This topic describes how to use leased lines and Cloud Enterprise Network (CEN) to connect an on-premises data center to Alibaba Cloud and enable the on-premises data center to communicate with VPCs in different regions.

Prerequisites

Before you begin, make sure that you have completed the following actions:

Background information

A company has an on-premises data center in Shanghai with a CIDR block of 10.1.1.0/24. The company has created three VPCs in the China (Beijing), China (Shanghai), and China (Hong Kong) regions, with the corresponding CIDR blocks being 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24. Due to business development, the company needs to connect its on-premises data center to the VPCs in the China (Beijing), China (Hong Kong), and China (Shanghai) regions, and to minimize the risk of a single point of failure (SPOF) in the on-premises data center.

Network topology

As shown in the preceding figure, one way to prevent the SPOF is to connect the on-premises data center to different Virtual Border Routers (VBRs) of Alibaba Cloud through redundant leased lines. Then add the VBRs and the VPCs to be connected to the same CEN. This allows the on-premises data center to communicate with VPCs in all regions.

Procedure

Configuration flowchart

Step 1: Create redundant leased lines

Apply for two physical connections in the China (Shanghai) region. In this example, name the physical connection connecting to the local CPE1 as leasedline1, and the physical connection connecting to the local CPE2 as leasedline2. For more information, see Created a dedicated physical connection.

Step 2: Create VBRs

Complete the following steps to create a VBR for each of the two leased lines. Each VBR serves as the data forwarding channel from the VPC to the on-premises data center.

  1. Log on to the Express Connect console.
  2. In the left-side navigation pane, choose Physical Connections > Virtual Border Routers (VBRs).
  3. In the top navigation bar, select the region of the VBR.
    In this example, select China (Shanghai).
  4. On the Virtual Border Routers (VBRs) page, click Create VBR.
  5. On the Create VBR page, configure the VBR according to the following information, then click OK.
    • Account: Current account.
    • Name: VBR1.
    • Physical Connection Interface: Select the physical connection interface for leasedline1.
    • VLAN ID: 0.
    • Gateway IP Address on Alibaba Cloud Side: 172.16.1.2/24.
    • Gateway IP Address on Customer Side: 172.16.1.1/24.
    • Subnet Mask: 255.255.255.252.
  6. Repeat the preceding steps to create a VBR for the second leased line.
    The configurations are as follows:
    • Account: Current account.
    • Name: VBR2.
    • Physical Connection Interface: Select the physical connection interface for leasedline2.
    • VLAN ID: 0.
    • Gateway IP Address on Alibaba Cloud Side: 172.16.2.2/24.
    • Gateway IP Address on Customer Side: 172.16.2.1/24.
    • Subnet Mask: 255.255.255.252.

Step 3: Configure VBR routes

You need to configure routes pointing to the on-premises data center on the VBRs.

  1. Log on to the Express Connect console.
  2. In the left-side navigation pane, choose Physical Connections > Virtual Border Routers (VBRs).
  3. In the top navigation bar, select the region of the VBR.
    In this example, select China (Shanghai).
  4. On the Virtual Border Routers (VBRs) page, find the target VBR and click the VBR ID.
  5. Click the Routes tab and then click Add Route.
  6. On the Add Route page, configure the route according to the following information, then click OK.
    • Destination Subnet: Enter the CIDR block of the on-premises data center. In this example, enter 10.1.1.0/24.
    • Next Hop Type: Select Physical Connection Interface.
    • Next Hop: Select the physical connection interface for leasedline1.
  7. Repeat the preceding steps on the other VBR to configure a route that points to the redundant leased line.
    The configurations are as follows:
    • Destination Subnet: Enter the CIDR block of the on-premises data center. In this example, enter 10.1.1.0/24.
    • Next Hop Type: Select Physical Connection Interface.
    • Next Hop: Select the physical connection interface for leasedline2.

The following figure shows the VBR routes:

VBR routes

Step 4: Add the VBRs and VPCs to a CEN instance

After the physical connections are established, you need to add the VBRs and the VPCs to be connected to the same CEN instance.

  1. Log on to the CEN console.
  2. On the Instances page, find the target CEN instance, then click Manage in the Actions column.
  3. Click the Networks tab, then click Attach Network to add the VBRs and the VPCs to be connected.
    In this example, VBR1, VBR2, the Beijing VPC, the Shanghai VPC, and the Hong Kong VPC are attached to the same CEN instance.
  4. Set a cross-region interconnection bandwidth for the networks in different regions.
  5. If you have added routes destined for Elastic Compute Service (ECS) instances, VPN Gateways, or High-Availability Virtual IP Addresses (HaVips) in the VPC, you need to publish these routes to the CEN instance.
    For more information, see Publish a route to CEN.

The following figure shows the CEN routes:

CEN route table

Step 5: Configure health checks

You must configure health checks for redundant physical connections. Alibaba Cloud sends a ping packet once every two seconds from the health check IP address to the customer-side IP address of the on-premises data center. If eight consecutive ping packets on one physical connection receive no response, traffic is switched to the other physical connection.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. Select the region of the CEN instance, and then click Set Health Check.
  4. On the Set Health Check page, configure the health check according to the following information, then click OK.
    • Instances: Select the CEN instance to which the VBR is attached.
    • Virtual Border Router (VBR): Select the VBR to be monitored.
    • Source IP: Enter an idle IP address in the VSwitch of the connected VPC.
    • Target IP: Enter the interface IP address of the network device of the on-premises data center.
  5. Repeat the preceding steps to configure a health check for the second VBR.
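The failure rule described in this step (one probe every two seconds, eight consecutive misses) can be modelled as a small counter. The following is an added example, not Alibaba Cloud code; it assumes that any reply resets the miss counter and measures time from the first probe, and the probe logs are constructed sample data.

```python
PROBE_INTERVAL_S = 2    # from this page: one ping every two seconds
FAILURE_THRESHOLD = 8   # from this page: eight consecutive unanswered pings


def declared_down_at(replies):
    """Return seconds after the first probe at which the link is declared
    failed, or None if the threshold is never reached.

    `replies` holds one boolean per probe (True = reply received).
    Assumption: a single reply resets the consecutive-miss counter.
    """
    misses = 0
    for index, answered in enumerate(replies):
        misses = 0 if answered else misses + 1
        if misses == FAILURE_THRESHOLD:
            return index * PROBE_INTERVAL_S
    return None


def evaluate(probe_log):
    """Map each VBR to its failure time and list the VBRs still in service."""
    down = {vbr: declared_down_at(replies) for vbr, replies in probe_log.items()}
    surviving = [vbr for vbr, when in down.items() if when is None]
    return down, surviving


# Constructed probe results, not captured from a real deployment.
SAMPLE = {
    # Hard failure: five replies, then the line stops answering.
    "VBR1": [True] * 5 + [False] * 10,
    # Lossy line: seven misses followed by one reply, repeated twice.
    "VBR2": ([False] * 7 + [True]) * 2,
}

if __name__ == "__main__":
    down, surviving = evaluate(SAMPLE)
    for vbr, when in down.items():
        state = f"declared failed at t={when}s" if when is not None else "healthy"
        print(f"{vbr}: {state}")
    print("paths still carrying traffic:", surviving)
```

In the sample, VBR1 stops answering at t=10s and is declared failed at t=24s, while VBR2 loses seven of every eight probes and is never declared failed. A consecutive-miss check does not detect a degraded but intermittently responsive line, so loss-rate monitoring has to cover that case separately.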

Step 6: Configure routes and health checks for the on-premises data center

To connect the on-premises data center to Alibaba Cloud, you must complete the following configurations for the on-premises data center:

  1. Configure routes to forward data between the on-premises data center and the VBRs:
    The following example is for reference only. The exact syntax differs between device manufacturers.
    ip route 192.168.0.0/16 172.16.1.2
    ip route 192.168.0.0/16 172.16.2.2
    The following figure shows the routes of the on-premises data center:

    Local routes
  2. Configure health checks. You can use Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) to check the route from the on-premises data center to the VBRs.
    Consult the device manufacturer for specific configuration commands. We recommend that you use the BFD method.
  3. Configure routing interaction. Consult the device manufacturer for specific configuration commands.
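Before applying the routes, the address plan from this topic can be checked for overlaps and for how much the on-premises static route covers. The following is an added example, not part of the original procedure; the function names are hypothetical and all addresses are the ones used in this topic's scenario.

```python
import ipaddress

# Address plan copied from this topic's example scenario.
ON_PREM = ipaddress.ip_network("10.1.1.0/24")
VPCS = {
    "Beijing": ipaddress.ip_network("192.168.1.0/24"),
    "Shanghai": ipaddress.ip_network("192.168.2.0/24"),
    "Hong Kong": ipaddress.ip_network("192.168.3.0/24"),
}
# VBR name -> (cloud-side gateway, customer-side gateway, subnet mask).
VBRS = {
    "VBR1": ("172.16.1.2", "172.16.1.1", "255.255.255.252"),
    "VBR2": ("172.16.2.2", "172.16.2.1", "255.255.255.252"),
}
# Destination of the static routes configured on the on-premises device.
STATIC_AGGREGATE = ipaddress.ip_network("192.168.0.0/16")


def peering_subnet(cloud_ip, customer_ip, mask):
    """Return the subnet shared by both gateways, or raise if they differ."""
    cloud = ipaddress.ip_interface(f"{cloud_ip}/{mask}")
    customer = ipaddress.ip_interface(f"{customer_ip}/{mask}")
    if cloud.network != customer.network:
        raise ValueError(f"{cloud_ip} and {customer_ip} are not in one subnet")
    return cloud.network


def audit_plan():
    """Return the peering subnets and a list of findings about the plan."""
    findings = []
    links = {name: peering_subnet(*cfg) for name, cfg in VBRS.items()}
    named = {"on-prem": ON_PREM, **VPCS, **links}
    names = list(named)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if named[first].overlaps(named[second]):
                findings.append(f"overlap: {first} and {second}")
    for name, net in VPCS.items():
        if not net.subnet_of(STATIC_AGGREGATE):
            findings.append(f"uncovered: {name} is outside {STATIC_AGGREGATE}")
    routed = STATIC_AGGREGATE.num_addresses
    used = sum(net.num_addresses for net in VPCS.values())
    findings.append(f"aggregate: {routed - used} of {routed} addresses "
                    "routed to the VBRs belong to no attached VPC")
    return links, findings
```

For this scenario the audit reports no overlaps and one finding: the 192.168.0.0/16 static route sends 64768 addresses toward the VBRs that no attached VPC uses. Per-VPC /24 routes would limit what the on-premises device forwards to the cloud.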

Step 7: Test the connectivity

To test the connectivity of the redundant connections, follow these steps:

  1. Open the command prompt of the PC at the on-premises data center.
  2. Run the ping command to connect to an ECS instance in the connected VPC. If the ping request succeeds, the connection between the on-premises data center and Alibaba Cloud is established.
  3. Disconnect a physical connection (for example, from VBR1 to CPE1), and run the tracert command. You can see that the CEN switches routes, and all traffic from the cloud to the IDC goes through VBR2.