Enable intra-region communication between cloud and on-premises networks by using CEN and an Enterprise Edition transit router - Cloud Enterprise Network

After you connect an on-premises Internet Data Center (IDC) to Alibaba Cloud using an Express Connect circuit and a virtual border router (VBR), you can connect the VBR and VPC instances to a transit router. This enables network communication between the on-premises IDC and Virtual Private Cloud (VPC) instances in the same region, and between different VPC instances in the same region.

Example

A company has an on-premises IDC in Hangzhou that is connected to Alibaba Cloud using an Express Connect circuit and a VBR. The company also created VPC1 and VPC2 in the China (Hangzhou) region. The two VPCs use Elastic Compute Service (ECS) instances to host applications. The on-premises IDC, VPC1, and VPC2 cannot communicate with each other. Because of business growth, the company needs to enable communication and resource access among the on-premises IDC, VPC1, and VPC2.

The company can use Cloud Enterprise Network (CEN) to connect the two VPCs and the VBR to a transit router in the China (Hangzhou) region. This quickly enables resource access between the on-premises IDC and the VPCs, and between the two VPCs.

企业版-同地域互通架构图

Prerequisites

You have connected your on-premises IDC to Alibaba Cloud using an Express Connect circuit and a VBR. For more information, see and Access ECS instances from an on-premises IDC using an Express Connect circuit.

You have created two VPCs in the China (Hangzhou) region. ECS instances are deployed in both VPCs to host applications. For more information, see Create a VPC with an IPv4 CIDR block.

Sufficient vSwitches are deployed in each VPC in the zones of the Enterprise Edition transit router. Each vSwitch has at least one idle IP address.

If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.
If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.

For more information, see How a VPC connection works.

Click to view the regions and zones that support Enterprise Edition transit routers

Table 1: Regions and zones that support Enterprise Edition transit routers

Area	Region	Zone
Chinese Mainland	China (Hangzhou)	Zone B, Zone H, Zone I, Zone J, and Zone K
	China (Shanghai)	Zone F, Zone G, Zone E, Zone B, Zone N, Zone M, and Zone L
	China (Nanjing - Local Region) Closing Down	Zone A
	China (Fuzhou - Local Region) Closing Down	Zone A
	China (Shenzhen)	Zone D, Zone E, Zone F, Zone A (unavailable to new users), and Zone C
	China (Heyuan)	Zone A and Zone B
	China (Guangzhou)	Zone A and Zone B
	China (Qingdao)	Zone B and Zone C
	China (Beijing)	Zone C, Zone F, Zone H, Zone G, Zone J, Zone K, Zone I, and Zone L
	China (Zhangjiakou)	Zone A, Zone B, and Zone C
	China (Hohhot)	Zone A and Zone B
	China (Ulanqab)	Zone A, Zone B, and Zone C
	China (Chengdu)	Zone A and Zone B
Asia Pacific	Singapore	Zone A, Zone B, and Zone C
	China (Hong Kong)	Zone B, Zone C, and Zone D
	Malaysia (Kuala Lumpur)	Zone A, Zone B and Zone C
	Indonesia (Jakarta)	Zone A, Zone B, and Zone C
	Philippines (Manila)	Zone A
	Japan (Tokyo)	Zone A, Zone B, and Zone C
	South Korea (Seoul)	Zone A, Zone B
	Thailand (Bangkok)	Zone A, Zone B
Europe	Germany (Frankfurt)	Zone A, Zone B, and Zone C
Europe	UK (London)	Zone A and Zone B
North America	US (Virginia)	Zone A and Zone B
	US (Silicon Valley)	Zone A and Zone B
	Mexico	Zone A
Middle East	SAU (Riyadh - Partner Region)	Zone A and Zone B

The following table describes the network planning for the two VPCs, one VBR, and the on-premises IDC in this example. When you plan your network, make sure that the CIDR blocks of the networks that you want to connect do not overlap.

