This topic describes how to establish active/standby connections between a data center and Alibaba Cloud by using two Express Connect circuits. If the primary Express Connect circuit is up, data is transmitted only through the primary Express Connect circuit. To ensure service availability, you can configure health checks to monitor the status of your Express Connect circuits. Probe packets are sent at the specified health check intervals. If the primary Express Connect circuit is down, the secondary Express Connect circuit takes over.

Scenarios

The following example shows how to establish active/standby connections between a data center and Alibaba Cloud by using two Express Connect circuits.

A company has a data center in Shanghai and a virtual private cloud (VPC) in the China (Shanghai) region. The private CIDR block of the data center is 172.16.0.0/12, and the CIDR block of the VPC is 192.168.0.0/16. To eliminate single points of failure (SPOFs), the company plans to lease two Express Connect circuits from different connectivity providers to establish active/standby connections between the data center and Alibaba Cloud.

Architecture

The following table describes the configurations of the virtual border routers (VBRs) connected to the Express Connect circuits.

Parameter                              VBR1 (connected to Express Connect circuit 1)   VBR2 (connected to Express Connect circuit 2)
VLAN ID                                0                                                0
IPv4 Address (Alibaba Cloud Gateway)   10.0.0.1                                         10.0.0.5
IPv4 Address (Data Center Gateway)     10.0.0.2                                         10.0.0.6
Subnet Mask (IPv4)                     255.255.255.252                                  255.255.255.252

Procedure

Establish active/standby connections

Step 1: Create two connections over Express Connect circuits

In this example, two dedicated connections are created. For more information, see Create and manage a dedicated connection over an Express Connect circuit.

When you apply for the second Express Connect circuit, you may need to specify a redundant Express Connect circuit based on the access point.
  • If you want to connect the Express Connect circuits to the same access point, you must specify the redundant Express Connect circuit. Set Redundant Connection ID to the first Express Connect circuit. This way, the Express Connect circuits will be connected to different access devices.
  • If you want to connect the Express Connect circuits to different access points, you do not need to specify the redundant Express Connect circuit. In this case, you do not need to specify Redundant Connection ID.

    In this example, the Express Connect circuits are connected to different access points.

Step 2: Create VBRs and configure routes

You must create a VBR for each Express Connect circuit and add a route to each VBR. Set the destination of both routes to the data center.

  1. Log on to the Express Connect console.
  2. Create a VBR for Express Connect circuit 1.
    1. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
    2. On the Virtual Border Routers (VBRs) page, click Create VBR.
    3. In the Create VBR panel, set the following parameters and click OK:
      • Account: Specify the type of account for which you want to create the VBR. In this example, Current Account is selected.
      • Name: Enter a name for the VBR. In this example, VBR1 is entered.
      • Physical Connection Interface: In this example, Dedicated Physical Connection is selected and then Express Connect Circuit 1 is selected.
      • VLAN ID: Enter the VLAN ID of the VBR. In this example, 0 is entered.
      • Peer IPv4 Address of Gateway at Alibaba Cloud Side: Specify an IPv4 address for the VBR. In this example, 10.0.0.1 is entered.
      • Peer IPv4 Address of Gateway at Customer Side: Specify an IPv4 address for the gateway device in the data center. In this example, 10.0.0.2 is entered.
      • Subnet Mask (IPv4 Address): Enter the IPv4 subnet mask of the specified IP addresses. In this example, 255.255.255.252 is entered.
  3. Add a route that points to the data center to VBR1.
    1. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
    2. On the Virtual Border Routers (VBRs) page, click the ID of VBR1.
    3. On the details page of VBR1, click the Routes tab and click Add Route.
    4. In the Add Route Entry panel, set the following parameters and click OK:
      • Next Hop Type: In this example, Physical Connection Interface is selected.
      • Destination Subnet: Enter the CIDR block of the data center. In this example, 172.16.0.0/12 is entered.
      • Next Hop: Select an Express Connect circuit. In this example, Express Connect Circuit 1 is selected.
  4. Repeat the preceding steps to create VBR2 for Express Connect Circuit 2 and add a route to VBR2. Set the destination of the route to the data center.

Step 3: Connect the transit router to the VPC and the VBRs

Connect the transit router in the China (Shanghai) region to the VBRs. Then, connect the transit router to the VPC that you want to connect to the data center. This way, the VPC and the data center can communicate with each other.

Step 4: Configure health checks on Alibaba Cloud

By default, after you configure health checks, Alibaba Cloud sends a probe packet every 2 seconds over the Express Connect circuits from the specified source IP address to the destination IP address in the data center. If no responses are returned for eight consecutive probe packets over one of the Express Connect circuits, the other Express Connect circuit takes over.

  1. Log on to the CEN console.
  2. In the left-side navigation pane, click Health Check.
  3. On the Health Check page, select the region where the VBR is deployed. Then, click Set Health Check.
    In this example, China (Shanghai) is selected, which is the region of VBR1.
  4. In the Set Health Check panel, set the health check parameters and click OK.
    Instances: Select the CEN instance to which the VBR is attached.
    Virtual Border Router (VBR): Select the VBR that you want to monitor. In this example, VBR1 is selected.
    Source IP: You can use one of the following methods to configure the source IP address:
      • Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option.
      • Custom IP Address: You must specify an idle IP address from the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address must not be the same as the IP address with which you want to communicate, the IP address of the VBR, or the IP address of the gateway device in the data center.
    Destination IP: Set the destination IP address to the IP address of the gateway device in the data center.
    Probe Interval (Seconds): Specify the interval at which probe packets are sent for a health check. Unit: seconds. Default value: 2. Valid values: 2 to 3.
    Probe Packets: Specify the number of probe packets to be sent for a health check. Unit: packets. Default value: 8. Valid values: 3 to 8.
    Note: The system sends probe packets at the specified interval. If the number of consecutively dropped packets reaches the specified number of probe packets, the health check fails.
  5. Repeat the preceding two steps (select the region, then set the health check parameters) to configure a health check for VBR2.

Step 5: Specify the primary and secondary Express Connect circuits

To specify the primary and secondary Express Connect circuits, you must configure routing policies in CEN. In this example, the primary Express Connect circuit is connected to VBR1. The secondary Express Connect circuit is connected to VBR2.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. Choose Basic Settings > Transit Router, find the transit router that you want to manage, and then click the ID of the transit router.
  4. On the details page of the transit router, click the Route Propagation tab.
  5. In the left-side area of the route table details page, click the ID of the default route table.
  6. On the details page of the default route table, click the Route Maps tab.
  7. On the Route Maps tab, click Add Route Map.
  8. On the Add Route Map page, set the following parameters and click OK.
    Routing Policy Priority: Set a priority for the routing policy. Valid values: 1 to 100. A lower value indicates a higher priority. In this example, 20 is used.
    Description: Enter a description for the routing policy.
    Associated Route Table: Select a route table to associate with the routing policy. You can associate a routing policy with the system route table or a custom route table. In this example, the default route table is selected.
    Direction: Select the direction in which the routing policy applies.
      • Import to Regional Gateway: Routes are advertised to the transit router deployed in the current region. For example, routes are advertised from network instances deployed in the current region or transit routers deployed in other regions to the transit router deployed in the current region.
      • Export from Regional Gateway: Routes are advertised from the transit router deployed in the current region. For example, routes are advertised from the transit router deployed in the current region to network instances deployed in the current region or transit routers deployed in other regions.
      In this example, Import to Regional Gateway is selected.
    Match Conditions: Select a match condition for the routing policy. In this example, Source Instance IDs is selected and the ID of VBR1 is selected. This way, the routing policy applies to all routes of VBR1. Click Add Match Condition to add multiple match conditions. For more information, see Match conditions.
    Routing Policy Action: Select Permit for Routing Policy Action and set a priority for routes. Click Add Policy Entry, select Preference, and then set a priority for the routes that are permitted. A lower value indicates a higher priority. In this example, Preference is set to 10.
    Note: In this example, Priority of Associated Routing Policy is not set for VBR1.
  9. Repeat the preceding steps to specify the Express Connect circuit that is associated with VBR2 as the secondary Express Connect circuit.
    The following table describes the key parameters. Use the same values as VBR1 for the other parameters.
    Routing Policy Priority: A lower value indicates a higher priority. The priority value of the routing policy for VBR2 must be greater than that of the routing policy for VBR1. In this example, 30 is used.
    Match Conditions: In this example, Source Instance IDs is selected and the ID of VBR2 is selected. This way, the routing policy applies to all routes of VBR2.
    Routing Policy Action: Select Permit for Routing Policy Action and set a priority for routes.
      • A lower value indicates a higher priority. The Preference that you set for the routes of VBR2 must be greater than the Preference that you set for the routes of VBR1. In this example, Preference is set to 20.
      • In this example, Priority of Associated Routing Policy is not set for VBR2.
    After you create the routing policies, you can view two 172.16.0.0/12 routes on the Routes tab, which are destined for the data center. One of the routes is the secondary route.
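As an added illustration (not Alibaba Cloud code or an API), the following Python models the Step 4 health check and the Step 5 route-map preference together: consecutive unanswered probes mark a VBR down, route maps are evaluated in ascending Routing Policy Priority, and among healthy VBRs the 172.16.0.0/12 route with the lowest Preference is chosen, so traffic moves to VBR2 only after the check on VBR1 fails. The VBR IDs are constructed sample values, and ranking routes that match no route map last is an assumption made for the illustration.

```python
from typing import Dict, List, Optional

# Constructed sample VBR IDs; they are placeholders, not real instance IDs.
VBR1, VBR2 = "vbr-1-sample", "vbr-2-sample"

# Route maps from Step 5 as (Routing Policy Priority, matched Source Instance ID, Preference).
ROUTE_MAPS = [(20, VBR1, 10), (30, VBR2, 20)]


def valid_health_check(interval: int, packets: int) -> bool:
    """Check the console's documented ranges: interval 2-3 s, 3-8 probe packets."""
    return 2 <= interval <= 3 and 3 <= packets <= 8


class HealthCheck:
    """Consecutive-loss detector with the Step 4 semantics (default 2 s x 8 probes)."""

    def __init__(self, interval: int = 2, packets: int = 8) -> None:
        if not valid_health_check(interval, packets):
            raise ValueError("probe interval must be 2-3 s and probe packets 3-8")
        self.interval, self.packets, self.misses = interval, packets, 0

    def observe(self, answered: bool) -> bool:
        """Record one probe result; return True while the circuit still counts as up."""
        self.misses = 0 if answered else self.misses + 1
        return self.misses < self.packets

    def detection_time(self) -> int:
        """Worst-case seconds before a failed circuit is declared down."""
        return self.interval * self.packets


def apply_route_maps(source_vbr: str) -> Optional[int]:
    """Evaluate route maps in ascending policy priority; the first matching Permit sets Preference."""
    for _, matched_vbr, preference in sorted(ROUTE_MAPS):
        if matched_vbr == source_vbr:
            return preference
    return None  # matched no route map: permitted with no Preference set


def select_next_hop(up: Dict[str, bool]) -> Optional[str]:
    """Among healthy VBRs advertising 172.16.0.0/12, pick the lowest Preference."""
    healthy = [vbr for vbr, alive in up.items() if alive]
    if not healthy:
        return None
    # Assumption for this illustration: routes with no Preference set rank last.
    return min(healthy, key=lambda v: (apply_route_maps(v) is None, apply_route_maps(v) or 0))


def simulate(vbr1_probes: List[bool]) -> List[Optional[str]]:
    """Next hop chosen after each VBR1 probe result, with VBR2 answering every probe."""
    hc = HealthCheck()
    return [select_next_hop({VBR1: hc.observe(ok), VBR2: True}) for ok in vbr1_probes]
```

With the defaults, VBR1 stays the next hop through seven lost probes and is replaced by VBR2 on the eighth, about 16 seconds after the loss began.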

Step 6: Configure routes and health checks in the data center

You must configure routes and health checks in the data center, and then configure the gateway device to route network traffic based on health check results to achieve connection redundancy.

  1. Configure routes in the data center.

    The following example is for reference only. Route configurations may vary based on the gateway device.

    ip route 192.168.0.0 255.255.0.0 10.0.0.1 preference 10
    ip route 192.168.0.0 255.255.0.0 10.0.0.5 preference 20
  2. Configure health checks in the data center.
    You can configure Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) on the gateway device in the data center to monitor the reachability of routes destined for the VBRs. For more information about the configuration commands, consult the vendor of your gateway device. BFD can detect a link failure within milliseconds. We recommend that you configure BFD on your gateway device.
  3. Configure the gateway device to route network traffic based on health check results.
    Configurations may vary based on the gateway device. For more information, consult the vendor of your gateway device.

Step 7: Test network connectivity

You must verify the connectivity of both Express Connect circuits to ensure that your service is not interrupted when one of the Express Connect circuits is down.

  1. Open the command-line interface on a computer in the data center.
  2. Run the ping command to verify the connectivity between the data center and an ECS instance in the VPC whose CIDR block is 192.168.0.0/16.
    If you can receive echo reply packets, the connection is established.
  3. Disable the primary Express Connect circuit and run the ping command to verify the connectivity between the data center and an ECS instance in the VPC whose CIDR block is 192.168.0.0/16.
    If echo reply packets are returned, the secondary Express Connect circuit can serve your workloads when the primary Express Connect circuit is down.
