This topic describes how to connect a data center to a virtual private cloud (VPC) by using an Express Connect circuit. This allows servers in the data center to access the Elastic Compute Service (ECS) instances in the VPC.

Scenarios

The following figure shows an example of the network configurations for connecting a data center to a VPC. The data center is located in Shanghai and the VPC is deployed in the China (Shanghai) region. The private CIDR block of the VPC is 172.16.0.0/16. The private CIDR block of the data center is 172.17.1.0/24. You want to connect a server in the data center to an ECS instance in the VPC by using an Express Connect circuit. The IP address of the on-premises server is 172.17.1.2. The IP address of the ECS instance is 172.16.0.1.

Figure: Connect to an ECS instance from a data center by using an Express Connect circuit

Item                              IP address/CIDR block
VPC CIDR block                    172.16.0.0/16
vSwitch CIDR block                172.16.0.0/24
ECS instance IP address           172.16.0.1
Data center CIDR block            172.17.1.0/24
Peer IP addresses                 • Virtual border router (VBR) IP address: 10.0.0.1/30
                                  • On-premises gateway IP address: 10.0.0.2/30
On-premises server IP address     172.17.1.2
Health check IP addresses         • Source IP address: 172.16.0.2
                                  • Destination IP address: 10.0.0.2

Prerequisites

  • A VPC is created in the China (Shanghai) region and cloud resources such as ECS instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
    Note Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is created in the China (Shanghai) region. Shanghai Zone F and Shanghai Zone G support Enterprise Edition transit routers.
  • You understand the security group rules of the ECS instances in the VPC. Make sure that the rules allow access from the data center. For more information, see Query security group rules and Add a security group rule.
  • A Cloud Enterprise Network (CEN) instance is created. For more information, see Create a CEN instance.
  • An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Create a transit router.

Step 1: Create an Express Connect circuit

You can create a dedicated connection over an Express Connect circuit by applying for a dedicated Express Connect circuit in the Express Connect console. You can also use a hosted connection over a shared Express Connect circuit provided by an Express Connect partner. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview.

The following table describes the configurations of the VBR that is associated with the Express Connect circuit in this example.

Parameter                             Details
VLAN ID                               0
IPv4 Address (Alibaba Cloud Gateway)  10.0.0.1
IPv4 Address (Data Center Gateway)    10.0.0.2
Subnet Mask (IPv4)                    255.255.255.252

Step 2: Create a VBR

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select the region and click Exclusive Physical Connection in the left-side navigation pane.
  3. On the Physical Connections page, click the ID of the Express Connect circuit for which you want to create a VBR. Make sure that the Express Connect circuit is enabled.
  4. On the details page of the Express Connect circuit, click Create VBR.
  5. In the Create VBR panel, set the following parameters and click OK.
    • Account: Specify whether to create the VBR for the current Alibaba Cloud account or for another account. Current Account is selected in this example.
    • Name: Enter a name for the VBR.
    • Physical Connection Interface: Select Dedicated Physical Connection, and then select the Express Connect circuit that you want to associate with the VBR. The Express Connect circuit must be enabled and working as expected.
    • VLAN ID: Enter the VLAN ID of the VBR. In this example, 0 is used.
    • Set VBR Bandwidth Value: Set the maximum bandwidth of the VBR. In this example, 200Mb is used.
    • IPv4 Address (Alibaba Cloud Gateway): Specify the IPv4 address of the VBR. In this example, 10.0.0.1 is used.
    • IPv4 Address (Data Center Gateway): Specify the IPv4 address of the on-premises gateway. In this example, 10.0.0.2 is used.
    • Subnet Mask (IPv4): Enter the subnet mask that applies to both IPv4 addresses. In this example, 255.255.255.252 is used.

Step 3: Connect the transit router to the VPC and the VBR

Connect the transit router in the China (Shanghai) region to the VBR that is associated with the Express Connect circuit. Then, connect the transit router to the VPC that you want to connect to the data center. This way, the VPC and the data center can communicate with each other.

Step 4: Add routes to the VBR

Add routes to the VBR that forward traffic destined for the data center and for the Express Connect circuit. The following procedure shows how to add the route that points to the Express Connect circuit.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
  4. On the details page of the VBR, click the Routes tab and click Add Route.
  5. In the Add Route panel, set the following parameters and click OK:
    • Next Hop Type: In this example, Physical Connection Interface is selected.
    • Destination CIDR Block: Enter the CIDR block of the data center. In this example, 172.17.1.0/24 is used.
    • Next Hop: Select an Express Connect circuit. The Express Connect circuit that you applied for is selected in this topic.
    • Description: Enter a description for the route.
    Note By default, if you ping the IP address of the VBR from an ECS instance, you cannot reach the VBR. If you want to reach the VBR, you must first add a route that points to the Express Connect circuit and set the destination CIDR block to 10.0.0.1/30.

Step 5: Configure health checks

CEN provides the health check feature to monitor the status of connections to the data center.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. On the Health Check page, select the region where the VBR resides. In this example, China (Shanghai) is selected. Then, click Set Health Check.
  4. In the Set Health Check panel, set the following parameters and click OK.
    • Instances: Select the CEN instance to which the VBR is attached.
    • Virtual Border Router (VBR): Select the VBR that you want to monitor. VBR1 is selected in this example.
    • Source IP: Select Custom IP Address and enter an idle IP address that belongs to a vSwitch of the connected VPC. In this example, 172.16.0.2 is used.
    • Destination IP: Enter the IP address of the gateway device in the data center. In this example, 10.0.0.2 is used.
    • Probe Interval (Seconds): Set the value to 2. Unit: seconds.
    • Probe Packets: Set the value to 8.
    • Change Route: Specify whether to allow the health check feature to switch to the redundant route.
      If you select Yes, the health check feature can switch to the redundant route. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route when an error is detected on the Express Connect circuit.
      If you select No, the health check feature does not switch to the redundant route. Only probing is performed, and the health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit.
    Warning Before you select No, make sure that the system can switch to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit fails.
    Note The system sends probe packets at the specified interval. If the number of consecutively dropped packets reaches the specified value, the health check fails.

Step 6: Configure routes on the gateway device of the data center

After you complete the previous steps, you must log on to the gateway device in the data center and configure routes that point to the VPC. You can create a static route or configure Border Gateway Protocol (BGP) routing to forward network traffic from the data center to the VBR.

  1. Create a static route or configure BGP routing on the gateway device to route traffic to the VPC.
    • The following static route is used as an example.
      Note The route in this example is provided for reference only. Route configurations may vary based on the gateway device.
      ip route 172.16.0.0 255.255.0.0 10.0.0.1
    • Configure BGP routing. For more information, see Configure BGP.

      The CIDR block to be advertised is the CIDR block of the VPC connected to the data center. In this example, the CIDR block of the VPC is 172.16.0.0/16.

  2. Run the ping command to ping the IP address of the VBR from the gateway device to verify network connectivity.
    Run the ping command to ping the IP address 10.0.0.1. If you can receive echo reply packets, it indicates that the gateway device in the data center is connected to Alibaba Cloud over the Express Connect circuit.
  3. Run the following command to configure the default route on a server in the data center. The route points to the gateway device in the data center.
    route add default gw 172.17.1.1
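The following Python script is added here as an example and is not part of the original topic. It checks that the address plan used throughout this topic is internally consistent before any of it is typed into a console or a gateway: the VPC, vSwitch, and data center CIDR blocks do not overlap, the two gateway addresses from Step 2 are peers on one /30, the health check source and destination from Step 5 are an idle vSwitch address and the on-premises gateway, and it derives the Step 6 static route and the time the health check needs to detect a failed circuit. The PLAN dictionary and the problem messages are constructed for this example; the values are copied from the tables above.

```python
import ipaddress

# Address plan of this topic (values copied from the tables above; the dict is constructed here).
PLAN = {
    "vpc_cidr": "172.16.0.0/16",
    "vswitch_cidr": "172.16.0.0/24",
    "ecs_ip": "172.16.0.1",
    "dc_cidr": "172.17.1.0/24",
    "vbr_ip": "10.0.0.1/30",         # IPv4 Address (Alibaba Cloud Gateway)
    "dc_gateway_ip": "10.0.0.2/30",  # IPv4 Address (Data Center Gateway)
    "hc_source_ip": "172.16.0.2",
    "hc_dest_ip": "10.0.0.2",
    "probe_interval_s": 2,
    "probe_packets": 8,
}

def validate_plan(p):
    """Return a list of problems with the address plan; an empty list means it is consistent."""
    vpc = ipaddress.ip_network(p["vpc_cidr"])
    vsw = ipaddress.ip_network(p["vswitch_cidr"])
    dc = ipaddress.ip_network(p["dc_cidr"])
    vbr = ipaddress.ip_interface(p["vbr_ip"])
    gw = ipaddress.ip_interface(p["dc_gateway_ip"])
    ecs = ipaddress.ip_address(p["ecs_ip"])
    hc_src = ipaddress.ip_address(p["hc_source_ip"])
    hc_dst = ipaddress.ip_address(p["hc_dest_ip"])
    checks = [
        (vpc.overlaps(dc), "VPC and data center CIDR blocks overlap; routing would be ambiguous"),
        (not vsw.subnet_of(vpc), "vSwitch CIDR block is not inside the VPC CIDR block"),
        (ecs not in vsw, "ECS instance IP address is not in the vSwitch CIDR block"),
        # The two gateway addresses must be the usable pair of one /30 interconnect subnet.
        (vbr.network != gw.network or vbr.network.prefixlen != 30 or vbr.ip == gw.ip,
         "VBR and data center gateway addresses are not peers on a single /30"),
        (vbr.network.overlaps(vpc) or vbr.network.overlaps(dc),
         "interconnect /30 overlaps the VPC or data center CIDR block"),
        # Health check source must be an idle vSwitch address, not the ECS instance itself.
        (hc_src not in vsw or hc_src == ecs, "health check source IP is not an idle vSwitch address"),
        (hc_dst != gw.ip, "health check destination IP is not the data center gateway"),
    ]
    return [msg for bad, msg in checks if bad]

def failure_detection_window_s(p):
    """Seconds of consecutive packet loss before the health check declares the circuit down."""
    return p["probe_interval_s"] * p["probe_packets"]

def gateway_static_route(p):
    """Static route for the on-premises gateway in the 'ip route' form shown in Step 6."""
    vpc = ipaddress.ip_network(p["vpc_cidr"])
    vbr = ipaddress.ip_interface(p["vbr_ip"])
    return f"ip route {vpc.network_address} {vpc.netmask} {vbr.ip}"
```

With the values in this topic, validate_plan returns no problems, the health check needs 16 seconds of continuous loss (2 s × 8 packets) before it fails, and gateway_static_route reproduces the ip route line from Step 6.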

Step 7: Verify the connectivity of the Express Connect circuit

To verify the connectivity of the Express Connect circuit, you can ping the IP address of the VBR.

  1. Open the CLI on a server in the data center.
  2. Run the ping command to ping 10.0.0.1, which is the IP address of the VBR.
    If you can receive echo reply packets, the on-premises server is connected to Alibaba Cloud through the Express Connect circuit.
Note If you ping the IP address of the VBR from an ECS instance, you cannot reach the VBR.

Step 8: Test the connectivity to an ECS instance

You can ping the IP address of an ECS instance to verify the connectivity between Alibaba Cloud and the data center. IP addresses of ECS instances are dynamically allocated. You must ping the private IP address of an ECS instance. In this example, the private IP address of the ECS instance is 172.16.0.1.

Note Before you ping the private IP address, make sure that the security group rules configured for the ECS instance accept network traffic from the data center. For more information, see Query security group rules.
  1. Open the CLI on a server in the data center. Run the ping command to ping the private IP address of the ECS instance.
    ping 172.16.0.1
  2. Log on to the ECS instance and open the CLI.
  3. Run the ping command to ping the IP address of the server in the data center. If you can reach the IP address, it indicates that the server in the data center is connected to the ECS instance on Alibaba Cloud through the Express Connect circuit.
    ping 172.17.1.2