Connect a data center to a VPC by using an Express Connect circuit - Express Connect

You can connect a data center to a virtual private cloud (VPC) on Alibaba Cloud by using an Express Connect circuit. This way, the data center and the VPC can exchange data by using private connections. This topic describes how to use an Express Connect circuit to connect a data center to a VPC.

Scenario

The following figure shows the scenario that is used in this example. An enterprise has a data center in Hangzhou, China, and deploys a VPC in the China (Hangzhou) region. In this case, the enterprise needs to apply for an Express Connect circuit to connect the data center to the VPC based on the business requirements of the enterprise.

Connect a data center to a VPC by using an Express Connect circuit

Configuration item	IP address/CIDR block
Classless Inter-Domain Routing (CIDR) block of the VPC	192.168.0.0/16
CIDR block of the data center	172.30.0.0/24
Peer IP addresses configured on the virtual border router (VBR)	VPC side: 10.0.0.1/30 Data center side: 10.0.0.2/30 Subnet mask: 255.255.255.252
IP addresses used for health checks	Source IP address: 172.16.0.2 Destination IP address: 10.0.0.2

Prerequisites

A VPC is created in the China (Hangzhou) region. For more information, see Create a VPC with an IPv4 CIDR block.
Note Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is deployed in the China (Hangzhou) region, and the supported zones are Zone H and Zone I.
An access point of an Express Connect circuit is chosen, and a pre-installation site survey is completed by your connectivity provider. For more information, see Preparations.
You have read and understood the billing rules of dedicated Express Connect circuits. For more information, see Billing overview.
A Cloud Enterprise Network (CEN) instance is created. For more information, see Create a CEN instance.
An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Create a transit router.

Configuration process

Step 1: Apply for an Express Connect circuit and install the Express Connect circuit

Log on to the Express Connect console.
In the top navigation bar, select a region.

Apply for an Express Connect circuit.

On the Physical Connection page, click Create Physical Connection.
You can create a connection over an Express Connect circuit only after you enable billing for outbound data transfer. You can perform the following steps to enable billing for outbound data transfer. If billing for outbound data transfer is enabled, skip the steps.
1. In the Sign Agreement dialog box, read and select the agreement on billing for outbound data transfer, and then click Continue.
2. On the page that appears, read and select Terms of Service, and then click Activate Now.
3. Go back to the homepage of the Express Connect console. On the Physical Connection page, click Create Physical Connection.

Set the following parameters and click OK.

Note The Connection Status column displays the actual status of a connection over an Express Connect circuit only after the Express Connect circuit is installed and paid. Otherwise, the Connection Status column displays Down.

Parameter	Description
Region	Select the region where you want to create a connection over an Express Connect circuit. In this example, China > China (Hangzhou) is chosen.
Connectivity Provider	Select a connectivity provider. The access points that you can choose vary based on the connectivity provider. In this example, China Mobile is selected. Important If you choose China Unicom, China Telecom, or China Mobile as the connectivity provider, you can lease lines only from the selected connectivity provider. You cannot lease lines from other connectivity providers. If you choose China Unicom, China Telecom, or China Mobile as the connectivity provider, bare optical fibers are not supported. You must lease lines from the selected connectivity provider.
Access Point	Select the access point that is nearest to your data center. In this example, Hangzhou-Xiaoshan-D is selected. Access points are Alibaba Cloud data centers that are located in different regions. The access points allow you to connect your data center to Alibaba Cloud from different geographical locations and support different connection types. Each region contains one or more access points. For more information, see Locations of access points.
Understand Billing Rules	Read the billing rules and click Yes. For more information about the billing, see Billing overview.
Port Specification	The resource usage fee varies based on the port specification. We recommend that you select a port specification based on your business requirements. In this example, 1G and below is selected.
Port Type	Select a copper Ethernet port or an optical port. In this example, 1000Base-LX is selected.
Redundant Physical Connection ID	Select a redundant Express Connect circuit in the same region to configure equal-cost multi-path (ECMP) routing. In this example, None is selected.

