Use two Express Connect circuits and an Express Connect Router (ECR) to connect a data center to Alibaba Cloud over equal-cost multi-path routing (ECMP). Both circuits carry live traffic simultaneously. If Bidirectional Forwarding Detection (BFD) detects that one circuit fails, traffic automatically shifts to the other circuit—keeping your applications running without manual intervention.
Why active-active instead of active-standby
Running both circuits in active-standby mode introduces a risk: the standby link receives no traffic, so link-layer issues go undetected until failover is attempted. When the active link fails, the standby link may also be degraded or advertising stale routes, resulting in an extended outage.
With active-active ECMP, both links carry real traffic at all times. Any degradation is visible immediately, and failover affects roughly half the flows rather than all of them—significantly reducing mean time to recovery (MTTR).
Do not terminate both circuits on the same CPE device or the same port of a single CPE. Doing so eliminates physical-layer redundancy and reintroduces the single point of failure that ECMP is designed to prevent.
Scenario
An enterprise has a data center in the China (Beijing) region. The same region already has a transit router (TR) and a virtual private cloud (VPC). The goal is to let servers in the data center reach cloud resources over two parallel Express Connect circuits that form ECMP connections.
The setup uses the following components:
| Component | Role |
|---|---|
| Two Express Connect circuits | Connect to separate customer-premises equipment (CPE) devices and virtual border routers (VBRs) |
| VBR1 and VBR2 | Act as private network bridges between the data center and the VPC |
| ECR | Routes traffic between the data center and the VPC |
| BFD | Detects link failures and triggers automatic switchover |
Prerequisites
Before you begin, make sure you have:
A VPC in the China (Beijing) region with services running on ECS instances. See Create and manage a VPC
A transit router in the China (Beijing) region with a VPC connection configured
Security group rules on ECS instances that allow inbound traffic from the data center. See Add a security group rule
Step 1: Apply for physical ports
Apply for ports in high-reliability mode. The system creates two physical port instances, one for each Express Connect circuit.
Step 2: Create VBRs
Log on to the Express Connect console and select the China (Beijing) region in the top navigation bar.
On the Physical Connection page, click the first physical port instance. On the details page, click Create VBR.
In the Create VBR panel, set Account type to Current Account, configure the parameters shown below, and click OK to create VBR1.

Repeat the steps above for the second physical port instance to create VBR2.

Step 3: Create an ECR and attach it to the TR and VBRs
Create an ECR
In the left navigation pane, click the menu icon and select Express Connect Router (ECR).
In the dialog box, enter 64512 for ASN, accept the default values for other parameters, select the billing agreement checkbox, and click OK.
Attach the ECR to the VBRs
Click the ID of the ECR instance. On the VBR tab, click Associate VBR.
Configure the following parameters and click OK.
| Parameter | Value |
|---|---|
| Resource ownership | Same Account |
| Region | China (Beijing) |
| Network instance | VBR1 |

Repeat the steps above to attach VBR2 to the ECR.
Attach the ECR to the TR
Click the ID of the ECR instance. On the TR tab, click Associate TR.
Configure the following parameters, accept the default values for unlisted parameters, and click OK.
| Parameter | Value |
|---|---|
| CEN ID | Your CEN instance |
| Region | China (Beijing) |
| TR | Your transit router instance |
Step 4: Configure BGP and enable BFD
ECMP requirements
ECMP takes effect automatically when both VBRs are in the same region and use the same routing method. The routes advertised from the data center to both VBRs must have identical attributes. If any attribute differs, the routing system treats the paths as unequal and ECMP does not take effect.
Make sure the following BGP attributes are consistent across both CPE devices:
| Attribute | CPE1 | CPE2 | Requirement |
|---|---|---|---|
| VLAN tag | 1308 | 1309 | Can differ |
| Network | 192.168.0.0/16 | 192.168.0.0/16 | Must match |
| BGP ASN | 6\*\*\*3 | 6\*\*\*4 | Can differ |
| Interface IP | 10.10.1.5 | 10.10.2.5 | Can differ |
| AS-Path | A | A | Must match |
The AS-Path values for CPE1 and CPE2 must be identical. If they differ, the VBRs receive routes with different AS-Path lengths and cannot form an ECMP pair. Normalize the AS-Path on both CPE devices before proceeding.
Why BFD matters
Without BFD, failure detection relies on the BGP hold-time. This means a link failure can go undetected for an extended period before BGP reconverges and traffic shifts to the surviving circuit. BFD provides subsecond link failure detection, dramatically reducing the time your applications are affected.
Enable BFD on both the VBR side (in the console) and the CPE side (on your device). A one-sided BFD configuration does not provide fast failure detection.
Configure BGP on VBR1 and VBR2
Log on to the Express Connect console.
In the left navigation pane, click Virtual Border Routers (VBRs). Click the ID of VBR1.
Click Create BGP group and configure the following parameters, then click OK.
| Parameter | Value |
|---|---|
| Peer ASN | 6\*\*\*3 (the AS number of the data center network) |
| Local ASN | 64512 (the ECR ASN, inherited by the VBR) |

Click Create BGP peer, configure the following parameters, select Enable BFD, and click OK.

| Parameter | Value |
|---|---|
| BGP groups | The BGP group you just created |
| BGP peer IP | 10.10.1.5 (the interface IP of CPE1 facing the Express Connect circuit) |

Repeat steps 2–4 for VBR2.
Configure BGP on the CPE devices
On each CPE device, advertise the data center CIDR block (192.168.0.0/16) to the VBRs so the VBRs can learn the routes to the data center.
CPE1 and CPE2 both learn the routes to the VPC through BGP. With consistent route attributes, the data center accesses cloud resources through both CPE1 and CPE2 over ECMP.
Enable BFD on each CPE device. The configuration commands vary by vendor and device. Consult your device vendor for the exact commands and recommended BFD timer values for use with Express Connect.
When both BGP peer statuses show Established, the BGP sessions are active and route exchange has begun.
Step 5: Verify the setup
Verify connectivity
Log on to an ECS instance in the VPC and run:
ping <IP address of the client in the data center>
A successful ping response confirms that the data center and VPC can communicate.

Verify ECMP
Run traceroute to confirm that both circuits are carrying traffic.
If traceroute is not installed, run sudo yum install traceroute on CentOS.
From the VPC to the data center:
traceroute <IP address of the client in the data center>
If the output shows two different next hops at the same TTL, ECMP is active.

From the data center to the VPC:
traceroute <IP address of the ECS instance in the VPC>
Verify failover
Use the failure drill feature to simulate a VBR1 link failure.
Run traceroute again to confirm that traffic has shifted to VBR2.
From the VPC to the data center:
traceroute <IP address of the client in the data center>
The output should show only the VBR2 path.
From the data center to the VPC:
traceroute <IP address of the ECS instance in the VPC>
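The ECMP and failover checks above can be scripted by parsing the traceroute output. The following is an added example, not part of the original procedure: the function names are hypothetical, both sample outputs are constructed, and the hop addresses are assumed to be the CPE interface IPs from the attribute table.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")

# Constructed sample output (not captured from a real deployment).
NORMAL = """traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 60 byte packets
 1  10.10.1.5 (10.10.1.5)  2.31 ms 10.10.2.5 (10.10.2.5)  2.44 ms 10.10.1.5 (10.10.1.5)  2.29 ms
 2  * * *
 3  192.168.0.10 (192.168.0.10)  3.10 ms  3.05 ms  3.12 ms
"""
DRILL = """traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 60 byte packets
 1  10.10.2.5 (10.10.2.5)  2.40 ms  2.38 ms  2.41 ms
 2  * * *
 3  192.168.0.10 (192.168.0.10)  3.21 ms  3.18 ms  3.25 ms
"""

def parse_hops(output):
    """Map each TTL to the set of addresses that answered at that TTL."""
    hops = {}
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header or blank line
        responders = set()
        for token in IPV4.findall(m.group(2)):
            try:
                responders.add(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # four dotted numbers that are not a valid address
        hops[int(m.group(1))] = responders  # "* * *" yields an empty set
    return hops

def ecmp_ttls(hops):
    """TTLs where probes were answered by more than one next hop."""
    return {ttl: sorted(ips, key=ipaddress.ip_address)
            for ttl, ips in hops.items() if len(ips) > 1}

def verify(output, failed_hop=None):
    """Summarise one traceroute run; failed_hop is the path taken down in the drill."""
    hops = parse_hops(output)
    seen = set().union(*hops.values())
    return {"ecmp": bool(ecmp_ttls(hops)),
            "ecmp_ttls": ecmp_ttls(hops),
            "failed_hop_still_used": failed_hop in seen}

if __name__ == "__main__":
    print("normal:", verify(NORMAL))
    print("drill: ", verify(DRILL, failed_hop="10.10.1.5"))
```
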

What's next
To set up an active/standby configuration instead of active-active ECMP, see Connect a data center to the cloud over active/standby circuits using ECR.