Cloud Enterprise Network:Best practices for networking based on transit routers

Last Updated:Mar 08, 2024

This topic describes the best practices for networking based on transit routers. We recommend that you read this topic before you use transit routers to connect network instances.

  • To connect a virtual private cloud (VPC) to an Enterprise Edition transit router, the VPC must have a vSwitch in a zone that the Enterprise Edition transit router supports. We recommend that you do not use vSwitches that forward service traffic for this purpose; instead, create a dedicated vSwitch in a zone of the Enterprise Edition transit router. Take note of the following rules for these vSwitches:

    • When you create the vSwitch, specify the smallest CIDR block that meets your needs to avoid wasting IP addresses.

      We recommend that the subnet mask of the vSwitch is no longer than 28 bits. For example, you can specify the 192.168.10.0/28 CIDR block.

    • If the vSwitches do not require access control, we recommend that you associate all vSwitches that are used to create VPC connections with the same network access control list (ACL), and make sure that the inbound and outbound rules of that ACL allow all network traffic. Associate vSwitches that forward service traffic with other ACLs and enforce access control on those ACLs.

    • We recommend that you associate vSwitches that are used to create VPC connections with the same VPC route table.

  • When you attach an IPsec-VPN connection to an Enterprise Edition transit router, we recommend that you specify BGP dynamic routing for the IPsec-VPN connection.

    If the on-premises gateway of the IPsec peer supports equal-cost multi-path routing (ECMP), we recommend that you enable ECMP for the on-premises gateway.

  • If a virtual border router (VBR) and an IPsec-VPN connection are attached to the Enterprise Edition transit router, we recommend that you enable route learning for the VBR connection and VPN attachment. Route learning allows the VBR and IPsec-VPN connection to automatically advertise routes to the route tables of the Enterprise Edition transit router. Manual route configuration is not recommended.

  • If your network topology requires only one route table on the Enterprise Edition transit router, we recommend that you use the default route table of the Enterprise Edition transit router. If your network topology requires more than one route table, we recommend that you classify network instances by service type and associate each class of network instances with an appropriate route table. Keep the number of route tables small enough to remain manageable.

  • Each transit router supports high availability. You do not need to deploy multiple transit routers to achieve high availability.

  • To ensure high network availability, configure a redundant path after you connect a network instance to the transit router. This includes, but is not limited to, the following scenarios:

    • When you connect a VPC to an Enterprise Edition transit router, specify a vSwitch in each zone of the Enterprise Edition transit router to implement zone disaster recovery for the VPC and shorten the data transmission distance.

    • When you connect an on-premises network to Alibaba Cloud, create multiple VPN attachments between the on-premises network and transit router to implement ECMP. You can also create a VPN attachment and a VBR connection between the on-premises network and transit router. The VPN attachment and VBR connection function as active and standby connections.
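The vSwitch rules and the attachment rules above can be checked before a design is deployed. The following script is an added example, not Alibaba Cloud code: it evaluates a planned design against the recommendations in this topic (subnet mask no longer than 28 bits, dedicated vSwitches, one allow-all ACL and one route table for all connection vSwitches, a vSwitch in every transit router zone, BGP and route learning on IPsec-VPN and VBR attachments, and a redundant on-premises connection). The design dictionary, its keys and the resource names in it are constructed assumptions.

```python
# Added example (not Alibaba Cloud code) that checks a planned transit router design
# against this topic's rules; the design dict, its keys and names are constructed assumptions.
import ipaddress
# Constructed sample: one VPC on a two-zone Enterprise Edition transit router, one IPsec-VPN.
DESIGN = {
    "transit_router_zones": ["zone-a", "zone-b"],
    "vpc_vswitches": [  # vSwitches used to create the VPC connection
        {"zone": "zone-a", "cidr": "192.168.10.0/28", "acl": "acl-tr",
         "route_table": "rt-tr", "service_traffic": False},
        {"zone": "zone-b", "cidr": "192.168.10.16/29", "acl": "acl-svc",
         "route_table": "rt-tr", "service_traffic": True},
    ],
    "acls": {  # network ACL rules as (direction, policy, cidr)
        "acl-tr": [("in", "accept", "0.0.0.0/0"), ("out", "accept", "0.0.0.0/0")],
        "acl-svc": [("in", "accept", "10.0.0.0/8"), ("out", "accept", "0.0.0.0/0")],
    },
    "on_prem_attachments": [{"type": "vpn", "routing": "bgp", "route_learning": True}],
}

def allows_all(rules):
    """True when the ACL accepts all traffic in both directions."""
    return all(any(d == direction and p == "accept" and c == "0.0.0.0/0"
                   for d, p, c in rules) for direction in ("in", "out"))

def check_design(design):
    """Return a list of findings; an empty list means the design follows the topic."""
    findings = []
    vsws = design["vpc_vswitches"]
    for v in vsws:
        if ipaddress.ip_network(v["cidr"]).prefixlen > 28:
            findings.append(f"{v['cidr']}: subnet mask longer than 28 bits")
        if v["service_traffic"]:
            findings.append(f"{v['cidr']}: forwards service traffic; use a dedicated vSwitch")
        if not allows_all(design["acls"][v["acl"]]):
            findings.append(f"{v['cidr']}: ACL {v['acl']} does not allow all traffic")
    for key in ("acl", "route_table"):  # all connection vSwitches share one of each
        if len({v[key] for v in vsws}) > 1:
            findings.append(f"transit router vSwitches do not share one {key}")
    missing = set(design["transit_router_zones"]) - {v["zone"] for v in vsws}
    if missing:
        findings.append(f"no vSwitch in zone(s) {sorted(missing)}; zone disaster recovery incomplete")
    atts = design["on_prem_attachments"]
    for a in atts:
        if a["type"] == "vpn" and a["routing"] != "bgp":
            findings.append("IPsec-VPN attachment does not use BGP dynamic routing")
        if not a["route_learning"]:
            findings.append(f"{a['type']} attachment has route learning disabled")
    if len(atts) < 2:
        findings.append("single on-premises connection; add VPN ECMP or a VPN+VBR active/standby pair")
    return findings
```

Running `check_design(DESIGN)` on the constructed sample reports five findings: the /29 vSwitch, the vSwitch that carries service traffic, its restrictive ACL, the two differing ACLs, and the single on-premises connection.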