure 1 IPsec VPN
    +

    The IP address pools for the local and remote subnets cannot overlap with each other. For example, if the local VPC has two subnets, 192.168.1.0/24 and 192.168.2.0/24, the IP address pool for the remote subnets cannot contain these two subnets.

    +
  3. Configure security group rules for the VPC.
  4. Check the security group of the VPC.

    The security group must allow packets from the VPN to pass. You can run the ping command to check whether the security group of the VPC allows packets from the VPN to pass.

    +
  5. Check the remote LAN configuration (network configuration of the remote data center).

    A route must be configured for the remote LAN to enable VPN traffic to be forwarded to network devices on the LAN. If the VPN traffic cannot be forwarded to the network devices, check whether the remote LAN has policies configured to refuse the traffic.

    +
+
+
+
+ +
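Review bot: Step 4 offers ping as the check that the security group allows packets from the VPN, but a successful ping only shows that ICMP is permitted and says nothing about the application ports that will actually cross the tunnel. Suggest stating in step 3 which rule to add (source limited to the remote subnets, for example 192.168.3.0/24 and 192.168.4.0/24 from step 2, with the protocols and ports the workload needs) and describing ping in step 4 as a basic reachability test only.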
+ + + diff --git a/docs/vpn/umn/en-us_topic_0081947484.html b/docs/vpn/umn/en-us_topic_0081947484.html new file mode 100644 index 000000000..20f0d2651 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0081947484.html @@ -0,0 +1,12 @@ + + +

Reference Standards and Protocols

+

The following standards and protocols are associated with the IPsec VPN:

+ +
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0107396413.html b/docs/vpn/umn/en-us_topic_0107396413.html new file mode 100644 index 000000000..ff8f291ea --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0107396413.html @@ -0,0 +1,62 @@ + + +

Managing VPN Tags

+

Application Scenarios

A VPN tag identifies a VPN. Tags can be added to VPNs to facilitate VPN identification and administration. You can add a tag to a VPN when creating the VPN. Alternatively, you can add a tag to a created VPN on the VPN details page. A maximum of ten tags can be added to each VPN.

+
+

A tag consists of a key and value pair. Table 1 lists the tag key and value requirements.

+ +
+ + + + + + + + + + + + + +
Table 1 VPN tag key and value requirements

Parameter

+

Requirement

+

Example Value

+

Key

+
  • Cannot be left blank.
  • Must be unique for the same VPN and can be the same for different VPNs.
  • Contains a maximum of 36 characters.
  • Can contain only the following character types:
    • Uppercase letters
    • Lowercase letters
    • Digits
    • Special characters, including hyphens (-) and underscores (_)
    +
+

vpn_key1

+

Value

+
  • Can contain a maximum of 43 characters.
  • Can contain only the following character types:
    • Uppercase letters
    • Lowercase letters
    • Digits
    • Special characters, including hyphens (-) and underscores (_)
    +
+

vpn-01

+
+
+

Procedure

Search for VPNs by Tag Key and Value on the Page Showing the VPN List.
  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. On the console homepage, under Network, click Virtual Private Network.
  4. In the upper right corner of the VPN list, click Search by Tag.
  5. In the displayed area, enter the tag key and value of the VPN you are looking for.

    Both the tag key and value must be specified.

    +
  6. Click + to add the entered tag key and value.

    You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for VPCs, the VPCs containing all specified tags will be displayed.

    +
  7. Click Search.

    The system displays the VPNs you are looking for based on the entered tag keys and values.

    +
+
+
Add, Delete, Edit, and View Tags on the Tags Tab of a VPN.
  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. On the console homepage, under Network, click Virtual Private Network.
  4. On the Virtual Private Network page, locate the VPN whose tags are to be managed and click the VPN name.

    The page showing details about the particular VPN is displayed.

    +
  5. Click the Tags tab and perform desired operations on tags.
    • View tags.

      On the Tags tab, you can view details about tags added to the current VPN, including the number of tags and the key and value of each tag.

      +
    • Add a tag.

      Click Add Tag in the upper left corner. In the displayed dialog box, enter the key and value of the tag to be added, and click OK.

      +
    • Edit a tag.

      Locate the row that contains the tag to be edited and click Edit in the Operation column. In the Edit Tag dialog box, change the tag value and click OK.

      +
    • Delete a tag.

      Locate the row that contains the tag to be deleted, and click Delete in the Operation column. In the displayed Delete Tag dialog box, click Yes.

      +
    +
+
+
+
+
+ +
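Review bot: In step 6 of the search procedure, the sentence "If you add more than one tag to search for VPCs, the VPCs containing all specified tags will be displayed" refers to VPCs on a page about VPN tags; it should read VPNs in both places. In Table 1 the Key row says "Contains a maximum of 36 characters" while the Value row says "Can contain a maximum of 43 characters"; use one phrasing for both.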
+ + + diff --git a/docs/vpn/umn/en-us_topic_0109312453.html b/docs/vpn/umn/en-us_topic_0109312453.html new file mode 100644 index 000000000..db7574356 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0109312453.html @@ -0,0 +1,62 @@ + + +

How Do I Configure a Remote Device for a VPN?

+

Due to the symmetry of the tunnel, the VPN parameters configured on the cloud must be the same as those configured in your own data center. If they are different, a VPN cannot be established.

+

To set up a VPN, you also need to configure the IPsec VPN on the router or firewall in your own data center. The configuration method may vary depending on your network device in use. For details, see the configuration guide of your network device.

+

This section describes how to configure the IPsec VPN on a Huawei USG6600 series V100R001C30SPC300 firewall for your reference.

+

For example, the subnets of the data center are 192.168.3.0/24 and 192.168.4.0/24, the subnets of the VPC are 192.168.1.0/24 and 192.168.2.0/24, and the public IP address of the IPsec tunnel egress in the VPC is XXX.XXX.XX.XX, which can be obtained from the local gateway parameters of the IPsec VPN in the VPC.

+

Procedure

  1. Log in to the CLI of the firewall.
  2. Check firewall version information.
    display version 
    +17:20:502017/03/09
    +Huawei Versatile Security Platform Software
    +Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)
    +
  3. Create an access control list (ACL) and bind it to the target VPN instance.
    acl number 3065 vpn-instance vpn64
    +rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    +rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    +rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    +rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    +q 
    +
  4. Create an IKE proposal.
    ike proposal 64 
    +dh group5 
    +authentication-algorithm sha1 
    +integrity-algorithm hmac-sha2-256 
    +sa duration 3600 
    +q
    +
  5. Create an IKE peer and reference the created IKE proposal. The peer IP address is 93.188.242.110.
    ike peer vpnikepeer_64
    +pre-shared-key ******** (******** specifies the pre-shared key.)
    +ike-proposal 64
    +undo version 2
    +remote-address vpn-instance vpn64 93.188.242.110
    +sa binding vpn-instance vpn64
    +q
    +
  6. Create an IPsec protocol.
    ipsec proposal ipsecpro64
    +encapsulation-mode tunnel
    +esp authentication-algorithm sha1
    +q
    +
  7. Create an IPsec policy and reference the IKE policy and IPsec proposal.
    ipsec policy vpnipsec64 1 isakmp
    +security acl 3065
    +pfs dh-group5
    +ike-peer vpnikepeer_64
    +proposal ipsecpro64
    +local-address xx.xx.xx.xx
    +q
    +
  8. Apply the IPsec policy to the subinterface.
    interface GigabitEthernet0/0/2.64
    +ipsec policy vpnipsec64
    +q
    +
  9. Test the connectivity.

    After you perform the preceding operations, you can test the connectivity between your ECSs in the cloud and the hosts in your data center. For details, see the following figure.

    +

    +
+
+
+
+ +
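Review bot: Step 5 sets the peer to 93.188.242.110 in both the step text and the remote-address line, while the introduction masks the same VPC egress address as XXX.XXX.XX.XX and step 7 masks local-address as xx.xx.xx.xx. Use one placeholder throughout (an address from a documentation range such as 192.0.2.0/24 would do) so that a routable-looking public address is not published and copied. The example also does not visibly match the cloud-side defaults documented elsewhere in this patch: ike proposal 64 sets sa duration 3600 where the IKE policy Lifecycle default is 86400, and ipsec proposal ipsecpro64 sets only esp authentication-algorithm with no encryption algorithm line, although the page opens by saying both sides must be configured identically. Step 6 should say "IPsec proposal" rather than "IPsec protocol", and step 7 references an IKE peer, not an "IKE policy".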
+ + + diff --git a/docs/vpn/umn/en-us_topic_0109676043.html b/docs/vpn/umn/en-us_topic_0109676043.html new file mode 100644 index 000000000..b664c47a0 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0109676043.html @@ -0,0 +1,34 @@ + + +

Which Remote VPN Devices Are Supported?

+

Most devices that meet IPsec VPN standard and reference protocol requirements can be used as the remote VPN devices, for example, Cisco ASA firewalls, Huawei USG6xxxx series firewalls, USG9xxxx series firewalls, Hillstone firewalls, and Cisco ISR routers. Table 1 lists the supported Huawei USG6xxxx and USG9xxxx firewalls.

+ +
+ + + + + + + + + + +
Table 1 Huawei VPN devices

Supported Remote VPN Device

+

Description

+

Huawei USG6000 series

+

USG6320/6310/6510-SJJ

+

USG6306/6308/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570:2048

+

USG6620/6630/6650/6660/6670/6680

+

Huawei USG9000 series

+

USG9520/USG9560/USG9580

+
+
+

Other devices that meet the requirements in the reference protocols described in section Reference Standards and Protocols can also be deployed. However, some devices may fail to add because of inconsistent protocol implementation methods of these devices. If the connection setup fails, rectify the fault by following the instructions provided in section What Do I Do If VPN Setup Fails? or contact customer service.

+
+
+ +
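Review bot: In Table 1 the second USG6000 entry (the list starting USG6306/6308/6330) ends in ":2048", which is not explained anywhere in the table or the surrounding text; either remove it or say what the figure means. In the closing paragraph, "some devices may fail to add" does not say what fails; wording such as "may fail to establish a connection" would match the sentence that follows it.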
+ diff --git a/docs/vpn/umn/en-us_topic_0114174493.html b/docs/vpn/umn/en-us_topic_0114174493.html new file mode 100644 index 000000000..590c3f137 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0114174493.html @@ -0,0 +1,11 @@ + + +

VPN Best Practice

+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0122970066.html b/docs/vpn/umn/en-us_topic_0122970066.html new file mode 100644 index 000000000..776f26d5b --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0122970066.html @@ -0,0 +1,182 @@ + + +

(Optional) Create a VPC

+

Scenarios

A VPC provides an isolated virtual network for ECSs. You can configure and manage the network as required.

+

Create a VPC by following the procedure provided in this section. Then, create subnets, security groups, and VPNs, and assign EIPs by following the procedure provided in subsequent sections based on your actual network requirements.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Network, click Virtual Private Cloud.
  4. Click Create VPC.
  5. On the Create VPC page, set parameters as prompted.

    During VPC creation, a default subnet will be created and you can also click Add Subnet to create more subnets for the VPC.

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 VPC parameter description

    Category

    +

    Parameter

    +

    Description

    +

    Example Value

    +

    Basic Information

    +

    Region

    +

    Specifies the desired region. Regions are geographic areas isolated from each other. Resources are region-specific and cannot be used across regions through internal network connections. For low network latency and quick resource access, select the nearest region.

    +

    eu-de

    +

    Basic Information

    +

    Name

    +

    Specifies the VPC name.

    +

    VPC-001

    +

    Basic Information

    +

    CIDR Block

    +

    Specifies the CIDR block for the VPC. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC) or a subset (for multiple subnets in the VPC).

    +

    The following CIDR blocks are supported:

    +

    10.0.0.0 – 10.255.255.255

    +

    172.16.0.0 – 172.31.255.255

    +

    192.168.0.0 – 192.168.255.255

    +

    192.168.0.0/16

    +

    Basic Information

    +

    Tag

    +

    Specifies the VPC tag, which consists of a key and value pair. You can add a maximum of ten tags to each VPC.

    +

    The tag key and value must meet the requirements listed in Table 2.

    +
    • Key: vpc_key1
    • Value: vpc-01
    +

    Subnet Settings

    +

    Name

    +

    Specifies the subnet name.

    +

    Subnet

    +

    Subnet Settings

    +

    CIDR Block

    +

    Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.

    +

    192.168.0.0/24

    +

    Subnet Settings

    +

    Gateway

    +

    Specifies the gateway address of the subnet.

    +

    192.168.0.1

    +

    Subnet Settings

    +

    DNS Server Address

    +

    The external DNS server address is used by default. If you need to change the DNS server address, ensure that the configured DNS server address is available.

    +

    192.168.1.0

    +

    Subnet Settings

    +

    NTP Server Address

    +

    Specifies the NTP server IP address. A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).

    +

    192.168.2.1

    +

    Subnet Settings

    +

    Tag

    +

    Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet.

    +

    The tag key and value must meet the requirements listed in Table 3.

    +
    • Key: subnet_key1
    • Value: subnet-01
    +
    +
    + +
    + + + + + + + + + + + + + +
    Table 2 VPC tag key and value requirements

    Parameter

    +

    Requirements

    +

    Example Value

    +

    Key

    +
    • Cannot be left blank.
    • Must be unique for the same VPC and can be the same for different VPCs.
    • Can contain a maximum of 36 characters.
    • Can contain only the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters, including hyphens (-) and underscores (_)
      +
    +

    vpc_key1

    +

    Value

    +
    • Can contain a maximum of 43 characters.
    • Can contain only the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters, including hyphens (-) and underscores (_)
      +
    +

    vpc-01

    +
    +
    + +
    + + + + + + + + + + + + + +
    Table 3 Subnet tag key and value requirements

    Parameter

    +

    Requirements

    +

    Example Value

    +

    Key

    +
    • Cannot be left blank.
    • Must be unique for each subnet.
    • Can contain a maximum of 36 characters.
    • Can contain only the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters, including hyphens (-) and underscores (_)
      +
    +

    subnet_key1

    +

    Value

    +
    • Can contain a maximum of 43 characters.
    • Can contain only the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters, including hyphens (-) and underscores (_)
      +
    +

    subnet-01

    +
    +
    +
  6. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.
  7. Click Create Now.
+
+
+
+ +
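Review bot: The example value for DNS Server Address in Table 1 is 192.168.1.0, which reads as a network address rather than a host: 192.168.1.0/24 is used as a VPC subnet example on other pages in this patch. Replace it with an address that is clearly a host. Step 6 also repeats the DNS Server Address row almost word for word and is the only place that mentions selecting Custom for Advanced Settings; fold that option into the table row or drop the repetition.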
+ diff --git a/docs/vpn/umn/en-us_topic_0122970067.html b/docs/vpn/umn/en-us_topic_0122970067.html new file mode 100644 index 000000000..d97e7542f --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0122970067.html @@ -0,0 +1,111 @@ + + +

(Optional) Create a Subnet for the VPC

+

Scenarios

You can add subnets during VPC creation. If required, you can also create subnets for an existing VPC.

+

The created subnet is configured with DHCP by default. After an ECS using this VPC starts, the ECS automatically obtains an IP address using DHCP.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Network, click Virtual Private Cloud.
  4. In the navigation pane on the left, click Virtual Private Cloud.
  5. On the Virtual Private Cloud page, locate the VPC for which a subnet is to be created and click the VPC name.
  6. On the displayed Subnets tab, click Create Subnet.
  7. In the Create Subnet area, set parameters as prompted.
    Figure 1 Create Subnet
    +

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Name

    +

    Specifies the subnet name.

    +

    Subnet

    +

    CIDR Block

    +

    Specifies the CIDR block for the subnet. This value must be within the VPC CIDR range.

    +

    192.168.0.0/24

    +

    Gateway

    +

    Specifies the gateway address of the subnet.

    +

    192.168.0.1

    +

    NTP Server Address

    +

    Specifies the NTP server IP address. A maximum of four IP addresses can be configured. Multiple IP addresses must be separated using commas (,).

    +

    192.168.2.1

    +

    Tag

    +

    Specifies the subnet tag, which consists of a key and value pair. You can add a maximum of ten tags to each subnet.

    +

    The tag key and value must meet the requirements listed in Table 2.

    +
    • Key: subnet_key1
    • Value: subnet-01
    +

    DNS Server Address

    +

    The external DNS server address is used by default. If you need to change the DNS server address, ensure that the configured DNS server address is available.

    +

    -

    +
    +
    + +
    + + + + + + + + + + + + + +
    Table 2 Subnet tag key and value requirements

    Parameter

    +

    Requirements

    +

    Example Value

    +

    Key

    +
    • Cannot be left blank.
    • Must be unique for each subnet.
    • Can contain a maximum of 36 characters.
    • Can contain only the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters, including hyphens (-) and underscores (_)
      +
    +

    subnet_key1

    +

    Value

    +
    • Can contain a maximum of 43 characters.
    • Can contain only the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters, including hyphens (-) and underscores (_)
      +
    +

    subnet-01

    +
    +
    +
  8. The external DNS server address is used by default. If you need to change the DNS server address, select Custom for Advanced Settings and configure the DNS server addresses. You must ensure that the configured DNS server addresses are available.
  9. Click OK.
+
+

Precautions

After a subnet is created, five IP addresses in the subnet will be reserved and cannot be used. For example, in a subnet with CIDR block 192.168.0.0/24, the following IP addresses are reserved:

+ +

If you set Advanced Settings to Custom during subnet creation, the reserved IP addresses may be different from the preceding default ones. The system will reserve five IP addresses based on your subnet settings.

+
+
+
+ +
+ + + diff --git a/docs/vpn/umn/en-us_topic_0142368417.html b/docs/vpn/umn/en-us_topic_0142368417.html new file mode 100644 index 000000000..d474dc48f --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0142368417.html @@ -0,0 +1,12 @@ + + +

What Can I Do If the VPN Fails or the Network Speed of the VPN Is Slow?

+

You can perform the following steps to handle the issues:

+
  1. Check the ECS specifications. Rate limiting is not performed for the VPN ingress on the cloud, so the issue may be caused by the ECS specifications.
  2. Rate limiting has been configured for the VPN egress on the cloud. Check whether your bandwidth has reached or exceeded the maximum limit allowed.
  3. Check your local network to see whether the network speed is slow.
  4. Check whether packets sent between the cloud and the customer data center have been lost.
+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0142373840.html b/docs/vpn/umn/en-us_topic_0142373840.html new file mode 100644 index 000000000..685d2dbc2 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0142373840.html @@ -0,0 +1,11 @@ + + +

Are SSL VPNs Supported?

+

Currently, the VPN service does not support the SSL VPNs.

+
+
+ +
+ diff --git a/docs/vpn/umn/en-us_topic_0160974607.html b/docs/vpn/umn/en-us_topic_0160974607.html new file mode 100644 index 000000000..78545cfb9 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0160974607.html @@ -0,0 +1,48 @@ + + +

IPsec VPN

+

The Internet Protocol Security (IPsec) VPN is an encrypted tunneling technology that uses encrypted security services to establish confidential and secure communication tunnels between different networks.

+

In Figure 1, a VPC has two subnets: 192.168.1.0/24 and 192.168.2.0/24. On your router deployed in your physical data center, you also have two subnets: 192.168.3.0/24 and 192.168.4.0/24. You can use VPN to enable subnets in your VPC to communicate with those in your data center.

+
Figure 1 IPsec VPN
+

Currently, the site-to-site VPN and hub-spoke VPN are supported. You need to set up VPNs in both your data center and the VPC to establish the VPN connection.

+

You must ensure that the VPN in your VPC and that in your data center use the same IKE and IPsec policy configurations. Before creating a VPN, familiarize yourself with the protocols described in Table 1 and ensure that your device meets the requirements and configuration constraints of the involved protocols.

+ +
+ + + + + + + + + + + + + +
Table 1 Involved protocols

Protocol

+

Description

+

Constraint

+

RFC 2409

+

Defines the IKE protocol, which negotiates and verifies key information to safeguard VPNs.

+
  • Use the pre-shared key (PSK) to reach an IKE peer agreement.
  • Use the main mode for negotiation.
+

RFC 4301

+

Defines the IPsec architecture, the security services that IPsec offers, and the collaboration between components.

+

Use the IPsec tunnel to set up a VPN connection.

+
+
+
+
+ +
+ + + diff --git a/docs/vpn/umn/en-us_topic_0185622695.html b/docs/vpn/umn/en-us_topic_0185622695.html new file mode 100644 index 000000000..fd49010b1 --- /dev/null +++ b/docs/vpn/umn/en-us_topic_0185622695.html @@ -0,0 +1,22 @@ + + +

Region and AZ

+

Concept

A region and availability zone (AZ) identify the location of a data center. You can create resources in a specific region and AZ.

+ +

Figure 1 shows the relationship between regions and AZs.

+
Figure 1 Regions and AZs
+
+

Selecting a Region

Select a region closest to your target users for low network latency and quick access.

+
+

Selecting an AZ

When deploying resources, consider your applications' requirements on disaster recovery (DR) and network latency.

+ +
+

Regions and Endpoints

Before you use an API to call resources, specify its region and endpoint. For more details, see Regions and Endpoints.

+
+
+
+ +
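Review bot: The "Selecting an AZ" section tells the reader to consider DR and network latency and then ends without saying what to choose in either case, so it gives no actionable guidance as written. Suggest stating the recommendation for each requirement, or removing the heading. "Concept" has the same problem: the sentence after the region/AZ definition is followed by nothing before the figure reference. Also confirm that "see Regions and Endpoints" is an actual link, because the text alone gives no target.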
+ diff --git a/docs/vpn/umn/vpn_faq_0021.html b/docs/vpn/umn/vpn_faq_0021.html new file mode 100644 index 000000000..46a310d3a --- /dev/null +++ b/docs/vpn/umn/vpn_faq_0021.html @@ -0,0 +1,11 @@ + + +

How Many IPsec VPNs Can I Have?

+

By default, a user can have a maximum of five IPsec VPNs. If your quota cannot fulfill your service requirements, submit a service ticket to increase the quota.

+
+
+ +
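Review bot: "A user can have a maximum of five IPsec VPNs" does not say what the quota is scoped to (account, region, or VPC), which is the first thing a reader planning a hub-spoke layout will need to know. Suggest naming the scope explicitly and saying where the current quota can be viewed before the reader is told to submit a service ticket.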
+ diff --git a/docs/vpn/umn/vpn_faq_0055.html b/docs/vpn/umn/vpn_faq_0055.html new file mode 100644 index 000000000..016ff39cb --- /dev/null +++ b/docs/vpn/umn/vpn_faq_0055.html @@ -0,0 +1,17 @@ + + +

What Do I Do If VPN Setup Fails?

+
  1. Log in to the management console and click Virtual Private Network.
  2. In the VPN list, locate the target VPN and click View Policy in the Operation column to view IKE and IPsec policy details about the VPN.
  3. Check the IKE and IPsec policies to see whether the negotiation modes and encryption algorithms between the local and remote sides of the VPN are the same.
    1. If the IKE policy has been set up during phase one and the IPsec policy has not been enabled in phase two, the IPsec policies between the local and remote sides of the VPN may be inconsistent.
    2. If the Cisco physical device is used at the customer side, it is recommended that you use MD5. Then, you need to set Authentication Mode to MD5 in the IPsec policy for the VPN created on the cloud.
    +
  1. Check whether the ACL configurations are correct.

    If the subnets of your data center are 192.168.3.0/24 and 192.168.4.0/24, and the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, configure the ACL rules for each data center subnet to permit the communication with the VPC subnets. The following provides an example of ACL configurations:

    +
    rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    +rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    +rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    +rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    +
  2. After the configuration is complete, ping the local and the remote side from each other to check whether the VPN connection is normal.
+
+
+ +
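Review bot: Sub-step 2 of step 3 recommends MD5 as the IPsec authentication algorithm for Cisco peers without giving a reason or naming any alternative, which steers readers toward a deprecated algorithm as a default troubleshooting step. Suggest rewording it to "set the same authentication algorithm on both sides", recommend the strongest one both devices support, and mention MD5 only as an interoperability fallback with the reason stated. Separately, the final ping check will fail even on a working tunnel if the security group still denies all sources (see the vpn_faq_0056 topic in this patch), so that step should point to it. Sub-step 1 is also hard to follow: "has not been enabled in phase two" should say that phase 1 succeeded and phase 2 negotiation failed.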
+ diff --git a/docs/vpn/umn/vpn_faq_0056.html b/docs/vpn/umn/vpn_faq_0056.html new file mode 100644 index 000000000..db615ec56 --- /dev/null +++ b/docs/vpn/umn/vpn_faq_0056.html @@ -0,0 +1,11 @@ + + +

How Can I Handle the Failure in Accessing the ECSs from My Data Center or LAN Even If the VPN Has Been Set Up?

+

The security group denies the access from all sources by default. If you want to access your ECSs, modify the security group configuration and allow the access from the remote subnets.

+
+
+ +
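Review bot: "Allow the access from the remote subnets" gives no scope, so a reader is likely to open every protocol and port to the whole data center range. Suggest saying that the inbound rule should list only the data center subnets that need access and only the protocols and ports the workload uses, and linking to the security group configuration topic.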
+ diff --git a/docs/vpn/umn/vpn_faq_0057.html b/docs/vpn/umn/vpn_faq_0057.html new file mode 100644 index 000000000..eefb5e351 --- /dev/null +++ b/docs/vpn/umn/vpn_faq_0057.html @@ -0,0 +1,11 @@ + + +

What Do I Do If I Cannot Access My Data Center or LAN from the ECSs After a VPN Connection Has Been Set Up?

+

Check whether you have properly configured the firewall policies for the access from the public IP address of the cloud VPN to the public IP address of your data center or LAN. No policies are configured to limit the access by default.

+
+
+ +
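Review bot: The last sentence, "No policies are configured to limit the access by default", does not say whose firewall it refers to, so it can be read either as the cloud side or as the customer's on-premises device. Suggest naming the side explicitly. The first sentence also checks only the path from the cloud VPN public IP address to the data center public IP address; it should say which traffic has to be permitted there (the IKE and IPsec traffic between the two gateways) and that the data center firewall must also permit traffic from the VPC subnets, since the question is about reaching the LAN from the ECSs.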
+ diff --git a/docs/vpn/umn/vpn_faq_0058.html b/docs/vpn/umn/vpn_faq_0058.html new file mode 100644 index 000000000..0991d9f03 --- /dev/null +++ b/docs/vpn/umn/vpn_faq_0058.html @@ -0,0 +1,12 @@ + + +

Does a VPN Allow for Communication Between Two VPCs?

+

If the two VPCs are in the same region, you can use a VPC peering connection to enable communication between them.

+

If the two VPCs are in different regions, you can use a VPN to enable communication between the VPCs. The CIDR blocks of the two VPCs are the local and remote subnets, respectively.

+
+
+ +
+
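Review bot: The cross-region paragraph says the two VPCs' CIDR blocks become the local and remote subnets but does not state whether those blocks may overlap, which is the most common reason such a setup cannot route. Suggest adding that constraint explicitly, and noting that each VPC needs its own VPN configured with the other as the remote side, in line with the "set up VPNs in both" wording in the IPsec VPN topic of this patch.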