This topic describes how to connect a data center to a virtual private cloud (VPC) by using an Express Connect circuit. This allows servers in the data center to access the Elastic Compute Service (ECS) instances in the VPC.

Scenarios

The following figure shows an example of the network configurations for connecting a VPC and a data center. The data center is located in Hangzhou and the VPC is deployed in the China (Hangzhou) region. The private CIDR block of the VPC is 172.16.0.0/16. The private CIDR block of the data center is 172.17.1.0/24. You want to connect a server in the data center to an ECS instance in the VPC by using an Express Connect circuit. The IP address of the on-premises server is 172.17.1.2. The IP address of the ECS instance is 172.16.0.1.

Connect to an ECS instance from a data center by using an Express Connect circuit
Configuration item IP address/CIDR block
VPC CIDR block 172.16.0.0/16
vSwitch CIDR block 172.16.0.0/24
ECS instance IP address 172.16.0.1
Data center CIDR block 172.17.1.0/24
IP addresses used by the gateways to connect the on-premises network and Alibaba Cloud
  • IP addresses for the VBR: 10.0.0.1/30
  • IP addresses for the gateway device in the data center: 10.0.0.2/30
On-premises server IP address 172.17.1.2
Health check IP addresses
  • Source IP address: 172.16.0.2
  • Destination IP address: 10.0.0.2

Step 1: Create a connection over an Express Connect circuit

You can create a dedicated connection over an Express Connect circuit by applying for a dedicated Express Connect circuit in the Express Connect console. You can also use a hosted connection over a shared Express Connect circuit provided by an Express Connect partner. For more information, see Create a dedicated connection over an Express Connect circuit or Overview.

The following table describes the configurations of the VBR that is associated with the Express Connect circuit in this example.

Configuration item Configuration details
VLAN ID 0
Peer IPv4 Address of Gateway at Alibaba Cloud Side 10.0.0.1
Peer IPv4 Address of Gateway at Customer Side 10.0.0.2
Subnet Mask (IPv4 Address) 255.255.255.252

Step 2: Attach the VPC and the VBR to a CEN instance

After the data center is connected to the VPC, you must attach the VPC and the VBR to the same Cloud Enterprise Network (CEN) instance. The CEN instance automatically learns and distributes the routes of the attached network instances to enable private communication.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click its ID.
    For more information about how to create a CEN instance, see Create a CEN instance.
  3. On the Networks tab, click Attach Network to attach the VBR that is associated with the Express Connect circuit to the CEN instance. In the panel that appears, set the parameters and click OK.
    Attach network instances
    • Network Type: Select Virtual Border Routers (VBRs).
    • Region: Select the region where the VBR is deployed.
    • Networks: Select the VBR that is associated with the Express Connect circuit.
  4. Click Attach More, attach the VPC that you want to access and click OK.
    Your Account

Step 3: Configure routes on the VBR

After you attach the VBR and the VPC to the CEN instance, you must add a route that points to the data center and a route that points to the Express Connect circuit to the VBR. The following procedure shows how to add a route that points to the Express Connect circuit to the VBR.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
  4. On the VBR details page, click the Routes tab, and click Add Route.
  5. In the Add Route panel, set the following parameters and click OK:
    • Next Hop Type: Select Physical Connection Interface.
    • Destination Subnet: Enter the CIDR block of the data center. In this example, 172.17.1.0/24 is entered.
    • Next Hop: Select the Express Connect circuit associated with the VBR.
    Note By default, if you ping the IP address of the VBR from an ECS instance, you cannot reach the VBR. You must first add a route to the VBR, and then set the next hop of the route to the Express Connect circuit and the destination CIDR block to 10.0.0.1/30.

Step 4: Configure health checks

CEN provides the health check feature to monitor the status of connections to the data center.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. On the Health Check page, select the region where the VBR is deployed. In this example, China (Hangzhou) is selected. Click Set Health Check.
  4. In the Set Health Check panel, set the following parameters and click OK.
    • Instances: Select the CEN instance to which the VBR is attached.
    • Virtual Border Router (VBR): Select the VBR that you want to monitor.
    • Source IP: Select Custom IP Address and enter an idle IP address that belongs to a vSwitch of the connected VPC. In this example, 172.16.0.2 is entered.
    • Destination IP: Enter the IP address of the gateway device in the data center. In this example, 10.0.0.2 is entered.
    • Probe Interval (Seconds): Set the time interval at which probe packets are sent. In this example, the time interval is set to 2 seconds.
    • Probe Packets: Specify the number of probe packets to be sent for a health check. In this example, the value of this parameter is set to 8.
    Note The system sends probe packets at the specified intervals. If the number of consecutively dropped packets reaches the specified value, the health check fails.

Step 5: Configure routes on the gateway device of the data center

After you complete the previous steps, you must log on to the gateway device of the data center and configure routes that point to the VPC. You can create a static route or configure Border Gateway Protocol (BGP) routing to forward network traffic from the data center to the VBR.

  1. Create a static route or configure BGP routing on the gateway device to route traffic to the VPC.
    • The following static route is used as an example.
      Note The route in this example is provided only for reference. Route configurations may vary based on the gateway device. 
      ip route 172.16.0.0 255.255.0.0 10.0.0.1
    • Configure BGP routing. For more information, see Configure BGP.

      The CIDR block to be advertised is the CIDR block of the VPC connected to the data center. In this example, the CIDR block of the VPC is 172.16.0.0/16.

  2. Run the ping command to ping the IP address of the VBR from the gateway device to verify network connectivity.
    Run the ping command to ping the IP address 10.0.0.1. If you can reach the destination, it indicates that the gateway device in the data center is connected to Alibaba Cloud over the Express Connect circuit.
  3. Run the following command to configure the default route on a server in the data center. The route points to the gateway device in the data center. 
    route add default gw 172.17.1.1

Step 6: Verify the connectivity of the Express Connect circuit

To verify the connectivity of the Express Connect circuit, you can ping the IP address of the VBR.

  1. Open the command prompt on a server in the data center.
  2. Run the ping command to ping the IP address of the VBR: 10.0.0.1. If the ping succeeds, it indicates that the server in the data center is connected to Alibaba Cloud over the Express Connect circuit.
Note If you ping the IP address of the VBR from an ECS instance, you cannot reach the VBR.

Step 7: Test the connectivity to an ECS instance

You can ping the IP address of an ECS instance to verify the connectivity between Alibaba Cloud and the data center. IP addresses of ECS instances are dynamically allocated. You must ping the private IP address of an ECS instance. In this example, the private IP address of the ECS instance is 172.16.0.1.

Note Before you ping the private IP address, make sure that the security group rules configured for the ECS instance accept network traffic from the data center. For more information, see Query security group rules.
  1. Open the command prompt on a server in the data center. Run the following command to ping the private IP address of the ECS instance: 
    ping 172.16.0.1
  2. Log on to the ECS instance and open the command prompt.
  3. Run the ping command to ping the IP address of the server in the data center. If you can reach the IP address, it indicates that the server in the data center is connected to the ECS instance on Alibaba Cloud. 
    ping 172.17.1.2