
Express Connect: Connect an on-premises IDC to Alibaba Cloud over load-balanced Express Connect circuits

Last Updated: Dec 23, 2025

You can use two Express Connect circuits to connect an on-premises data center (IDC) to Alibaba Cloud in a load-balanced configuration. This configuration improves network reliability and ensures high availability. During normal operations, both circuits forward traffic simultaneously. If one circuit fails, traffic is automatically switched to the other circuit. This ensures that your services are not affected.

Scenario

This topic describes how to connect an on-premises data center (IDC) to Alibaba Cloud using load-balanced Express Connect circuits based on the following scenario.

A company has an on-premises data center in Shanghai and a virtual private cloud (VPC) in the China (Shanghai) region. The private CIDR block of the data center is 172.16.0.0/12, and the CIDR block of the VPC is 192.168.0.0/16. To prevent single points of failure (SPOFs), the company leases two Express Connect circuits from different carriers. Both circuits forward traffic simultaneously to connect the on-premises data center to Alibaba Cloud.

Redundant load-balanced access architecture

The following table describes the configurations of the two virtual border routers (VBRs) that are connected to the two Express Connect circuits.

| VBR configuration item | VBR1 (VBR for Express Connect circuit 1) | VBR2 (VBR for Express Connect circuit 2) |
| --- | --- | --- |
| VLAN ID | 1 | 1 |
| Alibaba Cloud-side IPv4 peer IP | 10.0.0.1 | 10.0.0.5 |
| Customer-side IPv4 peer IP | 10.0.0.2 | 10.0.0.6 |
| IPv4 subnet mask | 255.255.255.252 | 255.255.255.252 |

Prerequisites

  • A virtual private cloud (VPC) is created in the China (Shanghai) region. The VPC contains cloud resources, such as Elastic Compute Service (ECS) instances, to host your services. For more information, see Create a VPC with an IPv4 CIDR block.

    Note

    Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is created in the China (Shanghai) region. Shanghai Zone F and Shanghai Zone G support Enterprise Edition transit routers.

  • You understand the security group rules of the ECS instances in the VPC. Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.

  • A Cloud Enterprise Network (CEN) instance is created. For more information, see Create a CEN instance.

  • An Enterprise Edition transit router is created in the region where the VPC is deployed. For more information, see Create a transit router.

  • You are familiar with the billing rules for Express Connect circuits. This example requires two circuits, so you must apply for two ports. For more information about port resource usage fees and outbound data transfer fees, see the following documents:

  • Two Express Connect circuits are created. Both dedicated and shared circuits are supported.

Step 1: Create VBRs and configure routes

Create a virtual border router (VBR) for each Express Connect circuit. On each VBR, configure a route that points to the on-premises data center.

  1. Log on to the Express Connect console.

  2. Create a VBR for Express Connect circuit 1.

    1. In the top navigation bar, select the destination region. In the left navigation pane, click Virtual Border Routers (VBRs).

    2. On the Virtual Border Routers (VBRs) page, click Create VBR.

    3. In the Create VBR panel, set the following parameters and click OK.

      This topic describes only the key parameters. For more information, see Create and manage a VBR.

      | Configuration | Description |
      | --- | --- |
      | Account | The type of account that owns the VBR. In this example, select Current Account. |
      | Name | Enter a name for the VBR. In this topic, the value is set to VBR1. |
      | Physical Connection Interface | In this example, select Express Connect circuit 1. |
      | VLAN ID | Enter the VLAN ID for the VBR. In this example, enter 1. |
      | Set VBR Bandwidth Value | Set the bandwidth for the VBR. In this example, set the value to 200 Mbps. |
      | Alibaba Cloud-side IPv4 Peer IP | Enter the IPv4 address of the gateway for routing from the VPC to the on-premises IDC. In this example, enter 10.0.0.1. |
      | Customer-side IPv4 Peer IP | Enter the IPv4 address of the gateway for routing from the on-premises IDC to the VPC. In this example, enter 10.0.0.2. |
      | IPv4 Subnet Mask | The subnet mask for the Alibaba Cloud-side and customer-side IPv4 addresses. In this example, enter 255.255.255.252. |

  3. Configure a route on VBR1 that points to the on-premises data center.

    1. In the top navigation bar, select the destination region. In the left navigation pane, click Virtual Border Routers (VBRs).

    2. On the Virtual Border Routers (VBRs) page, click the ID of the VBR1 instance.

    3. On the VBR1 details page, on the Routes tab, click Add Route.

    4. In the Add Route panel, set the following parameters and click OK.

      | Configuration | Description |
      | --- | --- |
      | Next Hop Type | In this example, select Physical Connection. |
      | Destination CIDR Block | Enter the CIDR block of the on-premises IDC. In this example, enter 172.16.0.0/12. |
      | Next Hop | Select the Express Connect circuit. In this example, select Express Connect circuit 1. |
      | Description | Enter a description for the route entry. |

  4. Repeat the preceding steps to create VBR2 for Express Connect circuit 2 and configure a route on VBR2 that points to the on-premises data center.

Step 2: Connect the VPC and VBR instances

In the transit router in the China (Shanghai) region, create a VBR connection for each Express Connect circuit and a VPC connection for the VPC. This establishes private communication between the on-premises data center and the VPC.

This topic describes only the key parameters. For more information, see Network instance connections.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, find the transit router in the destination region and click Create Connection in the Actions column.

  4. On the Connection with Peer Network Instance page, configure the following parameters and click OK.

    Note

    When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an ENI in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.

    | Parameter | Description |
    | --- | --- |
    | Instance Type | The type of network instance. In this example, VPC is selected. |
    | Region | The region in which the VPC is deployed. In this example, China (Shanghai) is selected. |
    | Transit Router | The system automatically displays the transit router in the selected region. |
    | Resource Owner ID | The Alibaba Cloud account to which the VPC belongs. In this example, Current Account is selected. |
    | Billing Method | By default, transit routers use the pay-as-you-go billing method. For more information, see Billing rules. |
    | Network Instance | The ID of the VPC. In this example, the VPC that you created is selected. |
    | VSwitch | Select at least two vSwitches in a zone supported by the transit router. |
    | Advanced Settings | By default, the following advanced features are selected: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC. In this example, the default settings are used. |

  5. On the Connection with Peer Network Instance page, click Create More Connections.

  6. On the Connection with Peer Network Instance page, set the following parameters and click OK to create a connection for VBR1.

    | Parameter | Configuration |
    | --- | --- |
    | Network Type | In this example, select Virtual Border Router (VBR). |
    | Region | Select the region where the network instance is deployed. In this example, select China (Shanghai). |
    | Transit Router | The system automatically displays the transit router in the current region. |
    | Resource Owner ID | Select the type of account that owns the network instance. In this example, use the default value Current Account. |
    | Networks | Select the ID of the VBR to connect. In this example, select the created VBR1 instance. |
    | Advanced Settings | By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically advertise routes to the VBR. In this example, use the default configurations. |

  7. Repeat Step 5 and Step 6 to create a connection for VBR2.

    After the network connections are established, you can view information about the VPC and VBR connections on the Intra-region Connections tab. For more information, see View network instance connections.

Step 3: Configure health checks on the Alibaba Cloud side

By default, Alibaba Cloud sends a ping packet from the health check source IP address to the destination IP address in the on-premises data center every 2 seconds. If no response is received for eight consecutive ping packets on an Express Connect circuit, traffic is automatically switched to the other circuit.

  1. Log on to the CEN console.

  2. In the left-side navigation pane, click Health Checks.

  3. On the Health Check page, select the region where the VBR instance is located, and then click Set Health Check.

    In this example, select China (Shanghai), the deployment region of the VBR1 instance.

  4. In the Set Health Check panel, set the following parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Instances | The CEN instance to which the VBR is attached. |
    | Virtual Border Router (VBR) | The VBR that you want to monitor. In this example, VBR1 is selected. |
    | Source IP | The source IP address. You can select one of the following methods to specify the source IP address. Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option. Note: If you select this option and an ACL policy is configured on the peer, you must modify the ACL policy to allow this CIDR block. Otherwise, the health check fails. Custom IP Address: You need to specify an idle IP address within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address cannot be the IP address with which you want to communicate, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the user side. |
    | Destination IP | The IP address of the VBR on the user side. |
    | Probe Interval (Seconds) | The interval at which probe packets are sent for the health check. Unit: seconds. Default value: 2. Valid values: 2 to 3. |
    | Probe Packets | The number of probe packets that are sent for health checks. Unit: packet. Default value: 8. Valid values: 3 to 8. |
    | Change Route | Specifies whether to allow the health check feature to switch to the redundant route. By default, Change Route is turned on. This indicates that the health check feature can switch to the redundant route. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you turn off Change Route, the health check feature does not switch to the redundant route. Only probing is performed. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit. Warning: Before you turn off Change Route, make sure that the system can switch to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit is down. |

    Note

    The health check sends probe packets at the specified interval. If the specified number of consecutive probe packets are lost, the health check fails.

  5. Repeat Step 3 to Step 4 to configure a health check for VBR2.
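
The constraints in the health check table above can be checked before the settings are entered in the console. The following Python sketch is an added example, not Alibaba Cloud code; the function name, the message strings and the `peer_acl_permits` list (the source CIDR blocks that the on-premises ACL allows) are assumptions made for illustration.

```python
import ipaddress

# Ranges stated in this topic for the health check source IP.
AUTO_RANGE = ipaddress.ip_network("100.96.0.0/16")
CUSTOM_RANGES = [ipaddress.ip_network(c)
                 for c in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


def check_health_check(cloud_ip, customer_ip, mask, source, dest,
                       interval=2, packets=8, peer_acl_permits=None):
    """Return a list of problems; an empty list means the settings are consistent.

    source is "auto" or a custom IPv4 address. peer_acl_permits is a
    hypothetical list of source CIDR blocks that the on-premises ACL allows;
    None means that no ACL is configured on the peer.
    """
    problems = []
    cloud = ipaddress.ip_address(cloud_ip)
    cust = ipaddress.ip_address(customer_ip)
    link = ipaddress.ip_network(f"{cloud_ip}/{mask}", strict=False)
    reserved = {link.network_address, link.broadcast_address}
    if cloud == cust or cust not in link or {cloud, cust} & reserved:
        problems.append("peer IPs are not two distinct hosts of one link subnet")
    if ipaddress.ip_address(dest) != cust:
        problems.append("destination IP is not the customer-side peer IP")
    if not 2 <= interval <= 3:
        problems.append("probe interval must be 2 to 3 seconds")
    if not 3 <= packets <= 8:
        problems.append("probe packets must be 3 to 8")
    if source == "auto":
        probe_src = AUTO_RANGE  # any address in the block may be assigned
    else:
        addr = ipaddress.ip_address(source)
        probe_src = ipaddress.ip_network(f"{addr}/32")
        if not any(addr in r for r in CUSTOM_RANGES):
            problems.append("custom source IP is outside the allowed private ranges")
        if addr in (cloud, cust):
            problems.append("custom source IP collides with a VBR peer IP")
    if peer_acl_permits is not None:
        permits = [ipaddress.ip_network(c) for c in peer_acl_permits]
        if not any(probe_src.subnet_of(p) for p in permits):
            problems.append("peer ACL does not permit the health check source")
    return problems


if __name__ == "__main__":
    # VBR2 values from this topic; the ACL entry is constructed sample data.
    print(check_health_check("10.0.0.5", "10.0.0.6", "255.255.255.252", "auto",
                             "10.0.0.6", peer_acl_permits=["192.168.0.0/16"]))
```

The check does not verify that a custom source IP is idle or that it differs from the addresses you want to communicate with; confirm both against your own address plan.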

Step 4: Configure routes and health checks on the on-premises IDC side

You must configure routes, health checks, and route filtering based on health check results in your on-premises data center to implement redundant connections to Alibaba Cloud.

Important

Before you configure health checks in the data center, you must configure the return route of probe packets in the data center to make sure that the probe packets returned from the data center can be routed as expected.

  1. Configure routes in the on-premises data center.

    The configuration commands vary based on the device. The following example is for reference only. For specific commands, consult your device vendor.

    #Configure routes from the on-premises IDC to the VPC.
    ip route 192.168.0.0 255.255.0.0 10.0.0.1
    ip route 192.168.0.0 255.255.0.0 10.0.0.5
    #Configure return routes for health check probe packets.
    ip route <Health check source IP address> 255.255.255.255 10.0.0.1
    ip route <Health check source IP address> 255.255.255.255 10.0.0.5

  2. Configure health checks in the on-premises data center.

    You can use Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) to check route reachability from the on-premises data center to the VBRs. For the specific commands, consult your device vendor.

  3. Configure route filtering based on health check results.

    Configure this based on your network environment. For the specific commands, consult your device vendor.

Step 5: Test the connectivity

After you complete the preceding configurations, test the connectivity of the Express Connect circuits.

  1. On a computer in your on-premises data center, open the command-line window.

  2. Run the ping command to check the connection between the on-premises data center and an ECS instance in the VPC (CIDR block: 192.168.0.0/16).

    If you receive a reply message, the connection is successful.

  3. Run a route tracing command to check whether the two Express Connect circuits are used for load balancing.

    Note

    Before you run the command, make sure that you have installed the relevant commands. If you are using a different operating system, see the manual of your operating system for specific operations.

    • Windows operating system: Run the tracert command.

    • Linux operating system: Run the traceroute command.
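
To read the route tracing output from step 3, look for the Alibaba Cloud-side peer IPs of both VBRs (10.0.0.1 and 10.0.0.5) among the hops. The following Python sketch is an added example, not part of the original topic; it assumes that the cloud-side peer addresses answer as hops, and the sample outputs, including the on-premises gateway 172.16.0.1 and the ECS addresses, are constructed.

```python
import re

# Alibaba Cloud-side peer IPs of the two VBRs, taken from this topic.
CIRCUITS = {"10.0.0.1": "Express Connect circuit 1",
            "10.0.0.5": "Express Connect circuit 2"}
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
HOP_LINE = re.compile(r"^\s*\d+\s")  # hop lines start with the hop number

# Constructed sample output: Linux traceroute -n, both peers answer at hop 2.
LINUX_RUN = """traceroute to 192.168.1.10 (192.168.1.10), 30 hops max, 60 byte packets
 1  172.16.0.1  0.412 ms  0.398 ms  0.377 ms
 2  10.0.0.1  1.512 ms 10.0.0.5  1.498 ms 10.0.0.1  1.530 ms
 3  * * *
 4  192.168.1.10  2.104 ms  2.087 ms  2.120 ms
"""

# Constructed sample output: two Windows tracert runs to different ECS instances.
WINDOWS_RUN_A = """Tracing route to 192.168.1.10 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  172.16.0.1
  2     1 ms     1 ms     1 ms  10.0.0.1
  3     2 ms     2 ms     2 ms  192.168.1.10
"""
WINDOWS_RUN_B = """Tracing route to 192.168.1.11 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  172.16.0.1
  2     1 ms     1 ms     1 ms  10.0.0.5
  3     2 ms     2 ms     2 ms  192.168.1.11
"""


def circuits_seen(outputs):
    """Return the set of circuits whose cloud-side peer IP answered as a hop."""
    seen = set()
    for text in outputs:
        for line in text.splitlines():
            if HOP_LINE.match(line):
                seen.update(CIRCUITS[ip] for ip in IPV4.findall(line)
                            if ip in CIRCUITS)
    return seen


def is_load_balanced(outputs):
    """True only if both circuits appear across the supplied trace outputs."""
    return circuits_seen(outputs) == set(CIRCUITS.values())


if __name__ == "__main__":
    print(sorted(circuits_seen([WINDOWS_RUN_A, WINDOWS_RUN_B])))
```

Routers commonly balance per flow, so a single trace to one destination can show only one circuit even when both are forwarding. Collect traces to several ECS addresses before you conclude that a circuit is unused.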
