This topic describes how to use two physical connections to connect an on-premises data center to Alibaba Cloud. Doing so establishes highly reliable intranet communication between the on-premises data center and a VPC.

Background information

This topic takes the following scenario as an example to describe how to connect an on-premises data center to Alibaba Cloud by using redundant physical connections.

A company has an on-premises data center (CIDR block: 172.16.0.0/12) in Shanghai, and an Alibaba Cloud VPC (CIDR block: 192.168.0.0/16) in the China (Shanghai) region. To eliminate single points of failure (SPOFs), the company plans to apply for two leased lines from two different service providers and create two physical connections to connect the on-premises data center to Alibaba Cloud.

The following figure shows the configuration process.

Step 1: Apply for two physical connection interfaces

Set the name of the first physical connection interface to leasedline1. This topic provides only general configuration information. For detailed configuration information, see Apply for a physical connection interface.

  1. Apply for a physical connection interface and pay an initial installation fee.
    • Region: Select the region where the leased line is deployed.
    • SP: Select the service provider of the leased line. In this example, select China Unicom.
    • Access Point: Select the access point that is geographically closest to your on-premises data center. In this example, select Shanghai-Baoshan-B-CU.
    • Port Specification: Select the required port specification. Note that different specifications incur different resource occupation fees.
    • Port Type: Select the type of the physical connection port. In this example, select 1000Base-LX.
    • Redundant Connection ID: Select None.
  2. Click Apply for LOA in the Actions column. On the Apply for LOA page, enter your company name, the name of the data center cable installation company, the scheduled installation date and time, and the contact information of the data center cable installation technician or representative, and select a construction type.
  3. After your application is approved (usually within three workdays), download the LOA to view installation information in the console, such as the location of the installation site (the Alibaba Cloud data center site), cabinet location, and port information.
    At this stage, we recommend that you instruct your installation company to start installation. After the installation is complete, click Delivery Report on the Physical Connection Interfaces page, enter the leased line code and the label numbers of cables at the installation site, and click OK. The physical connection interface enters the Waiting state.
  4. Alibaba Cloud will connect the cables to the corresponding ports according to the information you provided. After you confirm that the physical connection interface has been deployed, pay the resource occupation fee. When the physical connection interface changes to the Enabled state, the leased line connection is completed.
  5. Repeat the preceding steps to apply for a second physical connection interface. Set the name of the second physical connection interface to leasedline2.
    In this example, configure the second physical connection interface according to the following information:
    • Region: Select the region where the second leased line is deployed.
    • Access Point: Select an access point that is closest to your on-premises data center. In this example, select Shanghai-Pudong-B-CT.
    • SP: Select the service provider of the second leased line. In this example, select China Telecom.
    • Port Specification: Select the required port specification. Note that different specifications incur different resource occupation fees.
    • Port Type: Select the type of the physical connection port. In this example, select 1000Base-LX.
    • Redundant Connection ID: Select the first physical connection interface you have applied for. Make sure that you have paid the initial installation fee.
      Note
      • If the access point of the second physical connection interface is the same as that of the first physical connection interface, select the ID of the first physical connection interface. Make sure that you have paid the initial installation fee for the first physical connection interface.
      • If the access point of the second physical connection interface is different from that of the first physical connection interface, the two connections form a redundant connection by default. You do not need to select a physical connection ID.

Step 2: Create two virtual border routers

  1. On the Virtual Border Routers (VBRs) page, click Create VBR.
  2. Configure the VBR.
    The VBR configurations in this example are as follows:
    • Account: Select Current account.
    • Name: Enter vbr1.
    • Physical Connection Interface: Select the first physical connection interface.
    • VLAN ID: Enter 0.
    • Gateway IP Address on Alibaba Cloud Side: Enter 10.0.0.1.
    • Gateway IP Address on Customer Side: Enter 10.0.0.2.
    • Subnet Mask: Enter 255.255.255.252.
  3. Repeat the preceding steps to create another VBR named vbr2 for the second physical connection interface.
    The configurations of vbr2 in this example are as follows:
    • Account: Select Current account.
    • Name: Enter vbr2.
    • Physical Connection Interface: Select the second physical connection interface.
    • VLAN ID: Enter 0.
    • Gateway IP Address on Alibaba Cloud Side: Enter 10.0.0.5.
    • Gateway IP Address on Customer Side: Enter 10.0.0.6.
    • Subnet Mask: Enter 255.255.255.252.
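
The following added example (not part of the original topic or of any Alibaba Cloud tooling) checks the VBR address plan above before it is entered in the console: both gateway IPs of a VBR must be usable hosts of the same subnet, and the two link subnets must not overlap each other or the VPC and data center CIDR blocks used in this topic. The function name check_plan and the dictionary layout are assumptions made for illustration.

```python
import ipaddress

# Values taken from this topic's example scenario.
VPC_CIDR = "192.168.0.0/16"
ONPREM_CIDR = "172.16.0.0/12"
VBRS = {
    "vbr1": {"cloud": "10.0.0.1", "customer": "10.0.0.2", "mask": "255.255.255.252"},
    "vbr2": {"cloud": "10.0.0.5", "customer": "10.0.0.6", "mask": "255.255.255.252"},
}

def check_plan(vbrs, routed_cidrs):
    """Return a list of problems found in the VBR gateway address plan (hypothetical helper)."""
    problems = []
    links = {}
    for name, cfg in vbrs.items():
        cloud = ipaddress.ip_interface(f"{cfg['cloud']}/{cfg['mask']}")
        customer = ipaddress.ip_interface(f"{cfg['customer']}/{cfg['mask']}")
        if cloud.network != customer.network:
            problems.append(f"{name}: gateway IPs are in different subnets")
            continue
        net = cloud.network
        usable = set(net.hosts())  # excludes network and broadcast addresses of a /30
        for side, iface in (("cloud", cloud), ("customer", customer)):
            if iface.ip not in usable:
                problems.append(f"{name}: {side} IP {iface.ip} is not a usable host in {net}")
        if cloud.ip == customer.ip:
            problems.append(f"{name}: both sides use {cloud.ip}")
        links[name] = net
    names = sorted(links)
    for i, a in enumerate(names):
        # Link subnets must be distinct from each other ...
        for b in names[i + 1:]:
            if links[a].overlaps(links[b]):
                problems.append(f"{a} and {b}: link subnets {links[a]} and {links[b]} overlap")
        # ... and from the CIDR blocks that are routed across the links.
        for cidr in routed_cidrs:
            if links[a].overlaps(ipaddress.ip_network(cidr)):
                problems.append(f"{a}: link subnet {links[a]} overlaps routed CIDR {cidr}")
    return problems

if __name__ == "__main__":
    for line in check_plan(VBRS, [VPC_CIDR, ONPREM_CIDR]) or ["address plan OK"]:
        print(line)
```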

Step 3: Configure VBR routes

After creating the VBRs, you must add a route entry pointing to the on-premises data center in each of the two VBRs. To do so, follow these steps:

  1. Log on to the Express Connect console.
  2. In the left-side navigation pane, choose Physical Connections > Virtual Border Routers (VBRs). Find vbr1 and click the instance ID.
  3. Click the Routes tab, and then click Add Route.
  4. On the Add Route page, configure the route as follows:
    • Destination Subnet: Enter the CIDR block of the on-premises data center. In this example, enter 172.16.0.0/12.
    • Next Hop Type: Select Physical Connection Interface.
    • Next Hop: Select leasedline1.
  5. Click OK.
  6. Repeat the preceding steps to configure a route pointing to the on-premises data center and using leasedline2 as the next hop in vbr2.

Step 4: Add the VBRs and VPC to a CEN instance

After you establish the leased line connections and create the VBRs, you must add the VBRs and the VPC to be connected to a Cloud Enterprise Network (CEN) instance.

  1. Log on to the CEN console.
  2. On the Instances page, find the target CEN instance and click the instance ID.
    If you do not have any CEN instance, create a CEN instance first. For more information, see Create a CEN instance.
  3. On the Networks tab, click Attach Network and add the VBRs and VPC to be connected to the CEN instance.
    For more information, see Attach networks.
  4. If you have added routes pointing to ECS instances, VPN Gateways, or High-Availability Virtual IP Addresses (HaVips) in the VPC, you must publish these routes to the CEN instance.
    Route table

Step 5: Configure health checks

You must configure health checks for redundant physical connections. Alibaba Cloud sends a ping packet once every two seconds from the health check IP address to the customer-side IP address of the on-premises data center. If eight consecutive ping packets receive no response on one physical connection, traffic is switched to the other physical connection.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. Select the region of the target CEN instance. In this example, select China (Shanghai). Then, click Set Health Check.
  4. On the Set Health Check page, configure health checks.
    • Instances: Select the CEN instance to which the VBRs are added.
    • Virtual Border Router (VBR): Select the VBR to be monitored. In this example, select vbr1.
    • Source IP: Enter an idle IP address of the VSwitch in the connected VPC.
    • Target IP: Enter the interface IP address of the network device of the on-premises data center.
  5. Repeat the preceding steps to configure health checks for vbr2.
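
The following added example (not part of the original topic) models the switchover rule described at the start of this step, one probe every two seconds and a switch after eight consecutive unanswered probes, over constructed probe results for vbr1 and vbr2. It shows that a single reply resets the count, so a run of seven misses does not trigger a switch. The function names are hypothetical; the reply timeout and any switch-back behaviour are not described in this topic and are not modelled.

```python
PROBE_INTERVAL_S = 2  # from this topic: one ping every two seconds
MISS_THRESHOLD = 8    # from this topic: eight consecutive pings with no response

def first_switch(replies, interval_s=PROBE_INTERVAL_S, threshold=MISS_THRESHOLD):
    """Return the send time (seconds after the first probe) of the probe that
    completes `threshold` consecutive misses, or None if that never happens."""
    misses = 0
    for i, replied in enumerate(replies):
        misses = 0 if replied else misses + 1  # any reply resets the run
        if misses == threshold:
            return i * interval_s
    return None

def evaluate(probe_log):
    """Map each VBR to its switch time and list the VBRs still passing checks."""
    switch_at = {vbr: first_switch(replies) for vbr, replies in probe_log.items()}
    healthy = sorted(vbr for vbr, t in switch_at.items() if t is None)
    return switch_at, healthy

# Constructed sample data: True = reply received, False = no reply.
SAMPLE_LOG = {
    # 3 replies, 7 misses (below threshold), 1 reply, then a sustained outage
    "vbr1": [True] * 3 + [False] * 7 + [True] + [False] * 10,
    "vbr2": [True] * 21,
}

if __name__ == "__main__":
    switch_at, healthy = evaluate(SAMPLE_LOG)
    for vbr, t in switch_at.items():
        print(vbr, "no switch" if t is None else f"threshold reached at t={t}s")
    print("still healthy:", healthy or "none (both connections failed their checks)")
```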

Step 6: Configure routes and health checks for the on-premises data center

To connect the on-premises data center to Alibaba Cloud, you must complete the following configurations for the on-premises data center:

  1. Configure routes. You can configure a static route or BGP dynamic route to forward data between the on-premises data center and the VBRs:
    • Static route

      The following example is for reference only. Configurations for devices of different manufacturers are different.

      ip route 192.168.0.0/16 10.0.0.1
      ip route 192.168.0.0/16 10.0.0.5
    • Dynamic route
      You can use BGP to forward data between the on-premises data center and the VBRs. For more information, see Configure BGP.
      Note: You must advertise the CIDR block of the VPC that needs to communicate with the on-premises data center. In this example, the advertised CIDR block is 192.168.0.0/16.
  2. Configure health checks. You can use Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) to check the route from the on-premises data center to the VBRs.
    Consult the device manufacturer for specific configuration commands. We recommend that you use the BFD method.
  3. Check whether the configured routes and health checks work.

Step 7: Test the connectivity

To test the connectivity of the redundant connections, follow these steps:

  1. Open the command prompt of the PC at the on-premises data center.
  2. Run the ping command to reach an ECS instance in the connected VPC. If the ping succeeds, the connection between the on-premises data center and Alibaba Cloud is established.
  3. Run the tracert command to check whether load balancing routing is implemented for the redundant connections.