Virtual border routers (VBRs) can be connected to data centers through Express Connect circuits. After you attach a VBR to a Cloud Enterprise Network (CEN) instance, you can use the health check feature of CEN to test the connectivity of the Express Connect circuit.
Background information
How it works

After you configure health checks for a VBR, Alibaba Cloud automatically sends ping packets from the source IP address to the destination IP address in the data center every two seconds. If the ping packet is returned through the Express Connect circuit over which the ping packet is sent from the source IP address, the Express Connect circuit works as expected. If eight consecutive ping packets do not receive a response or are returned through another path, the Express Connect circuit is faulty.
You are not notified if health checks detect errors. We recommend that you configure alert rules that can be automatically triggered by Express Connect circuit errors so that you are notified of errors. This helps you handle Express Connect circuit errors at the earliest opportunity.
Make sure that the destination IP address of health checks is reachable and the data center does not throttle or block ping packets.
If throttling such as Control Plane Policing (CoPP) or local attack defense is enabled for the gateway devices in the data center, ping packets may be dropped. As a result, the system may frequently switch between Express Connect circuits. We recommend that you disable throttling for the gateway devices in the data center.
Usage notes on standby Express Connect circuits

If a data center is connected to Alibaba Cloud through multiple Express Connect circuits, we recommend that you configure health checks for each Express Connect circuit. If one of the Express Connect circuits is declared unhealthy by health checks, the system automatically switches to a healthy Express Connect circuit.
When you configure health checks, you can specify whether to enable Change Route.
Prerequisites
The VBR that is associated with an Express Connect circuit is attached to a CEN instance. For more information, see Connect VBRs.
Step 1: Configure health checks in the CEN console
Log on to the CEN console.
In the left-side navigation pane, click Health Checks.
On the Health Checks page, select the region where the VBR is deployed. Then, click Set Health Check.
In the Set Health Check dialog box, set the health check parameters and click OK.
Parameter
Description
Instances
Select the CEN instance to which the VBR is attached.
Virtual Border Router (VBR)
Select the VBR that you want to monitor.
Source IP
You can use one of the following methods to configure the source IP address:
Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option.
Custom IP Address: You can specify an available IP address that falls within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address must not conflict with the destination IP address, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the user side.
Note: Take note of the following rules if you select Automatic IP Address:
In each of the following regions, at most 16 VBRs can be automatically assigned a source IP address:
US (Silicon Valley), China (Hong Kong), US (Virginia), China (Beijing), China (Shanghai), China (Shenzhen), Singapore, China (Hangzhou), China (Heyuan), China (Chengdu), China (Zhangjiakou), Germany (Frankfurt), Malaysia (Kuala Lumpur), UK (London), China (Qingdao), Indonesia (Jakarta), China (Hohhot), India (Mumbai), China (Guangzhou), China (Ulanqab), China (Nanjing-Local Region), Japan (Tokyo), and Australia (Sydney).
In the Philippines (Manila), South Korea (Seoul), China (Fuzhou-Local Region), or Thailand (Bangkok) region, at most eight VBRs can be automatically assigned a source IP address.
No matter which method you select, after health checks are configured, the CEN instance advertises to the VBR a route whose destination CIDR block is the source IP address and whose subnet mask is 32 bits in length.
If the VBR and data center use the BGP dynamic routing protocol, the route is advertised to the data center over BGP.
Destination IP
Set the destination IP address to the IP address of the VBR on the customer side.
Probe Interval (Seconds)
Enter a time interval at which probe packets are sent during the health check. Unit: seconds.
Valid values: 2 to 3. Default value: 2.
Probe Packets
Enter the number of consecutive probe packets that are sent during the health check. Unit: connections.
Valid values: 3 to 8. Default value: 8.
Change Route
Specify whether to allow the health check feature to switch to the redundant route.
This feature is enabled by default. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit.
If you disable this feature, health checks only perform probing. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit.
Warning: Before you clear the check box, make sure that network traffic can be switched to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit fails.
Step 2: Configure health checks in the data center
You also need to configure health checks in the data center to ensure that health checks can run as expected.
Add a backhaul route for health check ping packets in the data center.
Important: If the VBR uses BGP, Alibaba Cloud automatically advertises the source IP address as a route whose subnet mask is 32 bits in length to the data center after health checks are performed. In this case, you do not need to add a backhaul route.
If the VBR uses static routes, you must manually add a route in the data center whose destination CIDR block is the source IP address of health checks, whose subnet mask is 32 bits in length, and whose next hop points to the Express Connect circuit. Otherwise, the ping packets cannot be returned through the Express Connect circuit, and the circuit is declared unhealthy.
The following example shows how to add a backhaul route. The example is for reference only. For more information about the configuration commands, consult the vendor of your gateway device.
```
# Configure a backhaul route for probe packets.
ip route <The source IP address of health checks> 255.255.255.255 <The IP address of the VBR on the Alibaba Cloud side>
```
Add health check configurations to the data center.
You can use Bidirectional Forwarding Detection (BFD) or a network quality analyzer (NQA) to add health check configurations. Make sure that you can test the network connectivity of the Express Connect circuit from the data center. For more information about the configuration commands, consult the vendor of your gateway device.
Enable automatic route switchover in the data center.
If your data center is connected to Alibaba Cloud through multiple Express Connect circuits, you need to enable automatic route switchover during health checks in your data center to ensure that you can test the connectivity of the Express Connect circuits from the data center, and the system can switch between routes based on health check results. For more information about the configuration commands, consult the vendor of your gateway device.
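The following added example (not part of the original documentation or of any Alibaba Cloud tooling) checks a planned health check against the Step 1 parameter rules and derives what Step 2 needs on the data center side: the /32 probe prefix and, for static routing, the backhaul route in the template shown above. The `check_plan` function, the dictionary keys, and the sample addresses are assumptions made for illustration, and the detection time is only the approximate product of interval and packet count.

```python
import ipaddress

# Ranges and limits as stated in the parameter descriptions on this page.
AUTO_RANGE = ipaddress.ip_network("100.96.0.0/16")
CUSTOM_RANGES = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(plan):
    """Validate a planned health check; `plan` is a hypothetical dict layout."""
    src = ipaddress.ip_address(plan["source_ip"])
    dst = ipaddress.ip_address(plan["destination_ip"])
    cloud = ipaddress.ip_address(plan["vbr_cloud_side_ip"])
    customer = ipaddress.ip_address(plan["vbr_customer_side_ip"])
    errors = []

    if plan["source_mode"] == "custom":
        if not any(src in net for net in CUSTOM_RANGES):
            errors.append("custom source IP outside the three allowed private blocks")
    elif src not in AUTO_RANGE:
        errors.append("automatic source IP expected inside 100.96.0.0/16")
    if src in (dst, cloud, customer):
        errors.append("source IP conflicts with destination or a VBR peer address")
    if dst != customer:
        errors.append("destination IP should be the customer-side VBR address")
    if not 2 <= plan["probe_interval"] <= 3:
        errors.append("probe interval must be 2 to 3 seconds")
    if not 3 <= plan["probe_packets"] <= 8:
        errors.append("probe packets must be 3 to 8")

    summary = {
        # Consecutive losses times the interval: rough time to declare a fault.
        "detect_seconds": plan["probe_interval"] * plan["probe_packets"],
        # The /32 the data center must route back and must not throttle or block.
        "probe_prefix": f"{src}/32",
        # BGP advertises the /32 automatically; static routing needs it by hand.
        "backhaul_route": (f"ip route {src} 255.255.255.255 {cloud}"
                           if plan["routing"] == "static" else None),
    }
    return errors, summary


# Constructed sample values, not taken from a real deployment.
SAMPLE = {"source_mode": "custom", "source_ip": "10.255.0.9",
          "destination_ip": "10.0.0.2", "vbr_cloud_side_ip": "10.0.0.1",
          "vbr_customer_side_ip": "10.0.0.2", "routing": "static",
          "probe_interval": 2, "probe_packets": 8}
```

Calling `check_plan(SAMPLE)` returns an empty error list and a summary whose `probe_prefix` is the single address that gateway filtering and rate limiting in the data center need to account for.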
Step 3: Add an alert rule in the CloudMonitor console
After you configure health checks, we recommend that you add an alert rule in the CloudMonitor console so that you can be notified when the alert rule is triggered. This way, you can handle Express Connect circuit errors at the earliest opportunity.
Log on to the CloudMonitor console.
- In the left-side navigation pane, choose .
On the Alert Rules page, click Create Alert Rule.
In the Create Alert Rule panel, set Product to CEN-Router, set the other parameters, and then click OK.
The following table describes the parameters that are relevant to this topic. For more information about the other parameters, see Create an alert rule.
Click + Add Rule, set the following parameters in the Add Rule Description panel, and then click OK.
Parameter
Description
Alert Rule
Enter a name for the alert rule.
Metric Type
Select a metric type for the alert rule. Single Metric is selected in this example. For more information, see Create an alert template.
Single Metric
Multiple Metrics
Dynamic Threshold
Metric
Select a metric for the alert rule.
Health Check Latency: monitors the network latency between Alibaba Cloud and the data center.
Health Check Loss Rate: monitors the packet loss rate between Alibaba Cloud and the data center.
Internet Out Rate: monitors the bandwidth that is used to transmit data from Alibaba Cloud to the data center.
Internet In Rate: monitors the bandwidth that is used to transmit data from the data center to Alibaba Cloud.
Threshold and Alert Level
Set the alert conditions, alert threshold, and alert level of the alert rule.
Chart Preview
Displays the preview of the metric in a chart.
More operations
Operation | Description | Procedure |
Modify health checks | After you add a health check rule, you can modify the source IP address, destination IP address, probe interval, and the number of probe packets. Note: The value of the Change Route parameter cannot be changed. If you want to specify another value, clear the health check settings and specify a different value for the Change Route parameter when you configure the health check feature. | |
Delete health checks | If you no longer need to monitor the connectivity of an Express Connect circuit, you can delete the health checks. | |
FAQ
In a scenario where multiple VBRs are connected to a transit router, what granularity is the redundancy between Express Connect circuits?
The Express Connect circuits use redundant routes.
For example, VBR1 and VBR2 are connected to a transit router and the routes in the following table are added to the route table of the transit router. In this case, network traffic is switched between VBR1 and VBR2:
If VBR1 fails health checks, network traffic that is destined for 192.168.1.0/24 is switched from VBR1 to the Express Connect circuit connected to VBR2.
If VBR2 fails health checks, network traffic that is destined for 192.168.1.0/24 is switched from VBR2 to the Express Connect circuit connected to VBR1. However, network traffic that is destined for 192.168.2.0/24 is not switched to VBR1.
Destination CIDR block | Next hop | Network instance associated with the next hop |
192.168.1.0/24 | VBR1 connection | VBR1 |
192.168.1.0/24 | VBR2 connection | VBR2 |
192.168.2.0/24 | VBR2 connection | VBR2 |
In a scenario where multiple VBRs are connected to a transit router and Express Connect circuits are redundant with each other, will traffic be interrupted if all the VBRs fail health checks?
By default, network traffic destined for Alibaba Cloud is transmitted through the Express Connect circuit connected to the last VBR.
If the last VBR fails health checks but the Express Connect circuit works as expected, the bandwidth for network traffic from Alibaba Cloud to the data center is reduced because only one Express Connect circuit remains functional.
If the last VBR fails health checks and the Express Connect circuit is also faulty, network traffic from Alibaba Cloud to the data center is interrupted.
The last VBR refers to the last VBR that fails health checks. For example, VBR1, VBR2, and VBR3 are connected to a transit router and the routes in the following table are added to the route table of the transit router. The system first detects that VBR1 and VBR2 failed health checks, and then the system detects that VBR3 failed health checks. In this case, the last VBR refers to VBR3. Network traffic from Alibaba Cloud to the data center is transmitted through the Express Connect circuit connected to VBR3.
Destination CIDR block | Next hop | Network instance associated with the next hop |
192.168.1.0/24 | VBR1 connection | VBR1 |
192.168.1.0/24 | VBR2 connection | VBR2 |
192.168.1.0/24 | VBR3 connection | VBR3 |
How network traffic from the data center to Alibaba Cloud is transmitted is determined by your network configurations.
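The following added example (not part of the original documentation) models the two FAQ answers above: redundancy applies per destination CIDR block, and when every next hop for a prefix has failed health checks, traffic from Alibaba Cloud stays on the VBR that failed last. The function names are hypothetical, and applying the "last VBR" rule per prefix is an assumption of this sketch.

```python
from collections import defaultdict

# Route tables copied from the two FAQ tables as (destination CIDR, VBR) pairs.
FAQ1_ROUTES = [("192.168.1.0/24", "VBR1"), ("192.168.1.0/24", "VBR2"),
               ("192.168.2.0/24", "VBR2")]
FAQ2_ROUTES = [("192.168.1.0/24", v) for v in ("VBR1", "VBR2", "VBR3")]


def group_by_prefix(routes):
    """Map each destination CIDR block to the VBRs that are next hops for it."""
    table = defaultdict(list)
    for cidr, vbr in routes:
        table[cidr].append(vbr)
    return table


def unprotected_prefixes(routes):
    """Prefixes with a single next hop: a VBR failure cannot be routed around."""
    return sorted(c for c, vbrs in group_by_prefix(routes).items() if len(vbrs) < 2)


def forwarding_after(routes, failed_in_order):
    """Next hops for cloud-to-data-center traffic after the listed VBRs
    fail health checks, in the order given."""
    result = {}
    for cidr, vbrs in group_by_prefix(routes).items():
        healthy = [v for v in vbrs if v not in failed_in_order]
        if healthy:
            result[cidr] = {"next_hops": healthy, "all_failed": False}
        else:
            # Assumption: the "last VBR" rule is applied per prefix.
            last = max(vbrs, key=failed_in_order.index)
            result[cidr] = {"next_hops": [last], "all_failed": True}
    return result
```

A prefix reported with `all_failed` set still has a next hop, so traffic is interrupted only if that circuit is actually faulty; `unprotected_prefixes` lists the routes that need a second next hop before a single VBR failure can be absorbed.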
In a scenario where multiple VBRs are connected to a transit router and Express Connect circuits are redundant with each other, is a route switchover performed if all the VBRs fail health checks?
Whether the system switches to another route is determined by the connectivity of the Express Connect circuit. A route switchover is performed only when the health status of the Express Connect circuit is changed.
Does the deletion of health check configurations cause frequent route switchover or traffic interruptions?
If you delete health check configurations in the CEN console, the deletion does not cause frequent route switchover. By default, the system considers the Express Connect circuit healthy and continues forwarding network traffic to the Express Connect circuit based on specified routes.
However, network traffic will be interrupted if the Express Connect circuit is faulty.
If you delete health check configurations in the data center, whether the traffic will be interrupted is determined by your network configurations.
References
Troubleshooting: troubleshoots Express Connect circuit errors.
EnableCenVbrHealthCheck: configures or modifies health checks for a VBR.
DescribeCenVbrHealthCheck: queries the health check configurations of a VBR.
DisableCenVbrHealthCheck: deletes health checks for a VBR.