Create active/standby connections and configure BGP routing - Express Connect

This topic describes how to use Express Connect circuits and Cloud Enterprise Network (CEN) to create active/standby connections between a data center and a virtual private cloud (VPC) and configure Border Gateway Protocol (BGP) routing for the connections.

Scenario

The following example shows how to use Express Connect circuits to create active/standby connections between a data center and a VPC and configure BGP routing for the connections. An enterprise has a data center in Shanghai and deploys business-critical systems such as database clusters in the data center. In addition, the enterprise creates a VPC in the China (Shanghai) region and deploys applications on Elastic Compute Service (ECS) instances in the VPC. To ensure the stability of data transfer, the enterprise needs to lease two Express Connect circuits to connect the customer-premises equipment (CPE) and virtual border routers (VBRs). Each Express Connect circuit connects to a separate piece of CPE in the data center. Then, attach the VBRs and the VPC to a CEN instance. This way, the data center and the VPC can communicate with each other. The data center is connected to the VPC by using a primary Express Connect circuit and a secondary Express Connect circuit. The enterprise configures BGP routing and Bidirectional Forwarding Detection (BFD) to accelerate route convergence between the data center and the VPC and improve service availability. Configure BGP routing for active/standby connections

Configure BGP routing for active/standby connections

Preparations

Before you start, make sure that the following preparations are completed:

An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one. For more information, see Create an Alibaba Cloud account.
A VPC is created in the China (Shanghai) region and cloud resources such as ECS instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
Note Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is created in the China (Shanghai) region. Shanghai Zone F and Shanghai Zone G support Enterprise Edition transit routers.
You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see Query security group rules and Add a security group rule.
A CEN instance is created. For more information, see Create a CEN instance.
An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Create a transit router.

The following table describes how CIDR blocks are planned in this example. You can plan CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.


Entity	CIDR block	Server or client IP address
Data center	10.1.1.0/24	Client IP address: 10.1.1.1
VPC	192.168.20.0/24	Server IP address: 192.168.20.161
VBR1	Virtual local area network (VLAN): 110 IPv4 CIDR block for the VBR: 172.16.1.2/30 IPv4 CIDR block for the gateway device in the data center: 172.16.1.1/30	N/A
VBR2	VLAN: 120 IPv4 CIDR block for the VBR: 172.16.2.2/30 IPv4 CIDR block for the gateway device in the data center: 172.16.2.1/30	N/A

Procedure

Step 1: Create two connections over Express Connect circuits

In this example, two dedicated connections are created. For more information, see Create and manage a dedicated connection over an Express Connect circuit.

When you apply for the second Express Connect circuit, you may need to specify a redundant Express Connect circuit based on the access point.

If you want to connect the Express Connect circuits to the same access point, you must specify the redundant Express Connect circuit. Set Redundant Connection ID to the first Express Connect circuit. This way, the Express Connect circuits will be connected to different access devices.
If you want to connect the Express Connect circuits to different access points, you do not need to specify the redundant Express Connect circuit. In this case, you do not need to specify Redundant Connection ID.
In this example, the Express Connect circuits are connected to different access points.

Step 2: Create VBRs

Create a VBR for each Express Connect circuit. The VBRs serve as bridges for data exchange between the data center and the VPC.

Log on to the Express Connect console.
In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.

In the Create VBR panel, set the following parameters and click OK.


Parameter	Description
Account	Select whether to create a VBR for the current or another Alibaba Cloud account. In this example, Current Account is selected.
Name	Enter a name for the VBR. In this example, `VBR1` is entered.
Physical Connection Interface	Select Dedicated Physical Connection and select Express Connect circuit 1.
VLAN ID	Enter the VLAN ID of the VBR. In this example, `110` is entered.
Set VBR Bandwidth Value	Set the bandwidth value of the VBR. In this example, 200Mb is selected.
IPv4 Address (Alibaba Cloud Gateway)	Enter an IPv4 address for the VBR to route network traffic between the VPC and the data center. In this example, `172.16.1.2` is entered.
IPv4 Address (Data Center Gateway)	Enter an IPv4 address for the gateway device in the data center to route network traffic between the data center and the VPC. In this example, `172.16.1.1` is entered.
Subnet Mask (IPv4)	Enter the subnet mask of the IPv4 addresses that you specified for the VBR and the gateway device in the data center. In this example, `255.255.255.252` is entered.

Repeat the preceding steps to create a VBR for the other Express Connect circuit.

The following table describes the parameters related to VBR2.


