Express Connect:Connect a data center to ECS by using an Express Connect circuit

Scenarios

The following figure provides an example of the network configurations for connecting a data center to a VPC. The data center is located in Shanghai and the VPC is deployed in the China (Shanghai) region. The private CIDR block of the VPC is 172.16.0.0/16. The private CIDR block of the data center is 172.17.1.0/24. You want to connect a server in the data center to an ECS instance in the VPC by using an Express Connect circuit. The IP address of the on-premises server is 172.17.1.2. The IP address of the ECS instance is 172.16.0.1.

Prerequisites

• A VPC is created in the China (Shanghai) region and cloud resources such as ECS instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

  Note

  Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is created in the China (Shanghai) region. Shanghai Zone F and Shanghai Zone G support Enterprise Edition transit routers.

• You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.

• A Cloud Enterprise Network (CEN) instance is created. For more information, see the Create a CEN instance section of the "CEN instances" topic.

• An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Create a transit router.

Step 1: Create an Express Connect circuit

You can create a dedicated connection over an Express Connect circuit by applying for a dedicated Express Connect circuit in the Express Connect console. You can also use a hosted connection over a shared Express Connect circuit provided by an Express Connect partner. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview of hosted connections.

The following table describes the configurations of the VBR that is associated with the Express Connect circuit in this example.

Step 2: Create a VBR

1. Log on to the Express Connect console.

2. In the top navigation bar, select a region.

3. On the Physical Connection page, click the ID of the Express Connect circuit for which you want to create a VBR. Make sure that the Express Connect circuit is enabled.

4. On the details page of the Express Connect circuit, click Create VBR.

5. In the Create VBR panel, set the parameters that are described in the following table and click OK.

   Parameter	Description
   Account	The Alibaba Cloud account for which you want to create a VBR. In this example, Current Account is selected.
   Name	The name of the VBR.
   Physical Connection Interface	The Express Connect circuit to be associated with the VBR. Select Dedicated Physical Connection, and select the Express Connect circuit that you want to associate with the VBR. The Express Connect circuit must be enabled and work as expected.
   VLAN ID	The virtual local area network (VLAN) ID of the VBR. In this example, 1 is entered.
   Set VBR Bandwidth Value	The bandwidth of the VBR. In this example, 200Mb is specified.
   IPv4 Address (Alibaba Cloud Gateway)	The IPv4 address for the VBR to route network traffic between the VPC and the data center. In this example, 10.0.0.1 is entered.
   IPv4 Address (Data Center Gateway)	The IPv4 address for the gateway device in the data center to route network traffic between the data center and the VPC. In this example, 10.0.0.2 is entered.
   Subnet Mask (IPv4)	The subnet mask of the IPv4 addresses that you specified for the VBR and the gateway device in the data center. In this example, 255.255.255.252 is entered.

Step 3: Connect the transit router to the VPC and the VBR

Connect the transit router in the China (Shanghai) region to the VBR that is associated with the Express Connect circuit. Then, connect the transit router to the VPC that you want to connect to the data center. This way, the VPC and the data center can communicate with each other.

1. Log on to the CEN console.

2. On the Instances page, click the ID of the CEN instance that you want to manage.

3. On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

4. On the Connection with Peer Network Instance page, set the following parameters and click OK to create a VPC connection.

   Note

   When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an ENI in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.

   Parameter	Description
   Network Type	Select the type of network instance that you want to attach to the CEN instance. In this example, VPC is selected.
   Region	Select the region where the network instance is deployed. In this example, China (Shanghai) is selected.
   Transit Router	The system automatically displays the transit router in the selected region.
   Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. In this example, Your Account is selected.
   Billing Method	By default, transit routers use the Pay-As-You-Go billing method. For more information about the billing rules, see Billing rules.
   Attachment Name	Enter a name for the VPC connection. In this example, VPC-test is used.
   Networks	Select the VPC to be connected. In this example, the VPC that you created is selected.
   vSwitch	Select a vSwitch in a zone that supports transit routers. In this example, the vSwitch in the corresponding zone is selected.
   Advanced Settings	By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. In this example, the default settings are used.

5. On the Connection with Peer Network Instance page, click Create More Connections.

6. On the Connection with Peer Network Instance page, set the following parameters and click OK to create a connection for VBR1.

   Parameter	Description
   Network Type	In this example, Virtual Border Router (VBR) is selected.
   Region	Select the region where the network instance is deployed. In this example, China (Shanghai) is selected.
   Transit Router	The system automatically displays the transit router in the current region.
   Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. In this example, Your Account is selected.
   Attachment Name	Enter a name for the VBR connection. In this example, VBR-test is used.
   Networks	Select the ID of the VBR that you want to connect. In this example, VBR1 is selected.
   Advanced Settings	By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. In this example, the default settings are used.

   After the connections are created, you can view the details about the connections on the Intra-region Connections tab. For more information, see View network instance connections.

