This topic describes how to use Enterprise Edition transit routers to enable communication between on-premises and cloud networks.

Scenario

A company has a data center in Hangzhou. The data center is connected to Alibaba Cloud through Express Connect circuits and virtual border routers (VBRs). The company has deployed two virtual private clouds (VPCs) named VPC1 and VPC2 in the China (Hangzhou) region. Elastic Compute Service (ECS) instances are deployed in the VPCs. The data center, VPC1, and VPC2 cannot communicate with each other. Due to business growth, the company wants to enable network communication among the data center, VPC1, and VPC2.

In this case, the company can use CEN to connect VPC1, VPC2, and the VBR to the transit router in the China (Hangzhou) region. This enables network communication among the data center, VPC1, and VPC2.

Enterprise Edition transit routers - intra-region connection

Prerequisites

  • The data center is connected to Alibaba Cloud through Express Connect circuits and VBRs. For more information, see Connect to an ECS instance from a data center by using an Express Connect circuit.
  • Two VPCs are deployed in the China (Hangzhou) region. ECS instances are deployed in the VPCs. For more information, see Create a VPC with an IPv4 CIDR block.

    At least one vSwitch is deployed for each VPC in the zones supported by Enterprise Edition transit routers. Each vSwitch must have at least one idle IP address.

    Click to view regions and zones that support Enterprise Edition transit routers
    Table 1. Regions and zones that support Enterprise Edition transit routers
    Area Region Zone
    Chinese mainland China (Hangzhou) Zone H, Zone I, Zone J, and Zone K
    China (Shanghai) Zone F, Zone G, Zone E, Zone B, Zone N, Zone M, and Zone L
    China (Nanjing - Local Region) Zone A
    China (Fuzhou - Local Region) Zone A
    China (Shenzhen) Zone D and Zone E
    China (Heyuan) Zone A and Zone B
    China (Guangzhou) Zone A and Zone B
    China (Qingdao) Zone B and Zone C
    China (Beijing) Zone H, Zone G, Zone J, Zone K, Zone I, and Zone L
    China (Zhangjiakou) Zone A, Zone B, and Zone C
    China (Hohhot) Zone A and Zone B
    China (Ulanqab) Zone A, Zone B, and Zone C
    China (Chengdu) Zone A and Zone B
    Asia Pacific Singapore (Singapore) Zone A, Zone B, and Zone C
    China (Hong Kong) Zone B and Zone C
    Malaysia (Kuala Lumpur) Zone A and Zone B
    India (Mumbai) Zone A and Zone B
    Indonesia (Jakarta) Zone A and Zone B
    Philippines (Manila) Zone A
    Japan (Tokyo) Zone A and Zone B
    South Korea (Seoul) Zone A
    Thailand (Bangkok) Zone A
    Europe Germany (Frankfurt) Zone A and Zone B
    UK (London) Zone A and Zone B
    North America US (Virginia) Zone A and Zone B
    US (Silicon Valley) Zone A and Zone B
    Australia Australia (Sydney) Zone A and Zone B
    For example, if you create one VPC in the China (Hangzhou) region, you must create at least one vSwitch in Zone H or Zone I. The vSwitch must have at least one idle IP address.
    Note Enterprise Edition transit routers associate elastic network interfaces (ENIs) with the vSwitches in the zones. The ENIs function as ingresses that forward network traffic from VPCs to the transit routers. Each ENI occupies one IP address.
    The following table shows the CIDR blocks allocated to VPC1, VPC2, the VBR, and the data center. Make sure that the CIDR blocks do not overlap.
    Item VPC1 VPC2 VBR Data center
    The region where the network instance is deployed. China (Hangzhou) China (Hangzhou) China (Hangzhou) China (Hangzhou)
    Network instance CIDR block
    • VPC CIDR block: 192.168.0.0/16
    • vSwitch 1 CIDR block: 192.168.20.0/24
    • vSwitch 2 CIDR block: 192.168.21.0/24
    • VPC CIDR block: 10.0.0.0/16
    • vSwitch 1 CIDR block: 10.0.0.0/24
    • vSwitch 2 CIDR block: 10.0.1.0/24
    • VLAN ID: 0
    • IPv4 CIDR block at the Alibaba Cloud side: 172.16.1.2/30
    • IPv4 CIDR block at the customer side: 172.16.1.1/30
    		 On-premises network CIDR block: 172.16.0.0/16
    vSwitch zone
    • vSwitch 1 in Zone H
    • vSwitch 2 in Zone I
    • vSwitch 1 in Zone H
    • vSwitch 2 in Zone I
    		 N/A N/A
    Server IP address ECS1 IP address: 192.168.20.161 ECS2 IP address: 10.0.0.33 N/A On-premises server IP address: 172.16.0.89
  • You must be aware of the security group rules that are applied to the ECS instances in the VPCs. Make sure that the security group rules allow the VPCs to communicate with each other and with the data center. For more information, see Query security group rules and Add a security group rule.

Procedure

Enterprise Edition transit routers - intra-region - procedure

Step 1: Create a CEN instance

CEN is used to create and manage network resources. Before you can connect network instances, you must create a CEN instance.

  1. Log on to the CEN console.
  2. On the Instances page, click Create CEN Instance.
  3. In the Create CEN Instance panel, set the following parameters and click OK.
    • Name: Enter a name for the CEN instance.

      The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter.

    • Description: Enter a description for the CEN instance.

      The description must be 2 to 256 characters in length, and cannot start with http:// or https://. You can leave this parameter empty.

