This topic describes how to access an Elastic Compute Service (ECS) instance in an Alibaba Cloud Virtual Private Cloud (VPC) from a server of an on-premises data center by using Express Connect.

Background information

If you need to access the cloud resources in a VPC from your on-premises data center by using a physical connection, you must add a route entry with the destination CIDR block 100.64.0.0/10 and the next hop of the target VPC in the corresponding Virtual Border Router (VBR). Also, you must add a route entry that points to 100.64.0.0/10 with the Alibaba Cloud-side IP address of the VBR as the next hop on the gateway device of your on-premises data center.

The CIDR block 100.64.0.0/10 is reserved for VPCs. It is used by the cloud services in VPCs, such as Domain Name System (DNS), Object Storage Service (OSS), and Log Service.

Note: Because the CIDR block 100.64.0.0/10 is reserved for VPCs, you cannot directly add a route entry that points to 100.64.0.0/10 in the VBR. You can divide the CIDR block 100.64.0.0/10 into 100.64.0.0/11 and 100.96.0.0/11, and add two route entries in the VBR.


In this topic, the configurations of the VPC and on-premises data center shown in the following figure are used as an example. Assume that your on-premises data center (CIDR block: 172.17.1.0/24) is located in Hangzhou. You have a VPC (CIDR block: 172.16.0.0/16) in the China (Hangzhou) region. You want to use a physical connection to access an ECS instance (IP address: 172.16.1.1) in the VPC from a server (IP address: 172.17.1.2) at the on-premises data center.

Parameter                                    Value
CIDR block of the VPC                        172.16.0.0/16
CIDR block of the VSwitch                    172.16.0.0/24
IP address of the ECS instance               172.16.1.1/24
CIDR block of the on-premises data center    172.17.1.0/24
IP addresses used for the connection         • IP address used by the VBR: 10.0.0.1/30
                                             • IP address used by the on-premises data center: 10.0.0.2/30
IP address of the local server               172.17.1.2/24
IP addresses used for health checks          • Source IP address: 172.16.1.2
                                             • Destination IP address: 10.0.0.2

Step 1: Establish a physical connection

You can establish a dedicated physical connection by applying for a physical connection interface in the Express Connect console yourself, or establish a shared physical connection by using a shared port of an Alibaba Cloud partner. For more information, see Create a dedicated physical connection and Establish a shared physical connection.

In this example, configure the VBR associated with the physical connection as follows:

Configuration                    Value
VLAN ID                          0
Alibaba Cloud-side IP address    10.0.0.1
Customer-side IP address         10.0.0.2
Subnet mask                      255.255.255.252

Step 2: Add the VPC and VBR to a CEN instance

After the physical connection is established, add the VBR and VPC to be connected to the same Cloud Enterprise Network (CEN) instance.

  1. Log on to the CEN console.
  2. On the Instances page, find the target CEN instance and click the instance ID.
    Make sure that a CEN instance is created. For more information, see Create a CEN instance.
  3. On the Networks tab, click Attach Network and add the VBR to the CEN instance.
    For more information, see Attach networks.
  4. Click Attach More to add the VPC to the CEN instance.

Step 3: Configure VBR routes

After you add the VBR and VPC to the same CEN instance, add a route pointing to the on-premises data center in the VBR.

  1. Log on to the Express Connect console.
  2. In the left-side navigation pane, choose Virtual Border Routers (VBRs) > Virtual Border Routers (VBRs). Find the target VBR and click the instance ID.
  3. On the VBR details page, click the Routes tab and then click Add route.
  4. In the Add Route dialog box that appears, configure the route as follows:
    • Destination Subnet: Enter the CIDR block of the on-premises data center. In this example, enter 172.17.1.0/24.
    • Next Hop Type: Select Physical Connection Interface.
    • Next Hop: Select the physical connection you established in Step 1.
  5. Click OK.

Step 4: Configure health checks

To configure health checks, follow these steps:

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. Select the region of the target CEN instance. In this example, select China (Hangzhou). Then, click Set Health Check.
  4. On the Set Health Check page, configure health checks as follows:
    • Instances: Select the CEN instance with which the VBR is associated.
    • Virtual Border Router (VBR): Select the VBR to be monitored.
    • Source IP: Enter an idle IP address under the VSwitch of the connected VPC, for example, 172.16.1.2.
    • Destination IP: Enter the interface IP address of the network device at the on-premises data center, for example, 10.0.0.2.

Step 5: Configure routes for the on-premises data center

After you complete the preceding steps, the route configuration on Alibaba Cloud is complete. You must now configure a route pointing to the VPC on the network device of the on-premises data center. You can configure a static route or a BGP route to forward traffic from the on-premises data center to the VBR.

  1. Configure a static route or BGP dynamic route on the gateway device of the on-premises data center.
    • The following is an example of a static route and is for reference only. Configurations for devices of different manufacturers are different.
      ip route 172.16.0.0 255.255.0.0 10.0.0.1
    • You can also configure a BGP route. For more information, see Configure BGP.

      The CIDR block to be advertised is the CIDR block of the VPC that needs to communicate with the on-premises data center. The IP address of the next hop, namely, the VBR, is 10.0.0.1. In this example, the CIDR block of the VPC is 172.16.0.0/16.

  2. On the local gateway device, ping the IP address of the VBR to check the connectivity.
    Run ping 10.0.0.1. If the ping test succeeds, the physical connection between the local gateway and Alibaba Cloud works.
  3. Run the following command to add a default route that points to the local gateway on the local server:
    route add default gw 172.17.1.1
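
The following sketch is an added example, not part of the original documentation. It checks this topic's address plan for overlaps, splits the reserved block 100.64.0.0/10 into the two /11 entries the VBR accepts, and renders the gateway static routes in the same `ip route` form shown above. The function names and the "VPC" next-hop label are assumptions made for illustration.

```python
import ipaddress as ip

# Values taken from this topic's example scenario.
VPC = ip.ip_network("172.16.0.0/16")
ONPREM = ip.ip_network("172.17.1.0/24")
RESERVED = ip.ip_network("100.64.0.0/10")   # block reserved for VPC cloud services
VBR_IF = ip.ip_interface("10.0.0.1/30")     # Alibaba Cloud side of the connection
CPE_IF = ip.ip_interface("10.0.0.2/30")     # customer side of the connection


def check_plan():
    """Return a list of problems that would break or misroute traffic."""
    problems = []
    if VBR_IF.network != CPE_IF.network:
        problems.append("VBR and customer interface are not in the same subnet")
    # An on-premises range that overlaps either cloud range is unreachable
    # from the other side, or silently pulls cloud-service traffic on-premises.
    for name, net in (("VPC", VPC), ("reserved block", RESERVED)):
        if net.overlaps(ONPREM):
            problems.append(f"on-premises CIDR overlaps the {name}")
    if VBR_IF.network.overlaps(VPC) or VBR_IF.network.overlaps(ONPREM):
        problems.append("link subnet overlaps a routed CIDR block")
    return problems


def vbr_routes():
    """Route entries for the VBR as (destination, next hop type)."""
    # 100.64.0.0/10 cannot be added directly, so add its two /11 halves.
    halves = RESERVED.subnets(prefixlen_diff=1)
    routes = [(str(h), "VPC") for h in halves]
    routes.append((str(ONPREM), "Physical Connection Interface"))
    return routes


def onprem_static_routes():
    """Static routes for the on-premises gateway; next hop is the VBR."""
    return [f"ip route {n.network_address} {n.netmask} {VBR_IF.ip}"
            for n in (VPC, RESERVED)]


if __name__ == "__main__":
    print(check_plan() or "address plan OK")
    for dest, hop in vbr_routes():
        print(f"VBR route: {dest} -> {hop}")
    print("\n".join(onprem_static_routes()))
```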

Step 6: Test the connectivity from the local server

To test the connectivity between the local server and Alibaba Cloud, follow these steps:

  1. Open the command prompt on the server of the on-premises data center.
  2. Run the ping command to ping the IP address of the VBR 10.0.0.1. If the ping test succeeds, the physical connection from the local server to Alibaba Cloud is successful.
Note: At this stage, if you run a ping test on the ECS instance to ping the IP address of the VBR, the ping test will fail.

Step 7: Test the connectivity from the ECS instance

Make sure that an ECS instance is created. IP addresses of ECS instances are dynamically allocated. Use the actual internal IP address of the ECS instance in this step. In this example, the IP address of the ECS instance is 172.16.1.1.

  1. Open the command prompt on the local server.
  2. Run the ping command ping 172.16.1.1.
  3. Open the command prompt on the ECS instance.
  4. Run the ping command ping 172.17.1.2. If the ping test succeeds, the physical connection between the local server and the ECS instance is successful.