Property	VPC1	VPC2	VBR	On-premises IDC
Region of the network instance	China (Hangzhou)	China (Hangzhou)	China (Hangzhou)	Hangzhou
CIDR block planning for the network instance	VPC CIDR block: 192.168.0.0/16 vSwitch 1 CIDR block: 192.168.20.0/24 vSwitch 2 CIDR block: 192.168.21.0/24	VPC CIDR block: 10.0.0.0/16 vSwitch 1 CIDR block: 10.0.0.0/24 vSwitch 2 CIDR block: 10.0.1.0/24	VLAN ID: 0 Peer IPv4 address on the Alibaba Cloud side: 172.16.1.2. The subnet mask is 255.255.255.252. Peer IPv4 address on the customer side: 172.16.1.1. The subnet mask is 255.255.255.252.	On-premises network CIDR block: 172.16.0.0/16
Zone of the vSwitch	vSwitch 1 is in Hangzhou Zone H. vSwitch 2 is in Hangzhou Zone I.	vSwitch 1 is in Hangzhou Zone H. vSwitch 2 is in Hangzhou Zone I.	Not applicable	Not applicable
Server IP address	ECS1 IP address: 192.168.20.161	ECS2 IP address: 10.0.0.33	Not applicable	On-premises server IP address: 172.16.0.89

You are familiar with the security group rules for the ECS instances in the two VPCs and the access control rules for the on-premises IDC server. Make sure that the security group rules of the ECS instances and the access control rules of the on-premises IDC server allow resource access between the VPCs, and between the VPCs and the on-premises IDC. For more information, see Query security group rules and Add a security group rule.

Configuration flow

快速入门-企业版-云上云下互通-配置流程

Step 1: Create a CEN instance

A CEN instance is the basic resource for creating and managing an integrated network. Before you can enable network communication, you must create a CEN instance.

Log on to the CEN console.
On the Instances page, click Create CEN Instance.
In the Create CEN Instance dialog box, configure the following parameters and click OK.
- Name: Enter a name for the CEN instance.
- Description: Enter a description for the CEN instance.
- Resource Group: Select a resource group for the CEN instance.
  In this example, no resource group is selected. After the CEN instance is created, it is added to the default resource group.
- Tag: Add tags to the CEN instance. In this example, no tag is added to the CEN instance.

Step 2: Create a transit router instance

Before you connect network instances, you must create a transit router in the region where the network instances are deployed.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you created in Step 1.
On the Basic Settings > Transit Router tab, click Create Transit Router.

In the Create Transit Router dialog box, configure the following parameters for the transit router, and click OK.

Parameter	Description	Configuration
Region	Select the region where the transit router is deployed.	In this example, China (Hangzhou) is selected.
Edition	The edition of the transit router.	The system automatically selects and displays the transit router edition for the current region.
Enable Multicast	Specify whether to enable the multicast feature for the transit router.	In this example, the default setting is used, and the multicast feature is disabled.
Name	Enter a name for the transit router.	Enter a custom name for the transit router.
Description	Enter a description for the transit router.	Enter a custom description for the transit router.
Tag	Enter a tag for the transit router.	In this example, this parameter is left empty.
Transit Router CIDR	Enter a CIDR block for the transit router. For more information, see Transit router CIDR blocks.	In this example, you do not need to configure a CIDR block for the transit router.

Step 3: Connect the VPC instances

Connect VPC1 and VPC2 to the transit router in the China (Hangzhou) region.

On the Instances page, click the ID of the CEN instance that you created in Step 1.
Go to the Basic Information > Transit Router tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, configure the following parameters and click OK.

The following table describes the parameters and their values for VPC1 and VPC2. Connect VPC1 and VPC2 to the transit router based on the information in the table.

Note

When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN. This role allows transit routers to create elastic network interfaces (ENIs) on vSwitches in VPCs. For more information, see AliyunServiceRoleForCEN.

Parameter	Description	VPC1	VPC2
Network Type	Select the type of the network instance that you want to connect.	VPC	VPC
Region	Select the region where the network instance is deployed.	China (Hangzhou)	China (Hangzhou)
Transit Router	The system automatically displays the ID of the transit router that is created in the region.
Resource Owner ID	Select the type of account to which the network instance belongs.	Your Account	Your Account
Billing Method	Default value: Pay-As-You-Go. For more information, see Billing.
Attachment Name	Enter a name for the network instance connection.	`VPC1-test`	`VPC2-test`
Tag	Add a tag to the network instance connection.	In this example, this parameter is left empty.	In this example, this parameter is left empty.
Networks	Select the network instance that you want to connect.	Select VPC1.	Select VPC2.
VSwitch	Select a vSwitch in a zone that the transit router supports. If you have vSwitches in multiple zones that the transit router supports, you can select multiple zones and a vSwitch in each zone to implement zone-disaster recovery.	Hangzhou Zone H: Select vSwitch 1. Hangzhou Zone I: Select vSwitch 2.	Hangzhou Zone H: Select vSwitch 1. Hangzhou Zone I: Select vSwitch 2.
Advanced Settings	The system selects the following three advanced features by default. You can clear one or more of the features as needed. For VPC1 and VPC2, use the default configurations. All advanced features are selected. Associate with Default Route Table of Transit Router After you enable this feature, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards traffic from the VPC instance based on the default route table. Propagate System Routes to Default Route Table of Transit Router After you enable this feature, the VPC instance propagates its system routes to the default route table of the transit router. This is used for network communication. Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC After you enable this feature, the system automatically adds three route entries to all route tables of the VPC instance: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hop of these routes points to the VPC connection. This is used to direct traffic from the VPC instance to the transit router. By default, the transit router does not propagate routes to the VPC instance. Important If the VPC instance requires IPv6 communication, after creating the VPC connection, you must enable the route synchronization feature for the VPC connection or manually add IPv6 route entries pointing to the VPC connection in the VPC. Only then can the IPv6 traffic enter the transit router.

