This topic describes how to connect an on-premises data center to Alibaba Cloud by using an active physical connection and a standby physical connection. This solution enables a failover if one of the physical connections fails to ensure high availability.
This topic takes the following scenario as an example to describe how to connect an on-premises data center to Alibaba Cloud by using redundant physical connections.
A company has built an on-premises data center in Shanghai and created a Virtual Private Cloud (VPC) network in the Alibaba Cloud China (Shanghai) region. The internal CIDR block assigned to the on-premises data center is 172.16.0.0/12 and the internal CIDR block assigned to the VPC is 192.168.0.0/16. To eliminate possible single points of failure (SPOFs), the company plans to apply for two leased lines from two different service providers and create two physical connections to connect the on-premises data center to Alibaba Cloud through two access points in different regions.
The following figure shows the detailed process.
Step 1: Create two physical connections
You can create two physical connections by using exclusive ports in the Express Connect console or by sharing physical connections with Alibaba Cloud partners. For more information, see Create a dedicated physical connection or Establish a shared physical connection.
- If both physical connection interfaces share the same access point, create redundant physical connections by using the ID of the first physical connection. Make sure that you have paid the initial installation fee for the first physical connection.
- If the physical connection interfaces use different access points, the physical connections are redundant. You do not need to specify another physical connection interface.
In this example, set the following parameters for the virtual border router (VBRs) associated with both physical connections:
|Parameter||VBR1: the VBR associated with the first physical connection||VBR2: the VBR associated with the second physical connection|
|Gateway IP Address on Alibaba Cloud Side||10.0.0.1||10.0.0.5|
|Gateway IP Address on Customer Side||10.0.0.2||10.0.0.6|
Step 2: Configure VBR routes
After you create the VBRs, you must add a route entry that maps the on-premises data center to each of the VBRs. To add a route entry, follow these steps:
- Log on to the Express Connect console.
- In the left-side navigation pane, choose . On the Virtual Border Routers (VBRs) page that appears, find the VBR that you want to manage and click the VBR ID.
- On the VBR details page that appears, click the Routes tab, and click Add Route.
- On the Add Route dialog box that appears, set the following parameters:
- Destination Subnet: Enter the CIDR block of the on-premises data center. In this example, enter 172.16.0.0/12.
- Next Hop Type: Select Physical Connection Interface.
- Next Hop: Select the physical connection interface that you want to associate with the specified on-premises data center.
- Click OK.
- Repeat the preceding steps to configure a redundant route entry that maps the on-premises data center to VBR2.
Step 3: Add the VBRs and VPC to a CEN instance
After you establish the physical connections and create the VBRs, you must add the VBRs and the VPC to a Cloud Enterprise Network (CEN) instance.
- Log on to the CEN console.
- On the Instances page, find the CEN instance you want to manage and click the instance ID.
If you do not have a CEN instance, you must create one first. For more information, see Create a CEN instance.
- On the Networks tab, click Attach Network and add the VBRs and VPC to the CEN instance.
For more information, see Attach networks.
- If you have created route entries that map destination CIDR blocks to Elastic Compute
Service (ECS) instances, virtual private network (VPN) gateways, or high-availability
virtual IP addresses (HAVIPs), you must publish the required routes to the CEN instance.
Step 4: Configure health checks
You must configure health checks for redundant physical connections. Alibaba Cloud sends a ping packet every two seconds from the health check IP address to the on-premises data center. If no responses are returned for eight consecutive ping packets, the system switches network traffic to the other physical connection.
- Log on to the CEN console.
- In the left-side navigation pane, click Health Check.
- Select the region of the CEN instance that you want to manage. In this example, select China (Shanghai) and click Set Health Check.
- On the Set Health Check dialog box that appears, configure health checks.
- Instances: Select the CEN instance to which the VBRs are added.
- Virtual Border Router (VBR): Select the VBR that you want to monitor.
- Source IP: Enter an idle IP address of the VSwitch in the VPC.
- Destination IP: Enter the IP address of the network device that is installed at the on-premises data center.
- Repeat the preceding steps to configure health checks for VBR2.
Step 5: Specify the physical connection that is associated with VBR2 as the active physical connection.
To specify the physical connection associated with VBR1 as the active physical connection, follow these steps:
- Log on to the CEN console.
- In the left-side navigation pane, click Instances.
- On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
- On the CEN page, click the Route Maps tab and click Add Route Map.
- On the Add Route Map dialog box that appears, set the following parameters and click OK.
- Priority: Enter the priority of the route map. A smaller number represents a higher priority. In this example, enter 20.
- Region: Select the region to which the route map is applicable. In this example, select China (Shanghai).
- Transmit Direction: Select the direction of the route map. In this example, select Import to Regional Gateway.
- Match Condition: Set the matching conditions of the route map. In this example, set Source Instance ID to the instance ID of VBR1.
- Set Action: Select the action of the route map. In this example, select Permit. Then, set the priority of the permitted route. In this example, set the priority
Note By default, the priority of the permitted route is 50. You can set the priority of a route to a value from 1 to 100. A smaller value represents a higher priority.
- Repeat the preceding steps to specify the physical connection that is associated with
VBR2 as the standby physical connection.
You must follow these rules:
After you add the route maps, on the Routes pages, you can see that one of the two routes that forwards network traffic to 172.16.0.0/12 is a standby route.
- A smaller value indicates a higher priority. Therefore, to specify the physical connection that is associated with VBR2 as the standby physical connection, the priority value of VBR2 must be greater than that of VBR1, for example, 30.
- For the matching condition, set the Source Instance ID to the instance ID of VBR2.
- Set the action to Permit and set a priority value for the permitted route. A smaller value indicates a higher priority. Therefore, you must set a greater value for the route of VBR2, for example, 20.
Step 6: Configure routes and health checks for the on-premises data center
To connect the on-premises data center to Alibaba Cloud, you must set the following parameters for the on-premises data center:
- Configure routes. You can configure static routes or Border Gateway Protocol (BGP)
dynamic routes to forward data between the on-premises data center and the VBRs:
- Static routing
The following example is for reference only. Device configurations may vary, depending on the manufacturer.
ip route 192.168.0.0/16 10.0.0.1 preference 10 ip route 192.168.0.0/16 10.0.0.5 preference 20
- Dynamic routing
You can use BGP dynamic routes to forward data between the on-premises data center and the VBRs. For more information, see Configure BGP.Note You must specify the CIDR block of the VPC that you want to connect to the on-premises data center. In this example, enter 192.168.0.0/16.
- Static routing
- Configure health checks. You can use Bidirectional Forwarding Detection (BFD) or Network
Quality Analyzer (NQA) to check the routes from the on-premises data center to the
Consult the device manufacturer for specific configuration commands. We recommend that you use the BFD method. This allows the system to complete health checks within several milliseconds.
- Check whether the configured routes and health checks work as expected.
Step 7: Test the connectivity
To test the connectivity of the redundant connections, follow these steps:
- Open the command prompt on a computer in the on-premises data center.
- On the command line, run the ping command to verify connectivity to an ECS instance that is assigned with the 192.168.0.0/16 CIDR block of the connected VPC. If the ECS instance and the on-premises computer can communicate by using ping messages, the physical connections pass the connectivity test.
- Disconnect the active physical connection and send ping messages to an ECS instance in the VPC that is assigned the CIDR block of 192.168.0.0/16. If the ECS instance and on-premises computer can reach each other by using ping messages, the system has performed a failover between the physical connections.