Cloud Enterprise Network:Configure VBR health checks

Prerequisites

The VBR instance that is associated with the Express Connect circuit is connected to a CEN instance. For more information, see Create a VBR connection.

Step 1: Add a health check configuration in the CEN console

1. Log on to the CEN console.

2. In the left-side navigation pane, click VBR Health Check.

3. On the VBR Health Check page, select the region where the VBR instance is located and then click Set Health Check.

4. In the Set Health Check dialog box, configure the health check using the following information and then click OK.

   Configuration	Description
   Instances	Select the CEN instance to which the VBR instance is connected.
   Virtual Border Router (VBR)	Select the VBR instance that you want to monitor.
   Source IP	You can configure a source IP address in one of the following ways: Automatic IP Address (Recommended): The system automatically allocates an IP address from the 100.96.0.0/16 CIDR block. Custom IP Address: The source IP address can be an unused IP address from the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The IP address cannot conflict with the IP addresses that are used for communication in the CEN instance. The IP address also cannot conflict with the Alibaba Cloud Side IPv4 Address or the Data Center Side IPv4 Address of the VBR instance. Note For the Automatic IP Address method: In each of the following regions, a maximum of 16 VBR instances can be automatically allocated a source IP address. Click to view region informationUS (Silicon Valley), China (Hong Kong), US (Virginia), China (Beijing), China (Shanghai), China (Shenzhen), Singapore, China (Hangzhou), China (Heyuan), China (Chengdu), China (Zhangjiakou), Germany (Frankfurt), Malaysia (Kuala Lumpur), UK (London), China (Qingdao), Indonesia (Jakarta), China (Hohhot), China (Guangzhou), China (Ulanqab), China (Nanjing - Local Region), Japan (Tokyo) In each of the Philippines (Manila), South Korea (Seoul), China (Fuzhou - Local Region), Thailand (Bangkok), Mexico, SAU (Riyadh - Partner Region) regions, a maximum of 8 VBR instances can be automatically allocated a source IP address. Regardless of the configuration method you choose, after the health check is configured, CEN advertises a route entry to the VBR instance. The destination CIDR block of the route entry is the source IP address and the subnet mask is 32 bits in length. If the VBR instance and the data center use the Border Gateway Protocol (BGP) dynamic routing protocol, this route entry is advertised to the data center through BGP.
   Destination IP	The destination IP address is the customer-side IP address of the VBR instance.
   Probe Interval (Seconds)	The interval at which consecutive probe packets are sent for a health check. Unit: seconds. Valid values: 2 to 3. Default value: 2.
   Probe Packets	The number of consecutive probe packets that are sent for a health check. Unit: packets. Valid values: 3 to 8. Default value: 8.
   Change Route	Specifies whether to enable the route switchover feature for health checks. This feature is enabled by default. If a health check detects a faulty Express Connect circuit and redundant routes exist in the CEN instance, the health check immediately triggers a route switchover to an available link. If you disable this feature, health checks perform only link probing. If a health check detects a faulty Express Connect circuit, a route switchover is not triggered. Warning If you disable this feature, make sure that you have other methods to ensure link redundancy. Otherwise, the network is interrupted if the Express Connect circuit fails.
   Description	Add a description for the health check.

Step 2: Add a health check configuration in your data center

You need to add health check configurations in your data center to ensure that health checks work as expected.

1. Add a return route for health check probe packets in your data center.

   Important

   • If your VBR instance uses the Border Gateway Protocol (BGP), Alibaba Cloud advertises the source IP address of the health check to your data center as a route with a 32-bit mask by default after you configure the health check. You do not need to add a return route for health check probe packets in your data center.

   • If your VBR instance uses static routing, you must manually configure a route entry in your data center. The destination CIDR block of the route entry must be the source IP address of the health check, the subnet mask must be 32 bits in length, and the next hop must point to the corresponding Express Connect circuit. Otherwise, the ping packets of the health check probe cannot be returned along the original path of the probed Express Connect circuit. This causes Alibaba Cloud to incorrectly determine that the Express Connect circuit is unavailable.

   The following sample configuration shows how to manually add a return route for health check probe packets. The configuration is for reference only. For specific configuration commands, consult your device vendor.

   #Configure a return route for health check probe packets.
   ip route <Source IP address of the health check> 255.255.255.255 <Alibaba Cloud-side IP address of the destination VBR instance>

2. Add a health check configuration in your data center.

   You can add a health check configuration in your data center using Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA). This ensures that the connectivity of the Express Connect circuit can also be probed from your data center. For specific configuration commands, consult your device vendor.

   Important

   • When you configure an NQA probe, do not use the Alibaba Cloud Side IPv4 Address of the VBR as the probe destination address. Otherwise, incorrect switchovers may occur when the link is normal, or switchovers may fail when the link is faulty. You must use the source IP address of the health check in Step 1 as the destination address for the data center to probe the cloud network. This IP address supports only ICMP probes.

