Express Connect:Establish load-balanced connections between an on-premises data center and Alibaba Cloud

Scenario

This topic uses the following scenario to describe how to connect an on-premises data center to Alibaba Cloud using load-balanced Express Connect circuits.

A company has an on-premises data center in Shanghai that uses the private CIDR block 172.16.0.0/12. The company also created a virtual private cloud (VPC) in the China (Shanghai) region that uses the CIDR block 192.168.0.0/16. To avoid single points of failure, the company uses two Express Connect circuits from different carriers to connect the on-premises data center to Alibaba Cloud. Both circuits forward traffic simultaneously.

The following table describes the configurations of the two virtual border routers (VBRs) that are connected to the Express Connect circuits.

Prerequisites

• You have created a VPC in the China (Shanghai) region. You have also deployed cloud resources, such as Elastic Compute Service (ECS) instances, in the VPC to host your applications. For more information, see Create a VPC with an IPv4 CIDR block.

  Note

  Before you create a VPC connection on an Enterprise Edition transit router, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. This topic uses a transit router created in the China (Shanghai) region. This region supports Shanghai Zone F and Shanghai Zone G.

• You understand the security group rules of the ECS instances in the VPC. Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.

• You have created a Cloud Enterprise Network (CEN) instance.

• You have created an Enterprise Edition transit router in the region where the VPC is deployed. For more information, see Create a transit router.

• Before you purchase the Express Connect circuits, make sure that you understand the billing rules. This topic requires two Express Connect circuits, which means you must apply for two ports. For more information about port resource fees and outbound traffic fees, see the following topics:

  • Billing overview

  • Port resource fees

  • Outbound traffic fees

• You have created two dedicated Express Connect circuits.

Step 1: Create VBRs and configure routes

Create a VBR for each of the two Express Connect circuits. Then, configure a route on each VBR that points to the on-premises data center.

1. Log on to the Express Connect console.

2. Create a VBR for Express Connect circuit 1.

   1. In the top navigation bar, select the destination region. In the navigation pane on the left, click Virtual Border Routers (VBRs).

   2. On the Virtual Border Routers (VBRs) page, click Create VBR.

   3. In the Create VBR panel, configure the following parameters and click OK.

      This topic describes only the key parameters. For more information, see Create and manage a VBR.

      Configuration	Description
      Account	The type of account used to create the VBR. This topic uses the Current Account as an example.
      Name	A custom name for the VBR. Set the name to VBR1.
      Physical Connection	Select Dedicated Connection and Express Connect circuit 1.
      VLAN ID	The VLAN ID of the VBR. Enter 1.
      Set VBR Bandwidth Value	The bandwidth of the VBR. You can set the bandwidth to 200 Mb.
      Peer IPv4 Address On The Alibaba Cloud Side	The IPv4 address of the gateway on the Alibaba Cloud side. This gateway routes traffic from the VPC to the on-premises data center. Enter 10.0.0.1.
      Peer IPv4 Address On The Customer Side	The IPv4 address of the gateway on the customer side. This gateway routes traffic from the on-premises data center to the VPC. Enter 10.0.0.2.
      IPv4 Subnet Mask	The subnet mask for the IPv4 addresses on the Alibaba Cloud and customer sides. Enter 255.255.255.252.

3. Configure a route on VBR1 that points to the on-premises data center.

   1. In the top navigation bar, select the destination region. In the left navigation pane, click Virtual Border Routers (VBRs).

   2. On the Virtual Border Routers (VBRs) page, click the VBR1 instance ID.

   3. On the VBR1 details page, click the Routes tab and click Add Route.

   4. In the Add Route panel, configure the following parameters and click OK.

      Configuration	Description
      Next Hop Type	Select Physical Connection.
      Destination CIDR Block	Enter the CIDR block of the on-premises data center. Enter 172.16.0.0/12.
      Next Hop	Select the Express Connect circuit. Select Express Connect circuit 1.
      Description	Enter a description for the route.

4. Repeat the preceding steps to create VBR2 for Express Connect circuit 2 and configure a route on VBR2 that points to the on-premises data center.

Step 2: Connect the VPC and VBRs to the transit router

In the transit router in the China (Shanghai) region, create connections for the VBRs and the VPC. This enables private communication between the on-premises data center and the VPC.

This topic describes only the key parameters. For more information, see Network instance connections.

1. Log on to the CEN console.

2. On the Instances page, click the ID of the CEN instance that you want to manage.

3. On the Basic Settings > Transit Router tab, find the transit router in the destination region and click Create Connection in the Actions column.

4. On the Connection with Peer Network Instance page, configure the following parameters and click OK.

   Note

   When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an ENI in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.

   Parameter	Description
   Instance Type	The type of network instance. In this example, VPC is selected.
   Region	The region in which the VPC is deployed. In this example, China (Shanghai) is selected.
   Transit Router	The system automatically displays the transit router in the selected region.
   Resource Owner ID	The Alibaba Cloud account to which the VPC belongs. In this example, Current Account is selected.
   Billing Method	By default, transit routers use the pay-as-you-go billing method. For more information, see Billing rules.
   Network Instance	The ID of the VPC. In this example, the VPC that you created is selected.
   VSwitch	Select at least two vSwitches in a zone supported by the transit router.
   Advanced Settings	By default, the following advanced features are selected: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. In this example, the default settings are used.