Apply for a Letter of Authorization (LOA).
Note
- To obtain information about the access point location and ports in advance, Submit a ticket.
- After the Express Connect circuit is enabled, the system automatically allocates resources. You can apply for an LOA only after resources are allocated.
1. On the Physical Connection page, find the connection over the Express Connect circuit and click Apply for LOA in the Actions column.
2. In the Apply for LOA panel, enter the information about the Express Connect circuit installation, add information about field engineers, and then click OK.
3. In the Notes dialog box, read the note and click OK.
  After you apply for an LOA, the Status of the connection over the Express Connect circuit changes to In Application. Alibaba Cloud reviewers will review your application within two business days. After your application is approved, the Status of the connection over the Express Connect circuit changes to Approved LOA. Then, you can download the LOA in the console.
  Note If the access point is deployed outside the Chinese mainland, Alibaba Cloud reviewers will review your application within three business days.
Install the Express Connect circuit.
1. On the Physical Connection page, find the connection over the Express Connect circuit and click View LOA in the Actions column.
2. In the View LOA panel, click Download to download the LOA.
3. Send the LOA to the connectivity provider and contact the connectivity provider to connect the Express Connect circuit to the access device in the Alibaba Cloud data center. The connectivity provider must follow the instructions in the LOA during the installation.
  Note
  You need to send the LOA to Alibaba Cloud, fill in the on-site installation form, and send the form to the on-site engineers of Alibaba Cloud one day before the connectivity provider enters the Alibaba Cloud data center.
  After the connectivity provider completes the installation, you can request a survey report from the connectivity provider to ensure that the Express Connect circuit functions as expected.
  If the access point is deployed in the Chinese mainland, engineers from Alibaba Cloud will assist the connectivity provider in installing the Express Connect circuit. After you click Confirm Delivery in the console, engineers will install the fiber pigtail and connect it to the corresponding physical port.
  If the access point is deployed outside the Chinese mainland, the connectivity provider independently completes the installation. The access device that is connected to the Express Connect circuit can be an optical distribution frame (ODF) or a patch panel. After you click Confirm Delivery in the console, engineers will complete the installation by installing the fiber pigtail.
  If the connectivity provider needs to enter the Alibaba Cloud data center after the installation is completed, contact the account manager to apply for the required permissions.
4. After the connectivity provider installs the Express Connect circuit, contact the connectivity provider to obtain the ID of the Express Connect circuit, IDs of other cables, or optical distribution frame (ODF) port specification. Then, click Confirm Delivery on the Physical Connection page.
5. On the Confirm Delivery page, enter the information about the Express Connect circuit and click OK.
  Then, the Status of the Express Connect circuit changes to Waiting for Pigtail Installation. Field engineers from Alibaba Cloud will install the fiber pigtail within two business days. After the fiber pigtail is installed, the Status of the Express Connect circuit changes to Pending for Payment.
  Note If the access point is deployed outside the Chinese mainland, field engineers from Alibaba Cloud will install the fiber pigtail within three business days.
Pay the resource usage fee.
1. On the Physical Connection page, find the connection over the Express Connect circuit and click Pay Resource Occupation Fees in the Actions column.
2. Select a subscription duration and a renewal method, click Buy Now, and then complete the payment.
After you complete the payment, the Status of the Express Connect circuit changes to Enabled.

Step 2: Create a VBR and add a route to the VBR

After the Express Connect circuit is installed, you must create a VBR to exchange data between the VPC and the data center.

Log on to the Express Connect console.
In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.

Create a VBR.

On the Virtual Border Routers (VBRs) page, click Create VBR.

In the Create VBR panel, set the following parameters and click OK.

