You can use an Express Connect circuit that connects to an Alibaba Cloud access point to connect a data center to a virtual private cloud (VPC) that belongs to a different account and region.

Scenario

An enterprise creates an Alibaba Cloud account (Account A), and then creates a VPC named VPC1 in the China (Hangzhou) region with Account A. The enterprise has a data center deployed in the same region. The private CIDR block of the data center is 172.16.0.0/12 and the private CIDR block of VPC1 is 192.168.0.0/16. The enterprise uses Account A to apply for an Express Connect circuit, which is used to connect the data center and VPC1. The subsidiary of the enterprise creates a RAM user (Account B), and then creates a VPC named VPC2 in the China (Beijing) region with Account B. The private CIDR block of VPC2 is 10.0.0.0/8. The subsidiary wants to connect the data center to VPC2.

In this scenario, the subsidiary can reuse the Express Connect circuit purchased by Account A to connect the data center to VPC2 that belongs to Account B.

The following figure shows the network topology for connecting the data center to VPC2.
[Figure: Architecture]
The following table describes the configurations of the resources that belong to Account A and Account B. The "-" sign indicates that the item is not involved.

VPCs
  Account A: VPC1
    • Name: VPC1
    • Region: China (Hangzhou)
    • CIDR block: 192.168.0.0/16
  Account B: VPC2
    • Name: VPC2
    • Region: China (Beijing)
    • CIDR block: 10.0.0.0/8
Virtual border routers (VBRs)
  Account A: VBR
    • Name: VBR-test
    • VLAN ID: 0
    • IPv4 address of the gateway on the Alibaba Cloud side: 10.100.1.2
    • IPv4 address of the gateway on the customer side: 10.100.2.10
    • Subnet mask: 255.255.255.0
  Account B: -
VBR-to-VPC connections
  Account A: VBR-to-VPC Connection 2 (initiator)
    • Region of the initiator: China (Hangzhou)
    • VBR (initiator) name: VBR-test
    • Region of the acceptor: China (Beijing)
    • VPC (acceptor) name: VPC2
  Account B: VBR-to-VPC Connection 2 (acceptor)
    • Region of the initiator: China (Hangzhou)
    • VBR (initiator) name: VBR-test
    • Region of the acceptor: China (Beijing)
    • VPC (acceptor) name: VPC2

Prerequisites

  • Establish VBR-to-VPC Connection 1 to connect the data center to VPC1 within Account A.
  • Due to security requirements, you cannot connect VBRs to VPCs that belong to a different account by default. To use this feature, contact your account manager. For more information, see Attach a VBR to a VPC that belongs to a different account.
  • VPC2 is created in the China (Beijing) region and cloud resources such as Elastic Compute Service (ECS) instances are deployed in VPC2. For more information, see Create a VPC with an IPv4 CIDR block.
  • You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.

Procedure

Step 1: Apply for an Express Connect circuit and install the Express Connect circuit

Log on to the Express Connect console with Account A and apply for a dedicated Express Connect circuit or a shared Express Connect circuit pre-installed by the Express Connect partner. In this example, a dedicated Express Connect circuit is used. For more information, see Create and manage a dedicated connection over an Express Connect circuit.

Note You do not need to install the circuit if you choose a shared Express Connect circuit. For more information, see Operation guide for Express Connect partners.

Step 2: Create a VBR for the Express Connect circuit

Note In this example, a VBR is created for the dedicated Express Connect circuit. For more information about how to create a VBR for a shared Express Connect circuit, see Create a VBR.
  1. Log on to the Express Connect console by using Account A.
  2. In the top navigation bar, select the region where you want to apply for an Express Connect circuit. In this example, China (Hangzhou) is selected.
  3. On the Physical Connection page, find the Express Connect circuit and click its ID.
  4. On the Express Connect circuit details page, click the VBR tab and click Create VBR.
  5. In the Create VBR panel, set the following parameters and click OK.
    Basic Information
    Account: Specify the Alibaba Cloud account to which the VBR belongs. The default setting is Current Account. If you select this option, a VBR is created for Account A.
    Name: Enter a name for the VBR. In this example, VBR-test is entered.

    Physical Connection Information
    Physical Connection Interface: Select the type of Express Connect circuit that you want to associate with the VBR. Then, select an Express Connect circuit that is enabled and functions as expected from the drop-down list.

    Valid values:

    • Dedicated Physical Connection: a dedicated Express Connect circuit
    • Shared Physical Connection: a shared Express Connect circuit

    In this example, Dedicated Physical Connection is selected. Then, select the corresponding Express Connect circuit from the drop-down list.

    VLAN ID: Enter the VLAN ID of the VBR. Valid values: 0 to 2999.

    In this example, 0 is entered.

    Set VBR Bandwidth Value: Specify the maximum bandwidth of the VBR.

    In this example, 200Mb is selected.

    IPv4 Address (Alibaba Cloud Gateway): Enter an IPv4 address for the VBR to route network traffic between the VPC and data center. IPv4 Address (Alibaba Cloud Gateway) and IPv4 Address (Data Center Gateway) must belong to the same CIDR block.

    In this example, 10.100.0.1 is entered.

    IPv4 Address (Data Center Gateway): Specify an IPv4 address for the gateway device in the data center to route network traffic between the VPC and data center.
    Note To allow services in the VPC to access a specified gateway IP address, you must add a route to the route table of the VBR. Set the destination CIDR block of the route to the CIDR block to which the specified gateway IP address belongs and set the next hop to the Express Connect circuit. For more information about how to add a route, see Add a custom route.

    In this example, 10.100.0.10 is entered.

    Subnet Mask (IPv4 Address): Enter the subnet mask of the IPv4 addresses that you specify for the VBR and the gateway device in the data center. You can enter a long subnet mask because only two IP addresses are required.

    In this example, 255.255.255.0 is entered.

    Support IPv6: Specify whether to enable IPv6 for the VBR. In this example, Disable is selected.
    • Disable: disables IPv6. This is the default setting.
    • Enable: enables IPv6. If you select this option, you cannot disable IPv6 after the VBR is created. Set the following parameters of the VBR:
      • IPv6 Address (Alibaba Cloud Gateway): Enter an IPv6 address for the VBR to route network traffic between the VPC and the data center. The values of the IPv6 Address (Alibaba Cloud Gateway) and IPv6 Address (Data Center Gateway) parameters must belong to the same CIDR block.
      • IPv6 Address (Data Center Gateway): Enter an IPv6 address for the gateway device in the data center to route network traffic between the VPC and the data center.
      • Subnet Mask (IPv6): Enter the subnet mask of the IPv6 addresses that you specify for the VBR and the gateway device in the data center.

Step 3: Create VBR-to-VPC Connection 2 and configure health checks

  1. Configure cross-account VPC authorization.
    1. Log on to the VPC console by using Account B.
    2. In the top navigation bar, select the region where VPC2 is deployed. In this example, China (Beijing) is selected.
    3. On the VPCs page, find VPC2 and click the ID of the VPC.
    4. On the VPC details page, click the Cross-Account VBR Authorization tab, and then click Cross-Account VBR Authorization.
    5. In the Cross-Account VBR Authorization dialog box, set the following parameters and click OK.
      Peer Account UID: Enter the UID of Account A, to which the VBR belongs.
      Region: Select the region where the VBR is deployed. In this example, China (Hangzhou) is selected.
      VBR ID: Specify the IDs of the VBRs to which you want to grant permissions.
      • Grant Permissions to Specified VBRs: Only the specified VBRs within Account A in the specified region are granted permissions on the VPC.
      • Grant Permissions to All VBRs: All VBRs within Account A in the specified region are granted permissions on the VPC.

      In this example, Grant Permissions to Specified VBRs is selected and the ID of the VBR created in Step 2: Create a VBR for the Express Connect circuit is entered.

      After the configuration is complete, the permissions are granted to the VBR. You can view the authorization information on the Cross-Account VBR Authorization tab.
      Note Record the UID of Account B and the ID of VPC2. Both are required when you create VBR-to-VPC connections.
  2. Create VBR-to-VPC Connection 2 (cross-region and cross-account).
    1. Log on to the Express Connect console by using Account A.
    2. In the left-side navigation pane, choose VPC Peering Connections > VBR-to-VPC.
    3. On the VBR-to-VPC page, click Create Peering Connection.
    4. On the Establish VBR-VPC Interconnection page, configure the following parameters.
      Initiator Region: Select the region where the initiator is deployed. In this example, China (Hangzhou) is selected.
      Initiator VBR: Select a VBR as the initiator from the drop-down list. In this example, the VBR created in Step 2: Create a VBR for the Express Connect circuit is selected.
      Acceptor Region Type: Specify whether the initiator and acceptor belong to the same region. In this example, Inter-Region is selected.
      Acceptor Region: Select the region of the acceptor. In this example, China (Beijing) is selected.
      Acceptor Account Type: Specify whether the initiator and acceptor belong to the same Alibaba Cloud account. In this example, Another Account is selected.
      Acceptor Account ID: When Acceptor Account Type is set to Another Account, you need to specify the UID of the account to which the acceptor belongs.

      Select the UID of the account to which the acceptor belongs from the drop-down list. In this example, the UID of Account B is selected.

      Acceptor VPC: Select the ID of the VPC on which the initiator has permissions. In this example, the ID of VPC2 is selected.
      Billing Method: The value is automatically set to Subscription, Pay-By-Bandwidth.
      Select Bandwidth: Specify the maximum bandwidth of VBR-to-VPC Connection 2.
      Subscription Duration: Specify the subscription duration.
      Fee Details: The bandwidth fee is automatically displayed in the Bandwidth Fee field.
    5. Select I have read and agree to Terms of Service for Express Connect - Peering Connections (Pay-As-You-Go) and click OK.

      After the connection is established, the status of the initiator and acceptor changes to Activated.

Step 4: Add routes to the VBR

You need to add routes to the VBR to route traffic destined for the data center and VPC2. This way, the VBR can exchange data between the data center and VPC2.

Add a route to the VBR to route traffic destined for the data center

Add a route to the VBR to route traffic destined for the data center (172.16.0.0/12) to the Express Connect circuit.

  1. Log on to the Express Connect console by using Account A.
  2. In the top navigation bar, select the region where the VBR is deployed. In this example, China (Hangzhou) is selected.
  3. In the left-side navigation pane, click Virtual Border Routers (VBRs). On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
  4. On the VBR details page, choose Routes > Custom Route and click Add Route.
  5. In the Add Route panel, set the following parameters and click OK.
    Next Hop Type: Select the type of next hop. Valid values:
    • VPC: The VBR routes network traffic destined for the destination CIDR block to a VPC.
    • Physical Connection Interface: The VBR routes network traffic destined for the destination CIDR block to an Express Connect circuit.

    In this example, Physical Connection Interface is selected.

    Destination CIDR Block: Enter the CIDR block of the data center.

    In this example, 172.16.0.0/12 is entered.

    Next Hop: Select the ID of the next hop based on the specified next hop type.

    In this example, the ID of the Express Connect circuit created in Step 1: Apply for an Express Connect circuit and install the Express Connect circuit is selected.

    Description: Enter a description for the route.

Add a route to the VBR to route traffic destined for the VPC

Add a route to the VBR to route traffic destined for VPC2 (10.0.0.0/8) to VPC2.

  1. Log on to the Express Connect console by using Account A.
  2. In the top navigation bar, select the region where the VBR is deployed. In this example, China (Hangzhou) is selected.
  3. In the left-side navigation pane, click Virtual Border Routers (VBRs). On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
  4. On the VBR details page, choose Routes > Custom Route and click Add Route.
  5. In the Add Route dialog box, set the following parameters and click OK.
    Next Hop Type: Select the type of next hop. Valid values:
    • VPC: The VBR routes network traffic destined for the destination CIDR block to a VPC.
    • Physical Connection Interface: The VBR routes network traffic destined for the destination CIDR block to an Express Connect circuit.

    In this example, VPC is selected.

    Destination CIDR Block: Enter the CIDR block of VPC2.

    In this example, 10.0.0.0/8 is entered.

    Next Hop: Select the ID of the next hop based on the specified next hop type.

    In this example, the ID of VPC2 is selected.

    Description: Enter a description for the route.

Step 5: Add routes to VPC2

You need to add routes to VPC2 to route traffic destined for the data center (172.16.0.0/12) to the VBR.

  1. Log on to the Express Connect console by using Account B.
  2. In the top navigation bar, select the region where VPC2 is deployed. In this example, China (Beijing) is selected.
  3. In the left-side navigation pane, choose VPC Peering Connections > VBR-to-VPC.
  4. On the VBR-to-VPC page, find the connection that you want to manage (VPC2 is shown in the Acceptor column) and click Route Settings.
  5. In the Basic Information panel, click Add Route.
  6. In the Add Route dialog box, set Destination CIDR Block to 172.16.0.0/12 and click OK.

Step 6: Configure routes and health checks on the data center side

You need to add routes that point to VPC2 to the gateway device in the data center. This way, the gateway device can exchange data between the data center and VPC2. You also need to add routes to route health check probe packets to Alibaba Cloud, configure health checks, and associate the routes with health checks so that traffic can be routed over two redundant connections.

  1. Add routes to the gateway device in the data center.

    The configuration commands may vary based on the gateway device. The following example is for reference only. For more information about the configuration commands, consult the vendor of your gateway device.

    # Add a route to route traffic destined for VPC2 (10.0.0.0/8) to the gateway on the Alibaba Cloud side.
    # The mask must cover the whole VPC2 CIDR block (/8), otherwise only part of VPC2 is reachable.
    ip route 10.0.0.0 255.0.0.0 10.100.1.2
  2. Configure health checks on the data center side. For more information, see Configure and manage health checks.
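As an added pre-flight check (not part of the Alibaba Cloud documentation), the following Python script verifies the addressing rules that this walkthrough depends on before you run the connectivity test: the two VBR gateway addresses from Step 2 share one subnet, the three private CIDR blocks do not overlap, and the static route entered on the data-center gateway in Step 6 covers all of VPC2. The route string and the helper names are the example's own assumptions.

```python
import ipaddress

# Addressing taken from the walkthrough (Step 2 gateway values, scenario CIDR blocks).
DATA_CENTER = ipaddress.ip_network("172.16.0.0/12")
VPC1 = ipaddress.ip_network("192.168.0.0/16")
VPC2 = ipaddress.ip_network("10.0.0.0/8")
CLOUD_GW, DC_GW, MASK = "10.100.0.1", "10.100.0.10", "255.255.255.0"


def same_subnet(cloud_gw: str, dc_gw: str, mask: str) -> bool:
    """Step 2 rule: both VBR gateway addresses must belong to the same CIDR block."""
    net = ipaddress.ip_network(f"{cloud_gw}/{mask}", strict=False)
    return ipaddress.ip_address(dc_gw) in net


def overlapping(*nets):
    """Return the pairs of CIDR blocks that overlap; the VBR routes need them disjoint."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def route_covers(ios_route: str, target: ipaddress.IPv4Network) -> bool:
    """True if a static route such as 'ip route 10.0.0.0 255.0.0.0 <next hop>'
    reaches every address in target. A mask that is too long (for example
    255.255.0.0 for a /8) silently leaves most of VPC2 unreachable."""
    _, _, dst, mask, *_ = ios_route.split()
    return target.subnet_of(ipaddress.ip_network(f"{dst}/{mask}"))


def preflight(dc_route: str) -> list:
    """Collect every problem found; an empty list means the plan is consistent."""
    problems = []
    if not same_subnet(CLOUD_GW, DC_GW, MASK):
        problems.append("VBR gateway addresses are not in the same subnet")
    for a, b in overlapping(DATA_CENTER, VPC1, VPC2):
        problems.append(f"{a} overlaps {b}")
    if not route_covers(dc_route, VPC2):
        problems.append("data-center route does not cover all of VPC2")
    return problems


if __name__ == "__main__":
    # Constructed route strings in the form used in Step 6; the next hop is the
    # Alibaba Cloud side gateway from the resource table.
    for route in ("ip route 10.0.0.0 255.0.0.0 10.100.1.2",
                  "ip route 10.0.0.0 255.255.0.0 10.100.1.2"):
        print(route, "->", preflight(route) or "OK")
```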

Step 7: Test network connectivity

After you perform the preceding steps, you must test the connectivity of the Express Connect circuit.

  1. Open the command-line interface (CLI) on a computer in the data center.
  2. Run the ping command to verify the connectivity between the data center and an ECS instance in VPC2 (10.0.0.0/8).
    If echo reply packets are returned, the data center is connected to VPC2.