5. On the Connection with Peer Network Instance page, click Create More Connections.

6. On the Connection with Peer Network Instance page, configure the following parameters for the VBR1 connection and click OK.

   Parameter	Configuration
   Network Type	Select Virtual Border Router (VBR).
   Region	Select the region where the network instance is deployed. Select the China (Shanghai) region.
   Transit Router	The system automatically displays the transit router that is created in the current region.
   Resource Owner ID	Select the type of account that owns the network instance. Use the default value Current Account.
   Networks	Select the ID of the VBR to connect. Select the VBR1 instance that you created.
   Advanced Settings	By default, the following three advanced features are enabled: Associate With The Default Route Table Of The Transit Router, Propagate System Routes To The Default Route Table Of The Transit Router, and Automatically Publish Routes To VBR. Use the default configurations.

7. Repeat Step 5 and Step 6 to create a connection for VBR2.

   After the network connections are created, you can view the VPC and VBR connection details on the Intra-region Connections tab. For more information, see View network instance connections.

Step 3: Configure health checks on the Alibaba Cloud side

By default, Alibaba Cloud sends a probe packet every 2 seconds from a source IP address to a destination IP address in the on-premises data center to perform a health check. If eight consecutive probe packets for an Express Connect circuit fail, traffic is automatically switched to the other circuit.

1. Log on to the CEN console.

2. In the left-side navigation pane, click Health Checks.

3. On the Health Check page, select the region where the VBR instance is deployed, and then click Set Health Check.

   Select China (Shanghai), the region where the VBR1 instance is deployed.

4. In the Set Health Check panel, configure the following parameters and then click OK.

   Parameter	Description
   Instances	The CEN instance to which the VBR is attached.
   Virtual Border Router (VBR)	The VBR that you want to monitor. In this example, VBR1 is selected.
   Source IP	The source IP address. You can select one of the following methods to specify the source IP address: Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option. Note If you select this option and an ACL policy is configured on the peer , you must modify the ACL policy to allow this CIDR block. Otherwise, the health check fails.   Custom IP Address: You need to specify an idle IP address within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address cannot be the IP address with which you want to communicate, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the user side.
   Destination IP	The IP address of the VBR on the user side.
   Probe Interval (Seconds)	The interval at which probe packets are sent for the health check. Unit: seconds. Default value: 2. Valid values: 2 to 3.
   Probe Packets	The number of probe packets that are sent for health checks. Unit: packet. Default value: 8. Valid values: 3 to 8.
   Change Route	Specifies whether to allow the health check feature to switch to the redundant route. By default, Change Route is turned on. This indicates that the health check feature can switch to the redundant route. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you turn off Change Route, the health check feature does not switch to the redundant route. Only probing is performed. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit. Warning Before you turn off Change Route, make sure that the system can switch to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit is down.

   Note

   Health check sends probe packets at the specified interval. If the specified number of consecutive probe packets are lost, the health check fails.

5. Repeat Step 3 to Step 4 to configure a health check for VBR2.

Step 4: Configure routes and health checks on the data center side

On your on-premises data center side, configure routes, health checks, and the filter interaction between health checks and routes to connect to Alibaba Cloud over redundant Express Connect circuits.

1. Configure routes in the on-premises data center.

   Configuration commands vary by device manufacturer. The following example is for reference only. For specific commands, consult your device's documentation or manufacturer.

   # Configure routes from the on-premises data center to the VPC.
   ip route 192.168.0.0 255.255.0.0 10.0.0.1
   ip route 192.168.0.0 255.255.0.0 10.0.0.5
   # Configure return routes for the health check probe packets.
   ip route <Health check source IP address> 255.255.255.255 10.0.0.1
   ip route <Health check source IP address> 255.255.255.255 10.0.0.5

2. Configure health checks in the on-premises data center.

   You can use Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) to check route reachability from the on-premises data center to the VBRs. For specific configuration commands, consult your device manufacturer.

3. Configure filter interaction between health checks and routes.

   The configuration depends on your network environment. For specific configuration commands, consult your device manufacturer.

Step 5: Test the connectivity

After you complete the preceding configurations, test the connectivity of the Express Connect circuits.

1. On a computer in your on-premises data center, open the command-line window.

2. Run the ping command to check the connectivity between the on-premises data center and an ECS instance in the VPC (CIDR block: 192.168.0.0/16).

   If you receive a reply message, the connection is established.

3. Run a route tracing command to check whether the two Express Connect circuits are used for load balancing.

   Note

   Before you run the command, make sure that you have installed the relevant commands. If you are using a different operating system, see the manual of your operating system for specific operations.

   • Windows operating system: Run the tracert command.

   • Linux operating system: Run the traceroute command.

References

• For more information about how to troubleshoot connectivity issues between a data center and an ECS instance, see Troubleshooting.

• For more information about Express Connect circuit installation, see FAQ about installing an Express Connect circuit.

• For more information about how to resolve issues in Express Connect circuit connections, see Express connect.