Use Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks

Scenario

A company has a data center in Hangzhou. The data center is connected to Alibaba Cloud through Express Connect circuits and virtual border routers (VBRs). The company has deployed two virtual private clouds (VPCs) named VPC1 and VPC2 in the China (Hangzhou) region. Elastic Compute Service (ECS) instances are deployed in the VPCs. The data center, VPC1, and VPC2 cannot communicate with each other. Due to business growth, the company wants to enable network communication among the data center, VPC1, and VPC2.

In this case, the company can use CEN to connect VPC1, VPC2, and the VBR to the transit router in the China (Hangzhou) region. This enables network communication among the data center, VPC1, and VPC2.

Prerequisites

• The data center is connected to Alibaba Cloud through Express Connect circuits and VBRs. For more information, see Connect to an ECS instance from a data center by using an Express Connect circuit.
• Two VPCs are deployed in the China (Hangzhou) region. ECS instances are deployed in the VPCs. For more information, see Create an IPv4 VPC.

  At least one vSwitch is deployed for each VPC in the zones supported by Enterprise Edition transit routers. Each vSwitch must have at least one idle IP address.

  For example, if you create one VPC in the China (Hangzhou) region, you must create at least one vSwitch in zone H and one vSwitch in zone I. Each vSwitch must have at least one idle IP address.

  Note Enterprise Edition transit routers associate elastic network interfaces (EIPs) with the vSwitches in the zones. The ENIs function as ingresses that forward network traffic from VPCs to the transit routers. Each ENI occupies one IP address.
  The following table shows the CIDR blocks allocated to VPC1, VPC2, the VBR, and the data center. Make sure that the CIDR blocks do not overlap.

  Item	VPC1	VPC2	VBR	Data center
  The region where the network instance is deployed.	China (Hangzhou)	China (Hangzhou)	China (Hangzhou)	Hangzhou
  Network instance CIDR block	VPC CIDR block: 192.168.0.0/16 vSwitch 1 CIDR block: 192.168.20.0/24 vSwitch 2 CIDR block: 192.168.21.0/24	VPC CIDR block: 10.0.0.0/16 vSwitch 1 CIDR block: 10.0.0.0/24 vSwitch 2 CIDR block: 10.0.1.0/24	VLAN ID: 0 IPv4 CIDR block at the Alibaba Cloud side: 172.16.1.2/30 IPv4 CIDR block at the customer side: 172.16.1.1/30	On-premises network CIDR block: 172.16.0.0/16
  vSwitch zone	vSwitch 1 in zone H vSwitch 2 in zone I	vSwitch 1 in zone H vSwitch 2 in zone I	N/A	N/A
  Server IP address	ECS1 IP address: 192.168.20.161	ECS2 IP address: 10.0.0.33	N/A	On-premises server IP address: 172.16.0.89

• You must be aware of the security group rules that are applied to the ECS instances in the VPCs. Make sure that the security group rules allow the VPCs to communicate with each other and with the data center. For more information, see Query security group rules and Add security group rules.

Procedure

Step 1: Create a CEN instance

CEN is used to create and manage network resources. Before you can connect networks, you must create a CEN instance.

1. Log on to the CEN console.
2. On the Instances page, click Create CEN Instance.
3. In the Create CEN Instance panel, set the following parameters and click OK.
   • Name: Enter a name for the CEN instance.

     The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter.

   • Description: Enter a description for the CEN instance.

     The description must be 2 to 256 characters in length, and cannot start with http:// or https://. You can leave this parameter empty.

Step 2: Connect the VPCs to the transit router

Connect VPC1 and VPC2 to the transit router in the China (Hangzhou) region.

1. On the Instances page, click the ID of the CEN instance created in Step 1.
2. On the Basic Information tab, click in the VPC section.
   
3. On the Connection with Peer Network Instance page, set the following parameters and click OK.
   The following table shows the settings of VPC1 and VPC2. Connect VPC1 and VPC2 to the transit router that belongs to Account A.

   Note When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN. This role allows transit routers to create ENIs on vSwicthes in VPCs. For more information, see AliyunServiceRoleForCEN.

