This topic describes how to establish active/active connections between a data center and Alibaba Cloud by using two Express Connect circuits and configuring Border Gateway Protocol (BGP) routing for virtual border routers (VBRs).
Scenario
In this example, the following scenario is used. If your data center is connected to Alibaba Cloud over two Express Connect circuits, network traffic is distributed across both connections by default. If one of the Express Connect circuits is down, the system automatically routes network traffic over the other Express Connect circuit that works as expected. This ensures service availability.
An enterprise has a data center in Hangzhou and a virtual private cloud (VPC) in the China (Hangzhou) region. The private CIDR block of the data center is 172.17.1.0/24, and the private CIDR block of the VPC is 172.16.0.0/16. To prevent single points of failure (SPOFs), the enterprise needs to lease two Express Connect circuits from different connectivity providers to configure active-active failover.
The following table describes the configurations of the VBRs that are connected to the Express Connect circuits.
Configuration item | VBR1 (connected to Express Connect Circuit 1) | VBR2 (connected to Express Connect Circuit 2) |
VLAN ID | 0 | 0 |
IPv4 Address (Alibaba Cloud Gateway) | 10.100.1.2 | 10.100.5.5 |
IPv4 Address (Data Center Gateway) | 10.100.1.10 | 10.100.5.6 |
Subnet Mask (IPv4) | 255.255.255.0 | 255.255.255.0 |
Prerequisites
A VPC is created in the China (Hangzhou) region and cloud resources such as Elastic Compute Service (ECS) instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
Two dedicated connections are created. For more information, see Classic mode.
Step 1: Create VBRs for both Express Connect circuits
After the Express Connect circuits are enabled, you need to create a VBR for each Express Connect circuit. The VBRs serve as bridges for data exchange between the data center and the VPC.
Log on to the Express Connect console.
In the top menu bar, select the destination region.
On the Physical Connection page, click the ID of the connection over Express Connect Circuit 1.
On the VBR tab, click Create VBR.
In the Create VBR panel, configure the parameters that are described in the following table and click OK.
The following table describes only the key parameters. For more information, see Create and manage a VBR.
Repeat the preceding steps to create VBR 2 for Express Connect Circuit 2.
Step 2: Establish VBR-to-VPC connections
After you create VBRs, you need to create VBR-to-VPC connections to enable private network communication between the VPC and the VBRs.
In the left-side navigation pane, choose .
On the VBR-to-VPC page, click Create Peering Connection. On the Establish VBR-VPC Interconnection page, set the parameters.
The following table describes only the key parameters. For more information, see Create and manage a VBR-to-VPC connection.
Repeat the preceding steps to create a VBR-to-VPC connection between VBR 2 and the VPC.
If the initiator or acceptor is deployed outside the Chinese mainland and the acceptor is deployed in the Chinese mainland or vice versa, the VBR-to-VPC connection is a cross-border connection. In this case, you must select the agreement for cross-border connections before you can create the VBR-to-VPC connection.
Step 3: Configure routes to route network traffic from the VPC to the data center
Configure routes for the VPC so that traffic destined for the data center (172.17.1.0/24) is forwarded to the VBR.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top navigation bar, select the region to which the route table belongs.
On the Route Tables page, find the custom route table of the VPC and click the route table ID.
On the details page of the route table, click the tab and click the Custom Route tab.
Click Add Route Entry. In the Add Route Entry dialog box, configure the parameters that are described in the following table and click OK.
Repeat the preceding steps to configure a route that points to VBR 2 for the VPC.
Step 4: Configure routes to route network traffic from the data center to the VPC
Configure routes that point to the VPC for the VBRs and configure BGP routes between the data center and the VBR. This ensures that network traffic can be securely routed from the data center to the VPC.
Configure routes for the VBRs so that traffic destined for the VPC (172.16.0.0/16) is forwarded to the VPC.
Log on to the Express Connect console.
In the top navigation bar, select the region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, click the ID of VBR 1.
On the details page of the VBR, click the Routes tab and then the Custom Route Entry tab. Then, click Add Route.
In the Add Route panel, configure the parameters that are described in the following table and click OK.
Repeat the preceding steps to configure a route that points to the VPC for VBR 2.
Configure the BGP routing between the data center and the VBRs (VBR 1 and VBR 2). For more information, see Configure and manage BGP.
Advertise the VPC CIDR block 172.16.0.0/16.
Step 5 (optional): Configure health checks
After you perform the preceding steps, you must configure health checks to test the status of the Express Connect circuits. For information about health check configurations, see Configure and manage health checks.
Step 6: Test the network connectivity
After you complete the preceding steps, you need to check whether the data center can communicate with the VPC.
Before you check the connectivity, make sure that you understand the security group rules of the ECS instances in the VPC. Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.
Open the command-line interface (CLI) on a computer of the data center side.
Run the ping command to test the connectivity between the data center and an ECS instance in the VPC. The CIDR block of the VPC is 172.16.0.0/16. If echo reply packets are returned, the connection is established.
To check whether active/active connections are established between the data center and Alibaba Cloud over Express Connect circuits, run a command to query the routes of packets.
Note: Before you run a command, make sure that relevant commands are installed. The command varies based on the operating system. For more information, see the manual of your operating system.
Windows: Run the tracert command.
Linux: Run the traceroute command.
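The following added example (not part of the original Alibaba Cloud documentation) shows one way to read the traceroute result on Linux: it scans `traceroute -n` output for the two Alibaba Cloud gateway addresses from the VBR table and reports whether probes crossed both circuits or only one. It assumes the VBR gateway addresses appear as hops in the trace; the sample traces, the ECS address 172.16.0.10, and the data center hop 172.17.1.1 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Gateway addresses come from the VBR table on this page.
VBR1_GW="10.100.1.2"   # Alibaba Cloud gateway, Express Connect Circuit 1
VBR2_GW="10.100.5.5"   # Alibaba Cloud gateway, Express Connect Circuit 2

# Read `traceroute -n` output on stdin and print which circuits carried probes:
# both | circuit1 | circuit2 | none
circuits_seen() {
  awk -v g1="$VBR1_GW" -v g2="$VBR2_GW" '
    $1 ~ /^[0-9]+$/ {                 # hop lines only; skips the header line
      for (i = 2; i <= NF; i++) {     # one hop line can list several responders
        addr = $i
        gsub(/[()]/, "", addr)        # tolerate "(a.b.c.d)" when -n is not used
        if (addr == g1) c1 = 1
        if (addr == g2) c2 = 1
      }
    }
    END {
      if (c1 && c2)  print "both"
      else if (c1)   print "circuit1"
      else if (c2)   print "circuit2"
      else           print "none"
    }'
}

# Constructed sample: probes for the same hop answered by both VBR gateways.
SAMPLE_ACTIVE_ACTIVE='traceroute to 172.16.0.10 (172.16.0.10), 30 hops max, 60 byte packets
 1  172.17.1.1  0.412 ms  0.388 ms  0.371 ms
 2  10.100.1.2  1.905 ms 10.100.5.5  2.014 ms 10.100.1.2  1.877 ms
 3  172.16.0.10  2.301 ms  2.256 ms  2.244 ms'

# Constructed sample: Circuit 1 is down, so all probes cross Circuit 2.
SAMPLE_FAILOVER='traceroute to 172.16.0.10 (172.16.0.10), 30 hops max, 60 byte packets
 1  172.17.1.1  0.405 ms  0.391 ms  0.380 ms
 2  10.100.5.5  2.020 ms  1.998 ms  2.003 ms
 3  172.16.0.10  2.410 ms  2.377 ms  2.365 ms'

# Live use from a data center host: traceroute -n <ECS private IP> | circuits_seen
printf 'healthy:  %s\n' "$(printf '%s\n' "$SAMPLE_ACTIVE_ACTIVE" | circuits_seen)"
printf 'failover: %s\n' "$(printf '%s\n' "$SAMPLE_FAILOVER" | circuits_seen)"
```

A result of `circuit1` or `circuit2` on a single trace does not by itself prove that a circuit is down, because load balancing may place all probes of one run on the same path; repeat the trace before drawing a conclusion.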
References
For more information about how to troubleshoot connectivity issues between a data center and a VPC, see Troubleshooting.
You can test the data transfer rate of your Express Connect circuit to ensure that the Express Connect circuit meets your business requirements. For more information, see Test the performance of an Express Connect circuit.
For more information about how to troubleshoot issues related to Express Connect circuit installation, see FAQ about installing an Express Connect circuit.
For more information about how to troubleshoot issues related to Express Connect circuit connections, see FAQ about connections over Express Connect circuits.