This topic describes how to use two physical connections to connect an on-premises data center to Alibaba Cloud. This solution enables failovers to ensure high availability if one of the physical connections fails.
In this example, the following scenario describes how to connect an on-premises data center to Alibaba Cloud by using redundant physical connections:
A company has an on-premises data center in Shanghai and a virtual private cloud (VPC) in the China (Shanghai) region. The internal CIDR block of the on-premises data center is 172.16.0.0/12, and the internal CIDR block of the VPC is 192.168.0.0/16. To eliminate possible single points of failure (SPOFs), the company plans to apply for two leased lines from two different service providers and create two physical connections to connect the on-premises data center to Alibaba Cloud by using two access points in different regions.
The following figure shows the detailed process.
Step 1: Create two physical connections
You can create two physical connections by using exclusive ports in the Express Connect console or by sharing physical connections with Alibaba Cloud partners. For more information, see Create a dedicated physical connection or Establish a shared physical connection.
- If both physical connection interfaces share the same access point, create redundant physical connections by using the ID of the first physical connection. Make sure that you have paid the initial installation fee for the first physical connection.
- If the physical connection interfaces use different access points, the physical connections are redundant. You do not need to specify another physical connection interface.
In this example, set the following parameters for the virtual border routers (VBRs) associated with both physical connections.
|Parameter||VBR1 (VBR for the first physical connection)||VBR2 (VBR for the second physical connection)|
|Gateway IP Address on Alibaba Cloud Side||10.0.0.1||10.0.0.5|
|Gateway IP Address on Customer Side||10.0.0.2||10.0.0.6|
Step 2: Configure VBR routes
After you create the VBRs, you must add a route entry that maps the on-premises data center on each of the VBRs. To add a route entry, perform the following operations:
- Log on to the Express Connect console.
- In the left-side navigation pane, click Virtual Border Routers (VBRs). On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click the VBR ID.
- On the VBR details page, click the Routes tab, and click Add Route.
- In the Add Route panel, set the following parameters:
- Destination Subnet: Enter the CIDR block of the on-premises data center. In this example, enter 172.16.0.0/12.
- Next Hop Type: Select Physical Connection Interface.
- Next Hop: Select the physical connection interface that you want to associate with the specified on-premises data center.
- Click OK.
- Repeat the preceding operations to configure a redundant route entry that maps the on-premises data center on VBR2.
Step 3: Add the VBRs and the VPC to a CEN instance
After you establish the physical connections and create the VBRs, you must add the VBRs and the VPC to a Cloud Enterprise Network (CEN) instance.
- Log on to the CEN console.
- On the Instances page, find the CEN instance that you want to manage and click the instance ID.If you do not have a CEN instance, you must create one first. For more information, see Create a CEN instance.
- On the Networks tab, click Attach Network and add the VBRs and the VPC to the CEN instance.For more information, see Attach networks.
- If you have created route entries that point to Elastic Compute Service (ECS) instances,
virtual private network (VPN) gateways, or high-availability virtual IP addresses
(HAVIPs), publish these routes to the CEN instance on the Route Tables page in the VPC console.
Step 4: Configure health checks
You must configure health checks for redundant physical connections. Alibaba Cloud sends a ping packet every two seconds from the health check IP address to the on-premises data center. If no responses are returned for eight consecutive ping packets, the system switches network traffic to the other physical connection.
- Log on to the CEN console.
- In the left-side navigation pane, click Health Check.
- Select the region of the CEN instance that you want to manage. In this example, select China (Shanghai) and click Set Health Check.
- In the Set Health Check panel, configure health checks.
- Instances: Select the CEN instance to which the VBRs are added.
- Virtual Border Router (VBR): Select the VBR that you want to monitor.
- Source IP: Enter an idle IP address of the VSwitch in the VPC.
- Destination IP: Enter the IP address of the network device that is installed at the on-premises data center.
- Click OK.
- Repeat the preceding operations to configure health checks for VBR2.
Step 5: Configure routes and health checks for the on-premises data center
To connect the on-premises data center to Alibaba Cloud, perform the following operations for the on-premises data center:
- Configure routes. You can configure static routes or Border Gateway Protocol (BGP)
dynamic routes to forward data between the on-premises data center and the VBRs.
- Static routing
The following example is for reference only. Device configurations may vary with manufacturers.
ip route 192.168.0.0/16 10.0.0.1 ip route 192.168.0.0/16 10.0.0.5
- Dynamic routing
You can use BGP dynamic routes to forward data between the on-premises data center and the VBRs. For more information, see Configure BGP.Note You must advertise the CIDR block of the VPC that you want to connect to the on-premises data center. In this example, the advertised CIDR block is 192.168.0.0/16.
- Static routing
- Configure health checks. You can use Bidirectional Forwarding Detection (BFD) or Network
Quality Analyzer (NQA) to check the routes from the on-premises data center to the
VBRs.Consult the device manufacturer for specific configuration commands. We recommend that you use the BFD method. This allows the system to complete health checks within several milliseconds.
- Check whether the configured routes and health checks work as expected.
Step 6: Test the connectivity
To test the connectivity of the redundant connections, perform the following operations:
- Open the command prompt on a computer in the on-premises data center.
- On the command line, run the ping command to verify connectivity to an ECS instance in the VPC assigned to the 192.168.0.0/16 CIDR block. If the ECS instance and the local computer can communicate with each other by using ping messages, the physical connections pass the connectivity test.
- On the command line, run the tracert command to check whether the redundant connections support load-balancing routing.