   • If your connection to the cloud lacks redundant links, we recommend that you configure a summary route that points to the cloud and is not affected by NQA probe results. This ensures that traffic can be forwarded normally when an NQA probe is abnormal but the connection over the Express Connect circuit is not interrupted.

3. Add a configuration that associates health checks with routing in your data center.

   If a data center is connected to Alibaba Cloud over multiple Express Connect circuits, you need to add a configuration in your data center that associates health checks with routing. This ensures that the connectivity of the Express Connect circuits can also be probed from your data center and that route switchovers can be automatically implemented based on health check results. For specific configuration commands, consult your device vendor.

Step 3: Add an alert rule in the CloudMonitor console

After you configure a health check, we recommend that you add an alert rule for the Express Connect circuit. When an alert rule is triggered for the Express Connect circuit, the system sends you an alert notification. This way, you can handle issues promptly.

1. Log on to the CloudMonitor console.

2. In the left-side navigation pane, choose Alerts > Alert Rules.

3. On the Alert Rules page, click Create Alert Rule.

4. In the Create Alert Rule panel, set Product to CEN-Router, configure the related alert rules, and then click Confirm.

   This section describes only the configurations that are closely related to this topic. For more information about other parameters, see Create an alert rule.

   Click Add Rule and select a metric type for the threshold-triggered alert rule. This topic uses Single Metric as an example. In the Configure Rule Description panel that appears, configure the following parameters and then click OK.

   Configuration	Description
   Alert Rule	The name of the threshold-triggered alert rule.
   Metric Type	The metric type of the threshold-triggered alert rule. This topic uses Single Metric as an example. For information about the parameter configurations of other metric types, see Create an alert template. Single Metric Combined Metrics Expression Dynamic Threshold
   Metric	Select the metric that you want to monitor. VBRHealthyCheckLatency: the communication latency between Alibaba Cloud and your data center. VBRHealthyCheckLossRate: the packet loss rate of communication between Alibaba Cloud and your data center. VBRInternetOutRate: the bandwidth used for traffic from Alibaba Cloud to your data center. VBRInternetInRate: the bandwidth used for traffic from your data center to Alibaba Cloud.
   Threshold and Alert Level	Configure the alert conditions, alert threshold, and alert level for the alert rule.

More operations

FAQ

In a scenario where multiple VBRs are connected to a transit router, at what granularity is redundancy implemented between Express Connect circuits?

Redundancy between Express Connect circuits is implemented at the route entry level.

In a scenario where multiple VBRs are connected to a transit router (and the Express Connect circuits are redundant), does traffic get interrupted if all VBR instances fail the health check?

• For traffic from Alibaba Cloud to your data center, Alibaba Cloud forwards the traffic through the Express Connect circuit of the last VBR instance by default.

  • If the health check of the last VBR instance fails but the Express Connect circuit is actually connected, the available bandwidth for traffic from Alibaba Cloud to your data center is reduced because traffic can be transmitted only through one Express Connect circuit.

  • If the health check of the last VBR instance fails and the Express Connect circuit is faulty, traffic from Alibaba Cloud to your data center is interrupted.

  The last VBR instance is the one that is the last to fail the health check. For example, VBR1, VBR2, and VBR3 are connected to a transit router, and the following three route entries exist in the route table of the transit router. The system first detects that the health checks of VBR1 and VBR2 have failed, and then detects that the health check of VBR3 has failed. In this case, VBR3 is the last VBR instance. All traffic from Alibaba Cloud to your data center is transmitted through the Express Connect circuit of VBR3.

  Destination CIDR block	Next hop	Network instance associated with the next hop
  192.168.1.0/24	VBR1 connection	VBR1
  192.168.1.0/24	VBR2 connection	VBR2
  192.168.1.0/24	VBR3 connection	VBR3

• For traffic from your data center to Alibaba Cloud, evaluate the impact based on your network configurations.

In a scenario where multiple VBRs are connected to a transit router (and the Express Connect circuits are redundant), does a route switchover occur if all VBR instances fail the health check?

A route switchover is triggered only by a change in the connectivity of an Express Connect circuit, for example, when a health check detects that the status of an Express Connect circuit changes from connected to disconnected, or from disconnected to connected.

Does deleting a health check configuration cause route flapping or traffic interruptions?

• If you delete the health check configuration in the CEN console, it does not cause route flapping. The system considers the Express Connect circuit normal by default and forwards traffic to the Express Connect circuit based on the existing route.

  If the current Express Connect circuit is actually faulty, traffic is interrupted.

• If you delete the health check configuration in your data center, evaluate the impact based on your network configurations.

References

• Health check tutorial

• Troubleshoot Express Connect circuit failures

• Related API operations:

  • EnableCenVbrHealthCheck: Sets a health check for a VBR instance or modifies the health check configuration of a VBR instance.

  • DescribeCenVbrHealthCheck: Queries the health check configuration information of VBR instances in a specified region.

  • DisableCenVbrHealthCheck: Deletes the health check configuration of a VBR instance.