Step 4: Add routes to the VBR

Add a route that points to the data center and a route that points to the Express Connect circuit to the VBR. The following procedure shows how to add a route that points to the Express Connect circuit to the VBR.

1. Log on to the Express Connect console.

2. In the top navigation bar, select a region and click Virtual Border Routers (VBRs) in the left-side navigation pane.

3. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

4. On the details page of the VBR, click the Routes tab and click Add Route.

5. In the Add Route panel, set the parameters that are described in the following table and click OK.

   Parameter	Description
   Next Hop Type	The type of the next hop to which the route points. In this example, Physical Connection Interface is selected.
   Destination CIDR Block	The CIDR block of the data center. In this example, 172.17.1.0/24 is entered.
   Next Hop	The Express Connect circuit that serves as the next hop. In this example, the Express Connect circuit for which you have applied is selected.
   Description	The description of the route.

   Note

   By default, if you ping the IP address of the VBR from an ECS instance, you cannot reach the VBR. If you want to reach the VBR, you must first add a route that points to the Express Connect circuit and set the destination CIDR block to 10.0.0.1/30.

Step 5: Configure health checks

CEN provides the health check feature to monitor the status of connections to the data center.

1. Log on to the CEN console.

2. In the left-side navigation pane, click Health Checks.

3. On the Health Checks page, select the region where the VBR resides. Then, click Set Health Check. In this example, China (Shanghai) is selected.

4. In the Set Health Check dialog box, set the parameters that are described in the following table and click OK.

   Parameter	Description
   Instances	The CEN instance to which the VBR is attached.
   Virtual Border Router (VBR)	The VBR that you want to monitor. In this example, VBR1 is selected.
   Source IP	The source IP address. Select Custom IP Address and enter an idle IP address that belongs to a vSwitch of the connected VPC. In this example, 172.16.0.2 is entered.
   Destination IP	The IP address of the gateway device in the data center. In this example, 10.0.0.2 is entered.
   Probe Interval (Seconds)	The interval at which probe packets are sent. Unit: seconds. In this example, the value is set to 2.
   Probe Packets	The number of probe packets to be sent. In this example, the value is set to 8.
   Change Route	Specifies whether to allow the health check feature to switch to the redundant route. By default, Change Route is turned on. This indicates that the health check feature can switch to the redundant route. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you turn off Change Route, the health check feature does not switch to the redundant route. Only probing is performed. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit. Warning Before you turn off Change Route, make sure that the system can switch to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit is down.

   Note

   The system sends probe packets at the specified intervals. If the number of consecutively dropped packets reaches the specified value, the health check fails.

Step 6: Configure routes on the gateway device in the data center

After you complete the previous steps, you must log on to the gateway device in the data center and configure routes that point to the VPC. You can create a static route or configure Border Gateway Protocol (BGP) routing to forward network traffic from the data center to the VBR.

1. Create a static route or configure BGP routing on the gateway device in the data center to route traffic to the VPC.

   • The following static route is used as an example.

     Note

     The route in this example is provided for reference only. Route configurations may vary based on the gateway device.

     ip route 172.16.0.0 255.255.0.0 10.0.0.1

   • Configure BGP routing. For more information, see Configure and manage BGP.

     The CIDR block to be advertised is the CIDR block of the VPC connected to the data center. In this example, the CIDR block of the VPC is 172.16.0.0/16.

2. Run the ping command to ping the IP address of the VBR from the gateway device to verify network connectivity.

   Run the ping command to ping the IP address 10.0.0.1. If you can receive echo reply packets, the gateway device in the data center is connected to Alibaba Cloud over the Express Connect circuit.

3. Run the following command to configure the default route on a server in the data center. The route points to the gateway device in the data center.

   route add default gw 172.17.1.1

Step 7: Test the connectivity of the Express Connect circuit

To test the connectivity of the Express Connect circuit, you can ping the IP address of the VBR.

1. Open the CLI on a server in the data center.

2. Run the ping command to ping the IP address 10.0.0.1, which is the IP address of the VBR.

   If you can receive echo reply packets, the on-premises server is connected to Alibaba Cloud over the Express Connect circuit.

Step 8: Test the connectivity to an ECS instance

You can ping the IP address of an ECS instance to test the connectivity between Alibaba Cloud and the data center. IP addresses of ECS instances are dynamically allocated. You must ping the private IP address of an ECS instance. In this example, the private IP address of the ECS instance is 172.16.0.1.

1. Open the CLI on a server in the data center. Run the ping command to ping the private IP address of the ECS instance.

   ping 172.16.0.1

2. Log on to the ECS instance and open the CLI.

3. Run the ping command to ping the IP address of the server in the data center. If you can reach the IP address, the server in the data center is connected to the ECS instance on Alibaba Cloud over the Express Connect circuit.

   ping 172.17.1.2