This topic describes how to establish active/standby connections between a data center and Alibaba Cloud by using two Express Connect circuits. Under normal circumstances, only the active connection transmits data between the data center and Alibaba Cloud. Alibaba Cloud checks the connectivity of the active connection at the specified probe interval. If the active connection is not working as expected, the standby connection takes over. This ensures the availability of your services.

Scenarios

The following scenario shows how to establish active/standby connections between a data center and Alibaba Cloud by using two Express Connect circuits.

An enterprise has a data center in Shanghai and a virtual private cloud (VPC) in the China (Shanghai) region. The private CIDR block of the data center is 172.16.0.0/12, and the CIDR block of the VPC is 192.168.0.0/16. To prevent single points of failure (SPOFs), the enterprise plans to apply for two Express Connect circuits from two Internet service providers (ISPs). One of the Express Connect circuits is used for the active connection between the data center and Alibaba Cloud, and the other Express Connect circuit is used for the standby connection.

Architecture of active/standby connections

The following table describes the configurations of the two virtual border routers (VBRs) that are connected to the two Express Connect circuits.

Parameter                                      VBR1 (VBR connected to the first Express Connect circuit)   VBR2 (VBR connected to the second Express Connect circuit)
VLAN ID                                        0                                                           0
IPv4 Address of Gateway at Alibaba Cloud Side  10.0.0.1                                                    10.0.0.5
IPv4 Address of Gateway at Customer Side       10.0.0.2                                                    10.0.0.6
Subnet Mask (IPv4 Address)                     255.255.255.252                                             255.255.255.252

Procedure

Procedure for establishing active/standby connections

Step 1: Establish two connections over Express Connect circuits

You can establish two dedicated connections or two hosted connections over Express Connect circuits.

  • Dedicated connections: You must establish the connections by yourself. For more information, see Create a dedicated connection over an Express Connect circuit.

    If you select this method, you must configure the second Express Connect circuit based on its access point.

    • If the first Express Connect circuit and the second Express Connect circuit have the same access point, select the ID of the first Express Connect circuit as the Redundant Connection ID when you establish a connection over the second Express Connect circuit. This ensures that the two Express Connect circuits access different devices. Make sure that you have paid the initial installation fees for the first Express Connect circuit.
    • If the two Express Connect circuits have different access points, you do not need to configure Redundant Connection ID when you establish a connection over the second Express Connect circuit. The connection over the first Express Connect circuit becomes the redundant connection by default.
  • Hosted connections: You can establish the connections through Express Connect partners. For more information, see Create a hosted connection over an Express Connect circuit.

Step 2: Create two VBRs and add routes to the VBRs

You must create a VBR for each of the two Express Connect circuits and add a route to each VBR. The route must point to the data center.

  1. Log on to the Express Connect console.
  2. Create a VBR for the first Express Connect circuit.
    1. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
    2. On the Virtual Border Routers (VBRs) page, click Create VBR.
    3. In the Create VBR panel, configure the following parameters and click OK.
      • Account: Select the type of the account that is used to create the VBR. In this example, Current Account is selected.
      • Name: Specify a name for the VBR. In this example, VBR1 is entered.
      • Physical Connection Interface: Select the Express Connect circuit that you want to associate with the VBR. The Express Connect circuit must be enabled and work as expected. In this example, the first Express Connect circuit is selected.
      • VLAN ID: Enter the VLAN ID of the VBR. In this example, 0 is entered.
      • IPv4 Address of Gateway at Alibaba Cloud Side: Enter the IPv4 address of the gateway that routes traffic from the VPC to the data center. In this example, 10.0.0.1 is entered.
      • IPv4 Address of Gateway at Customer Side: Enter the IPv4 address of the gateway that routes traffic from the data center to the VPC. In this example, 10.0.0.2 is entered.
      • Subnet Mask (IPv4 Address): Enter the IPv4 subnet mask on the Alibaba Cloud side and on the customer side. In this example, 255.255.255.252 is entered.
  3. Add a route to VBR1. The route must point to the data center.
    1. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
    2. On the Virtual Border Routers (VBRs) page, click the ID of VBR1.
    3. On the details page of VBR1, click the Routes tab and click Add Route.
    4. On the Add Route page, configure the following parameters and click OK.
      • Next Hop Type: In this example, Physical Connection Interface is selected.
      • Destination Subnet: Enter the CIDR block of the data center. In this example, 172.16.0.0/12 is entered.
      • Next Hop: Select the Express Connect circuit that you want to connect to the data center. In this example, the first Express Connect circuit is selected.
  4. Repeat the preceding steps to create VBR2 for the second Express Connect circuit and add a route to VBR2. The route must point to the data center.

Step 3: Attach the VBRs and the VPC to a CEN instance

To enable communication between the VBRs and the VPC, you must attach the VBRs and the VPC to a Cloud Enterprise Network (CEN) instance.

  1. Log on to the CEN console.
  2. On the Instances page, click the ID of the CEN instance that you want to manage.
    If you do not have a CEN instance, create one. For more information, see Create a CEN instance.
  3. Click the Networks tab and click Attach Network.
  4. In the Attach Network panel, click the Your Account tab to attach VBR1, and then click OK.
    • Network Type: Select Virtual Border Router (VBR).
    • Region: Select the region where VBR1 is deployed.
    • Networks: Select the ID of VBR1.
  5. Repeat the preceding steps to attach VBR2 and the VPC to the CEN instance.
    Notice If you have created route entries that point to Elastic Compute Service (ECS) instances, virtual private network (VPN) gateways, or high-availability virtual IP addresses (HAVIPs), advertise these routes to the CEN instance in the VPC console. For more information, see Publish a route to CEN.

Step 4: Configure health checks on Alibaba Cloud

Alibaba Cloud sends a ping packet every 2 seconds over the Express Connect circuits from the source IP address to the destination IP address in the data center. If no responses are returned for eight consecutive ping packets over one of the Express Connect circuits, the other Express Connect circuit takes over.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. Select the region where VBR1 is deployed and click Set Health Check.
    In this example, China (Shanghai) is selected.
  4. On the Set Health Check page, configure the following parameters and click OK.
    Parameter                  Description
    CEN Instances              Select the CEN instance to which the VBR is attached.
    VBR                        Select the VBR for which you want to monitor network connections.
    Source IP                  Valid values:
                               • Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block.
                               • Custom IP Address: You can specify an idle IP address from the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The source IP address must not conflict with the IP address of the VBR interface that is connected to Alibaba Cloud or the customer-premises device. In addition, the source IP address must not conflict with the IP addresses with which the VBR communicates in the CEN.
    Destination IP             The IP address of the VBR interface that is connected to the customer-premises device.
    Probe Interval (Seconds)   The interval at which probe packets are sent for health checks. Unit: seconds. Default value: 2. Valid values: 2 to 3.
    Probe Packets              The number of probe packets to be sent for health checks. Unit: packets. Default value: 8. Valid values: 3 to 8.

  5. Repeat the preceding steps to configure health checks for VBR2.
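The following script is an added example, not Alibaba Cloud code, that turns the constraints of Step 2 and Step 4 into pre-flight checks you can run before clicking through the console: it verifies that each VBR's two gateway addresses are usable host addresses on one point-to-point subnet and that the two VBR subnets do not overlap, applies the Custom IP Address rules for the health-check source IP, and computes how long a circuit can stay silent before the default probe settings declare it down. The VBR values and the CEN peer CIDRs are constructed from the tables in this topic; the `VBR1`/`VBR2` keys are placeholders for the real VBR IDs.

```python
# Pre-flight checks for the VBR addressing in Step 2 and the health-check
# settings in Step 4. Added example, not Alibaba Cloud code; the constructed
# input mirrors the values used in this topic.
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the VBR table in this topic ("VBR1"/"VBR2" are placeholders).
VBRS: Dict[str, Dict[str, str]] = {
    "VBR1": {"cloud_gw": "10.0.0.1", "customer_gw": "10.0.0.2", "mask": "255.255.255.252"},
    "VBR2": {"cloud_gw": "10.0.0.5", "customer_gw": "10.0.0.6", "mask": "255.255.255.252"},
}

# CIDR blocks this topic lists as the ones the VBR communicates with in the CEN.
CEN_PEER_CIDRS: List[str] = ["192.168.0.0/16", "172.16.0.0/12"]

# Ranges a custom health-check source IP may be taken from (Step 4).
CUSTOM_SOURCE_RANGES = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def vbr_link(vbr: Dict[str, str]) -> ipaddress.IPv4Network:
    """Return the point-to-point subnet of one VBR, after checking that both
    gateway addresses are distinct, usable host addresses on that subnet."""
    cloud = ipaddress.ip_interface(f"{vbr['cloud_gw']}/{vbr['mask']}")
    customer = ipaddress.ip_interface(f"{vbr['customer_gw']}/{vbr['mask']}")
    net = cloud.network
    if customer.network != net:
        raise ValueError(f"{customer.ip} is not on {net}")
    if cloud.ip == customer.ip:
        raise ValueError("Alibaba Cloud side and customer side share one address")
    for addr in (cloud.ip, customer.ip):
        if addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{addr} is the network or broadcast address of {net}")
    return net


def check_vbrs(vbrs: Dict[str, Dict[str, str]]) -> Dict[str, ipaddress.IPv4Network]:
    """Validate every VBR and reject overlapping point-to-point subnets."""
    nets = {name: vbr_link(v) for name, v in vbrs.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} and {b} use overlapping subnets")
    return nets


def check_source_ip(source_ip: str, vbrs: Dict[str, Dict[str, str]],
                    cen_peer_cidrs: List[str]) -> Tuple[bool, str]:
    """Apply the Custom IP Address rules from Step 4: the address must come from
    one of the permitted private ranges, must not be a VBR interface address on
    either side, and must not fall inside a CIDR the VBR reaches through CEN."""
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in r for r in CUSTOM_SOURCE_RANGES):
        return False, "not inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16"
    for name, v in vbrs.items():
        if ip in (ipaddress.ip_address(v["cloud_gw"]), ipaddress.ip_address(v["customer_gw"])):
            return False, f"conflicts with an interface address of {name}"
    for cidr in cen_peer_cidrs:
        if ip in ipaddress.ip_network(cidr):
            return False, f"falls inside {cidr}, which the VBR reaches through CEN"
    return True, "ok"


def detection_time(interval_s: int = 2, packets: int = 8) -> int:
    """Seconds before a circuit is declared down: the configured number of
    consecutive unanswered probes multiplied by the probe interval (derived
    from the description of the health check in Step 4). Rejects values
    outside the ranges the console accepts."""
    if not 2 <= interval_s <= 3:
        raise ValueError("Probe Interval must be 2 to 3 seconds")
    if not 3 <= packets <= 8:
        raise ValueError("Probe Packets must be 3 to 8")
    return interval_s * packets


if __name__ == "__main__":
    for name, net in check_vbrs(VBRS).items():
        print(f"{name}: {net}")
    for candidate in ("10.0.1.1", "10.0.0.2", "192.168.10.10", "8.8.8.8"):
        print(candidate, *check_source_ip(candidate, VBRS, CEN_PEER_CIDRS))
    print("failover after", detection_time(), "s with the default settings")
```

With the topic's values, `detection_time()` returns 16, so plan for roughly that long a black-hole window on the active circuit before Alibaba Cloud shifts traffic to the standby; shortening it is only possible within the 2 to 3 second and 3 to 8 packet ranges the console accepts.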

Step 5: Specify the active connection and the standby connection

To specify the active connection and the standby connection, you must configure route maps for the CEN instance. In this example, the Express Connect circuit connected to VBR1 is specified as the active connection, and the Express Connect circuit connected to VBR2 is specified as the standby connection.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Instances.
  3. On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
  4. On the CEN page, click the Route Maps tab and click Add Route Map.
  5. In the Add Route Map panel, configure the following parameters and click OK.
    Parameter            Description
    Route Map Priority   Set a priority for the route map. A lower value indicates a higher priority.
                         After you specify a priority value for a route map, you cannot set the same priority value for another route map that applies in the same region and direction. The system first evaluates whether routes meet the match conditions of the route map with the highest priority. Therefore, set proper priorities for route maps to meet your business requirements.
                         In this example, 20 is entered.
    Description          Enter a description for the route map.
    Region               Select the region where the route map applies. In this example, China (Shanghai) is selected.
    Transmit Direction   Select the direction in which the route map applies.
                         • Import to Regional Gateway: Routes are imported to a regional gateway. For example, routes are imported to a regional gateway from a network instance in the same region, or from a network instance that is created in a different region.
                         • Export from Regional Gateway: Routes are exported from a regional gateway. For example, routes are exported from a regional gateway to a network instance in the same region, or to a regional gateway in another region.
                         In this example, Import to Regional Gateway is selected.
    Match Conditions     Select a match condition for the route map. In this example, Source Instance IDs is selected and the ID of VBR1 is configured. This way, all routes that originate from VBR1 are matched.
                         Note Click + Add Match Condition to add multiple match conditions at the same time.
    Action Policy        Select Permit for Action Policy, and configure Preference and Associated Priority.
                         • Configure Preference: Click Add Policy Entry, select Preference, and then configure a priority for permitted routes. A lower value indicates a higher priority. In this example, Preference is set to 10.
                         • Configure Associated Priority: Configure a priority for the associated next route map.
                           • If Associated Priority is not set, no next route map is associated with the current one.
                           • If the value is set to 1, the current route map is associated with the next route map.
                           • If the value is set to a number other than 1, the value must be greater than the priority value that you set for the current route map. This means that the priority of the associated route map must be lower than that of the current one.
                           In this example, Associated Priority is set to 20.

  6. Repeat the preceding steps to specify the Express Connect circuit that is connected to VBR2 as the standby connection.
    • Route Map Priority: A lower value indicates a higher priority. The priority value of the route map for VBR2 must be greater than that of the route map for VBR1. In this example, 30 is entered.
    • Match Conditions: In this example, Source Instance IDs is selected and the ID of VBR2 is configured. This way, all routes that originate from VBR2 are matched.
    • Action Policy: Select Permit for Action Policy, and configure Preference.
      • A lower value indicates a higher priority. The Preference value of VBR2 must be greater than that of VBR1. In this example, Preference is set to 20.
      • In this example, Associated Priority is not configured for VBR2.
    After you add the route maps, on the Routes tab, you can view two routes that forward network traffic to the data center, whose CIDR block is 172.16.0.0/12. One of the routes is a standby route.
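The simulation below is an added example, not Alibaba Cloud code, that models the two route maps from Step 5 using only the rules this topic states: route maps are evaluated in ascending priority order, the first matching map decides, a Permit match assigns the configured Preference, and among routes to the same destination the lowest Preference wins. It shows why VBR1 carries traffic while both circuits are healthy and why the VBR2 route takes over once the VBR1 route is withdrawn by the health check. Associated Priority is not modelled, routes no map matches are left out of the ranking, and `VBR1`/`VBR2` are placeholders for the real VBR instance IDs.

```python
# Simulation of how the route maps from Step 5 pick the active circuit.
# Added example, not Alibaba Cloud code; see the lead-in for the rules it
# reduces route map evaluation to and for what it leaves out.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    destination: str                   # CIDR block advertised toward the VPC
    source_instance: str               # ID of the VBR that advertised it
    preference: Optional[int] = None   # assigned by the route map that permits it


@dataclass(frozen=True)
class RouteMap:
    priority: int                      # Route Map Priority; lower value is evaluated first
    match_source: str                  # Source Instance IDs match condition
    action: str                        # "Permit" or "Deny"
    preference: Optional[int] = None   # Preference set on permitted routes


# "VBR1" and "VBR2" stand in for the real VBR instance IDs (placeholders).
DATA_CENTER_CIDR = "172.16.0.0/12"
ROUTE_MAPS: List[RouteMap] = [
    RouteMap(priority=20, match_source="VBR1", action="Permit", preference=10),
    RouteMap(priority=30, match_source="VBR2", action="Permit", preference=20),
]


def apply_route_maps(route: Route, route_maps: List[RouteMap]) -> Optional[Route]:
    """Evaluate route maps from the highest priority (lowest value) down; the
    first map whose condition matches decides. Returns the permitted route with
    its Preference set, or None when the route is denied or matches nothing."""
    for rm in sorted(route_maps, key=lambda m: m.priority):
        if rm.match_source != route.source_instance:
            continue
        if rm.action != "Permit":
            return None
        return Route(route.destination, route.source_instance, rm.preference)
    return None


def ranked_paths(routes: List[Route],
                 route_maps: List[RouteMap]) -> List[Tuple[str, Optional[int]]]:
    """Permitted (source VBR, Preference) pairs, best first. The first entry is
    the active path; the rest are the standby routes the console lists on the
    Routes tab. A permitted route without a Preference sorts last."""
    permitted = [r for r in (apply_route_maps(r, route_maps) for r in routes) if r]
    return sorted(((r.source_instance, r.preference) for r in permitted),
                  key=lambda p: p[1] if p[1] is not None else float("inf"))


def active_path(healthy_vbrs: Set[str],
                route_maps: List[RouteMap] = ROUTE_MAPS) -> Optional[str]:
    """Which VBR carries traffic to the data center, given the VBRs whose health
    check (Step 4) still passes and therefore still advertise the route."""
    advertised = [Route(DATA_CENTER_CIDR, vbr) for vbr in sorted(healthy_vbrs)]
    ranking = ranked_paths(advertised, route_maps)
    return ranking[0][0] if ranking else None


if __name__ == "__main__":
    both = [Route(DATA_CENTER_CIDR, "VBR1"), Route(DATA_CENTER_CIDR, "VBR2")]
    print("both circuits healthy:", ranked_paths(both, ROUTE_MAPS))
    print("active:", active_path({"VBR1", "VBR2"}))
    print("VBR1 circuit failed, active:", active_path({"VBR2"}))
```

Note that the ordering is decided by Preference (10 beats 20), not by Route Map Priority; the priority values 20 and 30 only determine which map is consulted first, which matters when two maps could match the same route.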

Step 6: Configure routes, health checks, and interaction rules for the data center

To establish the connections, you must configure routes and health checks for the data center. You must also configure interaction rules between the routes and health checks.

  1. Configure routes for the data center.

    The following example is only for reference. Route configurations may vary based on the vendor of the gateway device.

    ip route 192.168.0.0 255.255.0.0 10.0.0.1 preference 10
    ip route 192.168.0.0 255.255.0.0 10.0.0.5 preference 20
  2. Configure health checks.
    You can use Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) to check the routes from the data center to the VBRs. Consult the vendor of your gateway device for specific configuration commands. We recommend that you use the BFD method. This method allows the system to complete health checks within several milliseconds.
  3. Configure interaction rules between the routes and health checks.
    Configurations may vary based on the vendor of the gateway device. Consult the vendor for more information and configure interaction rules based on your business requirements.

Step 7: Test the connectivity

After you establish the connections, you must test the connectivity and check whether the standby connection can take over if the active connection does not work as expected.

  1. Open a Command Prompt window on a computer in the data center.
  2. On the command line, run the ping command to check the connectivity between the data center and an ECS instance in the VPC. The CIDR block of the VPC is 192.168.0.0/16.
    If the ECS instance can be pinged, the active connection is established.
  3. Close the active connection and run the ping command to check the connectivity between the data center and an ECS instance in the VPC. The CIDR block of the VPC is 192.168.0.0/16.
    If the ECS instance can be pinged, the standby connection takes over after the active connection is closed.
