Establish active/active connections between a data center and Alibaba Cloud - Express Connect

This topic describes how to use two Express Connect circuits to establish active/active connections between a data center and Alibaba Cloud. If your data center is connected to Alibaba Cloud through two Express Connect circuits, network traffic is distributed across both connections by default. If one of the Express Connect circuits is down, the other Express Connect circuit takes over to serve your workloads. This ensures service availability.

Scenarios

The following scenario is used as an example to show how to use two Express Connect circuits to establish active/active connections.

A company has a data center in Shanghai and a virtual private cloud (VPC) in the China (Shanghai) region. The private CIDR block of the data center is 172.16.0.0/12, and the CIDR block of the VPC is 192.168.0.0/16. To prevent single points of failure (SPOFs), the company needs to lease two Express Connect circuits from different connectivity providers to configure active-active failover.

The following table describes the configurations of the virtual border routers (VBRs) connected to the Express Connect circuits.


Configuration item	VBR1 (connected to Express Connect Circuit 1)	VBR2 (connected to Express Connect Circuit 2)
VLAN ID	0	0
Peer IPv4 Address of Gateway at Alibaba Cloud Side	10.0.0.1	10.0.0.5
Peer IPv4 Address of Gateway at Customer Side	10.0.0.2	10.0.0.6
Subnet Mask (IPv4 Address)	255.255.255.252	255.255.255.252

Prerequisites

A VPC is created in the China (Shanghai) region and cloud resources such as Elastic Compute Service (ECS) instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
Note Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is deployed in the China (Shanghai) region and supports Zone F and Zone G.
You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see Query security group rules and Add a security group rule.
A Cloud Enterprise Network (CEN) instance is created. For more information, see Create a CEN instance.
An Enterprise Edition transit router is created in the region where the VPC resides. For information, see Create a transit router.
Before you purchase an Express Connect circuit, make sure that you understand the billing rules. In this topic, two Express Connect circuits are used. Therefore, you need to apply for two ports. For more information about the resource usage fee and outbound data transfer fee, refer to the following topics:

Procedure

Step 1: Create two connections over Express Connect circuits

In this example, two dedicated connections are created. For more information, see Create and manage a dedicated connection over an Express Connect circuit.

When you apply for the second Express Connect circuit, you may need to specify a redundant Express Connect circuit based on the access point.

If you want to connect the Express Connect circuits to the same access point, you must specify the redundant Express Connect circuit. Set Redundant Connection ID to the first Express Connect circuit. This way, the Express Connect circuits will be connected to different access devices.
If you want to connect the Express Connect circuits to different access points, you do not need to specify the redundant Express Connect circuit. In this case, you do not need to specify Redundant Connection ID.
In this example, the Express Connect circuits are connected to different access points.

Step 2: Create VBRs and configure routing

You must create a VBR for each Express Connect circuit and add a route to each VBR. Set the destination of both routes to the data center.

Log on to the Express Connect console.

Create a VBR for Express Connect Circuit 1.

In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, click Create VBR.

In the Create VBR panel, set the following parameters and click OK.


Parameter	Description
Account	Specify whether to create a VBR for the current or another Alibaba Cloud account. In this example, Current Account is selected.
Name	Enter a name for the VBR. In this example, VBR1 is entered.
Physical Connection Interface	In this example, Dedicated Physical Connection is selected and Express Connect Circuit 1 is selected.
VLAN ID	Enter the virtual LAN (VLAN) ID of the VBR. In this example, 0 is used.
Set VBR Bandwidth Value	Set the maximum bandwidth of the VBR. In this example, 200Mb is selected.
Peer IPv4 Address of Gateway at Alibaba Cloud Side	Specify an IPv4 address for the VBR to route network traffic between the VPC and data center. In this example, 10.0.0.1 is used.
Peer IPv4 Address of Gateway at Customer Side	Specify an IPv4 address for the gateway device in the data center to route network traffic between the VPC and data center. In this example, 10.0.0.2 is used.
Subnet Mask (IPv4 Address)	Enter the subnet mask of the specified IPv4 addresses. In this example, 255.255.255.252 is used.

Add a route whose destination is the data center to VBR1.

In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, click the ID of VBR1.
On the details page of VBR1, click the Routes tab and click Add Route.

In the Add Route Entry panel, set the following parameters and click OK.


Parameter	Description
Next Hop Type	In this example, Physical Connection Interface is selected.
Destination CIDR Block	Enter the CIDR block of the data center. In this example, 172.16.0.0/12 is used.
Next Hop	Select the interface of the Express Connect circuit. In this example, the interface of Express Connect Circuit 1 is selected.
Description	Enter a description for the route.

Repeat the preceding steps to create VBR2 for Express Connect Circuit 2 and add a route to VBR2. Set the destination of the route to the data center.

Step 3: Connect the VBRs and VPC to a transit router

Connect the transit router in the China (Shanghai) region to the VBRs that are associated with the Express Connect circuits. Then, connect the transit router to the VPC that you want to connect to the data center. This way, the VPC and the data center can communicate with each other.

Log on to the CEN console.
On the Instances page, find the CEN instance that you want to manage and click the instance ID.
On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the following parameters and click OK to create a VPC connection.

Note When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an elastic network interface (ENI) in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.


