When you connect a data center to a virtual private cloud (VPC) on Alibaba Cloud by using redundant Express Connect circuits and establishing connections between virtual border routers (VBRs) and the VPC in Express Connect, you need to configure health checks for the data center and VBRs to test the connectivity of the Express Connect circuits. If one of the Express Connect circuits is declared unhealthy, the system automatically routes network traffic over the other Express Connect circuit that works as expected.

Background information

By default, Alibaba Cloud sends a probe packet every two seconds over an Express Connect circuit from the source IP address to the destination IP address in a data center. If the probe packet is returned, the Express Connect circuit works as expected. If no responses are returned for eight consecutive probe packets, the Express Connect circuit is down.
Warning: Make sure that responses for probe packets can be returned from the IP address that is pinged. Do not limit the probe packet rate or block ping.
If you create a VBR-to-VPC connection, you can use one of the following methods to configure health checks:
  • Add a static route to the VBR

    If you use this method, you need to configure the source IP address of health checks on the VBR. The subnet mask of this source IP address is 32 bits in length. From the perspective of the return route, the next hop of the route on the VBR is the corresponding VPC. You must also manually configure a route that points to the corresponding Express Connect circuit in the data center. The source IP address of this route is the source IP address of health checks, and the subnet mask of this source IP address is 32 bits in length.

  • Configure BGP routing for the VBR

    If you use this method, you need to configure the source IP address of health checks on the VBR. The subnet mask of this source IP address is 32 bits in length. From the perspective of the return route, the next hop of the route on the VBR is the corresponding VPC. Then, you must advertise the CIDR block of the VPC on the VBR.

Note: If throttling, such as Control Plane Policing (CoPP) on Cisco devices or local attack defense, is enabled for the gateway devices in the data center, probe packets may be dropped. As a result, the system may frequently switch between the two Express Connect circuits. We recommend that you disable CoPP throttling for the gateway devices in the data center.
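The probe logic described above can be replayed offline to see how dropped probes turn into circuit switches. The following is an added example, not Alibaba Cloud code: the function names and probe sequences are constructed, and it assumes that a single returned probe marks the circuit as working again, which the page does not state explicitly.

```python
def transitions(replies, interval=2, packets=8):
    """Replay probe outcomes (True = reply returned) and return state changes
    as (probe_number, seconds_since_first_probe, new_state)."""
    if not 2 <= interval <= 3:
        raise ValueError("Send Packet Every (Seconds) must be 2 to 3")
    if not 3 <= packets <= 8:
        raise ValueError("Packets Detected must be 3 to 8")
    state, missed, events = "up", 0, []
    for n, replied in enumerate(replies, start=1):
        elapsed = (n - 1) * interval
        if replied:
            missed = 0
            if state == "down":  # assumption: one reply restores the circuit
                state = "up"
                events.append((n, elapsed, "up"))
        else:
            missed += 1
            if state == "up" and missed >= packets:
                state = "down"
                events.append((n, elapsed, "down"))
    return events


def policed_replies(total, drop_from, drop_count):
    """Constructed model of a gateway policer that discards `drop_count`
    consecutive probes starting at 0-based probe index `drop_from`."""
    return [not (drop_from <= i < drop_from + drop_count) for i in range(total)]


# Constructed scenarios: the circuit never fails, only the policer drops probes.
SHORT_BURST = policed_replies(30, drop_from=5, drop_count=7)
LONG_BURST = policed_replies(30, drop_from=5, drop_count=10)

if __name__ == "__main__":
    for name, replies in (("7 dropped", SHORT_BURST), ("10 dropped", LONG_BURST)):
        for packets in (8, 3):
            print(name, "| Packets Detected =", packets, "|",
                  transitions(replies, 2, packets))
```

With the default of 8 packets, a run of 7 dropped probes causes no switch, while 10 dropped probes take a healthy circuit out of service and back. Lowering Packets Detected to 3 detects a real failure sooner but also switches on the shorter burst.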
Configure health checks

Prerequisites

Equal-cost multi-path (ECMP) routing is configured by using two Express Connect circuits. For more information, see Configure ECMP between a data center and Alibaba Cloud, Establish active/standby connections between a data center and Alibaba Cloud, or Create active/standby connections and configure BGP routing.

Add a static route to the VBR

Configure health checks on a VBR

Note: If you create a VBR-to-VPC connection across accounts, you must configure health checks for the VBR by using the acceptor account.
  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region and choose VPC Peering Connections > VBR-to-VPC in the left-side navigation pane.
  3. On the VBR-to-VPC page, find the peering connection that you want to manage and choose More > Health Check in the Actions column.
  4. In the Health Check panel, click Configure.
  5. In the Edit VBR panel, set the following parameters to configure health checks and click OK.
    | Parameter | Description |
    | --- | --- |
    | Network Type | Select the network type of the VBR. In this example, only IPv4 Routing is supported. |
    | Source IP | Enter an idle private IP address from the connected VPC. |
    | Destination IP | Enter the private IP address of the interface on the gateway device in the data center. |
    | Send Packet Every (Seconds) | Specify an interval at which probe packets are sent for health checks. Unit: seconds. Default value: 2. Valid values: 2 to 3. |
    | Packets Detected | Specify the number of probe packets that are sent for health checks. Unit: packets. Default value: 8. Valid values: 3 to 8. |

Configure health checks in the data center

You must configure the return route of probe packets and health checks in the data center, and then configure the gateway device to route network traffic based on health check results to achieve network redundancy.

  1. Configure the return route of probe packets in the data center.
    Important: Before you configure health checks in the data center, you must configure the return route of probe packets in the data center.

    The configuration commands may vary based on gateway devices. The following example is for reference only. For more information about the configuration commands, consult the vendor of your gateway device.

    # Configure the return route of the probe packets.
    ip route <Source IP address 1 for health checks> 255.255.255.255 <IP address 1 of the desired VBR>
    ip route <Source IP address 2 for health checks> 255.255.255.255 <IP address 2 of the desired VBR>
  2. Configure health checks in the data center.
    You can configure Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) on the gateway device in the data center to test the reachability of routes destined for the VBRs. For more information about the configuration commands, consult the vendor of your gateway device.
  3. Configure the gateway device to route network traffic based on health check results.
    The configuration may vary based on the network environment. For more information about the configuration commands, consult the vendor of your gateway device.
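Before relying on failover, the return routes from step 1 can be checked against the health check settings entered on the VBR. The following is an added example, not part of the original procedure or any vendor tool: the VPC CIDR block, IP addresses, and gateway configuration lines are constructed sample values, and the `ip route` syntax follows the reference commands shown above.

```python
import ipaddress

# Constructed sample values (assumptions, not from the page).
VPC_CIDR = "192.168.0.0/16"
CHECKS = [
    {"source_ip": "192.168.0.1", "vbr_ip": "10.0.0.1", "interval": 2, "packets": 8},
    {"source_ip": "192.168.0.2", "vbr_ip": "10.0.1.1", "interval": 2, "packets": 8},
]
GATEWAY_CONFIG = """\
ip route 192.168.0.1 255.255.255.255 10.0.0.1
ip route 192.168.0.2 255.255.255.0 10.0.1.1
"""

def parse_static_routes(config):
    """Map each `ip route <dest> <mask> <next hop>` line to {network: next_hop}."""
    routes = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[:2] == ["ip", "route"]:
            network = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes[network] = ipaddress.ip_address(parts[4])
    return routes

def validate(check, vpc_cidr, routes):
    """Return the problems found for one health check; an empty list means it passes."""
    problems = []
    source = ipaddress.ip_address(check["source_ip"])
    if not source.is_private or source not in ipaddress.ip_network(vpc_cidr):
        problems.append("source IP is not a private address from the VPC")
    if not 2 <= check["interval"] <= 3:
        problems.append("interval outside 2 to 3 seconds")
    if not 3 <= check["packets"] <= 8:
        problems.append("packet count outside 3 to 8")
    # The return route must be a host route (32-bit mask) for the probe source,
    # with the VBR on the same circuit as the next hop.
    next_hop = routes.get(ipaddress.ip_network(f"{source}/32"))
    if next_hop is None:
        problems.append("no 32-bit return route for the source IP")
    elif next_hop != ipaddress.ip_address(check["vbr_ip"]):
        problems.append("return route next hop is not the VBR")
    return problems

def audit(checks=CHECKS, vpc_cidr=VPC_CIDR, config=GATEWAY_CONFIG):
    routes = parse_static_routes(config)
    return {c["source_ip"]: validate(c, vpc_cidr, routes) for c in checks}

if __name__ == "__main__":
    for source_ip, problems in audit().items():
        print(source_ip, "OK" if not problems else problems)
```

In the sample configuration the second route uses a 24-bit mask, so the check for 192.168.0.2 reports a missing 32-bit return route.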

Configure BGP routing for the VBR

Configure health checks on a VBR

Note: If you create a VBR-to-VPC connection across accounts, you must configure health checks for the VBR by using the acceptor account.
  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region and choose VPC Peering Connections > VBR-to-VPC in the left-side navigation pane.
  3. On the VBR-to-VPC page, find the peering connection that you want to manage and choose More > Health Check in the Actions column.
  4. In the Health Check panel, click Configure.
  5. In the Edit VBR panel, set the following parameters to configure health checks and click OK.
    | Parameter | Description |
    | --- | --- |
    | Network Type | Select the network type of the VBR. In this example, only IPv4 Routing is supported. |
    | Source IP | Enter an idle private IP address from the connected VPC. |
    | Destination IP | Enter the private IP address of the interface on the gateway device in the data center. |
    | Send Packet Every (Seconds) | Specify an interval at which probe packets are sent for health checks. Unit: seconds. Default value: 2. Valid values: 2 to 3. |
    | Packets Detected | Specify the number of probe packets that are sent for health checks. Unit: packets. Default value: 8. Valid values: 3 to 8. |

Add a route that points to the VPC to the VBR

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
  4. On the details page of the VBR, choose Routes > Custom Route and click Add Route.
  5. In the Add Route panel, set the following parameters and click OK.
    | Parameter | Description |
    | --- | --- |
    | Next Hop Type | Select the type of the next hop. In this example, VPC is selected. |
    | Destination CIDR Block | Enter the destination CIDR block. In this example, the CIDR block of the source IP addresses for health checks is entered. The subnet masks of the source IP addresses are 32 bits in length. Example: 192.168.0.1/32. |
    | Next Hop | Select an instance as the next hop. In this example, the desired VPC is selected. |
    | Description | Enter a description for the route. |

Advertise the BGP CIDR block on the VBR

Note: Before you advertise the BGP CIDR block on the VBR, make sure that a route that points to the VPC is configured for the VBR.
  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
  4. On the details page of the VBR, click the Advertised BGP Subnets tab, and then click Advertise BGP Subnet.
  5. In the Advertise BGP Subnet panel, enter the CIDR block of the source IP addresses for health checks in the Advertised Subnet field and click OK. The subnet masks of the source IP addresses are 32 bits in length. Example: 192.168.0.1/32.

What to do next

Clear health check settings

You can clear the settings of health checks that are configured on VBRs.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region and choose VPC Peering Connections > VBR-to-VPC in the left-side navigation pane.
  3. On the VBR-to-VPC page, find the peering connection that you want to manage and choose More > Health Check in the Actions column.
  4. In the Health Check panel, click Clear. In the Clear Health Check Settings message, click OK.

Configure alert rules about health checks in the CloudMonitor console

  1. Log on to the CloudMonitor console.
  2. In the left-side navigation pane, choose Alerts > Alert Rules.
  3. On the Alert Rules page, click Create Alert Rule.
  4. In the Create Alert Rule panel, select Express Connect - Peering Connections, Express Connect - VBR, or Express Connect - Physical Connections from the Product drop-down list, set the following parameters, and then click OK.
    The following table describes the parameters that are relevant to this topic. For more information about other parameters, see Create an alert rule.
    Click + Add Rule. In the Add Rule Description panel, set the following parameters and click OK.
    • Alert Rule: The name of the threshold-triggered alert rule.
    • Metric Type: The metric type of the threshold-triggered alert rule. In this example, Single Metric is selected. For more information about parameters of Multiple Metrics and Dynamic Threshold, see Create an alert template.
      • Single Metric
      • Multiple Metrics
      • Dynamic Threshold
    • Metric: The metric that you want to monitor. The following content describes the metrics for peering connections, VBRs, and physical connections:
      • Express Connect - Peering Connections
        • RouterInterfaceLossRate: the packet loss rate monitored by health checks between the Express Connect circuit and the VPC.
        • RouterInterfaceResponseTime: the network latency monitored by health checks between the Express Connect circuit and the VPC. Unit: milliseconds.
      • Express Connect - VBR
        • VbrHealthyCheckLatency: the network latency monitored by health checks between the Express Connect circuit and the VBR. Unit: microseconds.
        • VbrHealthyCheckLossRate: the packet loss rate monitored by health checks between the Express Connect circuit and the VBR.
      • Express Connect - Physical Connections
        • PhysicalConnectionStatus: the connection status of the Express Connect circuit.
    • Threshold and Alert Level: The alert conditions, alert threshold, and alert level of the alert rule.
    • Chart Preview: The chart in which the monitoring data of the selected metric is displayed.

References