After you create peering connections between two virtual border routers (VBRs) and a virtual private cloud (VPC), you can configure health checks and route weights for each peering connection for redundancy. This way, when one of the Express Connect circuits is down, the other Express Connect circuit can take over.

Scenario

The following scenario is used as an example to show how to configure health checks and route weights for peering connections to achieve high availability.

After you configure health checks, Alibaba Cloud sends a ping packet from the specified source IP address to the IP address of the gateway device in the data center every 2 seconds. If no response is received after eight consecutive ping packets are sent, the other Express Connect circuit takes over.

Note: If throttling such as Control Plane Policing (CoPP) or local attack defense is enabled for the gateway devices in the data center, probe packets may be dropped. As a result, the system may frequently switch between the two Express Connect circuits. We recommend that you disable throttling for the gateway devices in the data center.

Access from the data center to the VPC

The following table describes the network topology.

Parameter: IP address/CIDR block
VPC: 192.168.0.0/16
Data center: 172.16.0.0/16
IP address of VBR 1 and Gateway Device 1 in the data center:
  • VBR 1: 10.10.10.1
  • Gateway Device 1: 10.10.10.2
  • Subnet mask: 255.255.255.252
IP address of VBR 2 and Gateway Device 2 in the data center:
  • VBR 2: 10.10.11.1
  • Gateway Device 2: 10.10.11.2
  • Subnet mask: 255.255.255.252
Health checks for the peering connection established on VBR 1:
  • Source IP address: 192.168.10.1
  • Destination IP address: 10.10.10.2
Health checks for the peering connection established on VBR 2:
  • Source IP address: 192.168.10.2
  • Destination IP address: 10.10.11.2

Prerequisites

Note: In this example, static routes are configured on the VBRs and the customer-premises equipment (CPE).

Step 1: Configure health checks

You must configure health checks for both peering connections.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select the region and choose VPC Peering Connections > VBR-to-VPC in the left-side navigation pane.
  3. Find the peering connection that you want to manage and choose More > Health Check in the Actions column.
  4. In the Health Check panel, click Settings.
  5. In the Modify VBR panel, set the following parameters and click OK.
    Parameter: Description
    • Source IP address: An idle private IP address from the connected VPC.
    • Destination IP address: Enter the private IP address of the interface on a gateway device in the data center.

    You can enable the gateway device in the data center to perform health checks by sending ICMP packets. When you configure health checks on the gateway device, we recommend that you set the IP address to be probed to the specified IP address in the health check configuration on the Alibaba Cloud side. In addition, add a route that points to the specified IP address to the route table of the gateway device.

  6. Repeat the preceding steps to configure health checks for the other peering connection.
    Notice: When you configure health checks for the second peering connection, make sure that the source IP address is different from the first one.

Step 2: Configure route weights

In this example, a route is added to establish active/active peering connections.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route tables.
  3. On the Route Tables page, click the ID of the VPC that you want to access and then click the ID of the route table to which you want to add a route.
  4. On the Route Entry List tab, click the Custom Route tab.
  5. Click Add Route Entry, set the following parameters, and then click OK to add a route to forward network traffic from the VPC to the data center:
    • Destination CIDR Block: Enter the destination CIDR block.
    • Next Hop Type: Select the next hop type. In this example, Router Interface (To VBR) is selected. This specifies that network traffic destined for the specified CIDR block is forwarded to the router interface of a VBR.

      Select Load Balancing Routing and specify the two VBRs that are connected to the VPC as the next hops. You can set the weight of each VBR to an integer from 0 to 255. The default value is 100. The weights of the VBRs must be the same. This way, network traffic can be evenly distributed to each VBR.

  6. Click Add Route Entry, set the following parameters, and then click OK to add a route for the health check of the peering connection established on VBR 1:
    • Destination CIDR Block: Enter the destination CIDR block.
    • Next Hop Type: Select the next hop type. In this example, Router Interface (To VBR) is selected. This specifies that network traffic destined for the specified CIDR block is forwarded to the router interface of a VBR.

      Select General Routing and specify the interface of VBR 1 as the next hop.

  7. Click Add Route Entry, set the following parameters, and then click OK to add a route for the health check of the peering connection established on VBR 2:
    • Destination CIDR Block: Enter the destination CIDR block.
    • Next Hop Type: Select the next hop type. In this example, Router Interface (To VBR) is selected. This specifies that network traffic destined for the specified CIDR block is forwarded to the router interface of a VBR.

      Select General Routing and specify the interface of VBR 2 as the next hop.

Step 3: Configure health check routes in the data center

If Border Gateway Protocol (BGP) routing is not configured, you must configure static routes on the gateway devices in the data center based on the following information:

  • Configure a static route that is used to perform health checks on the peering connection established on VBR 1. Set the next hop to the IP address of VBR 1.
  • Configure a static route that is used to perform health checks on the peering connection established on VBR 2. Set the next hop to the IP address of VBR 2.
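
A consistency check for the values entered in Steps 1 to 3, added here as an example (it is not Alibaba Cloud code). The addresses come from the topology table; the function name, the finding labels, and the /32 destinations of the gateway static routes (taken from the 192.168.10.1/32 entry in the BGP procedure) are assumptions.

```python
import ipaddress

# Values from the topology table on this page.
VPC_CIDR = "192.168.0.0/16"
LINKS = {
    "VBR 1": {"vbr": "10.10.10.1", "gateway": "10.10.10.2",
              "probe_src": "192.168.10.1", "probe_dst": "10.10.10.2"},
    "VBR 2": {"vbr": "10.10.11.1", "gateway": "10.10.11.2",
              "probe_src": "192.168.10.2", "probe_dst": "10.10.11.2"},
}
# Step 3 static routes on the gateway devices: probe source -> next hop.
# Assumption: each route is a /32 for the health check source address.
GATEWAY_ROUTES = {"192.168.10.1/32": "10.10.10.1",
                  "192.168.10.2/32": "10.10.11.1"}


def lint_health_checks(links, gateway_routes, vpc_cidr=VPC_CIDR):
    """Return (link name, problem) tuples; an empty list means consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings, used_sources = [], {}
    for name, link in links.items():
        src = ipaddress.ip_address(link["probe_src"])
        # VBR and gateway must be the two hosts of one 255.255.255.252 subnet.
        p2p = ipaddress.ip_network(link["vbr"] + "/30", strict=False)
        if {link["vbr"], link["gateway"]} != {str(h) for h in p2p.hosts()}:
            findings.append((name, "vbr-gateway-not-same-/30"))
        # Step 1: the source is a private IP address from the connected VPC.
        if src not in vpc:
            findings.append((name, "source-outside-vpc"))
        # Step 1 notice: each peering connection needs its own source address.
        if src in used_sources:
            findings.append((name, "source-reused-from-" + used_sources[src]))
        used_sources.setdefault(src, name)
        # Step 1: the probe targets the gateway interface on this circuit.
        if link["probe_dst"] != link["gateway"]:
            findings.append((name, "destination-not-this-gateway"))
        # Step 3: the gateway's route to the probe source uses this link's VBR.
        if gateway_routes.get(f"{src}/32") != link["vbr"]:
            findings.append((name, "reply-route-not-via-own-vbr"))
    return findings


# Constructed misconfiguration: VBR 2 reuses VBR 1's probe source address.
BROKEN = {**LINKS, "VBR 2": {**LINKS["VBR 2"], "probe_src": "192.168.10.1"}}

if __name__ == "__main__":
    print(lint_health_checks(LINKS, GATEWAY_ROUTES))
    print(lint_health_checks(BROKEN, GATEWAY_ROUTES))
```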

Step 4: Test the network connectivity

  1. Open the command prompt on a server in the data center.
  2. Run the ping command to check whether the data center can access an ECS instance in the VPC.
    If the ping succeeds, the data center and the ECS instance are connected.
  3. Disable one of the peering connections and run the ping command again.
    If the ping command succeeds, it indicates that you can reach the ECS instance through at least one of the connections.

Related operations

If BGP routing is configured on the VBRs and the gateway devices in the data center, you must advertise the BGP CIDR block that is used for health checks to the VBR. To advertise a BGP CIDR block, perform the following operations:

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, click the ID of VBR 1.
  4. On the VBR details page, click the Routes tab and then click Add Route.
  5. In the Add Route panel, set the following parameters and click OK:
    • Destination CIDR Block: Enter the CIDR block of the source IP address that is used for health checks. 192.168.10.1/32 is entered in this example.
    • Next Hop Type: Select VPC.
    • Next Hop: Select the VPC that you want to access.
  6. On the VBR details page, click Advertised BGP Subnets and then click Advertise BGP Subnet.
  7. On the Advertise BGP Subnet page, enter the source IP address that is used to perform health checks on VBR 1.
  8. Repeat the preceding steps to advertise the BGP CIDR block of the source IP address that is used to perform health checks on VBR 2.