This topic describes how to establish active/standby connections between a data center and Alibaba Cloud by using two Express Connect circuits. If the primary Express Connect circuit is up, data is transmitted only through the primary Express Connect circuit. To ensure service availability, you can configure health checks to monitor the status of your Express Connect circuits. Probe packets are sent at the specified health check interval. If the primary Express Connect circuit is down, the secondary Express Connect circuit takes over.

Scenario

The following example shows how to establish active/standby connections between a data center and Alibaba Cloud by using two Express Connect circuits.

A company has a data center in Shanghai and a virtual private cloud (VPC) in the China (Shanghai) region. The private CIDR block of the data center is 172.16.0.0/12, and the CIDR block of the VPC is 192.168.0.0/16. To prevent single points of failure (SPOFs), the company plans to lease two Express Connect circuits from different connectivity providers to establish active/standby connections between the data center and Alibaba Cloud.

Architecture

The following table describes the configurations of the two virtual border routers (VBRs) that are connected to the Express Connect circuits.

| Configuration | VBR 1 (connected to the primary Express Connect circuit) | VBR 2 (connected to the secondary Express Connect circuit) |
| --- | --- | --- |
| VLAN ID | 0 | 0 |
| Peer IPv4 Address of Gateway at Alibaba Cloud Side | 10.0.0.1 | 10.0.0.5 |
| Peer IPv4 Address of Gateway at Customer Side | 10.0.0.2 | 10.0.0.6 |
| Subnet Mask (IPv4 Address) | 255.255.255.252 | 255.255.255.252 |

Procedure

Establish active/standby connections

Step 1: Create two connections over Express Connect circuits

Express Connect supports dedicated connections and hosted connections.

  • Dedicated connection: If you want to create two dedicated connections, you must apply for two Express Connect circuits in the console. For more information, see Create a dedicated connection over an Express Connect circuit.

    When you apply for the second Express Connect circuit in the console, you may need to specify a redundant Express Connect circuit based on the access point.

    • If you want to connect the Express Connect circuits to the same access point, you must specify the redundant Express Connect circuit. Set Redundant Connection ID to the first Express Connect circuit that you applied for. Make sure that the initial installation fee for the first Express Connect circuit is paid. Then, the Express Connect circuits will be connected to different access devices.
    • If you want to connect the Express Connect circuits to different access points, you do not need to specify the redundant Express Connect circuit. Therefore, you can leave the Redundant Connection ID parameter empty.
  • Hosted connection: Contact two different Express Connect partners and request them to create two hosted connections for you. For more information, see Overview.

Step 2: Create two VBRs and configure routing

You must create a VBR for each Express Connect circuit and add a route to each VBR. You must set the destination of both routes to the data center.

  1. Log on to the Express Connect console.
  2. Create a VBR for the first Express Connect circuit.
    1. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
    2. On the Virtual Border Routers (VBRs) page, click Create VBR.
    3. In the Create VBR panel, set the following parameters and click OK:
      • Account: Specify whether you want to create the VBR for the current account or another account. In this example, Current Account is selected.
      • Name: Enter a name for the VBR. In this example, VBR1 is entered.
      • Physical Connection Interface: Select the Express Connect circuit that you want to associate with the VBR. The Express Connect circuit must be enabled and work as expected. In this example, the first Express Connect circuit is selected.
      • VLAN ID: Enter the VLAN ID of the VBR. In this example, 0 is entered.
      • Peer IPv4 Address of Gateway at Alibaba Cloud Side: Specify an IPv4 address for the VBR. In this example, 10.0.0.1 is entered.
      • Peer IPv4 Address of Gateway at Customer Side: Specify an IPv4 address for the gateway device in the data center. In this example, 10.0.0.2 is entered.
      • Subnet Mask (IPv4 Address): Enter the IPv4 subnet mask of the specified IP addresses. In this example, 255.255.255.252 is entered.
  3. Add a route whose destination is the data center to VBR1.
    1. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
    2. On the Virtual Border Routers (VBRs) page, click the ID of VBR1.
    3. On the details page of VBR1, click the Routes tab and click Add Route.
    4. On the Add Route page, set the following parameters and click OK:
      • Next Hop Type: In this example, Physical Connection Interface is selected.
      • Destination Subnet: Enter the CIDR block of the data center. In this example, 172.16.0.0/12 is entered.
      • Next Hop: Select the Express Connect circuit that you want to connect to the data center. In this example, the first Express Connect circuit is selected.
  4. Repeat the preceding steps to create VBR2 for the second Express Connect circuit and add a route whose destination is the data center to VBR2.
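
A pre-flight check of the peering plan before the values are entered in the console, given here as an added example that is not part of the original documentation. The addresses and CIDR blocks are the ones from this page; the function name `check_links` is hypothetical.

```python
import ipaddress

# Values taken from the scenario and the VBR configuration table on this page.
DATA_CENTER = ipaddress.ip_network("172.16.0.0/12")
VPC = ipaddress.ip_network("192.168.0.0/16")
LINKS = {  # name: (Alibaba Cloud side peer, customer side peer, subnet mask)
    "VBR1": ("10.0.0.1", "10.0.0.2", "255.255.255.252"),
    "VBR2": ("10.0.0.5", "10.0.0.6", "255.255.255.252"),
}

def check_links(links, routed=(DATA_CENTER, VPC)):
    """Return a list of problems in the VBR peering plan (empty list = OK)."""
    problems, seen = [], {}
    for name, (cloud_ip, customer_ip, mask) in links.items():
        cloud = ipaddress.ip_address(cloud_ip)
        customer = ipaddress.ip_address(customer_ip)
        # strict=False derives the link subnet from the cloud-side address.
        subnet = ipaddress.ip_network(f"{cloud_ip}/{mask}", strict=False)
        usable = set(subnet.hosts())
        for role, addr in (("cloud", cloud), ("customer", customer)):
            if addr not in usable:
                problems.append(
                    f"{name}: {role} peer {addr} is not a usable host in {subnet}")
        if cloud == customer:
            problems.append(f"{name}: both peers use {cloud}")
        # The two circuits must not share or overlap a link subnet.
        for other, other_net in seen.items():
            if subnet.overlaps(other_net):
                problems.append(f"{name}: {subnet} overlaps {other} ({other_net})")
        # Link subnets must stay outside the blocks routed across the circuits.
        for net in routed:
            if subnet.overlaps(net):
                problems.append(f"{name}: {subnet} overlaps routed block {net}")
        seen[name] = subnet
    return problems

if __name__ == "__main__":
    print(check_links(LINKS) or "peering plan is consistent")
```
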

Step 3: Attach the VBRs and the VPC to a CEN instance

To enable communication between the VBRs and the VPC, you must attach the VBRs and the VPC to a Cloud Enterprise Network (CEN) instance.

  1. Log on to the CEN console.
  2. On the Instances page, click the ID of the CEN instance that you want to manage.
    If you do not have a CEN instance, create one. For more information, see Create a CEN instance.
  3. Click the Networks tab and click Attach Network.
  4. In the Attach Network panel, click the Your Account tab to attach VBR1 and then click OK.
    • Network Type: Select Virtual Border Router (VBR).
    • Region: Select the region where VBR1 is deployed.
    • Networks: Select the ID of VBR1.
  5. Repeat the preceding steps to attach VBR2 and the VPC to the CEN instance.
    Notice: If you have created routes that point to Elastic Compute Service (ECS) instances, virtual private network (VPN) gateways, or high-availability virtual IP addresses (HAVIPs), you must advertise these routes to the CEN instance in the VPC console. For more information, see Publish a route to CEN.

Step 4: Configure health checks on Alibaba Cloud

By default, after you configure health checks, Alibaba Cloud sends a probe packet every 2 seconds over the Express Connect circuits from the source IP address to the destination IP address in the data center. If no responses are returned for eight consecutive probe packets over one of the Express Connect circuits, the other Express Connect circuit takes over.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. Select the region where VBR1 is deployed and click Set Health Check.
    In this example, China (Shanghai) is selected.
  4. On the Set Health Check page, set the parameters of the health check and click OK.
  5. Repeat the preceding steps to configure health checks for VBR2.

Step 5: Specify the primary and secondary Express Connect circuits

To specify the primary and secondary Express Connect circuits, you must configure route maps on the regional gateways of the CEN instance. In this example, the primary Express Connect circuit is connected to VBR1. The secondary Express Connect circuit is connected to VBR2.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Instances.
  3. On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
  4. On the CEN page, click the Route Maps tab and click Add Route Map.
  5. In the Add Route Map panel, set the following parameters and click OK.
    • Route Map Priority: Set a priority for the route map. A lower value indicates a higher priority.

      The priority of each route map applied in one region and direction must be unique. The system evaluates route maps in descending order of priority. A lower value indicates a higher priority. Therefore, you must set the priority based on your actual needs.

      In this example, 20 is entered.

    • Description: Enter a description for the route map.
    • Region: Select the region to which the route map applies.

      In this example, China (Shanghai) is selected.

    • Transmit Direction: Select the direction to which the route map applies.
      • Import to Regional Gateway: If you select this option, the route map applies to the routes that are advertised to the regional gateway. For example, routes are advertised to a regional gateway from a network instance in the same region, or from a network instance in a different region.
      • Export from Regional Gateway: If you select this option, the route map applies to the routes that are advertised from the regional gateway. For example, routes are advertised from a regional gateway to a network instance in the same region or to a regional gateway in a different region.

      In this example, Import to Regional Gateway is selected.

    • Match Conditions: Select a match condition for the route map.

      In this example, Source Instance IDs is selected and VBR1 is selected. This way, the route map applies to all of the routes from VBR1.

      Note: Click + Add Match Condition to add more match conditions.

    • Action Policy: Select Permit for Action Policy, and set Preference and Associated Priority.
      • Preference: Click Add Policy Entry, select Preference, and then set a priority for routes that match the conditions. A lower value indicates a higher priority.

        In this example, Preference is set to 10.

      • Associated Priority: Set a priority for the next route map to be evaluated.
        • If Associated Priority is not set, no route map is associated with the current one.
        • If Associated Priority is set to 1, the next route map evaluated by the system is determined by the predefined priority. This means that the route map with the highest priority among the remaining route maps will be evaluated next.
        • If Associated Priority is set to a value other than 1, the next route map evaluated by the system is determined by the Associated Priority. You must set Associated Priority to a value greater than the priority value of the current route map. This means that the priority of the next route map evaluated by the system must be lower than the priority of the current route map.

        In this example, Associated Priority is set to 20.

  6. Repeat the preceding steps to specify the Express Connect circuit that is associated with VBR2 as the secondary Express Connect circuit.
    • Route Map Priority: A lower value indicates a higher priority. The priority value of the route map for VBR2 must be greater than that of the route map for VBR1. In this example, 30 is entered.
    • Match Conditions: In this example, Source Instance IDs is selected and VBR2 is selected. This way, the route map applies to all routes from VBR2.
    • Action Policy: Select Permit for Action Policy, and set a priority for the route map.
      • A lower value indicates a higher priority. The priority of the route map for VBR1 must be higher than the priority of the route map for VBR2. In this example, Preference is set to 20.
      • In this example, Associated Priority is not set for VBR2.
    After you create the route maps, you can view two 172.16.0.0/12 routes on the Routes tab, which are destined for the data center. One of the routes is the secondary route.
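
How the health check defaults from Step 4 and the route preferences from Step 5 interact, modelled as an added example that is not part of the original documentation. The function names and the probe log are constructed for illustration, and the recovery rule (one answered probe clears the failure counter) is an assumption, because the page does not state it.

```python
PROBE_INTERVAL_S = 2   # page default: one probe every 2 seconds
FAIL_THRESHOLD = 8     # page default: eight consecutive unanswered probes
PREFERENCE = {"VBR1": 10, "VBR2": 20}  # Step 5 values; a lower value wins

def select_paths(replies, preference=PREFERENCE, threshold=FAIL_THRESHOLD):
    """replies maps each VBR to a list of per-probe results (True = answered).
    Returns the VBR carrying traffic after each probe round, or None."""
    misses = dict.fromkeys(preference, 0)
    timeline = []
    for round_results in zip(*(replies[v] for v in preference)):
        for vbr, answered in zip(preference, round_results):
            # Assumption: a single answered probe clears the counter; the
            # page does not state the recovery rule.
            misses[vbr] = 0 if answered else misses[vbr] + 1
        healthy = [v for v in preference if misses[v] < threshold]
        timeline.append(min(healthy, key=preference.get) if healthy else None)
    return timeline

def failover_delay(replies, timeline, primary="VBR1", interval=PROBE_INTERVAL_S):
    """Seconds between the first lost probe on the primary and the round in
    which traffic leaves it, counted in whole probe intervals."""
    if False not in replies[primary]:
        return None
    first_loss = replies[primary].index(False)
    for i in range(first_loss, len(timeline)):
        if timeline[i] != primary:
            return (i - first_loss + 1) * interval
    return None

# Constructed probe log: the primary answers 5 probes, is cut for 12 probe
# rounds, then answers again; the secondary answers throughout.
SAMPLE = {
    "VBR1": [True] * 5 + [False] * 12 + [True] * 3,
    "VBR2": [True] * 20,
}

if __name__ == "__main__":
    tl = select_paths(SAMPLE)
    print(tl)
    print("traffic left the primary after", failover_delay(SAMPLE, tl), "s")
```

With the defaults, traffic keeps flowing toward a dead primary for roughly 16 seconds before the secondary route is used, and a loss of fewer than eight consecutive probes causes no switch at all.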

Step 6: Configure health checks in the data center

You must configure routes and health checks in the data center so that the gateway device in the data center can route traffic to Alibaba Cloud when one of the Express Connect circuits is down.

  1. Configure routes in the data center.

    The following example is only for reference. Route configurations may vary based on the vendor of the gateway device.

    ip route 192.168.0.0 255.255.0.0 10.0.0.1 preference 10
    ip route 192.168.0.0 255.255.0.0 10.0.0.5 preference 20
  2. Configure health checks.
    You can configure Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) on the gateway device in the data center to monitor the reachability of routes destined for the VBRs. For more information about the configuration commands, consult the vendor of your gateway device. BFD can detect a link failure within milliseconds. Therefore, we recommend that you configure BFD on your gateway device.
  3. Configure the gateway device to route network traffic based on the health check results.
    Configurations may vary based on the vendor of the gateway device. For more information, consult the vendor of your gateway device.

Step 7: Verify network connectivity

You must verify the connectivity of both Express Connect circuits to ensure that when one of the Express Connect circuits is down, the other one can serve your workloads.

  1. Open the command prompt on a computer in the data center.
  2. Run the ping command to verify the connectivity between the data center and an ECS instance in the VPC whose CIDR block is 192.168.0.0/16.
    If echo reply messages are returned, it indicates that the connection is reachable.
  3. Disconnect the primary Express Connect circuit and run the ping command to verify the connectivity between the data center and an ECS instance in the VPC whose CIDR block is 192.168.0.0/16.
    If echo reply messages are returned, it indicates that the secondary Express Connect circuit can serve your workloads when the primary Express Connect circuit is down.
