Cloud Enterprise Network (CEN) helps you build a high-quality network environment. CEN provides a simplified networking method to build a hybrid cloud with a scale and communication capability at the enterprise level. This topic describes how to combine Express Connect circuits, virtual private network (VPN) gateways, and Smart Access Gateway (SAG) instances to build a hybrid cloud.

Network topology

The following network topology is used in this example:
  • Data centers in the China (Beijing), China (Shanghai), China (Hangzhou), and China (Guangzhou) regions are deployed by an enterprise.
  • In addition, the enterprise created virtual private clouds (VPCs) in the China (Beijing), China (Shanghai), China (Hangzhou), and China (Shenzhen) regions.
  • The data centers in the China (Beijing) and China (Shanghai) regions are connected to Alibaba Cloud by using Express Connect circuits. The virtual border routers (VBRs) of the Express Connect circuits are attached to a CEN instance.
  • The data center in the China (Hangzhou) region is connected to the VPC in the China (Hangzhou) region by using a VPN gateway.
  • The data center in the China (Guangzhou) region is connected to Alibaba Cloud by using an SAG instance. The Cloud Connect Network (CCN) instance to which the SAG instance belongs is attached to the CEN instance.
  • The VPCs of the enterprise in the China (Beijing), China (Shanghai), China (Shenzhen), and China (Hangzhou) regions are attached to the CEN instance.Use multiple methods to connect to Alibaba Cloud

Subnetting

To build a hybrid cloud, make sure that the CIDR blocks that you want to connect do not overlap with each other. The following table describes the CIDR blocks in this example.
Network CIDR block
Data center in China (Hangzhou) 10.1.1.0/24
Data center in China (Guangzhou) 10.1.2.0/24
Data center in China (Beijing) 10.1.3.0/24
Data center in China (Shanghai) 10.1.4.0/24
VPC in China (Beijing) 192.168.1.0/24
VPC in China (Shenzhen) 192.168.2.0/24
VPC in China (Shanghai) 192.168.3.0/24
VPC in China (Hangzhou) 192.168.4.0/24

Methods that are used to connect data centers to Alibaba Cloud

Connect the data centers in the China (Beijing) and China (Shanghai) regions to Alibaba Cloud by using Express Connect circuits

Use multiple methods to connect to Alibaba Cloud-Express Connect circuits

Procedure:

  1. Connect the data centers in the China (Beijing) and China (Shanghai) regions to VBRs by using Express Connect circuits. Then, configure the data centers and the connected VBRs as Border Gateway Protocol (BGP) peers. For more information, see Configure BGP.
  2. Use the customer-premises equipment (CPE) of the data centers in the China (Beijing) and China (Shanghai) regions to advertise the CIDR blocks of the data centers to the CEN instance by using BGP. The following table describes the configurations of the CPE in the China (Beijing) and China (Shanghai) regions.
    Parameter CPE in China (Beijing) CPE in China (Shanghai)
    Local BGP ASN A B
    Peer BGP ASN 45104 45104
    Network 10.1.3.0/24 10.1.4.0/24

    After the data centers and the VBRs are configured as BGP peers, the data centers and the VBRs can learn routes from each other.

Connect the data center in the China (Hangzhou) region to Alibaba Cloud by using a VPN gateway

Use multiple methods to connect to Alibaba Cloud-VPN gateways

Procedure:

  1. Create an IPsec-VPN connection to connect the data center in the China (Hangzhou) region to the VPC in the China (Hangzhou) region. For more information, see Connect on-premises data centers to VPC networks.
  2. Configure a specific route or default route that points to Alibaba Cloud.
    Configure a specific route:
    Destination CIDR block Next hop
    10.1.2.0/24 VPN gateway
    10.1.3.0/24 VPN gateway
    10.1.4.0/24 VPN gateway
    192.168.1.0/24 VPN gateway
    192.168.2.0/24 VPN gateway
    192.168.3.0/24 VPN gateway
    192.168.4.0/24 VPN gateway
    Configure a default route:
    Destination CIDR block Next hop
    0.0.0.0/0 VPN gateway
  3. To allow the data centers to communicate with the network instances that are attached to the CEN instance, you must add a route to the VPC that is associated with the VPN gateway and advertise the route to the CEN instance. The route must point to the data center.
    Use multiple methods to connect to Alibaba Cloud-VPN gateways 2

