
WUYING Workspace: Use Express Connect circuits and IPsec-VPN gateways to establish active/standby connections to access cloud computers over private networks

Last Updated: Mar 07, 2024

This topic describes how to use Express Connect circuits and IPsec-VPN gateways to establish active/standby connections between data centers and Alibaba Cloud so that cloud computers can be accessed over private networks from an Alibaba Cloud Workspace client.

Background

Before you begin, you must read the Access a cloud computer over a private network topic.

In this topic, an Express Connect circuit and an IPsec-VPN gateway are used to establish active/standby connections between on-premises and off-premises networks and access cloud computers over private networks. In normal cases, traffic between a data center and WUYING Workspace is forwarded by using only an Express Connect circuit. If exceptions occur in the Express Connect circuit, traffic between the data center and WUYING Workspace is forwarded by using VPN connections.

The following information describes Express Connect circuits and IPsec-VPN gateways:

  • Express Connect circuits

    Express Connect provides a secure and convenient method to connect a data center and Alibaba Cloud. You can lease an Express Connect circuit from a third-party Express Connect partner and use the circuit to connect the data center to an Alibaba Cloud access point. Connections over the Express Connect circuit are not exposed to the Internet. Compared with Internet connections, connections over the Express Connect circuit feature higher security and reliability, faster network connection, and lower network latency. For more information, see What is a connection over an Express Connect circuit?

  • IPsec-VPN gateways

    VPN Gateway is an Internet-based service that can be used to connect networks. You can use this service to establish secure and reliable connections between your data center and an Alibaba Cloud virtual private cloud (VPC) over encrypted channels. For more information, see VPN gateways.

CIDR blocks

Make sure that the following settings on network planning and gateways are configured:

  • Routing protocols for the data center and network instances are configured. In this topic, the following routing protocols are used:

    • Static routing is used between the data center gateway and VPN gateway.

    • Border Gateway Protocol (BGP) is used between the data center gateway and a Virtual Border Router (VBR).

      Note

      In scenarios in which a VPN gateway works as a standby connection and an Express Connect circuit works as an active connection:

      • If the VPN gateway is associated with an independent VPC, such as a user VPC, the VBR must use the BGP protocol. The VPN gateway can use static routing or the BGP protocol.

      • If the VPN gateway is associated with a business VPC, such as an office network VPC in which services are deployed, the VBR and VPN gateway must use the BGP protocol.

  • When you plan networks for the data center and network instances, make sure that the CIDR blocks of the data center do not overlap with the CIDR blocks of the network instances. The following list shows the example CIDR blocks that are used in this topic. Replace them with the CIDR blocks that you actually use.

    • Office network VPC: 172.16.0.0/12
      The CIDR block from which cloud computers and the private gateway are assigned IP addresses.

    • User VPC: 192.168.0.0/24
      The CIDR block of the VPC that you create for the VPN connection.

    • VBR: 10.0.0.1/30
      • VLAN ID: 0
      • IPv4 Address (Alibaba Cloud Gateway): 10.0.0.1/30
      • IPv4 Address (Data Center Gateway): 10.0.0.2/30
      • BGP Autonomous System Number (ASN): 45104 (the ASN of the Alibaba Cloud side)

    • Data center: 192.168.1.0/24
      The CIDR block of the clients. Connections to cloud computers originate from this CIDR block.

    • Data center gateway: 10.0.0.2/30
      • Public IP address: 115.XX.XX.154 (the IPsec-VPN peer address; it must be static)
      • IP address of the port that connects to the Express Connect circuit: 10.0.0.2/30
      • BGP ASN: 65001

  • Check the data center gateway. Make sure that the gateway supports standard IKEv1 and IKEv2 protocols to connect the data center gateway to the Alibaba Cloud VPN gateway. To check whether the gateway supports the IKEv1 and IKEv2 protocols, contact your gateway manufacturer.

  • Assign a static public IP address to the data center gateway.
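The following Python script is an added example and is not part of this topic or of WUYING Workspace. It checks a CIDR plan such as the one above before you create any network instance. It uses the example blocks above (the VBR /30 is written as the network 10.0.0.0/30 that contains both gateway addresses) plus the two reserved ranges this topic relies on later, 100.64.0.0/10 for cloud services and 100.96.0.0/16 for CEN health-check probes. It flags a host address written where a network is expected (for example 192.168.1.1/24), overlaps between your own blocks, overlaps with the reserved ranges, and a VBR /30 whose two gateway addresses are not usable hosts of the same subnet.

```python
"""Check a CIDR plan for this topic's Express Connect + IPsec-VPN setup.

Added example, not part of the original page. PLAN holds the page's sample
values; RESERVED holds the two Alibaba Cloud ranges the page relies on later
(100.64.0.0/10 for cloud services, 100.96.0.0/16 for CEN health-check probes).
Replace PLAN with the CIDR blocks you actually use.
"""
import ipaddress
from itertools import combinations

# Constructed from the CIDR block list above.
PLAN = {
    "office network VPC": "172.16.0.0/12",
    "user VPC": "192.168.0.0/24",
    "VBR interconnect": "10.0.0.0/30",
    "data center": "192.168.1.0/24",
}

# Ranges the data center must not reuse, because the cloud side already owns them.
RESERVED = {
    "cloud services (RFC 6598 shared address space)": "100.64.0.0/10",
    "CEN health-check probe source": "100.96.0.0/16",
}


def validate_plan(plan, reserved=RESERVED):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    nets = {}
    for name, cidr in plan.items():
        try:
            # strict=True rejects entries such as 192.168.1.1/24 (host bits set).
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{name}: {cidr} is not a network address (host bits set)")
    # Every pair of your own blocks must be disjoint.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    # None of your blocks may collide with what the cloud side already uses.
    for name, net in nets.items():
        for rname, rcidr in reserved.items():
            if net.overlaps(ipaddress.ip_network(rcidr)):
                problems.append(f"{name} ({net}) overlaps reserved {rname} ({rcidr})")
    return problems


def interconnect_ok(cloud_gateway, data_center_gateway, prefixlen=30):
    """True if both VBR gateway addresses are distinct usable hosts of one subnet."""
    a = ipaddress.ip_interface(f"{cloud_gateway}/{prefixlen}")
    b = ipaddress.ip_interface(f"{data_center_gateway}/{prefixlen}")
    hosts = set(a.network.hosts())
    return a.network == b.network and a.ip != b.ip and {a.ip, b.ip} <= hosts


if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["plan is clean"]:
        print(line)
    print("VBR /30 ok:", interconnect_ok("10.0.0.1", "10.0.0.2"))
```

Run it whenever the plan changes; a clean run prints "plan is clean". The reserved-range check matters because the cloud-side DNS servers and the WUYING API endpoints live inside 100.64.0.0/10, so a data center that already uses that space cannot reach them over the private path.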

Preparations

Based on the CIDR block plans that you made in the preceding section, you must create network instances on Alibaba Cloud, including an office network VPC, user VPC, and Cloud Enterprise Network (CEN) instance. Make sure that the following preparations are complete:

  • A Cloud Enterprise Network (CEN) instance is created. If you do not have a CEN instance, create a CEN instance before you proceed. For more information, see Create a CEN instance.

  • A virtual private cloud (VPC) is created. If you do not have a VPC, create a VPC and attach it to the CEN instance before you proceed. For more information, see Create a VPC and a vSwitch or Manage network instances.

  • An office network is created. If you do not have an office network, create a convenience office network or an Active Directory (AD) office network and attach the VPC of the office network to the CEN instance. For more information, see Create or delete a convenience office network or Create and configure an AD office network.

    Important
    • Before you create an office network, you must plan the IPv4 CIDR block of the office network that you want to create. This can prevent CIDR block conflicts between the office network and the CEN instance or between the office network and the on-premises data center. For more information, see Plan a CIDR block.

    • If you already have a convenience office network, you must attach the convenience office network to the CEN instance.

    • If you deploy your AD system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on an on-premises server, you must connect the on-premises network to the cloud. This way, WUYING Workspace can connect to your AD system. Before you configure an AD domain, you need to create an AD office network and connect the on-premises network to the cloud.

  • An end user and a cloud computer are created. The cloud computer is assigned to the end user.

    If no end user or cloud computer exists, create an end user and a cloud computer based on the type of the office network, and assign the cloud computer to the end user.

  • A device is prepared to connect to a cloud computer.

    Note
    • The solution that combines Express Connect circuits and IPsec-VPN gateways is suitable for a Windows client or macOS client.

    • An Alibaba Cloud Workspace client such as the Windows client, macOS client, or web client is installed on your on-premises device. You can log on to the installed client and check whether you can access your cloud computer over the VPC.

Step 1: Deploy an Express Connect circuit

  1. Create an Express Connect circuit.

    You must apply for an Express Connect circuit in a desired region. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview of hosted connections.

  2. Create a VBR. For more information, see Create and manage a VBR.

    The following list describes the required parameters, with the example values that are used in this topic.

    • Account: 167998252992****
      The Alibaba Cloud account for which you want to create the VBR. By default, Current account is selected, which means that the VBR belongs to the Alibaba Cloud account that you use to log on to the Express Connect console.

    • Name: test-vbr
      The name of the VBR. The name must comply with the on-screen naming conventions.

    • Physical Connection Interface: /
      The Express Connect circuit that you want to associate with the VBR. Select a circuit that is enabled and functions as expected from the drop-down list.

    • VLAN ID: 0
      The VLAN ID of the VBR. Valid values: 0 to 2999.
      • If the VLAN ID is set to 0, a Layer 3 router interface is used for the switch port of the VBR, and each Express Connect circuit is associated with one VBR.
      • If the VLAN ID is set to a value from 1 to 2999, a Layer 3 VLAN subinterface is used for the switch port of the VBR, and each VLAN ID is associated with one VBR. This way, one Express Connect circuit can connect to VPCs that belong to different Alibaba Cloud accounts. VBRs in different VLANs are isolated from each other at Layer 2.

    • IPv4 Address (Alibaba Cloud Gateway): 10.0.0.1
      The IPv4 address of the gateway that routes traffic from the VPC to the data center. This address and the IPv4 Address (Data Center Gateway) must belong to the same CIDR block.

    • IPv4 Address (Data Center Gateway): 10.0.0.2
      The IPv4 address of the gateway that routes traffic from the data center to the VPC.

      Note
      To allow services in the VPC to access a specific IPv4 address of the Alibaba Cloud gateway or the data center gateway, you must add a route to the route table of the VBR. Set the destination CIDR block to the CIDR block to which the IPv4 address belongs and the next hop to the Express Connect circuit. For more information, see Add and manage routes.

    • Subnet Mask (IPv4): 255.255.255.252
      The subnet mask of the IPv4 addresses that you specify for the Alibaba Cloud gateway and the data center gateway.

  3. Create a BGP group. For more information, see the "Step 1: Create a BGP group" section of the Configure and manage BGP topic.

    The following list describes the required parameters, with the example values that are used in this topic.

    • Support IPv6: N/A
      Specifies whether to enable IPv6. This option is available only if IPv6 is enabled for the VBR that you created. Valid values: No (disables IPv6) and Yes (enables IPv6).

    • Name: test-bgp
      The name of the BGP group. The name must comply with the on-screen naming conventions.

    • Peer ASN: 65001
      The ASN of the data center. It must be the ASN that you configure under router bgp on the data center gateway.

    • BGP Key: asde****
      The authentication key of the BGP group. Configure the same key for the VBR neighbor on the data center gateway; if the keys differ, the BGP session does not come up.

    • BGP Route Quota: 10
      The maximum number of routes that the BGP peer can advertise.

  4. Create a BGP peer. For more information, see the "Step 2: Create a BGP peer" section of the Configure and manage BGP topic.

    The following list describes the required parameters, with the example values that are used in this topic.

    • BGP Group: test-bgp
      The BGP group to which you want to add the BGP peer. In this example, the BGP group that you created in the previous step is used.

    • BGP Peer IP Address: 10.0.0.2
      The IP address of the BGP peer. In this example, the IP address of the data center gateway port that connects to the Express Connect circuit is used.

    • Enable BFD: No
      Specifies whether to enable bidirectional forwarding detection (BFD). BFD detects a failed circuit faster than the BGP hold timer does; it is left disabled in this example.

Step 2: Deploy a VPN gateway

  1. Use the VPN gateway to advertise the route of the data center to the user VPC. This step assumes that the VPN gateway and the IPsec-VPN connection to the data center gateway (test-ipsec in this example) are already created and that the VPN gateway is associated with the user VPC. For more information, see the "Create a destination-based route" section of the Manage destination-based routes topic.

    The following list describes the parameters of the destination-based route, with the example values that are used in this topic.

    • Destination CIDR Block: 192.168.1.0/24
      The CIDR block of the data center.

    • Next Hop Type: IPsec Connection
      The type of the next hop.

    • Next Hop: test-ipsec
      The IPsec-VPN connection that you created.

    • Advertise to VPC: Yes
      Specifies whether to advertise the route to the route table of the user VPC. Select Yes so that the user VPC learns the route to the data center.

    • Weight: 100
      The weight of the destination-based route.

  2. Add the VPN configurations to the data center gateway.

    1. Log on to the VPN Gateway console. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

    2. In the top navigation bar, select the region of the IPsec-VPN connection.

    3. On the IPsec Connections page, find the IPsec-VPN connection and click Download Peer Configuration in the Actions column.

    4. Add the downloaded IPsec connection configurations (IKE and IPsec parameters, pre-shared key, and peer address) to the data center gateway. The gateway must initiate from the static public IP address that you assigned earlier.

      For more information, see Configure an H3C firewall device.

Step 3: Configure a CEN instance

After you configure the VBR and VPN gateway, attach the VBR to the CEN instance to which the office network VPC and user VPC are attached. This way, the data center and the office network VPC can be connected.

  1. Log on to the CEN console.

  2. Attach the VBR to a CEN instance.

    Make sure that the following prerequisites are met: A CEN instance is created, and the office network VPC and user VPC are attached to the CEN instance.

    1. On the Instances page, click the ID of the CEN instance that you want to manage.

    2. On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

    3. On the Connection with Peer Network Instance page, configure the following parameters and click OK.

      • Network Type: Select Virtual Border Router (VBR).

      • Region: Select the region where the VBR is deployed.

      • Transit Router: The transit router in the selected region is displayed. If no transit router exists in the selected region, the system automatically creates one.

      • Resource Owner ID: Select the Alibaba Cloud account that owns the VBR. If the VBR and the transit router belong to the same Alibaba Cloud account, select Current Account. If they belong to different Alibaba Cloud accounts, select Different Account and enter the ID of the Alibaba Cloud account to which the VBR belongs.

      • Network Instance: Select the ID of the VBR that you created in Step 1.

  3. Configure health checks for the Express Connect circuit in the CEN console. For more information, see Configure health checks.

    Health checks are required for the failover to work. CEN sends probe packets to the data center gateway at the interval that you specify. If the specified number of consecutive probe packets is lost, CEN considers the Express Connect circuit down and routes traffic over the VPN connection instead. With the example values below (an interval of 2 seconds and 8 probe packets), a failure is detected about 16 seconds after the circuit stops responding.

    The following list describes the required parameters, with the example values that are used in this topic.

    • Instances: test-cen
      The CEN instance to which the VBR is attached.

    • Virtual Border Router (VBR): test-vbr
      The VBR that you want to monitor.

    • Source IP: Automatic IP Address
      The source IP address of the probe packets. Select Automatic IP Address; the system allocates an address from the 100.96.0.0/16 CIDR block. The data center gateway must have a return route for this address (see Step 4); otherwise, the probes are never answered and CEN fails over to the VPN connection even though the circuit is healthy.

    • Destination IP: 10.0.0.2
      The destination IP address of the probe packets. Enter the IPv4 Address (Data Center Gateway) that you specified when you created the VBR.

    • Probe Interval (Seconds): 2
      The interval at which probe packets are sent.

    • Probe Packets: 8
      The number of consecutive probe packets that must be lost before the circuit is considered down.

    • Change Route: Yes
      Specifies whether the health check triggers a route change. When a redundant route exists on the CEN instance, the health check switches traffic to the redundant route as soon as a failure is detected on the Express Connect circuit. Yes is selected by default.

Step 4: Configure the data center gateway

The following sample configuration is provided only for reference. The commands vary by vendor (the sample mixes Cisco-style interface and BGP syntax with an H3C-style preference keyword), so adapt them to the gateway that you use. The configuration that you apply in your business scenario shall prevail.

# Configure BGP dynamic routing, establish a BGP peering session with the VBR, and advertise the CIDR block of the data center to Alibaba Cloud.
interface GigabitEthernet 0/12                       # The port that connects the data center gateway to the Express Connect circuit.
 no switchport
 ip address 10.0.0.2 255.255.255.252                # The IP address of the port. It must be the IPv4 Address (Data Center Gateway) that you specified when you created the VBR.

router bgp 65001                                     # The ASN of the data center. It must match the Peer ASN of the BGP group.
 bgp router-id 10.0.0.2
 network 192.168.1.0 mask 255.255.255.0             # The private CIDR block of the data center that is advertised to Alibaba Cloud.
 neighbor 10.0.0.1 remote-as 45104                  # The peering session with the VBR (Alibaba Cloud gateway address, ASN 45104). Configure the BGP Key of the BGP group on this neighbor as well.

# Configure the static route that points to the office network VPC over the VPN gateway. Its priority must be lower than that of the BGP route (that is, a larger preference value than your platform assigns to BGP routes), so that it carries traffic only while the BGP route is withdrawn.
ip route 172.16.0.0 255.240.0.0 <Public IP address of the VPN gateway> preference 255

# Configure a backhaul route for the CEN health-check probe packets. CEN sources them from an address in 100.96.0.0/16; without this route the probes are not answered and CEN fails over to the VPN connection even though the Express Connect circuit is healthy. You can also route the whole 100.96.0.0/16 block to 10.0.0.1.
ip route <Source IP address for health checks> 255.255.255.255 10.0.0.1
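The following Python script is an added example, not part of this topic or of any Alibaba Cloud product. It models the CEN health check from Step 3 (an interval of 2 seconds, 8 consecutive lost probes) and the active/standby route selection that the Step 4 configuration produces on the data center gateway. The preference values are abstract (lower wins; only the 255 of the VPN static route comes from the sample above, the 20 for the BGP route and 60 for the probe return route are assumptions), the label vpn-gateway-public-ip stands in for the VPN gateway's public IP address, and the probe return route covers the whole 100.96.0.0/16 block rather than a single /32. It also simplifies by treating a failed health check and a withdrawn BGP route as the same event, which holds when the circuit itself is down.

```python
"""Simulate the CEN health check (Step 3) and the data-center gateway's
active/standby route selection (Step 4).

Added example, not part of the original page. Route preferences are abstract
(lower value wins, as with the sample's `preference 255` static route); the
next-hop label "vpn-gateway-public-ip" stands in for the VPN gateway's public
IP address. Replace both with your vendor's real values.
"""
import ipaddress
from dataclasses import dataclass

PROBE_INTERVAL_S = 2            # "Probe Interval (Seconds)" in the health-check settings
PROBE_PACKETS = 8               # "Probe Packets" in the health-check settings
PROBE_SOURCE = "100.96.0.0/16"  # CEN allocates probe source addresses from this block


@dataclass(frozen=True)
class Route:
    prefix: str      # destination CIDR block
    next_hop: str    # next-hop address or label
    preference: int  # lower is preferred
    source: str      # "bgp" (learned from the VBR) or "static"


def detect_failure(probe_results, packets=PROBE_PACKETS, interval=PROBE_INTERVAL_S):
    """Return the time in seconds (since probing started) at which CEN declares
    the circuit down, or None if fewer than `packets` consecutive probes are lost.

    probe_results is a list of booleans: True = reply received, False = lost.
    """
    lost = 0
    for n, replied in enumerate(probe_results, start=1):
        lost = 0 if replied else lost + 1
        if lost >= packets:
            return n * interval
    return None


def data_center_routes(express_connect_up):
    """Routes the page's Step 4 configures on the data-center gateway.

    The BGP route exists only while the eBGP session over the Express Connect
    circuit is up; when the circuit fails, the route is withdrawn.
    """
    routes = [
        # Standby: static route to the office network VPC through the IPsec tunnel.
        Route("172.16.0.0/12", "vpn-gateway-public-ip", 255, "static"),
        # Return route for CEN health-check probes, pointing at the VBR side.
        Route(PROBE_SOURCE, "10.0.0.1", 60, "static"),
    ]
    if express_connect_up:
        # Active: office network VPC prefix learned from the VBR (ASN 45104).
        routes.append(Route("172.16.0.0/12", "10.0.0.1", 20, "bgp"))
    return routes


def select_next_hop(routes, destination):
    """Longest-prefix match; ties are broken by the lowest preference."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.preference))
    return best.next_hop


def has_probe_return_route(routes, probe_source=PROBE_SOURCE):
    """True if every probe source address CEN may allocate has a return route."""
    block = ipaddress.ip_network(probe_source)
    return any(block.subnet_of(ipaddress.ip_network(r.prefix)) for r in routes)


def path_for_cloud_computer(probe_results, cloud_computer_ip="172.16.0.10"):
    """Next hop the data-center gateway uses after the given probe history.

    Simplification: a failed health check is taken to mean the circuit is down,
    so the BGP route is withdrawn at the same time CEN switches to the VPN route.
    """
    circuit_down = detect_failure(probe_results) is not None
    routes = data_center_routes(express_connect_up=not circuit_down)
    return select_next_hop(routes, cloud_computer_ip)


if __name__ == "__main__":
    healthy = [True] * 10                    # constructed probe history
    outage = [True] * 3 + [False] * 8        # circuit dies after the third probe
    print("healthy circuit ->", path_for_cloud_computer(healthy))
    print("after outage    ->", path_for_cloud_computer(outage),
          "detected at", detect_failure(outage), "s")
```

Two things the simulation makes visible: seven lost probes followed by a single reply never trigger failover, because the counter is for consecutive losses, and a gateway whose routes do not cover 100.96.0.0/16 (has_probe_return_route returns False) never answers the probes, so CEN moves traffic to the VPN connection while the circuit is healthy.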

Step 5: Test the network connectivity

  1. Open the command-line interface (CLI) on a local computer in the data center.

  2. In the CLI, ping the IP address of a cloud computer in the CIDR block of the office network VPC. If replies are returned, the data center is connected to the office network VPC over the Express Connect circuit.

    If no cloud computer is available in the office network, create a cloud computer. For more information, see Create a cloud computer.

    Note

    After you create the cloud computer, go to the Cloud Computers page in the WUYING Workspace console, find the cloud computer, and then click the ID of the cloud computer. On the Basic Information tab, you can view the IP address of the cloud computer.

  3. On the data center gateway, shut down the port that connects to the Express Connect circuit so that the circuit and the BGP session go down. Wait until the health check has detected the failure, and then run the ping command on the local computer again to test the connectivity between the data center and the office network VPC. If replies are returned, the standby IPsec-VPN connection works as expected. Bring the port back up afterwards and confirm that the ping still succeeds.

Step 6: Configure routing and DNS for cloud services

  1. Configure routing for cloud services.

    The CIDR block of the cloud services in Alibaba Cloud that can be accessed over a VPC is 100.64.0.0/10. This CIDR block is a reserved CIDR block that is defined in RFC 6598. To ensure that you can call the WUYING Workspace API from an Alibaba Cloud Workspace client as expected, configure a route for the CIDR block 100.64.0.0/10 in the on-premises data center network to forward requests that are destined for the CIDR block to the user VPC in the cloud.

  2. Before you configure Domain Name System (DNS), run the following command on a local computer to test whether the WUYING Workspace API domain name can be resolved. Replace cn-hangzhou with the ID of the region where your office network resides:

    nslookup ecd-vpc.cn-hangzhou.aliyuncs.com

    If an IP address is returned, the domain name can be resolved and you can skip the next step. If no IP address is returned, perform the following step to configure DNS.

  3. (Optional) Configure DNS.

    DNS addresses are required to resolve the domain names involved in the WUYING Workspace API and streaming gateways that reside in the VPC. In this example, set the DNS addresses to the following values:

    • 100.100.2.136

    • 100.100.2.138

    You can use one of the following methods to configure the DNS addresses:

    • Add the preceding DNS addresses to the Dynamic Host Configuration Protocol (DHCP) service of the on-premises data center.

    • Configure conditional forwarding on the DNS server of the on-premises data center so that resolution requests for domain names that end with aliyuncs.com are forwarded to 100.100.2.136 or 100.100.2.138. Both addresses belong to 100.64.0.0/10, so the DNS server can reach them only if the route for that CIDR block configured in the previous step is in place.

Step 7: Verify whether the cloud computer can be connected over the private network

The solution that combines Express Connect circuits and IPsec-VPN gateways is suitable for a Windows client or macOS client.

Note

In this example, a Windows client of Alibaba Cloud Workspace V5.2.0 is used to check whether the access to a cloud computer over a VPC is allowed. You can also use another client to access your cloud computer over a VPC based on your business requirements.

  1. Obtain information, such as the office network ID, username, and password, that is required to log on to the Windows client from the received email.

    1. Double-click the WUYING Workspace client icon to open the Windows client.

    2. Follow the on-screen instructions to enter the username and password.

      Important

      If you log on to a client by using only an office network ID, select Alibaba Cloud VPC.

    3. Click Connection Type, select Alibaba Cloud VPC, and then click Confirm.

    4. Click Next.

    5. Follow the on-screen instructions to enter the username and password. Then, click Next.

  2. Connect to the cloud computer.

    If the client logon is successful, your cloud computer is displayed as a card on your screen. You can click Connect Cloud Computer on the card to connect to your cloud computer. If the connection is successful, you can view and use your cloud computer in a new window.

    Important

    If a network request timeout error is reported, the network is inaccessible. In this case, you need to check your parameter settings. After you confirm your parameter settings, you can log on to your client and connect to your cloud computer again.