Click Return to List to return to the details page of the CEN instance.

Step 4: Connect the VBR instance

On the Instances page, click the ID of the CEN instance that you created in Step 1.
Go to the Basic Information > Transit Router tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.
On the Connection With Peer Network Instance page, configure the following parameters and click OK:
- Network Type: Select Virtual Border Router (VBR).
- Region: Select the region where the network instance is deployed. In this example, China (Hangzhou) is selected.
- Transit Router: The ID of the transit router in the current region is automatically displayed.
- Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs. In this example, the default value Your Account is selected.
- Attachment Name: Enter a name for the attachment. In this example, enter VBR.
- Tag: Add tags to the network instance connection. In this example, no tag is added to the network instance connection.
- Networks: Select the ID of the network instance that you want to connect to the transit router. In this example, the ID of the VBR is selected.
- Advanced Settings: By default, the following advanced features are selected. In this example, the default settings are used.
  - Associate with Default Route Table of Transit Router
    After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.
  - Propagate System Routes to Default Route Table of Transit Router
    After this feature is enabled, the system routes of the VBR are advertised to the default route table of the transit router. This way, the VBR can communicate with other network instances that are connected to the transit router.
  - Propagate Routes to VBR
    After this feature is enabled, the system automatically advertises the routes in the transit router route table that is associated with the VBR connection to the VBR.
Click Return to List to return to the details page of the CEN instance.

Step 5: Test the connectivity

After you complete the preceding steps, VPC1, VPC2, and the on-premises IDC can communicate with each other. You can perform the following operations to test the connectivity among the VPCs and the on-premises IDC.

Note

Before you begin, make sure that the security group rules of the ECS instances allow ICMP access. For more information, see Query security group rules and Add a security group rule.

Test the connectivity between VPC1 and VPC2.
1. Log on to the ECS instance that is deployed in VPC1. For more information, see Connect to an ECS instance.
2. On the ECS instance in VPC1, run the ping command to access the ECS instance in VPC2.
```
ping <IP address of the ECS instance in VPC2>
```
  If you receive a reply message, it indicates that VPC1 and VPC2 are connected and can access each other's resources.
Test the connectivity between VPC1 and the on-premises IDC.
1. Log on to the ECS instance in VPC1.
2. On the ECS instance in VPC1, run the ping command to access the server in the on-premises IDC.
```
ping <IP address of the on-premises IDC server> 
```
  If you receive a reply message, it indicates that VPC1 and the on-premises IDC are connected and can access each other's resources.
Test the connectivity between VPC2 and the on-premises IDC.
1. Log on to the ECS instance in VPC2.
2. On the ECS instance in VPC2, run the ping command to access the server in the on-premises IDC.
```
ping <IP address of the on-premises IDC server> 
```
  If you receive a reply message, it indicates that VPC2 and the on-premises IDC are connected and can access each other's resources.

Route description

In this example, when you connect VPC1, VPC2, and the VBR, CEN automatically distributes and learns routes to enable communication among the VPCs and the on-premises IDC:

The transit router in the China (Hangzhou) region automatically learns the routes from VPC1, VPC2, and the VBR.
The VBR automatically learns the routes to VPC1 and VPC2 from the transit router.
CEN automatically adds three custom route entries to the system route tables of VPC1 and VPC2: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hop of these routes points to the transit router.
The two VPCs send traffic to the transit router based on these routes. The transit router then enables communication between the VPCs, and between the VPCs and the on-premises IDC.

The following figures show the routes of the transit router, VPC1, VPC2, and the VBR in this example. This helps you understand the routing principles. You can view the routes of the transit router, VBR, VPC1, and VPC2 in the CEN console. For more information, see View the route table of an Enterprise Edition transit router and View the route table of a network instance.