Cloud Enterprise Network (CEN) helps you build a high-quality network environment. CEN provides a simplified networking method to build a hybrid cloud with enterprise-level scale and communication capability. This topic describes how to build a hybrid cloud by combining leased lines, VPN gateways, and Smart Access Gateway (SAG) instances.

Network topology

The following network topology is used in this example:
  • A company has deployed data centers in the China (Beijing), China (Shanghai), China (Hangzhou), and China (Guangzhou) regions.
  • In addition, the company has created virtual private clouds (VPCs) in the China (Beijing), China (Shanghai), China (Hangzhou), and China (Shenzhen) regions.
  • The data centers in China (Beijing) and China (Shanghai) are connected to Alibaba Cloud through leased lines. The virtual border routers (VBRs) of the leased lines are attached to a CEN instance.
  • The data center in China (Hangzhou) is connected to the VPC in China (Hangzhou) through a VPN gateway.
  • The data center in China (Guangzhou) is connected to Alibaba Cloud through an SAG instance. The Cloud Connect Network (CCN) instance to which the SAG instance belongs is attached to the CEN instance.
  • The VPCs of the company in China (Beijing), China (Shanghai), China (Shenzhen), and China (Hangzhou) are attached to the CEN instance.

Subnetting

To build a hybrid cloud, make sure that the CIDR blocks to be connected do not overlap with each other. The following table describes the CIDR blocks in this example.

| Network | CIDR block |
| --- | --- |
| Data center in China (Hangzhou) | 10.1.1.0/24 |
| Data center in China (Guangzhou) | 10.1.2.0/24 |
| Data center in China (Beijing) | 10.1.3.0/24 |
| Data center in China (Shanghai) | 10.1.4.0/24 |
| VPC in China (Beijing) | 192.168.1.0/24 |
| VPC in China (Shenzhen) | 192.168.2.0/24 |
| VPC in China (Shanghai) | 192.168.3.0/24 |
| VPC in China (Hangzhou) | 192.168.4.0/24 |
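
The no-overlap requirement can be checked before any network instance is attached. The following is an added example, not part of the original topic or of any Alibaba Cloud tooling: it validates the CIDR plan from the table above and tests a proposed new block against it. The function names and the candidate blocks are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# CIDR plan copied from the subnetting table in this topic.
PLAN = {
    "Data center in China (Hangzhou)": "10.1.1.0/24",
    "Data center in China (Guangzhou)": "10.1.2.0/24",
    "Data center in China (Beijing)": "10.1.3.0/24",
    "Data center in China (Shanghai)": "10.1.4.0/24",
    "VPC in China (Beijing)": "192.168.1.0/24",
    "VPC in China (Shenzhen)": "192.168.2.0/24",
    "VPC in China (Shanghai)": "192.168.3.0/24",
    "VPC in China (Hangzhou)": "192.168.4.0/24",
}


def find_overlaps(plan):
    """Return (name_a, name_b) pairs whose CIDR blocks share any address.

    strict=True rejects entries with host bits set (for example
    10.1.1.5/24), which catches typos in the plan itself.
    """
    nets = {n: ipaddress.ip_network(c, strict=True) for n, c in plan.items()}
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(nets.items(), 2)
        if net_a.overlaps(net_b)
    ]


def check_candidate(plan, cidr):
    """Return the names of planned networks that a proposed block collides with."""
    new = ipaddress.ip_network(cidr, strict=True)
    return [n for n, c in plan.items() if new.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    print("overlaps in plan:", find_overlaps(PLAN))
    # Constructed candidates: a supernet that swallows three data centers,
    # and an unused range that is safe to add.
    print("10.1.0.0/22 collides with:", check_candidate(PLAN, "10.1.0.0/22"))
    print("172.16.0.0/24 collides with:", check_candidate(PLAN, "172.16.0.0/24"))
```
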

Services for connecting data centers to Alibaba Cloud

Connect the data centers in China (Beijing) and China (Shanghai) to Alibaba Cloud through leased lines

Procedure

  1. Connect the data centers in China (Beijing) and China (Shanghai) to VBRs through leased lines. Then, configure the data centers and the connected VBRs as BGP peers. For more information, see Configure BGP.
  2. Use the customer-premises equipment (CPE) of the data centers in China (Beijing) and China (Shanghai) to advertise the CIDR blocks of the data centers to the CEN instance through BGP. The following table describes the configurations of the CPE in China (Beijing) and China (Shanghai).
    | Configuration | CPE in China (Beijing) | CPE in China (Shanghai) |
    | --- | --- | --- |
    | Local BGP ASN | A | B |
    | Peer BGP ASN | 45104 | 45104 |
    | Network | 10.1.3.0/24 | 10.1.4.0/24 |

    After the data centers and the VBRs are configured as BGP peers, the data centers and the VBRs can learn routes from each other.

Connect the data center in China (Hangzhou) to Alibaba Cloud through a VPN gateway

Procedure:

  1. Create an IPsec-VPN connection to connect the data center in China (Hangzhou) to the VPC in China (Hangzhou). For more information, see Connect on-premises data centers to VPC networks.
  2. Configure a specific route or default route that points to Alibaba Cloud.
    Configure a specific route.

    | Destination CIDR block | Next hop |
    | --- | --- |
    | 10.1.2.0/24 | VPN gateway |
    | 10.1.3.0/24 | VPN gateway |
    | 10.1.4.0/24 | VPN gateway |
    | 192.168.1.0/24 | VPN gateway |
    | 192.168.2.0/24 | VPN gateway |
    | 192.168.3.0/24 | VPN gateway |
    | 192.168.4.0/24 | VPN gateway |

    Configure the default route.

    | Destination CIDR block | Next hop |
    | --- | --- |
    | 0.0.0.0/0 | VPN gateway |

  3. To allow the data center to communicate with the network instances that are attached to the CEN instance, you must add a route to the VPC that is associated with the VPN gateway and advertise the route to the CEN instance. The route must point to the data center.
    Configure a route that points to the data center in China (Hangzhou) and advertise the route to the CEN instance.

    Configure the route based on the following information:

    1. Add a route to the route table of the VPC in China (Hangzhou). The destination CIDR block is set to 10.1.1.0/24 and the next hop is set to the VPN gateway that is created for the VPC.
    2. Advertise the route from the VPC in China (Hangzhou) to the CEN instance.

    After you advertise the route to the CEN instance, the network instances that are attached to the CEN instance can learn the route. This way, the data center in China (Hangzhou) can communicate with all attached network instances.

Connect the data center in China (Guangzhou) to Alibaba Cloud through an SAG instance

Procedure:

  1. Log on to the SAG console, select an SAG instance to connect to the data center in China (Guangzhou), and then configure a route for the connection.
  2. Attach the CCN instance that is associated with the SAG instance to the CEN instance. This way, the data center in China (Guangzhou) can communicate with the network instances that are attached to the CEN instance.

Connect the data centers in all regions

Repeat the preceding procedures to connect all data centers through CEN.
  • The data centers in China (Beijing) and China (Shanghai) are connected to Alibaba Cloud through BGP leased lines. Therefore, attach the VBRs to the CEN instance.
  • The data center in China (Hangzhou) is connected to Alibaba Cloud through a VPN gateway. Therefore, attach the VPC for which the VPN gateway is created to the CEN instance.
  • The data center in China (Guangzhou) is connected to Alibaba Cloud through an SAG instance. Therefore, attach the CCN instance that is associated with the SAG instance to the CEN instance.
The CEN instance dynamically advertises the routes from the attached network instances to avoid route overlapping. This builds a hybrid cloud through which the data centers and the attached network instances can communicate with each other.
For example, the following tables describe the route tables of the CPE in China (Beijing), the VBR in China (Beijing), and the VPC in China (Shenzhen).

Table 1. CPE in China (Beijing)

| Destination CIDR block | Next hop | Route type |
| --- | --- | --- |
| 10.1.1.0/24 | BGP peer: VBR in China (Beijing) | BGP route |
| 10.1.2.0/24 | BGP peer: VBR in China (Beijing) | BGP route |
| 10.1.4.0/24 | BGP peer: VBR in China (Beijing) | BGP route |
| 192.168.1.0/24 | BGP peer: VBR in China (Beijing) | BGP route |
| 192.168.2.0/24 | BGP peer: VBR in China (Beijing) | BGP route |
| 192.168.3.0/24 | BGP peer: VBR in China (Beijing) | BGP route |
| 192.168.4.0/24 | BGP peer: VBR in China (Beijing) | BGP route |

Table 2. VBR in China (Beijing)

| Destination CIDR block | Next hop | Route type |
| --- | --- | --- |
| 10.1.3.0/24 | BGP peer: CPE in China (Beijing) | BGP route |
| 10.1.1.0/24 | VPC in China (Hangzhou) | CEN route |
| 10.1.2.0/24 | CCN | CEN route |
| 10.1.4.0/24 | VBR in China (Shanghai) | CEN route |
| 192.168.1.0/24 | VPC in China (Beijing) | CEN route |
| 192.168.2.0/24 | VPC in China (Shenzhen) | CEN route |
| 192.168.3.0/24 | VPC in China (Shanghai) | CEN route |
| 192.168.4.0/24 | VPC in China (Hangzhou) | CEN route |

Table 3. VPC in China (Shenzhen)

| Destination CIDR block | Next hop | Route type |
| --- | --- | --- |
| 10.1.1.0/24 | VPC in China (Hangzhou) | CEN route |
| 10.1.2.0/24 | CCN | CEN route |
| 10.1.3.0/24 | VBR in China (Beijing) | CEN route |
| 10.1.4.0/24 | VBR in China (Shanghai) | CEN route |
| 192.168.1.0/24 | VPC in China (Beijing) | CEN route |
| 192.168.3.0/24 | VPC in China (Shanghai) | CEN route |
| 192.168.4.0/24 | VPC in China (Hangzhou) | CEN route |
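
The route tables above follow one rule: each site holds a route to every planned CIDR block except its own. The following added example (not part of the original topic or of any Alibaba Cloud tooling) audits a list of route destinations against that rule and separately reports routes that are broader than the plan, such as the 0.0.0.0/0 default route option for the data center in China (Hangzhou). The function name, the report keys, and the sample inputs in the comments are assumptions made for illustration.

```python
import ipaddress

# Planned CIDR blocks from the subnetting table in this topic.
PLAN = [
    "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24",
    "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24",
]

# Destination CIDR blocks copied from Table 3 (VPC in China (Shenzhen)).
SHENZHEN_VPC_ROUTES = [
    "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24",
    "192.168.1.0/24", "192.168.3.0/24", "192.168.4.0/24",
]


def audit_routes(own_cidr, destinations, plan=PLAN):
    """Compare a site's route destinations with the CIDR plan.

    missing: remote planned blocks that no route covers (traffic is dropped).
    broad:   routes that are not planned blocks but contain one or more of
             them, so they also carry traffic the plan never listed.
    unknown: routes that match nothing in the plan, including a route to
             the site's own block.
    """
    own = ipaddress.ip_network(own_cidr)
    remote = [n for n in map(ipaddress.ip_network, plan) if n != own]
    routes = [ipaddress.ip_network(d) for d in destinations]

    def covers_planned(route):
        return any(n.subnet_of(route) for n in remote)

    extra = [r for r in routes if r not in remote]
    return {
        "missing": [str(n) for n in remote
                    if not any(n.subnet_of(r) for r in routes)],
        "broad": [str(r) for r in extra if covers_planned(r)],
        "unknown": [str(r) for r in extra if not covers_planned(r)],
    }


if __name__ == "__main__":
    # Table 3 matches the plan exactly.
    print(audit_routes("192.168.2.0/24", SHENZHEN_VPC_ROUTES))
    # Default route option for the Hangzhou data center: reaches every
    # planned block, but is reported as broader than the plan.
    print(audit_routes("10.1.1.0/24", ["0.0.0.0/0"]))
```

An empty report for all three keys means the route table matches the plan exactly; a `broad` entry means the next hop also receives traffic for destinations outside the eight planned blocks.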