Parameter	Description
Account	By default, Current account is selected.
Name	Enter a name for the VBR.
Physical Connection Interface	In this example, Dedicated Physical Connection is selected, and the Express Connect circuit created in Step 1: Apply for an Express Connect circuit and install the Express Connect circuit is selected.
VLAN ID	Enter the virtual local area network (VLAN) ID of the VBR. In this example, 0 is used.
Set VBR Bandwidth Value	Set the bandwidth of the VBR.
IPv4 Address (Alibaba Cloud Gateway)	Enter an IPv4 address for the VBR to route network traffic between the VPC and the data center. In this example, 10.0.0.1/30 is used.
IPv4 Address (Data Center Gateway)	Enter an IPv4 address for the gateway device in the data center to route network traffic between the data center and the VPC. In this example, 10.0.0.2/30 is used.
Subnet Mask (IPv4)	Enter the subnet mask of the IPv4 addresses that you specified for the VBR and the gateway device in the data center. In this example, 255.255.255.252 is used.

Add a route to the VBR. The route must point to the data center.

On the Virtual Border Routers (VBRs) page, click the ID of the VBR to which you want to add a route.
On the details page of the VBR, click the Routes tab and click Add Route.

In the Add Route panel, set the following parameters and click OK.

Parameter	Description
Next Hop Type	In this example, Physical Connection Interface is selected.
Destination CIDR Block	Enter the CIDR block of the data center. In this example, 172.30.0.0/24 is used.
Next Hop	Select an Express Connect circuit. In this example, the Express Connect circuit created in Step 1: Apply for an Express Connect circuit and install the Express Connect circuit is selected.

Step 3: Attach the VBR and the VPC to a CEN instance

After you connect the VBR and the VPC to a CEN transit router, the CEN instance automatically advertises and learns routes to enable network communication between the VPC and the data center.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the following parameters and click OK to create a VPC connection.

Note If this is the first time that you attach a VPC to a transit router, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an elastic network interface (ENI) in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.

Parameter	Description
Network Type	Select the type of the network instance that you want to connect. In this example, VPC is selected.
Region	Select the region where the network instance is deployed. In this example, China (Hangzhou) is selected.
Transit Router	The system automatically displays the transit router in the selected region.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. In this example, Your Account is selected.
Billing Method	By default, transit routers use the pay-as-you-go billing method. For more information about the billing rules, see Billing rules.
Attachment Name	Enter a name for the VPC connection. In this example, `VPC-test` is used.
Networks	Select the ID of the VPC that you want to connect. In this example, the VPC that you created is selected.

Advanced Settings	By default, the following three advanced features are selected: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. In this example, the default settings are used.

On the Connection with Peer Network Instance page, click Create More Connections.

On the Connection with Peer Network Instance page, set the following parameters and click OK to create a VBR connection.

Parameter	Description
Network Type	In this example, Virtual Border Router (VBR) is selected.
Region	Select the region where the network instance is deployed. In this example, China (Hangzhou) is selected.
Transit Router	The system automatically displays the transit router in the selected region.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. In this example, Your Account is selected.
Attachment Name	Enter a name for the VBR connection. In this example, `VBR-test` is used.
Networks	Select the ID of the VBR that you want to connect. In this example, the VBR that you created is selected.
Advanced Settings	By default, the following three advanced features are selected: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Propagate Routes to VBR. In this example, the default settings are used.

After the VPC connection and the VBR connection are created, you can view the details about the connections on the Intra-region Connections tab. For more information, see View network instance connections.

Step 4: Configure health checks on Alibaba Cloud

If you use the default health check settings, Alibaba Cloud sends a probe packet every 2 seconds over the Express Connect circuit from the source IP address to the destination IP address in the data center. If no responses are returned for eight consecutive probe packets, it indicates that the Express Connect circuit is down.

Log on to the Cloud Enterprise Network console.
In the left-side navigation pane, click Health Check.
On the Health Check page, select the region where the VBR is deployed. Then, click Set Health Check.
In this example, the VBR is deployed in the China (Hangzhou) region.

