
Cloud Enterprise Network: Configure health checks

Last Updated: Jan 29, 2024

After you attach a virtual border router (VBR) to a Cloud Enterprise Network (CEN) instance, you can configure health checks in CEN to probe the availability of the Express Connect circuit that is connected to the VBR. Health checks ensure failover between CEN and your data center if a standby route is configured. If the Express Connect circuit is declared unhealthy by health checks, network traffic is switched to the standby route to maintain data transmission.

Background information

How it works

[Figure: Health check principle]

After you enable health checks for a VBR, a ping packet is transmitted from the source IP address of health checks to the destination IP address in the data center every 2 seconds. If the ping packets are returned from the Express Connect circuit, the Express Connect circuit is declared healthy. If an Express Connect circuit does not respond to eight consecutive ping packets, or the ping packets are returned from other routes, the Express Connect circuit is declared unhealthy.

Health checks do not notify you of unhealthy Express Connect circuits. We recommend that you create alert rules for Express Connect circuits. Notifications are sent to you when the alert rules are triggered, so that you can manage anomalies at the earliest opportunity.

Warning
  • Make sure that the destination IP address of health checks is reachable and the data center does not throttle or block ping packets.

  • If a throttling mechanism, such as Control Plane Policing (CoPP) or local attack defense, is enabled for the gateway devices in the data center, ping packets may be dropped. As a result, the system may frequently switch between Express Connect circuits. We recommend that you disable throttling for the gateway devices in the data center.
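The probe logic and the flapping risk described above, as a small model (an added example, not Alibaba Cloud code). It assumes that the Probe Packets value is the consecutive-miss threshold and that a single reply over the circuit restores the healthy state; the function name and the probe patterns are constructed for illustration.

```python
def transitions(pattern, probe_packets=8, probe_interval=2):
    """Replay probe results and return [(seconds, new_state), ...].

    pattern: one character per probe
      '.'  reply returned through the Express Connect circuit
      'x'  no reply (lost, throttled or blocked)
      'r'  reply returned over another route (counts as a failure)
    """
    healthy, misses, events = True, 0, []
    for i, result in enumerate(pattern):
        t = i * probe_interval
        if result == ".":
            misses = 0
            if not healthy:  # assumption: one good reply restores "healthy"
                healthy = True
                events.append((t, "healthy"))
        else:
            misses += 1
            if healthy and misses >= probe_packets:
                healthy = False
                events.append((t, "unhealthy"))
    return events


# Constructed probe patterns.
HARD_FAILURE = "...." + "x" * 8    # circuit goes down and stays down
POLICED = "....xxxx..xxxx.."       # a rate limiter drops bursts of four pings

if __name__ == "__main__":
    print("hard failure, defaults :", transitions(HARD_FAILURE))
    print("policed, 8 probe packets:", transitions(POLICED, probe_packets=8))
    print("policed, 3 probe packets:", transitions(POLICED, probe_packets=3))
```

With the default of eight probe packets the policed pattern never changes state, while a threshold of three produces four state changes in 32 seconds, which is the frequent switching that the warning describes.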

Usage notes on standby Express Connect circuits

[Figure: Health check route switchover]

If a data center is connected to Alibaba Cloud through multiple Express Connect circuits, we recommend that you configure health checks for each Express Connect circuit. If one of the Express Connect circuits is declared unhealthy by health checks, the system automatically switches network traffic to a healthy Express Connect circuit.

When you configure health checks, you can specify whether to enable automatic route switchover.

Prerequisites

The VBR that is associated with an Express Connect circuit is attached to a CEN instance. For more information, see Connect VBRs.

Step 1: Configure health checks in the CEN console

  1. Log on to the CEN console.

  2. In the left-side navigation pane, click Health Checks.

  3. On the Health Check page, select the region of the VBR and click Set Health Check.

  4. In the Set Health Check dialog box, set the parameters and click OK.

    Parameter

    Description

    Instances

    Select the CEN instance to which the VBR is attached.

    Virtual Border Router (VBR)

    Select the VBR that you want to monitor.

    Source IP

    You can use one of the following methods to configure a source IP address:

    • Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option.

    • Custom IP Address: You can specify an available IP address that falls within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address must not conflict with the destination IP address, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the customer side.

    Note
    • Take note of the following rules if you select Automatic IP Address:

      • In each of the following regions, at most 16 VBRs can be automatically assigned a source IP address:

        US (Silicon Valley), China (Hong Kong), US (Virginia), China (Beijing), China (Shanghai), China (Shenzhen), Singapore, China (Hangzhou), China (Heyuan), China (Chengdu), China (Zhangjiakou), Germany (Frankfurt), Malaysia (Kuala Lumpur), UK (London), China (Qingdao), Indonesia (Jakarta), China (Hohhot), India (Mumbai), China (Guangzhou), China (Ulanqab), China (Nanjing-Local Region), Japan (Tokyo), and Australia (Sydney).

      • In the Philippines (Manila), South Korea (Seoul), China (Fuzhou-Local Region), or Thailand (Bangkok) region, at most eight VBRs can be automatically assigned a source IP address.

    • No matter which method you select, after the health check is configured, the CEN instance advertises to the VBR a route whose destination CIDR block is the source IP address of the health check with a 32-bit subnet mask.

      If the VBR and data center use the BGP dynamic routing protocol, the route is advertised to the data center over BGP.

    Destination IP

    Set the destination IP address to the IP address of the VBR on the customer side.

    Probe Interval (Seconds)

    Enter a time interval at which probe packets are sent during the health check. Unit: seconds.

    Valid values: 2 to 3. Default value: 2.

    Probe Packets

    Enter the number of consecutive probe packets that are sent during the health check. Unit: packets.

    Valid values: 3 to 8. Default value: 8.

    Change Route

    Specifies whether to allow the health check feature to switch to the standby route.

    This feature is enabled by default. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit.

    If you disable this feature, health checks perform only probing. The health check feature does not switch to the standby route even if an error is detected on the Express Connect circuit.

    Warning

    Before you turn off Change Route, make sure that network traffic can be switched to a standby route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit fails.

    Description

    Enter a description for the health check.
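The parameter rules in the table above can be checked before a change is made in the console. The following validator is an added example, not part of the CEN tooling; the function names and the sample addresses are constructed, and it covers only the Custom IP Address method.

```python
import ipaddress

# CIDR blocks the table allows for a Custom IP Address source.
CUSTOM_SOURCE_RANGES = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


def validate_health_check(source_ip, destination_ip, vbr_cloud_ip,
                          vbr_customer_ip, probe_interval=2, probe_packets=8):
    """Return a list of rule violations; an empty list means the plan is valid."""
    errors = []
    src = ipaddress.ip_address(source_ip)
    if not any(src in net for net in CUSTOM_SOURCE_RANGES):
        errors.append(f"source {src} is outside the allowed CIDR blocks")
    peers = {"destination IP": destination_ip,
             "VBR IP on the Alibaba Cloud side": vbr_cloud_ip,
             "VBR IP on the customer side": vbr_customer_ip}
    for label, addr in peers.items():
        if src == ipaddress.ip_address(addr):
            errors.append(f"source {src} conflicts with the {label}")
    if ipaddress.ip_address(destination_ip) != ipaddress.ip_address(vbr_customer_ip):
        errors.append("destination IP must be the VBR IP on the customer side")
    if not 2 <= probe_interval <= 3:
        errors.append("probe interval must be 2 to 3 seconds")
    if not 3 <= probe_packets <= 8:
        errors.append("probe packets must be 3 to 8")
    return errors


def backhaul_prefix(source_ip):
    """The /32 route that is advertised to the VBR for the probe source."""
    return f"{ipaddress.ip_address(source_ip)}/32"


# Constructed sample plan; the addresses are illustrative only.
PLAN = dict(source_ip="10.255.0.10", destination_ip="10.0.0.2",
            vbr_cloud_ip="10.0.0.1", vbr_customer_ip="10.0.0.2")

if __name__ == "__main__":
    print(validate_health_check(**PLAN) or "plan is valid")
    print("route to expect in the data center:", backhaul_prefix(PLAN["source_ip"]))
```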

Step 2: Configure health checks in the data center

You also need to configure health checks in the data center to ensure that health checks can run as expected.

  1. Add a backhaul route for health check ping packets in the data center.

    Important
    • If the VBR uses BGP, Alibaba Cloud automatically advertises the source IP address of the health check as a route whose subnet mask is 32 bits in length to the data center after the health check is configured. In this case, you do not need to add a backhaul route.

    • If the VBR uses static routes, you must manually add a route in the data center whose destination CIDR block is the source IP address of the health check with a 32-bit subnet mask, and whose next hop points to the Express Connect circuit. Otherwise, the ping packets cannot be returned through the Express Connect circuit, and the circuit is declared unhealthy.

    The following example shows how to add a backhaul route. The example is for reference only. For more information about the configuration commands, consult the vendor of your gateway device.

    #Configure a backhaul route for probe packets.
    ip route <The source IP address of the health check> 255.255.255.255 <The IP address of the VBR on the Alibaba Cloud side>
  2. Add health check configurations to the data center.

    You can use Bidirectional Forwarding Detection (BFD) or a network quality analyzer (NQA) to add health check configurations. This ensures that you can test the network connectivity of the Express Connect circuit from the data center. For more information about the configuration commands, consult the vendor of your gateway device.

  3. Enable automatic route switchover in the data center.

    If your data center is connected to Alibaba Cloud through multiple Express Connect circuits, you need to enable automatic route switchover during health checks in your data center to ensure that you can test the connectivity of the Express Connect circuits from the data center, and the system can switch between routes based on health check results. For more information about the configuration commands, consult the vendor of your gateway device.

Step 3: Add an alert rule in the CloudMonitor console

After you configure health checks, we recommend that you add an alert rule in the CloudMonitor console so that you can be notified of Express Connect circuit anomalies at the earliest opportunity.

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Alerts > Alert Rules.

  3. On the Alert Rules page, click Create Alert Rule.

  4. In the Create Alert Rule panel, set Product to CEN-Router, set the other parameters, and then click Confirm.

    The following table describes the parameters that are related to this topic. For more information about how to configure other parameters, see Create an alert rule.

    Click Add Rule. In the Add Rule Description panel, set the following parameters and click OK.

    Parameter

    Description

    Alert Rule

    Enter a name for the alert rule.

    Metric Type

    Select a metric type for the alert rule. In this example, Single Metric is selected. For more information about how to configure multiple metrics and dynamic thresholds, see Create an alert template.

    • Single Metric

    • Multiple Metrics

    • Dynamic Threshold

    Metric

    Select a metric for the alert rule.

    • Health Check Latency: monitors the network latency between Alibaba Cloud and the data center.

    • Health Check Loss Rate: monitors the packet loss rate between Alibaba Cloud and the data center.

    • Internet Out Rate: monitors the bandwidth that is used to transmit data from Alibaba Cloud to the data center.

    • Internet In Rate: monitors the bandwidth that is used to transmit data from the data center to Alibaba Cloud.

    Threshold and Alert Level

    Set the alert conditions, alert threshold, and alert level of the alert rule.

    Chart Preview

    The monitoring data of the selected metric is displayed in the chart.

What to do next

Operation

Description

Procedure

Modify a health check

After you add a health check rule, you can modify the source IP address, destination IP address, probe interval, and the number of probe packets.

Note

The status of the Change Route feature cannot be changed. If you want to turn on or turn off Change Route, delete the health check and create another health check.

  1. Log on to the CEN console.

  2. In the left-side navigation pane, click Health Check.

  3. On the Health Check page, select the region where the VBR is deployed.

  4. Find the health check that you want to modify and click Edit in the Actions column.

  5. In the Edit Health Check dialog box, modify the source IP address, destination IP address, probe interval, and number of probe packets. Then, click OK.

Delete a health check

If you no longer need to monitor the connectivity of an Express Connect circuit, you can delete the health check.

  1. Log on to the CEN console.

  2. In the left-side navigation pane, click Health Check.

  3. On the Health Check page, select the region where the VBR is deployed.

  4. Find the health check that you want to delete and click Delete in the Actions column.

  5. In the Delete Healthcheck message, click OK.

FAQ

In a scenario where multiple VBRs are connected to a transit router, what granularity is the redundancy between Express Connect circuits?

The Express Connect circuits perform failover based on routes.

For example, VBR1 and VBR2 are connected to a transit router and the routes in the following table are added to the route table of the transit router. In this case, network traffic is switched between VBR1 and VBR2:

  • If VBR1 fails health checks, network traffic that is destined for 192.168.1.0/24 is switched from VBR1 to the Express Connect circuit connected to VBR2.

  • If VBR2 fails health checks, network traffic that is destined for 192.168.1.0/24 is switched from VBR2 to the Express Connect circuit connected to VBR1. However, network traffic that is destined for 192.168.2.0/24 is not switched to VBR1.

| Destination CIDR block | Next hop | Network instance associated with the next hop |
| --- | --- | --- |
| 192.168.1.0/24 | VBR1 connection | VBR1 |
| 192.168.1.0/24 | VBR2 connection | VBR2 |
| 192.168.2.0/24 | VBR2 connection | VBR2 |

In a scenario where multiple VBRs are connected to a transit router and Express Connect circuits are redundant with each other, will traffic be interrupted if all the VBRs fail health checks?

  • By default, network traffic destined for Alibaba Cloud is transmitted through the Express Connect circuit connected to the last VBR.

    • If the last VBR fails health checks but the Express Connect circuit works as expected, the bandwidth for network traffic from Alibaba Cloud to the data center is reduced because only one Express Connect circuit remains functional.

    • If the last VBR fails health checks and the Express Connect circuit is also declared unhealthy, network traffic from Alibaba Cloud to the data center is interrupted.

    The last VBR refers to the last VBR that fails health checks. For example, VBR1, VBR2, and VBR3 are connected to a transit router and the routes in the following table are added to the route table of the transit router. The system first detects that VBR1 and VBR2 failed health checks, and then the system detects that VBR3 failed health checks. In this case, the last VBR refers to VBR3. Network traffic from Alibaba Cloud to the data center is transmitted through the Express Connect circuit connected to VBR3.

    | Destination CIDR block | Next hop | Network instance associated with the next hop |
    | --- | --- | --- |
    | 192.168.1.0/24 | VBR1 connection | VBR1 |
    | 192.168.1.0/24 | VBR2 connection | VBR2 |
    | 192.168.1.0/24 | VBR3 connection | VBR3 |

  • How network traffic from the data center to Alibaba Cloud is transmitted is determined by your network configurations.
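The route-based failover from the two FAQ answers above, modeled for traffic from Alibaba Cloud to the data center (an added example, not Alibaba Cloud code). It assumes that Change Route is enabled; the function names are hypothetical, and the route tables are the ones given in the FAQ.

```python
from collections import defaultdict


def candidates(routes):
    """Map each destination CIDR block to the VBRs that carry a route for it."""
    table = defaultdict(list)
    for prefix, vbr in routes:
        table[prefix].append(vbr)
    return dict(table)


def forwarding(routes, failed_in_order):
    """Next hops per prefix after the listed VBRs failed health checks, in order."""
    result = {}
    for prefix, vbrs in candidates(routes).items():
        healthy = [v for v in vbrs if v not in failed_in_order]
        if healthy:
            result[prefix] = healthy
        else:
            # Every candidate failed: traffic stays on the VBR that failed last.
            result[prefix] = [max(vbrs, key=failed_in_order.index)]
    return result


def without_standby(routes):
    """Prefixes with a single next hop, for which no switchover is possible."""
    return sorted(p for p, v in candidates(routes).items() if len(v) < 2)


# Route tables from the two FAQ answers.
FAQ1 = [("192.168.1.0/24", "VBR1"), ("192.168.1.0/24", "VBR2"),
        ("192.168.2.0/24", "VBR2")]
FAQ2 = [("192.168.1.0/24", "VBR1"), ("192.168.1.0/24", "VBR2"),
        ("192.168.1.0/24", "VBR3")]

if __name__ == "__main__":
    print("VBR2 fails :", forwarding(FAQ1, ["VBR2"]))
    print("all fail   :", forwarding(FAQ2, ["VBR1", "VBR2", "VBR3"]))
    print("no standby :", without_standby(FAQ1))
```

Running `without_standby` over an exported route table lists the prefixes that depend on a single Express Connect circuit, such as 192.168.2.0/24 in the first FAQ.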

In a scenario where multiple VBRs are connected to a transit router and Express Connect circuits are redundant with each other, is a route switchover performed if all the VBRs fail health checks?

Whether the system switches to another route is determined by the connectivity of the Express Connect circuit. A route switchover is performed only when the health status of the Express Connect circuit is changed.

Does the deletion of health check configurations cause frequent route switchover or traffic interruptions?

  • If you delete health check configurations in the CEN console, the deletion does not cause frequent route switchover. By default, the system considers the Express Connect circuit healthy and continues forwarding network traffic to the Express Connect circuit based on specified routes.

    However, network traffic will be interrupted if the Express Connect circuit is faulty.

  • If you delete health check configurations in the data center, whether the traffic will be interrupted is determined by your network configurations.