Parameter	Description
Network Type	Select the type of network instance that you want to attach to the CEN instance. In this example, VPC is selected.
Region	Select the region where the network instance is deployed. In this example, China (Shanghai) is selected.
Transit Router	The system automatically displays the transit router in the selected region.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. In this example, Your Account is selected.
Billing Method	By default, transit routers use the Pay-As-You-Go billing method. For more information about the billing rules, see Billing rules.
Attachment Name	Enter a name for the VPC connection. In this example, `VPC-test` is used.
Networks	Select the VPC to be connected. In this example, the VPC that you created is selected.
VSwitch	Select a vSwitch in a zone that supports transit routers. In this example, the vSwitch in the corresponding zone is selected.
Advanced Settings	By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. In this example, the default settings are used.

On the Connection with Peer Network Instance page, click Create More Connections.

On the Connection with Peer Network Instance page, set the following parameters and click OK to create a connection for VBR1.


Parameter	Description
Network Type	In this example, Virtual Border Router (VBR) is selected.
Region	Select the region where the network instance is deployed. In this example, China (Shanghai) is selected.
Transit Router	The system automatically displays the transit router in the current region.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. In this example, Your Account is selected.
Attachment Name	Enter a name for the VBR connection. In this example, `VBR-test` is used.
Networks	Select the ID of the VBR that you want to connect. In this example, VBR1 is selected.
Advanced Settings	By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. In this example, the default settings are used.

Repeat Step 5 and Step 6 to create a connection for VBR2.
After the network connections are created, you can view the details about the connections on the Intra-region Connections tab. For more information, see View network instance connections.

Step 4: Configure health checks on Alibaba Cloud

By default, after you configure health checks, Alibaba Cloud sends a probe packet every 2 seconds over the Express Connect circuits from the source IP address to the destination IP address in the data center. If no responses are returned for eight consecutive probe packets over one of the Express Connect circuits, the other Express Connect circuit automatically takes over.

Log on to the Cloud Enterprise Network console.
In the left-side navigation pane, click Health Check.
On the Health Check page, select the region where the VBR is deployed. Then, click Set Health Check.
In this example, China (Shanghai) is selected, which is the region of VBR1.

In the Set Health Check panel, set the following parameters and click OK.


Parameter	Description
Instances	Select the CEN instance to which the VBR is attached.
Virtual Border Router (VBR)	Select the VBR that you want to monitor. VBR1 is selected in this example.
Source IP	You can use one of the following methods to specify the source IP address: Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option. Custom IP Address: You must specify an idle IP address from the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address cannot be the IP address with which you want to communicate, the IP address of the VBR on the Alibaba Cloud side, or the IP address on the user side.
Destination IP	Set the destination IP address to the IP address of the gateway device in the data center.
Probe Interval (Seconds)	Specify an interval at which probe packets are sent for the health check. Unit: seconds. Default value: 2. Valid values: 2 to 3.
Probe Packets	Specify the number of probe packets that are sent for the health check. Unit: packets. Default value: 8. Valid values: 3 to 8.
Change Route	Specify whether to allow the health check feature to switch to the redundant route. If you select Yes, the health check feature can switch to the redundant route. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you select No, the health check feature does not switch to the redundant route. Only probing is performed. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit. Warning Before you clear the check box, make sure that the system can switch to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit fails.

Note The system sends probe packets at the specified intervals. If the number of consecutively dropped packets reaches the specified value, the health check fails.

Repeat Step 3 to Step 4 to configure health checks for VBR2.

Step 5: Configure routes and health checks in the data center

You must configure routes and health checks in the data center, and then configure the gateway device to route network traffic based on health check results to achieve network redundancy.

Configure routes in the data center.

The configuration may vary based on the gateway device. For more information about the configuration commands, consult the vendor of your gateway device.

#Configure routes in the data center to route network traffic to the VPC.
ip route 192.168.0.0 255.255.0.0 10.0.0.1
ip route 192.168.0.0 255.255.0.0 10.0.0.5
# Configure the return route of the probe packets.
ip route <The source IP address for health checks> 255.255.255.255 10.0.0.1
ip route <The source IP address for health checks> 255.255.255.255 10.0.0.5

Configure health checks in the data center.
You can configure Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) on the gateway device in the data center to monitor the reachability of routes destined for the VBRs. For more information about the configuration commands, consult the vendor of your gateway device.
Configure the gateway device to route network traffic based on health check results.
The configuration may vary based on the network environment. For more information about the configuration commands, consult the vendor of your gateway device.

Step 6: Test the network connectivity

After you complete the preceding steps, you must test the connectivity of the Express Connect circuits.

Open the command-line interface (CLI) on a computer in the data center.
Run the ping command to test the connectivity between the data center and an ECS instance in the VPC. The CIDR block of the VPC is 192.168.0.0/16.
If echo reply packets are returned, it indicates that the destination is reachable.
To check whether active/active connections are established between the data center and Alibaba Cloud, run the tracert command to query the routes through which packets are sent.

References

For more information about how to troubleshoot connectivity issues between a data center and an ECS instance, see Troubleshooting.
For more information about Express Connect circuit installation FAQ, see FAQ about installing an Express Connect circuit.
For more information about how to resolve issues in Express Connect circuit connections, see FAQ about connections over Express Connect circuits.