This topic describes how to use two Express Connect circuits to establish active/active connections between a data center and Alibaba Cloud. If your data center is connected to Alibaba Cloud through two Express Connect circuits, network traffic is distributed across both connections by default. If one of the Express Connect circuits is down, the other Express Connect circuit takes over to serve your workloads. This ensures service availability.

Scenario

The following scenario is used as an example to show how to use two Express Connect circuits to establish active/active connections.

A company has a data center in Shanghai and a virtual private cloud (VPC) in the China (Shanghai) region. The private CIDR block of the data center is 172.16.0.0/12, and the CIDR block of the VPC is 192.168.0.0/16. To prevent single points of failure (SPOFs), the company plans to lease two Express Connect circuits from different connectivity providers to configure active-active failover.

Active-active failover architecture

The following table describes the configurations of the virtual border routers (VBRs) connected to the Express Connect circuits.

Configuration item                                   VBR1 (connected to Express Connect circuit 1)   VBR2 (connected to Express Connect circuit 2)
VLAN ID                                              0                                               0
Peer IPv4 Address of Gateway at Alibaba Cloud Side   10.0.0.1                                        10.0.0.5
Peer IPv4 Address of Gateway at Customer Side        10.0.0.2                                        10.0.0.6
Subnet Mask (IPv4 Address)                           255.255.255.252                                 255.255.255.252

Prerequisites

  • A VPC is created in the China (Shanghai) region and cloud resources such as Elastic Compute Service (ECS) instances that host your business systems are deployed in the VPC. For more information, see Create an IPv4 VPC.
  • You understand the security group rules of the ECS instances in the VPC. Make sure that the rules allow access from the data center. For more information, see Query security group rules and Add security group rules.

Procedure

Procedure for establishing active/active connections

Step 1: Create two connections over Express Connect circuits

In this example, two dedicated connections are created. For more information, see Create a dedicated connection over an Express Connect circuit.

When you apply for the second Express Connect circuit, you may need to specify a redundant Express Connect circuit based on the access point.
  • If you want to connect the Express Connect circuits to the same access point, you must specify the redundant Express Connect circuit. Set Redundant Connection ID to the first Express Connect circuit. This way, the Express Connect circuits will be connected to different access devices.
  • If you want to connect the Express Connect circuits to different access points, you do not need to specify the redundant Express Connect circuit. In this case, you do not need to specify Redundant Connection ID.

    In this example, the Express Connect circuits are connected to different access points.

Step 2: Create VBRs and configure routing

You must create a VBR for each Express Connect circuit and add a route to each VBR. Set the destination of both routes to the data center.

  1. Log on to the Express Connect console.
  2. Create a VBR for Express Connect Circuit 1.
    1. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
    2. On the Virtual Border Routers (VBRs) page, click Create VBR.
    3. In the Create VBR panel, set the following parameters and click OK:
      • Account: Specify the type of account for which you want to create the VBR. In this example, Current Account is selected.
      • Name: Enter a name for the VBR. In this example, VBR1 is entered.
      • Physical Connection Interface: In this example, Dedicated Physical Connection is selected and then Express Connect Circuit 1 is selected.
      • VLAN ID: Enter the VLAN ID of the VBR. In this example, 0 is entered.
      • Peer IPv4 Address of Gateway at Alibaba Cloud Side: Specify an IPv4 address for the VBR. In this example, 10.0.0.1 is entered.
      • Peer IPv4 Address of Gateway at Customer Side: Specify an IPv4 address for the gateway device in the data center. In this example, 10.0.0.2 is entered.
      • Subnet Mask (IPv4 Address): Enter the IPv4 subnet mask of the specified IP addresses. In this example, 255.255.255.252 is entered.
  3. Add a route whose destination is the data center to VBR1.
    1. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
    2. On the Virtual Border Routers (VBRs) page, click the ID of VBR1.
    3. On the details page of VBR1, click the Routes tab and click Add Route.
    4. In the Add Route Entry panel, set the following parameters and click OK:
      • Next Hop Type: In this example, Physical Connection Interface is selected.
      • Destination Subnet: Enter the CIDR block of the data center. In this example, 172.16.0.0/12 is entered.
      • Next Hop: Select an Express Connect circuit. In this example, Express Connect Circuit 1 is selected.
  4. Repeat the preceding steps to create VBR2 for Express Connect Circuit 2 and add a route to VBR2. Set the destination of the route to the data center.
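The following pre-flight check is an added example and is not code from the Alibaba Cloud topic or its console. It takes the two VBR links from the table above (addresses, subnet mask, bound circuit) together with the scenario's data center and VPC CIDR blocks, and confirms before anything is entered in the console that each link is a consistent point-to-point subnet, that the two links do not share a subnet, and that neither link subnet collides with a routed prefix. The consistency rules themselves are this example's assumptions, not requirements stated by the topic.

```python
# Added example, not part of the Alibaba Cloud topic: a pre-flight check for
# the VBR link settings used in Step 2. The link values and CIDR blocks are
# the topic's; the consistency rules below are this example's own.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VbrLink:
    name: str
    circuit: str
    vlan_id: int
    cloud_ip: str     # Peer IPv4 Address of Gateway at Alibaba Cloud Side
    customer_ip: str  # Peer IPv4 Address of Gateway at Customer Side
    mask: str         # Subnet Mask (IPv4 Address)

    def network(self) -> ipaddress.IPv4Network:
        # strict=False so a host address is normalised to its subnet
        return ipaddress.IPv4Network(f"{self.cloud_ip}/{self.mask}", strict=False)


# Values from the topic's scenario and VBR table
DC_CIDR = ipaddress.IPv4Network("172.16.0.0/12")
VPC_CIDR = ipaddress.IPv4Network("192.168.0.0/16")
VBR1 = VbrLink("VBR1", "Express Connect Circuit 1", 0, "10.0.0.1", "10.0.0.2", "255.255.255.252")
VBR2 = VbrLink("VBR2", "Express Connect Circuit 2", 0, "10.0.0.5", "10.0.0.6", "255.255.255.252")


def check_link(link: VbrLink) -> list[str]:
    """Return the problems found with one VBR link (an empty list means OK)."""
    issues = []
    net = link.network()
    cloud = ipaddress.IPv4Address(link.cloud_ip)
    customer = ipaddress.IPv4Address(link.customer_ip)

    if cloud == customer:
        issues.append(f"{link.name}: cloud-side and customer-side addresses are identical")

    for side, addr in (("cloud", cloud), ("customer", customer)):
        if addr not in net:
            issues.append(f"{link.name}: {side} address {addr} is outside {net}")
        elif net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
            issues.append(f"{link.name}: {side} address {addr} is the network or broadcast address of {net}")

    # The link subnet must not collide with the prefixes routed on either side.
    for label, cidr in (("data center", DC_CIDR), ("VPC", VPC_CIDR)):
        if net.overlaps(cidr):
            issues.append(f"{link.name}: link subnet {net} overlaps the {label} CIDR {cidr}")
    return issues


def check_pair(a: VbrLink, b: VbrLink) -> list[str]:
    """Check both links and confirm they use separate subnets and separate circuits."""
    issues = check_link(a) + check_link(b)
    if a.network().overlaps(b.network()):
        issues.append(f"{a.name} and {b.name} share link subnet {a.network()}")
    if a.circuit == b.circuit:
        issues.append(f"{a.name} and {b.name} are bound to the same circuit {a.circuit}")
    return issues


def vbr_route(link: VbrLink) -> dict:
    """The route each VBR needs in Step 2: the data center CIDR via its own circuit."""
    return {"vbr": link.name, "destination": str(DC_CIDR),
            "next_hop_type": "Physical Connection Interface", "next_hop": link.circuit}


if __name__ == "__main__":
    problems = check_pair(VBR1, VBR2)
    print("OK" if not problems else "\n".join(problems))
    for link in (VBR1, VBR2):
        print(vbr_route(link))
```

Running the script with the topic's values prints OK and the two routes to add; a typo such as entering 10.0.0.3 (the broadcast address of 10.0.0.0/30) as the customer-side address of VBR1 is reported before it reaches the console.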

Step 3: Attach the VBRs and the VPC to a CEN instance

To enable communication between the data center and the VPC, you must attach the VBRs and the VPC to a Cloud Enterprise Network (CEN) instance.

  1. Log on to the CEN console.
  2. Create a CEN instance.
    1. On the Instances page, click Create CEN Instance.
    2. In the Create CEN Instance panel, set the following parameters of the CEN instance:
      • Name: Enter a name for the CEN instance.
      • Description: Enter a description for the CEN instance.
      • Network Type: Select the type of network instance that you want to attach. In this example, Virtual Border Router (VBR) is selected.
      • Region: Select the region where the network instance is created. In this example, China (Shanghai) is selected, which is the region of VBR1.
      • Networks: Select the network instance. In this example, VBR1 is selected.
    3. In the Create CEN Instance panel, click OK.
  3. Attach the VPC and VBR2 to the CEN instance.
    1. On the Instances page, find the CEN instance that you want to manage and click its ID.
    2. Click the Networks tab and then click Attach Network.
    3. In the Attach Network panel, click the Your Account tab.
    4. Set the following parameters of the network instance that you want to attach:
      • Network Type: Select the type of network instance that you want to attach. In this example, Virtual Border Router (VBR) is selected.
      • Region: Select the region where the network instance is created. In this example, China (Shanghai) is selected, which is the region of VBR2.
      • Networks: Select the network instance. In this example, VBR2 is selected.
    5. In the Attach Network panel, click OK.
    6. Repeat the preceding steps to attach the VPC to the CEN instance.
      Notice: If you have created routes that point to ECS instances, VPN gateways, or HAVIPs in the VPC, you must advertise these routes to the CEN instance in the VPC console. For more information, see Publish a route to CEN.

Step 4: Configure health checks on Alibaba Cloud

By default, after you configure health checks, Alibaba Cloud sends a probe packet every 2 seconds over the Express Connect circuits from the source IP address to the destination IP address in the data center. If no responses are returned for eight consecutive probe packets over one of the Express Connect circuits, the other Express Connect circuit takes over.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. On the Health Check page, select the region where the VBR is deployed. Then, click Set Health Check.
    In this example, China (Shanghai) is selected, which is the region of VBR1.
  4. In the Set Health Check panel, set the health check parameters and click OK.
    • Instances: Select the CEN instance to which the VBR is attached.
    • Virtual Border Router (VBR): Select the VBR that you want to monitor. In this example, VBR1 is selected.
    • Source IP: You can use one of the following methods to configure the source IP address:
      • Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option.
      • Custom IP Address: You must specify an idle IP address from the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address must not be the same as the IP address with which you want to communicate, the IP address of the VBR, or the IP address of the gateway device in the data center.
    • Destination IP: Set the destination IP address to the IP address of the gateway device in the data center.
    • Probe Interval (Seconds): Specify the interval at which probe packets are sent for a health check. Unit: seconds. Default value: 2. Valid values: 2 to 3.
    • Probe Packets: Specify the number of probe packets to be sent for a health check. Unit: packets. Default value: 8. Valid values: 3 to 8.
      Note: The system sends probe packets at the specified intervals. If the number of consecutively dropped packets reaches the specified number of probe packets, the health check fails.
  5. Repeat Step 3 to Step 4 to configure health checks for VBR2.
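The following model of the health check settings is an added example, not code from the Alibaba Cloud topic or the CEN service. It validates a health check against the parameter ranges and the custom source IP rules listed in Step 4, computes the worst-case time to detect a failed circuit (probe interval multiplied by probe packets), and simulates the failure condition over a constructed sequence of probe results, where a reply resets the consecutive-loss counter. The HealthCheck class, its field names and the simulation are this example's own assumptions about how the documented rule behaves.

```python
# Added example, not part of the Alibaba Cloud topic: models the CEN health
# check parameters from Step 4. Parameter ranges and source-IP rules are the
# topic's; the class and the failure simulation are this example's own.
import ipaddress
from dataclasses import dataclass
from typing import Optional

AUTO_SOURCE_BLOCK = ipaddress.IPv4Network("100.96.0.0/16")
CUSTOM_SOURCE_BLOCKS = [ipaddress.IPv4Network(c)
                        for c in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


@dataclass(frozen=True)
class HealthCheck:
    vbr: str
    vbr_ip: str                      # Peer IPv4 Address of Gateway at Alibaba Cloud Side
    dc_gateway_ip: str               # Peer IPv4 Address of Gateway at Customer Side
    destination_ip: str              # Destination IP: the data center gateway
    source_ip: Optional[str] = None  # None means Automatic IP Address
    probe_interval: int = 2          # seconds; valid values 2 to 3
    probe_packets: int = 8           # packets; valid values 3 to 8


def validate(hc: HealthCheck) -> list[str]:
    """Return the settings that violate the documented ranges and source-IP rules."""
    issues = []
    if not 2 <= hc.probe_interval <= 3:
        issues.append(f"{hc.vbr}: probe interval {hc.probe_interval} is outside 2..3")
    if not 3 <= hc.probe_packets <= 8:
        issues.append(f"{hc.vbr}: probe packets {hc.probe_packets} is outside 3..8")
    if hc.source_ip is not None:
        src = ipaddress.IPv4Address(hc.source_ip)
        if not any(src in block for block in CUSTOM_SOURCE_BLOCKS):
            issues.append(f"{hc.vbr}: custom source {src} is not in 10/8, 192.168/16 or 172.16/12")
        # The custom address must be idle: it may not reuse any address on the path.
        for label, taken in (("destination", hc.destination_ip),
                             ("VBR", hc.vbr_ip),
                             ("data center gateway", hc.dc_gateway_ip)):
            if src == ipaddress.IPv4Address(taken):
                issues.append(f"{hc.vbr}: custom source {src} equals the {label} address")
    return issues


def worst_case_detection_seconds(hc: HealthCheck) -> int:
    """Time from the first lost probe until the check fails: interval x packets."""
    return hc.probe_interval * hc.probe_packets


def first_failure_index(hc: HealthCheck, replies: list[bool]) -> Optional[int]:
    """Index of the probe at which consecutive losses reach probe_packets, or None.

    replies[i] is True when probe i was answered and False when it was dropped.
    """
    consecutive = 0
    for i, answered in enumerate(replies):
        consecutive = 0 if answered else consecutive + 1
        if consecutive >= hc.probe_packets:
            return i
    return None


if __name__ == "__main__":
    # Constructed sample: VBR1 from the topic's table, defaults for the probes.
    hc = HealthCheck("VBR1", "10.0.0.1", "10.0.0.2", "10.0.0.2")
    print(validate(hc) or "settings OK")
    print("worst-case detection:", worst_case_detection_seconds(hc), "s")
    # Seven losses, one reply, then eight losses: the reply resets the counter,
    # so the check fails only at the 16th probe.
    sample = [False] * 7 + [True] + [False] * 8
    print("check fails at probe index", first_failure_index(hc, sample))
```

With the defaults the check needs eight consecutive losses, so a circuit that stays down is declared failed about 16 seconds after its first dropped probe, whereas intermittent loss that never reaches eight in a row keeps the circuit in service.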

Step 5: Configure routes and health checks in the data center

You must configure routes and health checks in the data center, and then configure the gateway device to route network traffic based on health check results to achieve network redundancy.

  1. Configure routes in the data center.

    The configuration may vary based on the gateway device. For more information about the configuration commands, consult the vendor of your gateway device.

    # Configure routes in the data center to route network traffic to the VPC over both circuits.
    ip route 192.168.0.0 255.255.0.0 10.0.0.1
    ip route 192.168.0.0 255.255.0.0 10.0.0.5
    # Configure host routes so that replies to the health check probes return over either circuit.
    ip route <The source IP address for health checks> 255.255.255.255 10.0.0.1
    ip route <The source IP address for health checks> 255.255.255.255 10.0.0.5
  2. Configure health checks in the data center.
    You can configure Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) on the gateway device in the data center to monitor the reachability of routes destined for the VBRs. For more information about the configuration commands, consult the vendor of your gateway device.
  3. Configure the gateway device to route network traffic based on health check results.
    The configuration may vary based on the network environment. For more information about the configuration commands, consult the vendor of your gateway device.

Step 6: Test the connectivity

After you complete the preceding configurations, you must test the connectivity of the Express Connect circuits.

  1. Open the command-line interface (CLI) on a computer in the data center.
  2. Run the ping command to test the connectivity between the data center and an ECS instance in the VPC. The CIDR block of the VPC is 192.168.0.0/16.
    If echo reply packets are returned, it indicates that the destination is reachable.
  3. To check whether active/active connections are established between the data center and Alibaba Cloud, run the tracert command to query the routes through which packets are sent.