   Parameter	Description	VPC1	VPC2
   Instance Type	Select the type of network instance that you want to attach.	VPC	VPC
   Region	Select the region where the network instance is deployed.	China (Hangzhou)	China (Hangzhou)
   Transit Router	The system automatically creates a transit router in the selected region.
   Select the primary and secondary zones for the transit router	Select the primary and secondary zones for the transit router.	Primary Zone: Hangzhou Zone H Secondary Zone: Hangzhou Zone I	Primary Zone: Hangzhou Zone H Secondary Zone: Hangzhou Zone I
   Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs.	Your Account	Different Account
   Billing Method	Default value: Pay-As-You-Go. For more information, see Billing.
   Attachment Name	Enter a name for the network connection.	VPC1-test	VPC2-test
   Networks	Select the ID of the network instance.	VPC1	VPC2
   VSwitch	Select a vSwitch from the primary zone and secondary zone.	Hangzhou Zone H (Primary): vSwitch 1 Hangzhou Zone I (Secondary): vSwitch 2	Hangzhou Zone H (Primary): vSwitch 1 Hangzhou Zone I (Secondary): vSwitch 2
   Advanced Settings	By default, the system automatically enables the following advanced features. You can enable or disable the advanced features based on business requirements. Keep the default settings for VPC1 and VPC2. All advanced features are enabled for the VPCs. Associate with Default Route Table of Transit Router After this feature is enabled, the VPC connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VPC through the default route table. Propagate System Routes to Default Route Table of Transit Router After this feature is enabled, the system routes of the VPC are advertised to the default route table of the transit router. This way, the VPC can communicate with other network instances that are connected to the same CEN instance. Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC After this feature is enabled, the system automatically adds the following three routes to all route tables of the VPC: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The routes point to the transit router.

Step 3: Connect the VBR to the transit router

1. On the Basic Information tab, click in the VBR section.
   
2. On the Connection with Peer Network Instance page, set the following parameters and click OK.
   • Network Type: Select the type of network instance that you want to attach. In this example, Virtual Border Router (VBR) is selected.
   • Region: Select the region where the network instances are deployed. In this example, China (Hangzhou) is selected.
   • Transit Router: The system automatically creates a transit router in the selected region.
   • Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs. Your Account is selected in this example.
   • Attachment Name: Enter a name for the network instance. VBR is used in this example.
   • Networks: Select the ID of the network instance that you want to attach. In this example, the ID of the VBR is selected.
   • Advanced Settings: By default, the system automatically enables the following advanced features. In this example, the default settings are used.
     • Associate with Default Route Table of Transit Router

       After this feature is enabled, the VBR connection is automatically associated with the default route table of the transit router. The transit router forwards the traffic of the VBR based on the default route table.

     • Propagate System Routes to Default Route Table of Transit Router

       After this feature is enabled, the system routes of the VBR are automatically advertised to the default route table of the transit router.

     • Propagate Routes to VBR

       After this feature is enabled, the system automatically advertises the routes in the route table that is associated with the VBR connection to the VBR.

3. Click Return to the List to go to the details page of the CEN instance.

Step 4: Test network connectivity

After you complete the preceding steps, VPC1, VPC2, and the data center can communicate with each other.

1. Test the network connectivity between VPC1 and VPC2.
   1. Log on to the ECS instance that is deployed in VPC 1. For more information, see Guidelines on instance connection.
   2. On the ECS instance, run the ping command to test whether you can access the ECS instance in VPC2.

      ping <The IP address of the ECS instance in VPC2>

      The following echo reply packet indicates that VPC1 and VPC2 are connected.

      
2. Test the network connectivity between VPC1 and the data center.
   1. Log on to the ECS instance that is deployed in VPC 1.
   2. On the ECS instance, run the ping command to test whether you can access servers in the data center.

      ping <The IP address of a server in the data center>

      If you receive an echo reply packet, it indicates that VPC1 and the data center are connected.

3. Test the network connectivity between VPC2 and the data center.
   1. Log on to the ECS instance in VPC 2.
   2. On the ECS instance, run the ping command to test whether you can access servers in the data center.

      ping <The IP address of a server in the data center>

      If you receive an echo reply packet, it indicates that VPC2 and the data center are connected.

Route descriptions

The following table describes the route entries of VPC1 and VPC2. You can check route entries in the console. For more information, see View routes of an Enterprise Edition transit router and View routes of network instances.