Express Connect:Establish connections between a data center and Alibaba Cloud over a specific Express Connect circuit by using an ECR

Description

The following figure shows the scenario in this example. A company has a data center in Shanghai and creates a VPC in the China (Shanghai) region. Business-critical systems such as database clusters are deployed in the data center, and cloud resources such as Elastic Compute Service (ECS) instances that host specific business systems are deployed in the VPC. To ensure stable connections between the cloud and on-premises networks, the company needs to lease two Express Connect circuits to connect the customer-premises equipment (CPE) and virtual border routers (VBRs) and use an ECR to connect the data center and VPC. The data center is connected to the VBRs. The Border Gateway Protocol (BGP) dynamic routing and bidirectional forwarding detection (BFD) features are used to accelerate route convergence between the data center and VPC and implement connections over an Express Connect circuit that is specified by a route with higher priority. This improves network availability.

The following table describes how CIDR blocks are allocated in this example. You can allocate CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.

Preparations

Before you start, make sure that the following prerequisites are met:

• A VPC is created in the China (Shanghai) region, and cloud resources such as ECS instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

• You understand the security group rules of the ECS instances in the VPC. Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.

• An ECR is created. For more information, see Create and manage an ECR.

Procedure

Step 1: Create two connections over Express Connect circuits

In this example, two dedicated connections over Express Connect circuits are created to provide powerful disaster recovery capabilities in high-reliability mode. For more information, see Powerful disaster recovery.

Step 2: Create VBRs

Create a VBR for each Express Connect circuit. The VBRs serve as bridges for data exchange between the data center and VPC.

1. Log on to the Express Connect console.

2. In the top navigation bar, select a region. In the left-side navigation pane, click Virtual Border Routers (VBRs).

3. On the Virtual Border Routers (VBRs) page, click Create VBR. In the Create VBR panel, configure the parameters that are described in the following table and click OK.

   Parameter	Description
   Account	The Alibaba Cloud account to which the VBR belongs. In this example, Current Account is selected.
   Name	The name of the VBR. In this example, VBR1 is used.
   Express Connect Circuit	The type of the connection over the Express Connect circuit. In this example, Dedicated Physical Connection and Express Connect Circuit 1 are selected.
   VLAN ID	The VLAN ID of the VBR. In this example, 110 is used.
   Set VBR Bandwidth Value	The bandwidth of the VBR. In this example, 200Mb is selected.
   IPv4 Address (Alibaba Cloud Gateway)	The IPv4 address for the VBR to route network traffic between the VPC and data center. In this example, 172.16.1.2 is used.
   IPv4 Address (Data Center Gateway)	The IPv4 address for the gateway device in the data center to route network traffic between the data center and VPC. In this example, 172.16.1.1 is used.
   Subnet Mask (IPv4)	The subnet mask of the specified IPv4 addresses. In this example, 255.255.255.252 is used.

4. Repeat the preceding steps to create VBR2 for the other Express Connect circuit.

   The following table describes the parameters.

   Parameter	Description
   Account	The Alibaba Cloud account to which the VBR belongs. In this example, Current Account is selected.
   Name	The name of the VBR. In this example, VBR2 is used.
   Express Connect Circuit	The type of the connection over the Express Connect circuit. In this example, Dedicated Physical Connection and Express Connect Circuit 2 are selected.
   VLAN ID	The VLAN ID of the VBR. In this example, 120 is used.
   Set VBR Bandwidth Value	The bandwidth of the VBR. In this example, 200Mb is selected.
   IPv4 Address (Alibaba Cloud Gateway)	The IPv4 address for the VBR to route network traffic between the VPC and data center. In this example, 172.16.2.2 is used.
   IPv4 Address (Data Center Gateway)	The IPv4 address for the gateway device in the data center to route network traffic between the data center and VPC. In this example, 172.16.2.1 is used.
   Subnet Mask (IPv4)	The subnet mask of the specified IPv4 addresses. In this example, 255.255.255.252 is used.

Step 3: Enable BFD for the VBRs

Enable BFD for the VBRs to accelerate route convergence.

1. Log on to the Express Connect console.

2. In the top navigation bar, select a region. In the left-side navigation pane, click Virtual Border Routers (VBRs).

3. On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click Edit in the Actions column.

4. In the Edit VBR panel, configure the parameters and click OK.

   The following table describes the parameters related to BFD. Use default values for other parameters.

   Parameter	Description
   Submission Interval	The time interval at which BFD packets are sent. Unit: millisecond. Default value: 1000. In this example, the default value is used.
   Reception Interval	The time interval at which BFD packets are received. Unit: millisecond. Default value: 1000. In this example, the default value is used.
   Detection Time Multiplier	The detection time multiplier that is used to determine the maximum number of lost packets. Default value: 3. In this example, the default value is used.

5. On the Virtual Border Routers (VBRs) page, click the ID of the VBR for which you want to configure BGP routing.

6. On the details page of the VBR, click the BGP Peers tab.

7. Find the BGP peer that you want to manage and click Edit in the Actions column.

8. In the Modify BGP Peer panel, select Enable BFD, configure the BFD Hop Count parameter, and then click OK.

   Note

   BFD supports single-hop and multi-hop authentication. You can specify hops based on your network configurations.

