Cloud Enterprise Network (CEN) provides a high-quality network transmission environment. By simplifying the networking process, CEN helps you rapidly build a hybrid cloud network with enterprise-level scale and communication capability. This topic describes how to rapidly build a hybrid cloud network by using CEN together with Express Connect physical connections, VPN Gateway, and Smart Access Gateway.

Network topology

This topic takes the following network topology as an example:
  • A company has deployed on-premises data centers in Beijing, Shanghai, Hangzhou, and Guangzhou.
  • The company has also deployed services on the cloud, with separate VPCs in the China (Beijing), China (Shanghai), China (Hangzhou), and China (Shenzhen) regions.
  • The Beijing and Shanghai data centers are connected to Alibaba Cloud access points through physical connections, and the corresponding Virtual Border Routers (VBRs) are attached to a CEN instance.
  • The Hangzhou data center is connected to the Hangzhou VPC through VPN Gateway.
  • The Guangzhou data center accesses Alibaba Cloud through Smart Access Gateway. The Cloud Connect Network (CCN) to which the Smart Access Gateway belongs is attached to the CEN instance.
  • The VPCs in the China (Beijing), China (Shanghai), China (Shenzhen), and China (Hangzhou) regions are attached to the CEN instance.

IP address planning

When you build a hybrid cloud, you must ensure that no CIDR blocks conflict with each other. The CIDR blocks used in this example are as follows:
Network                CIDR block
Hangzhou data center   10.1.1.0/24
Guangzhou data center  10.1.2.0/24
Beijing data center    10.1.3.0/24
Shanghai data center   10.1.4.0/24
Beijing VPC            192.168.1.0/24
Shenzhen VPC           192.168.2.0/24
Shanghai VPC           192.168.3.0/24
Hangzhou VPC           192.168.4.0/24
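The overlap check that this planning step calls for can be automated before any network is attached. The following script is an added example and is not Alibaba Cloud code; it takes the CIDR plan from the table above and reports every pair of networks whose blocks overlap. The "New VPC (constructed)" entry in the usage section is a constructed block that deliberately overlaps the data-center range, so the check has something to find.

```python
"""Check that no two CIDR blocks in a hybrid-cloud address plan overlap.

Added example, not Alibaba Cloud code. CIDR_PLAN is the plan from this
topic; the bad plan built in __main__ is constructed for illustration.
"""
import ipaddress
from itertools import combinations

# Address plan from the topic: network name -> CIDR block
CIDR_PLAN = {
    "Hangzhou data center": "10.1.1.0/24",
    "Guangzhou data center": "10.1.2.0/24",
    "Beijing data center": "10.1.3.0/24",
    "Shanghai data center": "10.1.4.0/24",
    "Beijing VPC": "192.168.1.0/24",
    "Shenzhen VPC": "192.168.2.0/24",
    "Shanghai VPC": "192.168.3.0/24",
    "Hangzhou VPC": "192.168.4.0/24",
}


def find_conflicts(plan):
    """Return a list of (name_a, name_b) pairs whose CIDR blocks overlap.

    strict=True makes ip_network() reject a block with host bits set
    (e.g. 10.1.1.5/24), which in a plan usually signals a typo rather
    than an intended range.  overlaps() is symmetric, so a /16 that
    contains a /24 and two identical /24s are both reported.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in plan.items()}
    conflicts = []
    for (name_a, net_a), (name_b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            conflicts.append((name_a, name_b))
    return conflicts


def is_conflict_free(plan):
    """True when every block in the plan is disjoint from every other block."""
    return not find_conflicts(plan)


if __name__ == "__main__":
    print("conflicts in the topic's plan:", find_conflicts(CIDR_PLAN))

    # Constructed bad plan: a new VPC that reuses the parent range of the
    # four data-center blocks, so it overlaps all of them.
    bad_plan = dict(CIDR_PLAN, **{"New VPC (constructed)": "10.1.0.0/16"})
    for name_a, name_b in find_conflicts(bad_plan):
        print(f"conflict: {name_a} overlaps {name_b}")
```

Run the check again whenever a new VPC, data center, or VPN-advertised block is added to the plan; a conflict found here is far cheaper to fix than one discovered after CEN has started ignoring the duplicate route.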

Access methods

Beijing and Shanghai data centers access Alibaba Cloud through physical connections

Configuration description:
  1. The Beijing and Shanghai data centers are connected to VBRs through physical connections, and each data center and its corresponding VBR are each other's BGP peer. For more information, see Configure BGP.
  2. The CPEs of the Beijing and Shanghai data centers advertise the CIDR blocks of the data centers to CEN through BGP. The main configurations of the CPEs are as follows:
    Configuration   Beijing CPE   Shanghai CPE
    Local BGP ASN   A             B
    Peer BGP ASN    45104         45104
    Network         10.1.3.0/24   10.1.4.0/24

    After each data center and its corresponding VBR become each other's BGP peer, the data center and the VBR can learn each other's routes.

Hangzhou data center accesses Alibaba Cloud through VPN Gateway

Configuration description:
  1. The Hangzhou data center accesses the Hangzhou VPC through VPN Gateway. For more information, see Establish a connection between a VPC and an on-premises data center.
  2. An IPsec-VPN connection is established between the on-premises data center and the VPN Gateway, and on the data center side either contributing routes (one route per remote CIDR block) or a default route pointing to Alibaba Cloud is configured.
    Contributing routes:
    Destination CIDR block   Next hop
    10.1.2.0/24              VPN Gateway
    10.1.3.0/24              VPN Gateway
    10.1.4.0/24              VPN Gateway
    192.168.1.0/24           VPN Gateway
    192.168.2.0/24           VPN Gateway
    192.168.3.0/24           VPN Gateway
    192.168.4.0/24           VPN Gateway
    Default route:
    Destination CIDR block   Next hop
    0.0.0.0/0                VPN Gateway
  3. To enable communication between the on-premises data center and the networks attached to CEN, you must configure a route to the data center's CIDR block, with the VPN Gateway as the next hop, in the VPC connected to the VPN Gateway, and then publish that route to CEN.

    To configure the route, follow these steps:
    1. In the route table of the VPC, configure a route whose destination CIDR block is 10.1.1.0/24 and whose next hop is the VPN Gateway.

    2. Publish the route to CEN from the VPC.

    Through the preceding steps, all networks in the CEN instance learn the route pointing to the data center, and the data center can communicate with any network in the CEN instance. For more information, see Connect a local data center to Alibaba Cloud through a VPN Gateway.
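The choice between contributing routes and a default route decides which traffic leaves the Hangzhou data center through the IPsec tunnel. The script below is an added example, not Alibaba Cloud code; it loads the two route tables from step 2 above, adds an assumed directly connected entry for the data center's own block, and resolves a few constructed destination addresses with a longest-prefix match so the difference is visible.

```python
"""Compare the two data-center route designs from this topic: explicit
contributing routes versus a single default route to the VPN Gateway.

Added example, not Alibaba Cloud code. The route tables are the ones in the
topic; LOCAL_ROUTES and the probe addresses are constructed assumptions.
"""
import ipaddress

# Contributing routes from the topic: one entry per remote CIDR block
CONTRIBUTING_ROUTES = [
    ("10.1.2.0/24", "VPN Gateway"),
    ("10.1.3.0/24", "VPN Gateway"),
    ("10.1.4.0/24", "VPN Gateway"),
    ("192.168.1.0/24", "VPN Gateway"),
    ("192.168.2.0/24", "VPN Gateway"),
    ("192.168.3.0/24", "VPN Gateway"),
    ("192.168.4.0/24", "VPN Gateway"),
]

# Default route from the topic: anything not matched more specifically
# is sent into the tunnel
DEFAULT_ROUTE = [("0.0.0.0/0", "VPN Gateway")]

# Assumed directly connected route for the Hangzhou data center's own block
LOCAL_ROUTES = [("10.1.1.0/24", "local")]


def lookup(route_table, destination):
    """Longest-prefix match: next hop for destination, or None if no route."""
    addr = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for cidr, next_hop in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def tunnel_destinations(route_table, destinations):
    """Subset of destinations that the table sends into the IPsec tunnel."""
    return [d for d in destinations if lookup(route_table, d) == "VPN Gateway"]


if __name__ == "__main__":
    # Constructed probes: a local host, two CEN-side hosts, one outside address
    probes = ["10.1.1.10", "192.168.2.20", "10.1.4.5", "203.0.113.7"]
    designs = {
        "contributing routes": LOCAL_ROUTES + CONTRIBUTING_ROUTES,
        "default route": LOCAL_ROUTES + DEFAULT_ROUTE,
    }
    for name, table in designs.items():
        print(f"{name}: tunnelled = {tunnel_destinations(table, probes)}")
```

With contributing routes, a destination outside the eight planned blocks has no route at all and never enters the tunnel; with the default route, every non-local destination, including addresses outside the hybrid cloud, is forwarded to the VPN Gateway. The default route is simpler to maintain, but the contributing-route design keeps the tunnel scoped to the networks that were actually planned.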

Guangzhou data center accesses Alibaba Cloud through Smart Access Gateway

Configuration description:
  1. In the Smart Access Gateway console, configure the CIDR block of the Guangzhou data center behind the Smart Access Gateway as a private CIDR block.
  2. Attach the CCN associated with the Smart Access Gateway to the CEN instance. The Guangzhou data center can then communicate with any network in the CEN instance.

Interconnection of on-premises data centers and networks

With the preceding configurations in place:
  • The Beijing and Shanghai data centers access Alibaba Cloud through physical connections and BGP. The VBRs of the physical connections are attached to the CEN instance.
  • The Hangzhou data center accesses Alibaba Cloud through VPN Gateway. The VPC connected to the VPN Gateway is attached to the CEN instance.
  • The Guangzhou data center accesses Alibaba Cloud through Smart Access Gateway. The CCN associated with the Smart Access Gateway is attached to the CEN instance.
CEN ignores conflicting routes and dynamically propagates the routes of the attached networks to each other, building a fully connected hybrid cloud.

The route tables of the Beijing CPE, the Beijing VBR, and the Shenzhen VPC are shown below as examples.
Table 1. Beijing CPE
Destination CIDR block   Next hop                  Route type
10.1.1.0/24              BGP peer (Beijing VBR)    BGP route
10.1.2.0/24              BGP peer (Beijing VBR)    BGP route
10.1.4.0/24              BGP peer (Beijing VBR)    BGP route
192.168.1.0/24           BGP peer (Beijing VBR)    BGP route
192.168.2.0/24           BGP peer (Beijing VBR)    BGP route
192.168.3.0/24           BGP peer (Beijing VBR)    BGP route
192.168.4.0/24           BGP peer (Beijing VBR)    BGP route
Table 2. Beijing VBR
Destination CIDR block   Next hop                  Route type
10.1.3.0/24              BGP peer (Beijing CPE)    BGP route
10.1.1.0/24              Hangzhou VPC              CEN route
10.1.2.0/24              CCN                       CEN route
10.1.4.0/24              Shanghai VPC              CEN route
192.168.1.0/24           Beijing VPC               CEN route
192.168.2.0/24           Shenzhen VPC              CEN route
192.168.3.0/24           Shanghai VPC              CEN route
192.168.4.0/24           Hangzhou VPC              CEN route
Table 3. Shenzhen VPC
Destination CIDR block   Next hop                  Route type
10.1.1.0/24              Hangzhou VPC              CEN route
10.1.2.0/24              CCN                       CEN route
10.1.3.0/24              Beijing VBR               CEN route
10.1.4.0/24              Shanghai VBR              CEN route
192.168.1.0/24           Beijing VPC               CEN route
192.168.3.0/24           Shanghai VPC              CEN route
192.168.4.0/24           Hangzhou VPC              CEN route
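The tables above are the outcome of one simple rule: every attached network receives the routes advertised by all the other attachments, and a CIDR block advertised by more than one attachment is a conflict. The script below is an added example, not Alibaba Cloud code; it models that propagation for the attachments and CIDR blocks named in this topic and reproduces the Shenzhen VPC table (Table 3) and the CIDR list of the Beijing CPE table (Table 1). Its conflict handling is a simplification: it leaves a conflicting CIDR out of every table so the conflict is visible, whereas the page does not state which of the conflicting routes CEN keeps.

```python
"""Model of CEN route propagation between attached networks.

Added example, not Alibaba Cloud code. Attachment names and the CIDR blocks
each one advertises come from this topic; the propagation rules are a
simplified model, and the conflicting attachment built in __main__ is
constructed for illustration.
"""
import ipaddress

# What each attachment advertises into CEN, from the topic: a VBR advertises
# the data-center block learned from its CPE over BGP; the Hangzhou VPC also
# advertises the published route to the Hangzhou data center; CCN advertises
# the Guangzhou private block configured in the Smart Access Gateway console.
ATTACHMENTS = {
    "Beijing VBR": ["10.1.3.0/24"],
    "Shanghai VBR": ["10.1.4.0/24"],
    "Beijing VPC": ["192.168.1.0/24"],
    "Shenzhen VPC": ["192.168.2.0/24"],
    "Shanghai VPC": ["192.168.3.0/24"],
    "Hangzhou VPC": ["192.168.4.0/24", "10.1.1.0/24"],
    "CCN": ["10.1.2.0/24"],
}


def propagate(attachments):
    """Return (tables, conflicts).

    tables maps each attachment to its sorted list of (cidr, next_hop)
    CEN routes; an attachment never receives its own blocks.  conflicts is
    the sorted list of CIDR blocks advertised by more than one attachment;
    the model excludes those from every table (simplification, see lead-in).
    """
    advertised = {}  # normalised cidr -> set of advertising attachments
    for name, cidrs in attachments.items():
        for cidr in cidrs:
            key = str(ipaddress.ip_network(cidr, strict=True))
            advertised.setdefault(key, set()).add(name)

    conflicts = sorted(c for c, owners in advertised.items() if len(owners) > 1)

    tables = {}
    for name in attachments:
        table = []
        for cidr, owners in advertised.items():
            if cidr in conflicts or name in owners:
                continue
            (owner,) = owners  # exactly one advertiser once conflicts are removed
            table.append((cidr, owner))
        tables[name] = sorted(table, key=lambda r: ipaddress.ip_network(r[0]))
    return tables, conflicts


def cpe_routes(tables, vbr):
    """Routes the CPE peered with `vbr` learns over BGP: every CEN route in
    the VBR's table, each with the VBR as the BGP next hop (shape of Table 1)."""
    return [(cidr, f"BGP peer ({vbr})") for cidr, _ in tables[vbr]]


if __name__ == "__main__":
    tables, conflicts = propagate(ATTACHMENTS)
    print("conflicts:", conflicts)
    for cidr, hop in tables["Shenzhen VPC"]:
        print(f"Shenzhen VPC  {cidr:16} {hop:14} CEN route")
    for cidr, hop in cpe_routes(tables, "Beijing VBR"):
        print(f"Beijing CPE   {cidr:16} {hop:24} BGP route")

    # Constructed conflict: a second attachment advertising the Guangzhou block
    dup = dict(ATTACHMENTS, **{"Extra VPC (constructed)": ["10.1.2.0/24"]})
    _, dup_conflicts = propagate(dup)
    print("conflicts with the constructed attachment:", dup_conflicts)
```

The constructed run at the end shows why the address-planning step matters: once two attachments advertise the same block, the model drops it from every table and the Guangzhou data center becomes unreachable from the rest of the CEN instance, a failure that is easy to misread as a tunnel or BGP problem if the overlap is not checked first.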