Step 2: Connect the VPCs to the transit router

Connect VPC1 and VPC2 to the transit router in the China (Hangzhou) region.

  1. On the Instances page, click the ID of the CEN instance created in Step 1.
  2. On the Basic Settings tab, click Add in the VPC section.
    Connect to the VPC
  3. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    The following table shows the settings of VPC1 and VPC2. Connect VPC1 and VPC2 to the transit router that belongs to Account A.
    Note When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN. This role allows transit routers to create elastic network interfaces (ENIs) on vSwitches in VPCs. For more information, see AliyunServiceRoleForCEN.
    Parameter Description VPC1 VPC2
    Network Type Select the type of network instance that you want to attach. VPC VPC
    Region Select the region where the network instance is deployed. China (Hangzhou) China (Hangzhou)
    Transit Router The system automatically creates a transit router in the selected region.
    Resource Owner ID Select the Alibaba Cloud account to which the network instance belongs. Your Account Your Account
    Billing Method Default value: Pay-As-You-Go.

    For more information, see Billing rules.

    Attachment Name Enter a name for the network connection. VPC1-test VPC2-test
    Networks Select the ID of the network instance. VPC1 VPC2
    VSwitch Select a vSwitch in a zone that supports transit routers.

    If vSwitches are deployed in multiple zones that support transit routers, you can select multiple zones and select a vSwitch in each zone.

    • Hangzhou Zone H: Select vSwitch 1
    • Hangzhou Zone I: Select vSwitch 2
    • Hangzhou Zone H: Select vSwitch 1
    • Hangzhou Zone I: Select vSwitch 2
    Advanced Settings By default, the system automatically enables the following advanced features. You can enable or disable the advanced features based on business requirements.

    Keep the default settings for VPC1 and VPC2. All advanced features are enabled for the VPCs.

    • Associate with Default Route Table of Transit Router

      After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC based on the default route table.

    • Propagate System Routes to Default Route Table of Transit Router

      After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the transit router.

    • Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC

      After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the VPC connection.

  4. Click Return to the List to go to the details page of the CEN instance.

Step 3: Connect a VBR to the transit router

  1. On the Basic Settings tab, click Add in the VBR section.
    Create a VBR
  2. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    • Network Type: Select the type of network instance that you want to attach. In this example, Virtual Border Router (VBR) is selected.
    • Region: Select the region where the network instances are deployed. In this example, China (Hangzhou) is selected.
    • Transit Router: The system automatically displays the transit router created in the selected region.
    • Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs. Your Account is selected in this example.
    • Attachment Name: Enter a name for the network instance. VBR is used in this example.
    • Networks: Select the ID of the network instance that you want to attach. In this example, the ID of the VBR is selected.
    • Advanced Settings: By default, the system automatically enables the following advanced features. In this example, the default settings are used.
      • Associate with Default Route Table of Transit Router

        After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.

      • Propagate System Routes to Default Route Table of Transit Router

        After this feature is enabled, the system routes of the VBR are automatically advertised to the default route table of the transit router.

      • Propagate Routes to VBR

        After this feature is enabled, the system automatically advertises the routes in the route table that is associated with the VBR connection to the VBR.

  3. Click Return to the List to go to the details page of the CEN instance.

Step 4: Test the network connectivity

After you complete the preceding steps, VPC1, VPC2, and the data center can communicate with each other.

Note In this example, VPC1 and VPC2 run the Alibaba Cloud Linux operating system. For more information about how to use the ping command on other operating systems, see the manual of the operating system that you use.
  1. Test the network connectivity between VPC1 and VPC2.
    1. Log on to an ECS instance that is deployed in VPC 1. For more information, see Guidelines on instance connection.
    2. On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC2. 
      ping <The IP address of an ECS instance in VPC2>

      If you receive an echo reply packet, it indicates that VPC1 and VPC2 are connected.

      VPC1 to VPC2
  2. Test the network connectivity between VPC1 and the data center.
    1. Log on to an ECS instance that is deployed in VPC 1.
    2. On the ECS instance, run the ping command to test whether you can access servers in the data center. 
      ping <The IP address of a server in the data center>

      If you receive an echo reply packet, it indicates that VPC1 and the data center are connected.

  3. Test the network connectivity between VPC2 and the data center.
    1. Log on to an ECS instance in VPC 2.
    2. On the ECS instance, run the ping command to test whether you can access servers in the data center. 
      ping <The IP address of a server in the data center>

      If you receive an echo reply packet, it indicates that VPC2 and the data center are connected.

Route descriptions

In this topic, the CEN instance automatically learns and advertises routes for the VPCs and the data center when you connect the VPCs or VBR to the transit router.
  • The transit router in the China (Hangzhou) region automatically learns routes from VPC1, VPC2, and the VBR.
  • The VBR uses the transit router to learn routes from VPC1 and VPC2.
  • The CEN instance automatically adds the following route entries to the route tables of VPC1 and VPC2: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The next hops are the transit router.

    Network traffic from VPC1 and VPC2 is routed to the transit router. The transit router enables the VPCs and the data center to communicate with each other.

The following table describes the route entries of VPC1 and VPC2. You can check route entries in the console. For more information, see View routes of an Enterprise Edition transit router and View routes of network instances.

Figure 1. Default route entries of the transit router in China (Hangzhou)
Default route entries of the transit router
Figure 2. Default route entries of VPC1
Quick start for transit routers - route entries of VPC1
Figure 3. Default route entries of VPC2
Quick start for transit routers - route entries of VPC2
Figure 4. Route entries of the VBR
Quick start for transit routers - route entries of the VBR