Set Up Intranet Connection Between VPCs with Express Connect
Alibaba Cloud Express Connect is a service that enables you to establish a secure high-speed intranet link to, from or between VPCs (virtual private clouds) without requiring the use of a VPN or the public Internet.
Express Connect can be used:
• To connect two Alibaba Cloud VPCs, in the same hosting region or in different regions. The VPCs can be on the same Alibaba Cloud account or two different ones.
• To connect an Alibaba Cloud VPC to your own data center. This is implemented via a leased line, which can be purchased from an Alibaba Cloud communications partner or from any other carrier.
Express Connect is a subscription service, billed monthly or annually. There is no cost for a link between two VPCs in the same hosting region and zone. Pricing for inter-region links varies according to the bandwidth required and the hosting regions involved, and starts from USD $34 per month. Full information can be found at https://www.alibabacloud.com/product/express-connect.
If you wish to create an Express Connect link between VPCs in different Alibaba Cloud hosting regions, and at least one of those VPCs is hosted outside of Mainland China, note that you will need to raise a support ticket or contact your account manager before you start the process. Otherwise, you will receive an error message when you place the order and attempt to make the payment.
In this tutorial, we will demonstrate how to create an Express Connect link between two VPCs on the same account in the same hosting region. We will use the console to create the link, but there is also an API available for establishing connections programmatically if required.
We will connect two VPCs in the Frankfurt hosting region. Because they are both in the same region, the link will be free of charge, and we therefore suggest that you adopt a similar strategy when evaluating Express Connect for yourself.
For the purpose of this document, we will create our two VPCs from scratch and assign them non-overlapping IP address ranges. If you need to link two existing VPCs then you can omit these steps, but be aware that you may have issues such as IP address range conflicts. In that case, raise a support ticket with Alibaba Cloud if you need assistance.
Create the Frankfurt-1 VPC
Start by creating the first VPC in Frankfurt. Log into your Alibaba Cloud account and head to the admin console. From the Networking section, select Virtual Private Cloud.
Under the VPC heading on the left hand side of the screen, click VPC. The screen will look something like this.
Click on Germany 1 (Frankfurt) from the list of regions at the top of the screen, as that’s where we will create our VPCs.
In the top right-hand corner of the screen, click on the Create VPC button and fill in the details. We’ll use the 192.168.0.0/16 CIDR range for this VPC, and we’ll name it Frankfurt-1.
Next, click on the Create VPC button to start the creation process.
Our VPC has been created, so click the Next Step button to proceed.
We also need to create a virtual switch for our VPC, and the screen for doing this will appear automatically. We’ll name it Frankfurt-1 too. We need to narrow down our hosting region to a particular zone so in this case, we’ll choose Zone A. We also need to choose an IP range so we will use the suggested example.
When you’ve entered the details, click on Create VSwitch, then click the Done button on the screen that follows.
The VPC and VSwitch are now active and can be seen on the screen that appears.
Note the first column of the table, which contains both the name and the internal ID code of the VPC. When you come to create the Express Connect link, you’ll need to know the ID of the VPC if you have more than one in the region.
Note that the VPC will only be shown on the screen if you select the correct region from the buttons at the top of the page. So, if you don’t see your VPC listed, check this.
Create the Frankfurt-2 VPC
Now repeat the steps above to create a second Frankfurt VPC and VSwitch, each called Frankfurt-2. Choose the 172.16.0.0/12 CIDR block for the VPC. As before, choose Zone A for the VSwitch, and use the suggested example for its IP address range.
You should now see two VPCs listed. Make sure they are configured to use different IP address ranges.
Creating the Link
We now have our VPCs running so we can move on to creating the link with Express Connect. If you have more than two VPCs in the region that you’re going to be working in, make sure you know the internal IDs of the two that you are going to link before continuing.
Head to your Alibaba Cloud console and, from the Networking section, select Express Connect.
You’ll see a screen like this. There’s no need to click on a specific region right now.
Ensure that Router Interface is selected on the left hand side, and then click on the blue Create Router Interface button. You should see something like the following.
Ensure that the Subscription tab is selected at the top of the screen, rather than the Pay-As-You-Go option. Pay-As-You-Go is used for creating additional receivers for an existing link and can’t be used when creating a fixed link between two VPCs. Express Connect is purely a subscription service.
For the scenario, choose VPC Interconnect. The Physical Access option is for a leased-line connection between a VPC and an external data center, which will not be covered in this tutorial. To set up such a link, contact your Alibaba Cloud account manager or raise a support ticket.
For router creation, choose “create initiator and receiver”. Note that the link will be bi-directional. The terms initiator and receiver are merely to differentiate each end of the link, and in practice it doesn’t matter which VPC you use for each.
For router type, choose VRouter.
For the local region, we choose the location of our first VPC which in this case is Frankfurt.
We can now choose from a drop-down list of the ID codes of our VPCs in that region.
Next, for the peer region, select the location of your other VPC. In this case it’s also Frankfurt.
For peer router type, choose VRouter.
For the peer VPC ID we choose the ID of the other Frankfurt VPC.
Choose a bandwidth specification from the list available. A connection between two VPCs in the same region, which is free of charge, will generally only be available with a limited choice of specifications. Inter-region links offer a much wider range of choices in terms of capacity and cost.
Finally, choose the order duration. We only need this link for one month, so we will leave the default option set. You can increase this if you wish, and you can set it to auto-renew too. Take care when using a chargeable option to ensure that you do not inadvertently set the service to automatically renew unless you need it to.
With everything specified, the screen looks like this:
Click on Buy Now and you’ll see a summary of your order.
Tick the box to agree to the terms of service, then click on Pay to complete the process. (Note: If you are using a free service such as this one, and you have some outstanding credit coupons, you should choose the Do Not Use Coupons option, as there may otherwise be an issue with placing your order.)
Check the details once more and press the Pay button. After a few moments, you should see a message to confirm that the order has been successful.
Configuring the Routes
With the link established and the order placed, we can now configure the routing information on each of our VPCs.
We’ll start by configuring the first VPC, which is Frankfurt-1 in this case.
From the home page of the console, under Networking, click on Virtual Private Cloud. Then on the left hand side of the screen and on the VPC tab, click on the VPC link.
Then from the list of regions at the top of the screen, choose Frankfurt.
The screen shows details of each of our VPCs in the selected region.
Click the Manage link for the Frankfurt-1 VPC, and the screen shows the following:
On the left hand side of the screen, click on VRouters and you’ll see this:
At the top of the screen, click the blue Add Route Entry button and you will see this:
For the Destination CIDR Block, enter the IP range of the VPC to link to, which is Frankfurt-2 in this instance. You will recall from when we created the Frankfurt-2 VPC that the CIDR range is 172.16.0.0/12, so that’s what we need to enter.
Set the Next Hop Type to Router Interface.
Under Router Interface, select the General Routing radio button. From the drop-down list of router interfaces, choose the router interface of the Frankfurt-1 VRouter (not the Frankfurt-2 one).
The completed screen looks like this:
Click OK and you should see a notification that the route was successfully added.
Now repeat the process to configure the second VRouter. From the home page of the console, under Networking, click on Virtual Private Cloud. Then on the left-hand side of the screen, on the VPC tab, click on the VPC link.
From the list of regions at the top of the screen, choose Frankfurt as that’s where our second VPC is hosted.
We click the Manage link for the Frankfurt-2 VPC, and the screen shows the following:
On the left hand side of the screen, click on VRouters and you’ll see something like this:
At the top of the screen, click the blue Add Route Entry button.
For the Destination CIDR Block, enter the IP range of the VPC to link to, which is now Frankfurt-1. You will recall from when we created the Frankfurt-1 VPC that the CIDR range is 192.168.0.0/16 so that’s what we need to enter.
Set the Next Hop Type to Router Interface.
Under Router Interface, select the General Routing radio button. From the drop-down list of router interfaces, we choose the router interface of our Frankfurt-2 VRouter.
For the second VPC, the completed screen looks like this:
Click OK and wait for the success notification. You have now established the link between your two VPCs.
It may take a couple of minutes for the router interface to be configured, after which your link will be ready to use.
Checking the Link State
To demonstrate that the link is up, you can create 2 ECS instances – one in each of the two VPCs. Ensure that the ICMP protocol (which permits ping requests) remains selected within the security group of each instance.
In this example, our instance in the Frankfurt-1 VPC gets allocated an IP address of 192.168.117.101. Our second instance, in the Frankfurt-2 VPC, is allocated 172.25.175.95. After logging into the first instance, we should be able to ping the second one over the Express Connect link.
As you can see, this is indeed the case.
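The non-overlap requirement and the two route entries can be checked before touching the console, and the same check shows why the ping fails when only one VRouter has its route entry: the reply has no path back. This is an added example, not part of the original tutorial or of any Alibaba Cloud tooling; it uses the CIDR ranges and instance addresses from this page, and the function names and dictionary layout are assumptions of the example.

```python
import ipaddress

# VPC CIDRs as stated in this tutorial; the dict layout is an assumption of this example.
VPCS = {
    "Frankfurt-1": ipaddress.ip_network("192.168.0.0/16"),
    "Frankfurt-2": ipaddress.ip_network("172.16.0.0/12"),
}


def plan_routes(vpcs):
    """Return {vpc_name: destination CIDR} for a two-VPC link, or raise on overlap."""
    (name_a, net_a), (name_b, net_b) = vpcs.items()
    if net_a.overlaps(net_b):
        raise ValueError(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    # Each VRouter needs a route whose destination is the *other* VPC's range.
    return {name_a: net_b, name_b: net_a}


def owner(vpcs, ip):
    """Name of the VPC whose CIDR contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in vpcs.items() if addr in net), None)


def can_ping_across_link(vpcs, routes, src_ip, dst_ip):
    """True only if both the request and the reply match a configured route entry."""
    src_vpc, dst_vpc = owner(vpcs, src_ip), owner(vpcs, dst_ip)
    if None in (src_vpc, dst_vpc) or src_vpc == dst_vpc:
        return False  # not a cross-VPC path over this link
    forward = routes.get(src_vpc)  # route entry on the sender's VRouter
    reverse = routes.get(dst_vpc)  # route entry on the receiver's VRouter (reply path)
    return (forward is not None and ipaddress.ip_address(dst_ip) in forward
            and reverse is not None and ipaddress.ip_address(src_ip) in reverse)


if __name__ == "__main__":
    routes = plan_routes(VPCS)
    for vpc, dest in routes.items():
        print(f"{vpc}: add route entry, destination {dest}, next hop Router Interface")
    # Instance addresses from the link-state check in this tutorial.
    print(can_ping_across_link(VPCS, routes, "192.168.117.101", "172.25.175.95"))
    # Only Frankfurt-1 configured: the reply from Frankfurt-2 has no route back.
    half = {"Frankfurt-1": routes["Frankfurt-1"]}
    print(can_ping_across_link(VPCS, half, "192.168.117.101", "172.25.175.95"))
```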
In this tutorial we have initiated a secure intranet connection between two VPCs, using Alibaba Cloud Express Connect. For our example we linked two VPCs in the same hosting region and zone, using the same Alibaba Cloud account, as this option is free of charge and is, therefore, the ideal way to evaluate the feature.