In the Set Health Check dialog box, set the following parameters and click OK.

Parameter	Description
CEN Instances	Select the CEN instance to which the VBR is attached.
Virtual Border Router (VBR)	Select the VBR that you want to monitor.
Source IP	You can use one of the following methods to configure the source IP address: Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option. Custom IP Address: You can specify an available IP address that falls within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address must not conflict with the destination IP address, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the user side. Note Take note of the following rules if you select Automatic IP Address: In each of the following regions, at most 16 VBRs can be automatically assigned a source IP address: Click to view the regions US (Silicon Valley), China (Hong Kong), US (Virginia), China (Beijing), China (Shanghai), China (Shenzhen), Singapore, China (Hangzhou), China (Heyuan), China (Chengdu), China (Zhangjiakou), Germany (Frankfurt), Malaysia (Kuala Lumpur), and UK (London), China (Qingdao), Indonesia (Jakarta), China (Hohhot), India (Mumbai), China (Guangzhou), China (Ulanqab), China (Nanjing-Local Region), Japan (Tokyo), and Australia (Sydney) In the Philippines (Manila), South Korea (Seoul), China (Fuzhou-Local Region), or Thailand (Bangkok) region, at most eight VBRs can be automatically assigned a source IP address. No matter which method you select, the CEN instance advertises a route whose destination CIDR block is the source IP address and the subnet mask is 32 bits in length to the VBR after health checks are configured. If the VBR and data center use the BGP dynamic routing protocol, the route is advertised to the data center over BGP.
Destination IP	Set the destination IP address to the IP address of the VBR on the customer side.
Probe Interval (Seconds)	Enter a time interval at which probe packets are sent during the health check. Unit: seconds. Valid values: 2 to 3. Default value: 2.
Probe Packets	Enter the number of consecutive probe packets that are sent during the health check. Unit: connections. Valid values: 3 to 8. Default value: 8.
Change Route	Specify whether to allow the health check feature to switch to the redundant route. This feature is enabled by default. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you disable this feature, health checks only perform probing. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit. Warning Before you clear the check box, make sure that network traffic can be switched to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit fails.

Step 5: Configure routes and health checks in the data center

You must configure routes and health checks in the data center, and then configure the gateway device to route network traffic based on health check results to achieve connection redundancy.

Configure routes in the data center.
The following example is for reference only. Route configurations may vary based on the gateway device.
```
ip route 192.168.0.0 255.255.0.0 10.0.0.1
```
Configure health checks in the data center.
You can configure Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) on the gateway device in the data center to monitor the reachability of routes destined for the VBR. For more information about the configuration commands, consult the vendor of your gateway device. BFD can detect a link failure within milliseconds. We recommend that you configure BFD on your gateway device.
Configure the gateway device to route network traffic based on health check results.
Route configurations may vary based on the gateway device. For more information, consult the vendor of your gateway device.
After you add routes, the following private connection is established: data center > Express Connect circuit > VBR > VPC.

Step 6: Test the network connectivity

You can run the ping command in the data center to verify the connectivity to the VBR and the VPC.

Open the command-line interface (CLI) on a server in the data center.
Run the ping 10.0.0.1 command to verify the connectivity between the data center and the VBR.
If you receive echo reply packets, it indicates that the data center and the VBR are connected.
Run the ping 192.168.0.10 command to verify the connectivity between the data center and the VPC.
If you receive echo reply packets, it indicates that the data center and the VPC are connected.

References

For more information about how to troubleshoot issues related to the connectivity between a data center and a VPC, see Troubleshooting.
You can test the data transfer rate of your Express Connect circuit to ensure that the Express Connect circuit meets your business requirements. For more information, see Test the performance of an Express Connect circuit.
For more information about how to troubleshoot issues related to Express Connect circuit installation, see FAQ about installing an Express Connect circuit.
For more information about how to troubleshoot issues related to Express Connect circuit connections, see FAQ about connections over Express Connect circuits.