Parameter	Description
Account	Select whether to create a VBR for the current or another Alibaba Cloud account. In this example, Current Account is selected.
Name	Enter a name for the VBR. In this example, `VBR2` is entered.
Physical Connection Interface	Select Dedicated Physical Connection and select Express Connect circuit 2.
VLAN ID	Enter the VLAN ID of the VBR. In this example, `120` is entered.
Set VBR Bandwidth Value	Set the bandwidth value of the VBR. In this example, 200Mb is selected.
IPv4 Address (Alibaba Cloud Gateway)	Enter an IPv4 address for the VBR to route network traffic between the VPC and the data center. In this example, `172.16.2.2` is entered.
IPv4 Address (Data Center Gateway)	Enter an IPv4 address for the gateway device in the data center to route network traffic between the data center and the VPC. In this example, `172.16.2.1` is entered.
Subnet Mask (IPv4)	Enter the subnet mask of the IPv4 addresses that you specified for the VBR and the gateway device in the data center. In this example, `255.255.255.252` is entered.

Step 3: Connect the VBRs and VPC to the transit router

After the Express Connect circuit is installed, you need to connect the transit router in the China (Shanghai) region to the VBRs that are associated with the Express Connect circuits. Then, connect the transit router to the VPC that you want to connect to the data center. This way, the VPC and the data center can communicate with each other.

Log on to the CEN console.
On the Instances page, find the CEN instance that you want to manage and click the instance ID.
On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the following parameters and click OK to create a VPC connection.

Note When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an elastic network interface (ENI) in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.


Parameter	Description
Network Type	Select the type of network instance that you want to attach to the CEN instance. In this example, VPC is selected.
Region	Select the region where the network instance is deployed. In this example, China (Shanghai) is selected.
Transit Router	The system automatically displays the transit router in the selected region.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. In this example, Your Account is selected.
Billing Method	By default, transit routers use the Pay-As-You-Go billing method. For more information about the billing rules, see Billing rules.
Attachment Name	Enter a name for the VPC connection. In this example, `VPC-test` is used.
Networks	Select the VPC to be connected. In this example, the VPC that you created is selected.
VSwitch	Select a vSwitch in a zone that supports transit routers. In this example, the vSwitch in the corresponding zone is selected.
Advanced Settings	By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. In this example, the default settings are used.

On the Connection with Peer Network Instance page, click Create More Connections.

On the Connection with Peer Network Instance page, set the following parameters and click OK to create a connection for VBR1.


Parameter	Description
Network Type	In this example, Virtual Border Router (VBR) is selected.
Region	Select the region where the network instance is deployed. In this example, China (Shanghai) is selected.
Transit Router	The system automatically displays the transit router in the selected region.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. In this example, Your Account is selected.
Attachment Name	Enter a name for the VBR connection. In this example, `VBR-test` is entered.
Networks	Select the ID of the VBR that you want to connect. In this example, VBR1 is selected.
Advanced Settings	By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. In this example, the default settings are used.

Repeat Step 5 and Step 6 to create a connection for VBR2.
After the network connections are created, you can view the details about the connections on the Intra-region Connections tab. For more information, see View network instance connections.

Step 4: Configure routes

You need to configure BGP routing between the data center and the VBRs. You can use the Autonomous System (AS) path attribute to configure route priorities in the data center.

Set the data center and the VBRs as BGP peers and advertise routes. For more information, see Configure and manage BGP.
The Autonomous System Number (ASN) of Alibaba Cloud is 45104. The data center can use 2-byte or 4-byte ASNs.
When you configure BGP routing in the data center, you must set the destination CIDR block of the BGP routes that you want to advertise to Alibaba Cloud. In this example, the CIDR block is 10.1.1.0/24. To establish active/standby connections from Alibaba Cloud to the data center, set the AS path length to configure route priorities.

The primary Express Connect circuit connects to CPE 1. The secondary Express Connect circuit connects to CPE 2. You can set the AS path length to configure route priorities. A shorter AS path indicates a higher priority. The following table describes how BGP routing is configured on the two pieces of CPE in the data center. For more information about the commands, contact the service provider of the CPE.


Parameter	CPE1	CPE2
Vlan Tag	110	120
Network	10.1.1.0/24	10.1.1.0/24
BGP ASN	6***3	6***4
Interface IP	172.16.1.1/24	172.16.2.1/24
AS-Path	B, A	C, B, A

Transit routers automatically learn and advertise routes. After you configure BGP routing, transit routers automatically learn routes based on the route priorities. The following table describes the route learning details.

BGP routing information of the VBRs
Item VBR1 VBR2
Destination CIDR Block 10.1.1.0/24 10.1.1.0/24
Next Hop 172.16.1.1 172.16.2.1
The preceding table describes the routing information that the VBRs learn from the BGP peers. A VBR connection is created on the transit router. Therefore, the VBR can advertise the BGP routes learned from the data center to the transit router, including AS paths.

