This topic describes how to connect a data center to a virtual private cloud (VPC) by using an Express Connect circuit. This allows the servers in the data center to access the Elastic Compute Service (ECS) instances in the VPC.

Background information

To connect to the cloud services in the VPC from your data center, you must configure routes on both the virtual border router (VBR) and the gateway device in the data center. The destination CIDR blocks of the routes that you configure must fall within the network segment 100.64.0.0/10. Specify the VBR interface that points to the VPC as the next hop of the route on the VBR. In addition, specify the VBR interface that points to the data center as the next hop of the route on the gateway device.

The network segment 100.64.0.0/10 is reserved for VPCs, and is used by cloud services such as Alibaba Cloud Domain Name System (DNS), Object Storage Service (OSS), and Log Service.

Note Therefore, you cannot create a route whose destination CIDR block is 100.64.0.0/10 on the VBR. You must create the following two routes on the VBR: one route whose destination CIDR block is 100.64.0.0/11 and the other route whose destination CIDR block is 100.96.0.0/11.

Example

The following figure shows an example of the network configurations for connecting a VPC and a data center. The data center is located in the China (Hangzhou) region and the VPC is deployed in the China (Hangzhou) region. The private CIDR block of the VPC is 172.16.0.0/16. The private CIDR block of the data center is 172.17.1.0/24. You want to connect a server in the data center to an ECS instance in the VPC by using an Express Connect circuit. The IP address of the server is 172.17.1.2. The IP address of the ECS instance is 172.16.0.1.

Connect to an ECS instance from a data center by using an Express Connect circuit
Parameter IP address/CIDR block
CIDR block of the VPC 172.16.0.0/16
CIDR block of the vSwitch 172.16.0.0/24
CIDR block of the ECS instances 172.16.0.1/24
CIDR block of the data center 172.17.1.0/24
Peer IP addresses
  • Alibaba Cloud peer IP addresses: 10.0.0.1/30
  • Data center peer IP addresses: 10.0.0.2/30
CIDR block of the servers in the data center 172.17.1.2/24
IP addresses used for health checks
  • Source IP address: 172.16.0.2
  • Destination IP address: 10.0.0.2

Step 1: Create a connection over an Express Connect circuit

You can create a dedicated connection over an Express Connect circuit by applying for a dedicated Express Connect circuit in the Express Connect console. You can also establish a hosted connection over a shared Express Connect circuit provided by an Express Connect partner. For more information, see Create a dedicated connection over an Express Connect circuit or Establish a hosted connection over an Express Connect circuit.

The following table describes the parameters that are set for the VBR associated with the Express Connect circuit in this example.

Parameter Value
VLAN ID 0
IPv4 Address of Gateway at Alibaba Cloud Side 10.0.0.1
IPv4 Address of Gateway at Customer Side 10.0.0.2
Subnet Mask (IPv4 Address) 255.255.255.252

Step 2: Attach the VPC and the VBR to a CEN instance

After the data center is connected to the VPC, you must attach the VPC and the VBR to the same Cloud Enterprise Network (CEN) instance. The CEN instance automatically learns and distributes the routes of the attached network instances to enable private communication.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click its ID.
    For more information about how to create a CEN instance, see Create a CEN instance.
  3. On the Networks tab, click Attach Network to attach the VBR that is associated with the Express Connect circuit to the CEN instance. In the panel that appears, set the parameters and click OK.
    Attach network instances
    • Instance Type: Select Virtual Border Routers (VBRs).
    • Region: Select the region where the VBR is deployed.
    • Networks: Select the VBR that is associated with the Express Connect circuit.
  4. Click Attach More, attach the VPC that you want to access and click OK.
    Same account

Step 3: Configure routes on the VBR

After you attach the VBR and the VPC to the CEN instance, you must create a route that points to the data center and a route that points to the Express Connect circuit on the VBR. The following procedure shows how to create a route that points to the Express Connect circuit on the VBR.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
  4. On the VBR details page, click the Routes tab, and click Add Route.
  5. In the Add Route panel, set the following parameters and click OK:
    • Next Hop Type: Select Physical Connection Interface.
    • Destination Subnet: Enter the CIDR block of the data center. In this example, 172.17.1.0/24 is entered.
    • Next Hop: Select the Express Connect circuit that you created.
    Note By default, if you ping the IP address of the VBR from an ECS instance, you cannot reach the VBR. You must first create a route on the VBR, and then set the next hop of the route to the Express Connect circuit and the destination CIDR block to 10.0.0.1/30.