    Configure the route based on the following information:

    1. Add a route to the route table of the VPC in the China (Hangzhou) region. The destination CIDR block is set to 10.1.1.0/24 and the next hop is set to the VPN gateway that is created for the VPC.
    2. Advertise the route from the VPC in the China (Hangzhou) region to the CEN instance.
      Use multiple methods to connect to Alibaba Cloud-Route advertisement

    After you advertise the route to the CEN instance, the network instances that are attached to the CEN instance can learn the route. This way, the data centers in the China (Hangzhou) region can communicate with all network instances that are attached to the CEN instance.

Connect the data center in the China (Guangzhou) region to Alibaba Cloud by using an SAG instance

Use multiple methods to connect to Alibaba Cloud-SAG instances

Procedure:

  1. Log on to the SAG console, select an SAG instance to connect to the data center in the China (Guangzhou) region, and then configure a route for the connection. For more information, see Advertise routes to Alibaba Cloud.
    Route configuration 1
  2. Attach the CCN instance that is associated with the SAG instance to the CEN instance. This way, the data center in the China (Guangzhou) region can communicate with the network instances that are attached to the CEN instance. For more information, see Associate a CCN instance with a CEN instance.
    Use multiple methods to connect to Alibaba Cloud-CEN instance association

Connect the data centers in all regions

Repeat the preceding procedures to connect all data centers by using CEN.
  • The data centers in the China (Beijing) and China (Shanghai) regions are connected to Alibaba Cloud by using Express Connect circuits over BGP. Therefore, attach the VBRs to the CEN instance.
  • The data center in the China (Hangzhou) region is connected to Alibaba Cloud by using a VPN gateway. Therefore, attach the VPC for which the VPN gateway is created to the CEN instance.
  • The data center in the China (Guangzhou) region is connected to Alibaba Cloud by using an SAG instance. Therefore, attach the CCN instance that is associated with the SAG instance to the CEN instance.
The CEN instance dynamically advertises the routes from the attached network instances to avoid route overlapping. This way, a hybrid cloud is built for the data centers and the attached network instances can communicate with each other. Use multiple methods to connect to Alibaba Cloud-Network-wide interconnection
For example, the following tables describe the route tables of the CPE in the China (Beijing) region, the VBR in the China (Beijing) region, and the VPC in the China (Shenzhen) region:
Table 1. CPE in China (Beijing)
Destination CIDR block Next hop Route type
10.1.1.0/24 BGP peer: VBR in China (Beijing) BGP route
10.1.2.0/24 BGP peer: VBR in China (Beijing) BGP route
10.1.4.0/24 BGP peer: VBR in China (Beijing) BGP route
192.168.1.0/24 BGP peer: VBR in China (Beijing) BGP route
192.168.2.0/24 BGP peer: VBR in China (Beijing) BGP route
192.168.3.0/24 BGP peer: VBR in China (Beijing) BGP route
192.168.4.0/24 BGP peer: VBR in China (Beijing) BGP route
Table 2. VBR in China (Beijing)
Destination CIDR block Next hop Route type
10.1.3.0/24 BGP peer: CPE in China (Beijing) BGP route
10.1.1.0/24 VPC in China (Hangzhou) CEN route
10.1.2.0/24 CCN CEN route
10.1.4.0/24 VBR in China (Shanghai) CEN route
192.168.1.0/24 VPC in China (Beijing) CEN route
192.168.2.0/24 VPC in China (Shenzhen) CEN route
192.168.3.0/24 VPC in China (Shanghai) CEN route
192.168.4.0/24 VPC in China (Hangzhou) CEN route
Table 3. VPC in China (Shenzhen)
Destination CIDR block Next hop Route type
10.1.1.0/24 VPC in China (Hangzhou) CEN route
10.1.2.0/24 CCN CEN route
10.1.3.0/24 VBR in China (Beijing) CEN route
10.1.4.0/24 VBR in China (Shanghai) CEN route
192.168.1.0/24 VPC in China (Beijing) CEN route
192.168.3.0/24 VPC in China (Shanghai) CEN route
192.168.4.0/24 VPC in China (Hangzhou) CEN route