Step 4: Configure BGP routing

Configure BGP routing between the data center and VBRs. You can use the autonomous system (AS) path attribute to configure route priorities in the data center to establish active/standby connections.

1. Set the data center and VBRs as BGP peers and advertise routes. For more information, see Configure and manage BGP.

   The default autonomous system number (ASN) of Alibaba Cloud is 45104. The data center can use 2-byte or 4-byte ASNs.

2. When you configure BGP routing in the data center, you must specify the destination CIDR block of the BGP routes that you want to advertise to Alibaba Cloud. In this example, the destination CIDR block is 10.1.1.0/24. To implement route selection mode and establish connections from Alibaba Cloud to the data center, specify the AS path length to determine route priorities.

You can specify the AS path length to configure route priorities. A shorter AS path indicates a higher priority. The following table describes how BGP routing is configured on the CPE in the data center. For more information about the commands, contact the service provider of the CPE.

Step 5: Associate the VBRs and VPC with the ECR

After the connections over Express Connect circuits are established, you must associate the VBRs and VPC with the ECR to connect the data center and VPC.

1. Log on to the Express Connect console.

2. In the left-side navigation pane, click Express Connect Router (ECR). On the Express Connect Router (ECR) page, find the ECR that you want to manage and click the name of the ECR. The details page of the ECR appears.

3. Click the VBR tab. On the VBR tab, click Associate VBR.

4. In the Associate VBR dialog box, configure the parameters described in the following table and click OK.

   Parameter	Description
   Resource Owner	The type of the account to which the VBR belongs. Valid values: Current Account: The VBR and the ECR belong to the same account. Another Account: If you want to associate a VBR with the ECR across accounts, you must authorize the ECR that belongs to the current Alibaba Cloud account to access the VBR that belongs to another Alibaba Cloud account. For more information, see the "Grant permissions to the ECR by using the VBR" section of the Grant permissions to an ECR across Alibaba Cloud accounts topic.
   Region	The region in which the VBR resides.
   Peer Account UID	The ID of the Alibaba Cloud account to which the VPC belongs. Note This parameter is required if you set the Resource Owner parameter to Another Account.
   Network Instance	The name or ID of the VBR.
   Allow Business Access Between Data Centers	Specifies whether to allow data centers to access each other. Note By default, this feature is disabled. If you want to use the feature, contact your Alibaba Cloud account manager to apply for enabling the feature.

5. Click the VPC tab. On the VPC tab, click Associate VPC.

6. In the Associate VPC dialog box, configure the parameters described in the following table and click OK.

   Parameter	Description
   Resource Owner	The type of the account to which the VPC belongs. Valid values: Current Account: The VPC and the ECR belong to the same account. Another Account: If you want to associate a VPC with the ECR across accounts, you must authorize the ECR that belongs to the current Alibaba Cloud account to access the VPC that belongs to another Alibaba Cloud account For more information, see the "Grant permissions to the ECR by using the VPC" section of the Grant permissions to an ECR across Alibaba Cloud accounts topic.
   Region	The region in which the VPC resides.
   Peer Account UID	The ID of the Alibaba Cloud account to which the VPC belongs. Note This parameter is required if you set the Resource Owner parameter to Another Account.
   VPC ID	The ID of the VPC.
   Allowed Route Prefixes	The route prefixes that you want to advertise to the data center by using the ECR. You can select Matching Mode or Incremental Mode to configure route prefixes. Note You can add IPv4 and IPv6 route prefixes to an ECR. You can select or switch the following modes when you configure route prefixes. Matching mode: Express Connect withdraws specific routes that are advertised to a data center and advertises allowed route prefixes to the data center. Incremental mode: Express Connect withdraws specific routes that are advertised to a data center and that fall within the configured route range. Routes that do not fall within the range are still advertised. Switch the match mode to the incremental mode: Express Connect re-advertises routes that do not fall within the route range to a data center. Configured route prefixes are still advertised. Switch the incremental mode to the matching mode: Express Connect withdraws the routes that are advertised to a data center and that do not fall within the route range. Configured route prefixes are still advertised. If no prefix routes are configured or configured route prefixes are cleared, Express Connect automatically advertises specific routes to a data center. If the ECR advertises only one route prefix and you modify the route prefix, Alibaba Cloud will temporarily resume the specific route to ensure your service continuity. After the modified route prefix is advertised, the configured route prefix is used. Pay attention to the impacts on your peer networks after the specific routes are advertised.

Step 6: Test the network connectivity

1. Open the CLI on a computer of the data center.

2. Run the ping command to test the connectivity between the data center and an ECS instance in the VPC. The CIDR block of the VPC is 192.168.20.0/24. If echo reply packets are returned, the destination is reachable.

3. You can use the failure drill feature of Express Connect to simulate scenarios in which the active route is disconnected. This feature allows you to check whether the network traffic can be automatically switched to the standby route under this circumstance. For more information, see Use the failure drill feature.