Step 4: Configure health checks

CEN provides the health check feature to monitor the status of connections to the data center.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. On the Health Check page, select the region where the VBR is deployed. In this example, China (Hangzhou) is selected. Click Set Health Check.
  4. In the Set Health Check panel, set the following parameters and click OK.
    • Instances: Select the CEN instance to which the VBR is attached.
    • Virtual Border Router (VBR): Select the VBR that you want to monitor.
    • Source IP: Select Custom IP Address and enter an idle IP address that belongs to a vSwitch of the connected VPC. In this example, 172.16.0.2 is entered.
    • Destination IP: Enter the IP address of the gateway device in the data center. In this example, 10.0.0.2 is entered.
    • Probe Interval (Seconds): Set the time interval at which probe packets are sent. In this example, the time interval is set to 2 seconds.
    • Probe Packets: Specify the number of probe packets to be sent for each health check. In this example, this parameter is set to 8.
    Note The system sends probes at the specified intervals. If the number of consecutively dropped probe packets reaches the specified number of probe packets, the connection is considered unhealthy.

Step 5: Configure routes on the gateway device of the data center

After you complete the previous steps, you must log on to the gateway device of the data center and configure routes that point to the VPC. You can create a static route or configure Border Gateway Protocol (BGP) routing to forward network traffic from the data center to the VBR.

  1. Create a static route or configure BGP routing on the gateway device to route traffic to the VPC.
    • The following static route is used as an example.
      Note The route is only for reference. Route configurations may vary based on the manufacturer of the gateway device. 
      ip route 172.16.0.0 255.255.0.0 10.0.0.1
    • Configure BGP routing. For more information, see Configure BGP.

      The CIDR block to be advertised is the CIDR block of the VPC connected to the data center. In this example, the CIDR block of the VPC is 172.16.0.0/16.

  2. Run the ping command to ping the IP address of the VBR from the gateway device to verify network connectivity.
    Run the ping command to ping the IP address 10.0.0.1. If the ping succeeds, it indicates that the gateway device in the data center is connected to Alibaba Cloud over the Express Connect circuit.
  3. Run the following command to configure a default route on a server in the data center. The route points to the gateway device in the data center. 
    route add default gw 172.17.1.1

Step 6: Verify the connectivity of the Express Connect circuit

To verify the connectivity of the Express Connect circuit, you can ping the IP address of the VBR.

  1. Open the command prompt on a server in the data center.
  2. Run the ping command to ping the IP address of the VBR: 10.0.0.1. If the ping succeeds, it indicates that the server in the data center is connected to Alibaba Cloud over the Express Connect circuit.
Note If you ping the IP address of the VBR from an ECS instance, you cannot reach the VBR.

Step 7: Verify the connectivity to an ECS instance

You can ping the IP address of an ECS instance to verify the connectivity between Alibaba Cloud and the data center. IP addresses of ECS instances are dynamically allocated. You must ping the private IP address of an ECS instance. In this example, the private IP address of the ECS instance is 172.16.0.1.

Note Before you perform the operations, make sure that the security group rules configured for the ECS instance in the VPC accept network traffic from the data center. For more information, see Query security group rules.
  1. Open the command prompt on a server in the data center. Run the following command to ping the private IP address of the ECS instance: 
    ping 172.16.0.1
  2. Log on to the ECS instance and open the command prompt.
  3. Run the ping command to ping the IP address of the server in the data center. If the ping succeeds, it indicates that the server in the data center is connected to the ECS instance on Alibaba Cloud. 
    ping 172.17.1.2