Item	VBR1	VBR2
Destination CIDR Block	10.1.1.0/24	10.1.1.0/24
Next Hop	172.16.1.1	172.16.2.1

Global route configurations


CPE route configurations
Parameter	CPE1	CPE2
Vlan Tag	110	120
Network	10.1.1.0/24	10.1.1.0/24
BGP ASN	6***3	6***4
Interface IP	172.16.1.1/24	172.16.2.1/24
AS-Path	B, A	C, B, A
Route configurations of the VBRs
Parameter	VBR1	VBR2
Destination CIDR Block	10.1.1.0/24	10.1.1.0/24
Next Hop	172.16.1.1	172.16.2.1
Route configurations in the data center
Destination CIDR Block	192.168.20.0/24
Next Hop	172.16.1.2 172.16.2.2
Route configurations of the transit router
Destination CIDR Block	10.1.1.0/24
Next Hop	VBR1

A VBR connection and a VPC connection are created on the transit router. Therefore, the BGP routes learned from the VBR can be advertised to the transit router based on route priorities.

The BGP routes that the VBRs learn from the data center share the same destination CIDR block but have different priorities. The Express Connect circuit that is connected to VBR1 serves as the primary link (the AS path is shorter). The Express Connect circuit that is connected to VBR2 serves as the secondary link (the AS path is longer). After the BGP routes are advertised to the transit router, network instances connected to the transit router, such as a VPC, can learn the routes. The 10.1.1.0/24 routes whose next hop is VBR1 are displayed in the route table of the VPC.

The transit router also advertises its system routes to the BGP route table in the data center. Routes that point to the IP addresses of the interfaces on the VBRs are displayed in the BGP route table in the data center. The interfaces are the ones that you set as the BGP peers of the data center.

To specify a primary and a secondary routing path from the data center to the VPC (192.168.20.0/24), you can set the priorities of routes learned by VBR1 and VBR2 by using the AS path attribute.

Step 5: Configure health checks

You must configure health checks for the Express Connect circuits. After health checks are configured, probe packets are sent at the specified time interval. If no response is returned from one of the Express Connect circuits after the specified number of probe packets are sent, CEN automatically switches to the other Express Connect circuit.

Log on to the Cloud Enterprise Network console.
In the left-side navigation pane, click Health Check.
On the Health Check page, select the region where the VBR is deployed. Then, click Set Health Check.
In this example, China (Shanghai) is selected.

In the Set Health Check dialog box, set the following parameters and click OK.


Parameter	Description
Instances	Select the CEN instance to which the VBR is attached.
Virtual Border Router (VBR)	Select the VBR that you want to monitor. In this example, VBR1 is selected.
Source IP	You can use one of the following methods to specify the source IP address: Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option. Custom IP Address: You must specify an idle IP address from the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address cannot be the IP address with which you want to communicate, the IP address of the VBR on the Alibaba Cloud side, or the IP address on the user side.
Destination IP	Set the destination IP address to the IP address of the gateway device in the data center.
Probe Interval (Seconds)	Specify an interval at which probe packets are sent for health checks. Unit: seconds. Default value: 2. Valid values: 2 to 3.
Probe Packets	Specify the number of probe packets that are sent for health checks. Unit: packets. Default value: 8. Valid values: 3 to 8.
Change Route	Specify whether to allow the health check feature to switch to the redundant route. By default, Change Route is turned on. This indicates that the health check feature can switch to the redundant route. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you turn off Change Route, the health check feature does not switch to the redundant route. Only probing is performed. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit. Warning Before you turn off Change Route, make sure that the system can switch to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit is down.

Note The system sends probe packets at the specified intervals. If the number of consecutively dropped packets reaches the specified value, the health check fails.

Repeat Step 3 to Step 4 to configure health checks for VBR2.

Step 6: Enable BFD for the VBRs

Enable BFD for the VBRs to accelerate route convergence.

Log on to the Express Connect console.
In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click Edit in the Actions column.

In the Modify VBR panel, set the following parameters and click OK.

The following table describes the parameters related to BFD. Use default values for the other parameters.


Parameter	Description
Interval to Send	Specify the time interval at which BFD packets are sent. Unit: milliseconds. Default value: 1000. In this example, the default value is used.
Interval to Receive	Specify the time interval at which BFD packets are received. Unit: milliseconds. Default value: 1000. In this example, the default value is used.
Detection Time Multiple	Specify the detection time multiplier that is used to determine the maximum number of packets to be sent. Default value: 3. In this example, the default value is used.

Return to the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
On the details page of the VBR, click the BGP Peers tab.
Find the BGP peer and click Edit in the Actions column.
In the Modify BGP Peer panel, select the Enable BFD check box, specify BFD hop count, and then click OK.
Note BFD supports single-hop and multi-hop authentication. You can set hops based on your network configuration.

Step 7: Test the connectivity

To test the connectivity of the primary and secondary Express Connect circuits, perform the following operations:

Open the Command Prompt window of your computer at the on-premises data center.
Run the ping command to connect to an ECS instance that belongs to the 192.168.0.0/24 CIDR block in the VPC. If the ping request is successful, the connection between the on-premises data center and Alibaba Cloud is established.
Disconnect a leased line (for example, from VBR1 to CPE1) and run the tracert command. You can see that the CEN instance switches routes and that all traffic from Alibaba Cloud to the on-premises data center is forwarded over VBR2.